Date: Jan 2020

Location: Lebanon

Summary

A Hezbollah-affiliated threat actor known as Lebanese Cedar compromised Arabian Internet & Communications Services by exploiting vulnerabilities in internet-facing Atlassian and Oracle servers to deploy web shells, enabling persistent access. The attackers infiltrated internal networks using the Explosive RAT malware to exfiltrate sensitive customer databases and private company documents, including telecommunications call records. This campaign targeted multiple telecommunications and internet service providers globally, with the primary objective of intelligence gathering through stolen data. The group reused tools and infrastructure across intrusions, allowing security researchers to attribute the attacks and identify widespread server compromises.


Description

The incident involving Arabian Internet & Communications Services Co. Ltd. occurred within a broader campaign conducted by the Hezbollah-affiliated threat actor Lebanese Cedar, which targeted telecommunications providers and internet service providers across multiple countries beginning in early 2020. The attackers used open-source scanning tools to identify internet-exposed systems running unpatched Atlassian Confluence, Atlassian Jira, and Oracle Fusion Middleware, then exploited known vulnerabilities in those products (CVE-2019-3396, CVE-2019-11581, and CVE-2012-3152) to gain initial access to target networks. Once a system was compromised, the group deployed web shells, including ASPXSpy, Caterpillar 2, Mamad Warning, and a JSP file browser tool, to establish persistent access. This initial breach phase enabled lateral movement into internal corporate networks, where the attackers deployed the Explosive remote access trojan (RAT), a malware tool historically exclusive to Lebanese Cedar operations.


The campaign was discovered and analyzed by the cybersecurity firm ClearSky, which identified at least 254 compromised servers globally, including infrastructure belonging to Arabian Internet & Communications Services Co. Ltd. and other regional telecommunications operators. The attackers exfiltrated sensitive databases containing customer call records and private client information; intelligence gathering appears to have been the primary objective. Operational security failures by the threat actor, such as reusing identifiable files across multiple victim networks, enabled ClearSky to attribute the activity to Lebanese Cedar through tool overlap and infrastructure patterns. Specifically, 135 compromised servers shared identical file hashes with artifacts recovered during incident response investigations. The exploitation of public-facing enterprise systems provided a path into internal networks, where the Explosive RAT facilitated further data collection and exfiltration. No victim-specific remediation actions were detailed in public reporting, though the campaign's discovery terminated the threat actor's access across the identified infrastructure.
