Cyber Incident Victim: TE Data
Date: Jan 2020
Location: Egypt
Summary
A Hezbollah-affiliated threat actor known as Lebanese Cedar compromised telecom operators and ISPs across multiple countries, including a major Egyptian telecommunications provider, by exploiting vulnerabilities in unpatched Atlassian and Oracle servers. The attackers deployed web shells like ASPXSpy and Caterpillar 2 to maintain access, then infiltrated internal networks to exfiltrate sensitive databases containing client call records and private information using their proprietary Explosive RAT malware. Security researchers attributed the campaign to Lebanese Cedar based on the exclusive use of this tool and operational patterns, identifying over 250 compromised servers globally during the intrusion series aimed at intelligence gathering.
Description
The incident involving telecommunications and internet service providers attributed to the Lebanese Cedar group, a cyber unit affiliated with Hezbollah, commenced in early 2020 and persisted for approximately one year before being uncovered by Israeli cybersecurity firm ClearSky. Attackers employed open-source scanning tools to identify internet-exposed servers running unpatched Atlassian Confluence, Atlassian Jira, and Oracle Fusion middleware. They exploited known vulnerabilities—specifically CVE-2019-3396, CVE-2019-11581, and CVE-2012-3152—to gain initial access. Upon compromising these systems, the threat actors deployed multiple web shells, including ASPXSpy, Caterpillar 2, Mamad Warning, and a modified JSP file browser, to establish persistent remote control. The attackers then pivoted to internal networks, where they utilized a custom remote access trojan named Explosive RAT, designed for data exfiltration. This tool had historically been exclusive to Lebanese Cedar operations, serving as a key attribution indicator.

The campaign impacted at least 254 web servers across telecommunications and ISP entities in nine countries, including the United States, United Kingdom, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, Palestinian Authority, and the United Arab Emirates. Confirmed victims included Vodafone Egypt, Etisalat UAE, SaudiNet, and US-based Frontier Communications. Attackers targeted databases containing sensitive customer information, with ClearSky assessing that call records and private client data were likely accessed. Operational security lapses by the group, such as reusing identical files across multiple intrusions, enabled researchers to correlate 135 compromised servers through matching file hashes. The attackers’ primary objective appeared to be intelligence gathering, though no specific exfiltrated datasets were publicly confirmed. ClearSky’s investigation revealed no details regarding victim organizations’ containment or remediation actions beyond the firm’s own discovery and analysis of the campaign.
