Attacks/Breaches

3/31/2015
08:59 AM
Lebanon Believed Behind Newly Uncovered Cyber Espionage Operation

Middle East, US, and other targets hit in nearly three-year-old 'Volatile Cedar' cyber attack campaign.

Add Lebanon to the list of nations seen actively conducting cyber espionage.

Researchers from Check Point Software Technologies today revealed a cyber spying attack campaign that's been underway since 2012, mainly against Israeli and other Middle Eastern targets in Lebanon and Turkey, but also in the US, Canada, Japan, Peru, the UK, and other countries. The attack campaign, which Check Point researchers believe is the handiwork of a nation-state group out of Lebanon, has infected hundreds of victims in the defense, telecommunications, media, and education sectors.

Shahar Tal, head of malware & vulnerability research at Check Point, says several clues point to Lebanon's involvement, including trends in its targets as well as its command and control infrastructure with ties to Lebanon. Check Point has dubbed the campaign "Volatile Cedar."

"We also saw an OPSEC fail: one of the registered domains for a brief time before it went operational, pointed at a real identity," Tal says. "That led us to a social media account ... and very clearly it was [associated with] Lebanese political activism."

The campaign's command and control servers were also seen hosted at a major hosting company in Lebanon, and several of them were registered to a Lebanese address, according to Check Point.

Like most cyber spying operations, Volatile Cedar is all about stealing sensitive information for political or intelligence gain. The attackers use custom-written malware code-named Explosive, a data-stealing Trojan that can steal files, log keystrokes and screenshots, as well as run commands.

This is not the first time Lebanon has been tied to cyber spying: early last month, FireEye revealed that it had uncovered attacks by pro-Assad government hackers against the Syrian opposition's plans and key players, attacks that netted a treasure trove of sensitive information and details on opposition forces. The researchers cited a definite Lebanese connection in the attacks: a user in Lebanon was spotted uploading test versions of the malware launcher used in the attacks, and the catfishing technique the attackers used on social media to lure their targets included references to Lebanon by the phony female avatars who duped the victims.

Tal says Volatile Cedar is unrelated to the operation exposed by FireEye, and is yet another example of how most major governments now employ cyber spying operations. "It's not surprising that most governments or political groups are working on developing their capabilities in the cyber realm," he says.

The Lebanese cyber espionage team does not, however, deploy the standard spearphish as its initial attack vector like many other nation-state attacks do. The attackers instead hack into the public websites of their victims--in many cases, manually--and then pivot from there. "Then they hack their way through the internal network," Tal says. "They also use an auto-USB mechanism, where a USB device is inserted and every executable on it is getting the Explosive attachment in hopes of moving laterally."

The attackers first scan for vulnerabilities in the target's Web server. Once they detect a flaw, they exploit it to inject web shell code to wrest control of the server and install the Explosive malware. The Trojan dates back to November 2012, with its newest variant released in June of last year and still in use.

The Explosive malware isn't exactly NSA-quality, Tal says, but it has been effective in staying mostly under the radar for three years. "They're not replacing hard drive firmware, but they're definitely not script-kiddie level. They have stealth and monitoring" capabilities, he says.

For instance, Volatile Cedar monitors whether its malware has been spotted by antivirus software, and if so, comes up with a new variant. The attackers also regularly check to see if the command and control infrastructure is under surveillance, and if so, go temporarily silent.

"We're seeing persistence and a lot of discipline with them. They do proactive monitoring of their infrastructure," he says. Plus they have a "kill switch" option that they use when they detect that they've been detected, he says.

"We were very passive in trying not to alert them of our investigation. But we've seen them respond very quickly to our actions, turning on the kill switch on every piece of Explosive malware trying to talk home to the C&C--sending self-destruct commands," he says.

Tal notes that there may well be more to the attacks beyond what Check Point can watch via its sinkhole. "I wouldn't be surprised if there's something we haven't seen yet. We still have, for example, unexplained cases of how they got into a server."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Marilyn Cohodas, User Rank: Strategist, 3/31/2015 | 4:57:10 PM
Re: Build to just beyond the sophistication of your target
Given what's going on in the Middle East, I suspect we will be seeing a lot more of this going forward...
Kelly Jackson Higgins, User Rank: Strategist, 3/31/2015 | 2:14:41 PM
Re: Build to just beyond the sophistication of your target
Thanks for sharing your thoughts, Christopher. I am sure this only scratches the surface of all of the other as-yet unpublicized or undiscovered nation-state activity out there. It's always interesting to see a new attack group emerge, and to learn about their techniques and approach. 
BurgessCT, User Rank: Apprentice, 3/31/2015 | 2:07:40 PM
Build to just beyond the sophistication of your target
Great piece, Kelly. Reading the analysis and target selection provided by Check Point, it harkened back to an observation seen in the past, which is that the entity doing the "attacking" only needs to be better than their target, not necessarily better than the best. It appears that the creators are continuing to evolve in step with their targets.

All the best,

Christopher
RyanSepe, User Rank: Ninja, 3/31/2015 | 12:47:32 PM
Re: Polymorphic?
@Kelly Jackson Higgins. Ah ok, thank you for clearing that up...I feel that their time would be better spent trying to code variants into the malware. Otherwise, malware from the same source location may raise a red flag and the organization may be more vigilant in restrictions for those attack specifics.
Kelly Jackson Higgins, User Rank: Strategist, 3/31/2015 | 12:00:37 PM
Re: Polymorphic?
Good question, @Ryan. It's not self-modifying: The attackers customize Explosive as needed to avoid detection, and for specific targets. 
RyanSepe, User Rank: Ninja, 3/31/2015 | 10:43:27 AM
Polymorphic?
Does that make Volatile Cedar polymorphic? By this I mean will it change to a different variant based on previous coding or does the team invoking the malware need to make changes on the back-end?