
Cyber Incident Victim: Vodafone Egypt

Date:

Jan 2020

Location:

Egypt

Summary

A Hezbollah-affiliated threat actor known as Lebanese Cedar compromised telecommunications providers, including Vodafone Egypt, by exploiting vulnerabilities in internet-facing Atlassian and Oracle servers to deploy web shells and gain network access. From those footholds the attackers moved into internal networks using the Explosive RAT and exfiltrated sensitive databases likely containing customer call records and private information, with victims spread across multiple countries. Security researchers attributed the campaign to the group based on reused attack infrastructure and unique malware signatures, identifying over 250 compromised servers globally during the operation.


Description

In early 2020, a Hezbollah-affiliated threat actor known as Lebanese Cedar initiated a year-long cyber espionage campaign targeting telecommunications providers and internet service providers across multiple countries, including Vodafone Egypt. The group, identified by Israeli cybersecurity firm ClearSky, exploited vulnerabilities in internet-facing servers to gain initial access. Attackers scanned for unpatched Atlassian Confluence (CVE-2019-3396), Atlassian Jira (CVE-2019-11581), and Oracle Fusion (CVE-2012-3152) systems, deploying web shells such as ASPXSpy, Caterpillar 2, Mamad Warning, and JSP file browser to maintain persistence. After compromising external servers, the attackers pivoted to internal networks, where they deployed the Explosive remote access trojan (RAT), a tool previously exclusive to Lebanese Cedar operations. This malware facilitated data exfiltration from victim organizations, with ClearSky confirming the theft of sensitive databases containing customer call records and private client information.


The campaign impacted at least 254 servers globally, with Vodafone Egypt, Etisalat UAE, SaudiNet, and Frontier Communications among the confirmed victims. Attackers reused files across intrusions, enabling ClearSky to attribute the activity through forensic analysis of matching file hashes found on 135 compromised servers. Operational security lapses, including tool reuse and recurring infrastructure patterns, further strengthened the link to Hezbollah’s cyber unit. The primary objective was intelligence gathering, with telecom databases representing high-value targets because of their sensitive subscriber data. No remediation efforts by Vodafone Egypt or other victims were detailed in the report, though ClearSky’s investigation provided definitive attribution through technical evidence tying the Explosive RAT and infrastructure to Lebanese Cedar’s historical tactics. The incident underscored the group’s focus on critical telecommunications infrastructure for geopolitical intelligence collection.
