Cyber Incident Victim: Etisalat
Date: Jan 2020
Location: United Arab Emirates
Summary
A Hezbollah-affiliated threat actor known as Lebanese Cedar compromised telecommunications providers and ISPs across multiple countries, including a UAE-based operator, through a campaign exploiting vulnerabilities in internet-facing Atlassian and Oracle servers. Attackers deployed web shells like ASPXSpy and the Explosive RAT to infiltrate internal networks, targeting sensitive customer databases and call records for intelligence gathering. Security researchers attributed the operation to the group based on unique malware signatures and reused attack infrastructure across 254 compromised servers globally.
Description
The Lebanese Cedar cyber espionage group, affiliated with Hezbollah, conducted a year-long hacking campaign beginning in early 2020 targeting telecommunications providers and internet service providers across multiple countries, including Etisalat in the UAE. Israeli cybersecurity firm ClearSky discovered the campaign, identifying at least 254 compromised web servers globally. Attackers employed open-source scanning tools to locate internet-exposed systems running unpatched Atlassian Confluence, Atlassian Jira, and Oracle Fusion middleware. They exploited known vulnerabilities—CVE-2019-3396, CVE-2019-11581, and CVE-2012-3152—to gain initial access, subsequently deploying web shells including ASPXSpy, Caterpillar 2, Mamad Warning, and JSP file browser for persistent remote control. After establishing footholds on perimeter systems, the group pivoted to internal networks where they deployed the Explosive remote access trojan (RAT), a custom malware tool historically exclusive to Lebanese Cedar operations. This RAT facilitated data exfiltration from compromised environments.

The campaign impacted organizations in the US, UK, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, Palestinian Authority, and UAE, with telecom operators like Vodafone Egypt and Etisalat UAE among confirmed victims. ClearSky attributed the activity through technical evidence, including file hash matches across 135 infected servers and reuse of operational infrastructure. Attackers focused on stealing sensitive corporate databases and client records, with telecommunications firms’ call detail records and subscriber information likely compromised. Operational security failures by the group, such as reusing identifiable files across intrusions, enabled researchers to track the campaign’s global scope. The primary objective centered on intelligence collection rather than disruptive attacks, leveraging compromised systems to harvest proprietary and customer data from critical communications infrastructure providers.
