Add Lebanon to the list of nations seen actively conducting cyber espionage.
Researchers from Check Point Software Technologies today revealed a cyber spying attack campaign that's been underway since 2012, mainly against Israeli and other Middle Eastern targets in Lebanon and Turkey, but also in the US, Canada, Japan, Peru, and the UK and other countries. The attack campaign, which Check Point researchers believe is the handiwork of a nation-state group out of Lebanon, has infected hundreds of victims in the defense, telecommunications, media, and education sectors.
Shahar Tal, head of malware & vulnerability research at Check Point, says several clues point to Lebanon's involvement, including trends in its targets as well as its command and control infrastructure with ties to Lebanon. Check Point has dubbed the campaign "Volatile Cedar."
"We also saw an OPSEC fail: one of the registered domains for a brief time before it went operational, pointed at a real identity," Tal says. "That led us to a social media account ... and very clearly it was [associated with] Lebanese political activism."
Command and control servers used for its malware also were seen being hosted at a major hosting company in Lebanon, and several of the servers were registered with a Lebanese address, according to Check Point.
Like most cyber spying operations, Volatile Cedar is all about stealing sensitive information for political or intelligence gain. The attackers use custom-written malware code-named Explosive, a data-stealing Trojan that can steal files, log keystrokes and screenshots, as well as run commands.
This is not the first time Lebanon has been tied to cyber spying: FireEye early last month revealed that it had uncovered attacks by pro-Assad government hackers against Syrian government opposition plans and players that scored the attackers a treasure trove of sensitive information and details on opposition forces. The researchers cited a definite Lebanese connection in the attacks, and a user in Lebanon was spotted uploading test versions of the malware launcher used in the attacks. In addition, the catfishing technique used by the attackers on social media to lure their targets included references to Lebanon by the phony female avatars who duped the victims.
Tal says Volatile Cedar is unrelated to the operation exposed by FireEye, and is yet another example of how most major governments now employ cyber spying operations. "It's not surprising that most governments or political groups are working on developing their capabilities in the cyber realm," he says.
The Lebanese cyber espionage team does not, however, deploy the standard spearphish as its initial attack vector like many other nation-state attacks do. The attackers instead hack into the public websites of their victims--in many cases, manually--and then pivot from there. "Then they hack their way through the internal network," Tal says. "They also use an auto-USB mechanism, where a USB device is inserted and every executable on it is getting the Explosive attachment in hopes of moving laterally."
The attackers first scan for vulnerabilities in the target's Web server. Once they detect a flaw, they exploit it to inject web shell code to wrest control of the server and install the Explosive malware. The Trojan dates back to November 2012, with its newest variant released in June of last year and still in use.
The Explosive malware isn't exactly NSA-quality, Tal says, but it has been effective in staying mostly under the radar for three years. "They're not replacing hard drive firmware, but they're definitely not script-kiddie level. They have stealth and monitoring" capabilities, he says.
For instance, Volatile Cedar monitors whether its malware has been spotted by antivirus software, and if so, comes up with a new variant. The attackers also regularly check to see if the command and control infrastructure is under surveillance, and if so, goes temporarily silent.
"We're seeing persistence and a lot of discipline with them. They do proactive monitoring of their infrastructure," he says. Plus they have a "kill switch" option that they use when they detect that they've been detected, he says.
"We were very passive in trying not to alert them of our investigation. But we've seen them respond very quickly to our actions, turning on the kill switch on every piece of Explosive malware trying to talk home to the C&C--sending self-destruct commands," he says.
Tal notes that there may well be more to the attacks beyond what Check Point can watch via its sinkhole. "I wouldn't be surprised if there's something we haven't seen yet. We still have, for example, unexplained cases of how they got into a server."