Lebanese cyberespionage campaign hits defense, telecom, media firms worldwide

A cyberespionage group compromised hundreds of organizations by getting in through Web servers, researchers from Check Point said

For the past two years, a cyberespionage group that likely operates from Lebanon has hacked into hundreds of defense contractors, telecommunications operators, media groups and educational organizations from at least 10 countries.

The still-active attack campaign was uncovered and analyzed recently by security researchers from Check Point Software Technologies, who dubbed it Volatile Cedar. The company's researchers found evidence that the attackers started their operation in late 2012, but have managed to fly under the radar until now by carefully adapting their tools to avoid being detected by antivirus programs.

Unlike most cyberespionage groups, the Volatile Cedar attackers do not use spear phishing or drive-by downloads to gain a foothold in their victims' networks. Instead they target Web servers and use them as initial entry points.

The attackers use automated vulnerability scanners as well as manual techniques to find and exploit flaws in websites and Web applications. Those compromises are then used to install backdoor scripts known as Web shells on the affected Web servers, according to a detailed report released Tuesday by Check Point.

If the compromised servers run Microsoft's IIS Web server software, the attackers use their access to install a custom-made Windows Trojan program called Explosive that has key logging and other information-stealing capabilities. This is the group's main malware tool and is used to extract information from the compromised servers, including passwords typed by their administrators.

The same Trojan program is also used to infect other servers and systems running inside the networks of the targeted organizations. Its most recent version contains functionality for spreading over USB mass storage devices.

"Residues of custom-built port scanners and several other attack tools have been found on the victim servers, leading us to believe the attackers use the initially infected servers as a pivot to manually spread to the entire network," the Check Point researchers said in their report.

Three main versions of the Explosive Trojan that were used at different times over the past two years have been identified. Typically, a new, technically improved version was released after attackers found signs that a previous version had been detected by antivirus programs -- in most cases such detection events were accidental and due to aggressive antivirus software heuristics rather than manual analysis by researchers.

There is ample evidence that the Volatile Cedar attackers went to great lengths to keep their malware infections undiscovered. They constantly checked antivirus detection results and updated the Trojan on infected servers, the Check Point researchers said.

The malicious program monitors its own memory consumption to ensure that it doesn't exceed certain thresholds that could arouse suspicion, and it goes into periods of "radio silence" during which it doesn't initiate external communications. These periods are different for each victim and are predefined in its configuration file.

The Explosive Trojan also periodically checks with its command-and-control (C&C) servers for confirmation that it is safe to continue operating. All of its communications are obfuscated to appear as random network traffic and the C&C infrastructure is redundant. The program contacts both hard-coded and dynamic update servers and if those fail, it uses a domain generation algorithm (DGA) to find new servers.

While the Explosive Trojan is only installed on Windows servers, the attackers also compromised Linux-based servers and installed Web shells on them, said Check Point security researcher Shahar Tal. No zero-day exploits -- exploits for previously unknown vulnerabilities -- were found, but the use of such exploits cannot be excluded, he said.

The Check Point researchers found a large number of victims in Lebanon, but compromised organizations were also found in Israel, Turkey, the U.K., Japan, the U.S. and other countries.

There are hundreds of victims, but their exact number and accurate geographical distribution are not yet available, because that data is still being collected, Tal said. Check Point plans to release a follow-up report at a later date that will likely include more information about this aspect, he said.

As far as attribution goes, technical evidence -- C&C server hosting, domain whois records and other information -- suggests that the attackers are based in Lebanon. Their high level of sophistication and the nature of the targeted organizations point to possible sponsorship by a nation state or political group, but the high number of victims in Lebanon also indicates intrastate espionage. This could mean that the operation is not supported by the main authorities in that country, Tal said.

Establishing attribution for cyberattacks is always complicated and can't be done with complete accuracy, Tal said, adding that there's always the possibility that evidence pointing to Lebanon was intentionally forged by the attackers.

What's clear is that these attackers are not some kids playing around; they do this as their day-to-day job, Tal said. They're not at the same level of sophistication as the NSA, but they're persistent and have operational discipline. It's also not every day that researchers see completely custom malware like the Explosive Trojan, he said.

The Volatile Cedar attackers have already reacted after Check Point privately shared its report and indicators of compromise with other security vendors a few days ago, Tal said. They activated a self-destruct command that will remove the malware from any infected system that establishes a connection with their command-and-control server, he said.


Lucian Constantin

IDG News Service