Cyber Incident Victim: Secured Servers LLC
Date: Jan 2020
Location: United States of America
Summary
A Hezbollah-affiliated threat actor known as Lebanese Cedar conducted a cyber espionage campaign targeting telecommunications providers and internet service providers across multiple countries, including a U.S.-based entity. The attackers exploited vulnerabilities in internet-facing Atlassian and Oracle servers to deploy web shells, subsequently infiltrating internal networks to steal sensitive databases containing client call records and private data. They utilized tools including ASPXSpy, Caterpillar 2, and the proprietary Explosive RAT for persistent access and data exfiltration. Operational security lapses, such as reusing files across intrusions, enabled researchers to attribute the activity to the group and identify widespread compromises. The campaign's primary objective centered on intelligence gathering through systematic network breaches.
Description
The Lebanese Cedar threat group, affiliated with Hezbollah's cyber unit, conducted a year-long hacking campaign beginning in early 2020 targeting telecommunications providers and internet service providers across multiple countries. Israeli cybersecurity firm Clearsky discovered the intrusions, identifying at least 254 compromised web servers globally. Attackers initiated operations by scanning the internet for unpatched Atlassian Confluence, Atlassian Jira, and Oracle Fusion middleware servers. They exploited known vulnerabilities—CVE-2019-3396, CVE-2019-11581, and CVE-2012-3152—to gain initial access to exposed systems. Upon breaching servers, operators deployed multiple web shells including ASPXSpy, Caterpillar 2, Mamad Warning, and an open-source JSP file browser tool to establish persistent remote access.

The attackers pivoted from compromised internet-facing systems to internal corporate networks, where they deployed the Explosive remote access trojan (RAT), a malware tool historically exclusive to Lebanese Cedar operations. This RAT facilitated data exfiltration from victim environments, targeting sensitive databases containing customer call records and private client information. Clearsky attributed the campaign to Hezbollah's cyber unit through technical fingerprints, including consistent reuse of specific file hashes across 135 infected servers and the exclusive deployment of Explosive RAT. Victim organizations spanned the United States, United Kingdom, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, Palestinian Authority, and UAE, with confirmed compromises at Vodafone Egypt, Etisalat UAE, SaudiNet, and US-based Frontier Communications. The operation's primary objective centered on intelligence gathering and theft of proprietary databases, potentially exposing telecommunications subscriber data. Clearsky's investigation revealed operational security lapses by the attackers, including reuse of identifiable tools and files across intrusions, enabling cross-correlation of incidents. No victim remediation efforts or containment actions were detailed in the report.
