Lebanese cyberespionage campaign hits defense, telecom, media firms worldwide

A cyberespionage group compromised hundreds of organizations by getting in through Web servers, researchers from Check Point said

For the past two years, a cyberespionage group that likely operates from Lebanon has hacked into hundreds of defense contractors, telecommunications operators, media groups and educational organizations from at least 10 countries.

The still-active attack campaign was uncovered and analyzed recently by security researchers from Check Point Software Technologies, who dubbed it Volatile Cedar. The company's researchers found evidence that the attackers started their operation in late 2012, but have managed to fly under the radar until now by carefully adapting their tools to avoid being detected by antivirus programs.

Unlike most cyberespionage groups, the Volatile Cedar attackers do not use spear phishing or drive-by downloads to gain a foothold into their victims' networks. Instead they target Web servers and use them as initial entry points.

The attackers use automated vulnerability scanners, as well as manual techniques to find and exploit flaws in websites and Web applications. Those compromises are then used to install backdoor scripts known as Web shells on the affected Web servers, according to a detailed report released Tuesday by Check Point.

If the compromised servers run Microsoft's IIS Web server software, the attackers use their access to install a custom-made Windows Trojan program called Explosive that has key logging and other information-stealing capabilities. This is the group's main malware tool and is used to extract information from the compromised servers, including passwords typed by their administrators.

The same Trojan program is also used to infect other servers and systems running inside the networks of the targeted organizations. Its most recent version contains functionality for spreading over USB mass storage devices.

"Residues of custom-built port scanners and several other attack tools have been found on the victim servers, leading us to believe the attackers use the initially infected servers as a pivot to manually spread to the entire network," the Check Point researchers said in their report.

Three main versions of the Explosive Trojan that were used at different times over the past two years have been identified. Typically, a new, technically improved version was released after attackers found signs that a previous version had been detected by antivirus programs -- in most cases such detection events were accidental and due to aggressive antivirus software heuristics rather than manual analysis by researchers.

There is ample evidence that the Volatile Cedar attackers went to great lengths to keep their malware infections undiscovered. They constantly checked antivirus detection results and updated the Trojan on infected servers, the Check Point researchers said.

The malicious program monitors its own memory consumption to ensure that it doesn't exceed certain thresholds that could arouse suspicion, and it goes into periods of "radio silence" during which it doesn't initiate external communications. These periods are different for each victim and are predefined in its configuration file.

The Explosive Trojan also periodically checks with its command-and-control (C&C) servers for confirmation that it is safe to continue operating. All of its communications are obfuscated to appear as random network traffic and the C&C infrastructure is redundant. The program contacts both hard-coded and dynamic update servers and if those fail, it uses a domain generation algorithm (DGA) to find new servers.
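Added here as an illustration, not code from Check Point's report or the Explosive sample: a small Python detector run over a constructed log that flags the failover pattern described above, failed connections to known C&C addresses followed by a burst of NXDOMAIN lookups for random-looking names, as a DGA fallback would produce. The hosts, addresses and domains are constructed placeholders.

```python
import math
from collections import defaultdict

# Constructed sample telemetry (not from the Check Point report): one event per
# line as "<ts> <host> <kind> <target> <result>", where kind is CONNECT for a TCP
# attempt and DNS for a name lookup with its response code.
SAMPLE_LOG = """\
1001 srv-iis-01 CONNECT 203.0.113.10:443 FAIL
1002 srv-iis-01 CONNECT 203.0.113.11:443 FAIL
1003 srv-iis-01 DNS update-cdn.example.net NXDOMAIN
1004 srv-iis-01 DNS k3xq9vz2mtp7.example.org NXDOMAIN
1005 srv-iis-01 DNS hb4wq8zn1ydc.example.org NXDOMAIN
1006 srv-iis-01 DNS r0pm6ejs5ta9.example.org NXDOMAIN
1007 srv-iis-02 CONNECT 203.0.113.10:443 FAIL
1008 srv-iis-02 DNS www.example.com NOERROR
1009 srv-iis-02 DNS mail.example.com NOERROR
"""

# Constructed placeholder addresses standing in for the hard-coded C&C servers.
KNOWN_C2 = {"203.0.113.10", "203.0.113.11"}


def label_entropy(domain):
    """Shannon entropy (bits per character) of the leftmost DNS label."""
    label = domain.split(".")[0]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_dga_fallback(log_text, known_c2, min_failed=2, min_nx=3, min_entropy=3.5):
    """Return {host: [domains]} for hosts whose failed connections to known C&C
    addresses are followed by at least min_nx NXDOMAIN lookups of high-entropy
    names; ordinary hostnames such as www or update-cdn fall below the threshold."""
    failed = defaultdict(int)       # failed C&C connection attempts per host
    suspicious = defaultdict(list)  # candidate DGA names per host
    for line in log_text.splitlines():
        _ts, host, kind, target, result = line.split()
        if kind == "CONNECT" and result == "FAIL" and target.rsplit(":", 1)[0] in known_c2:
            failed[host] += 1
        elif (kind == "DNS" and result == "NXDOMAIN"
              and failed[host] >= min_failed and label_entropy(target) >= min_entropy):
            suspicious[host].append(target)
    return {h: d for h, d in suspicious.items() if len(d) >= min_nx}
```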

While the Explosive Trojan is only installed on Windows servers, the attackers also compromised Linux-based servers and installed Web shells on them, said Check Point security researcher Shahar Tal. No zero-day exploits -- exploits for previously unknown vulnerabilities -- were found, but the use of such exploits cannot be excluded, he said.

The Check Point researchers found a large number of victims in Lebanon, but compromised organizations were also found in Israel, Turkey, the U.K., Japan, the U.S. and other countries.

There are hundreds of victims, but their exact number and accurate geographical distribution are not yet available, because that data is still being collected, Tal said. Check Point plans to release a follow-up report at a later date that will likely include more information about this aspect, he said.

As far as attribution goes, technical evidence -- C&C server hosting, domain whois records and other information -- suggests that the attackers are based in Lebanon. Their high level of sophistication and the nature of the targeted organizations point to possible sponsorship by a nation state or political group, but the high number of victims in Lebanon also indicates intrastate espionage. This could mean that the operation is not supported by the main authorities in that country, Tal said.

Establishing attribution for cyberattacks is always complicated and can't be done with complete accuracy, Tal said, adding that there's always the possibility that evidence pointing to Lebanon was intentionally forged by the attackers.

What's clear is that these attackers are not some kids playing around; they do this as their day-to-day job, Tal said. They're not at the same level of sophistication as the NSA, but they're persistent and have operational discipline. It's also not every day that researchers see completely custom malware like the Explosive Trojan, he said.

The Volatile Cedar attackers have already reacted after Check Point privately shared its report and indicators of compromise with other security vendors a few days ago, Tal said. They activated a self-destruct command that will remove the malware from any infected system that establishes a connection with their command-and-control server, he said.


Lucian Constantin

IDG News Service