Lebanon Believed Behind Newly Uncovered Cyber Espionage Operation

Published: 22/11/2024 | Category: security



Middle East, US, and other targets hit in nearly three-year-old Volatile Cedar cyber attack campaign.



Add Lebanon to the list of nations seen actively conducting cyber espionage.
Researchers from Check Point Software Technologies today revealed a cyber spying attack campaign that's been underway since 2012, mainly against Israeli and other Middle Eastern targets in Lebanon and Turkey, but also in the US, Canada, Japan, Peru, the UK, and other countries. The attack campaign, which Check Point researchers believe is the handiwork of a nation-state group out of Lebanon, has infected hundreds of victims in the defense, telecommunications, media, and education sectors.
Shahar Tal, head of malware & vulnerability research at Check Point, says several clues point to Lebanon's involvement, including trends in its targets as well as command and control infrastructure with ties to Lebanon. Check Point has dubbed the campaign Volatile Cedar.
"We also saw an OPSEC fail: one of the registered domains, for a brief time before it went operational, pointed at a real identity," Tal says. "That led us to a social media account ... and very clearly it was [associated with] Lebanese political activism."
Command and control servers used for its malware also were seen being hosted at a major hosting company in Lebanon, and several of the servers were registered with a Lebanese address, according to Check Point.
Like most cyber spying operations, Volatile Cedar is all about stealing sensitive information for political or intelligence gain. The attackers use custom-written malware code-named Explosive, a data-stealing Trojan that can steal files, log keystrokes, capture screenshots, and run commands.
This is not the first time Lebanon has been tied to cyber spying: FireEye early last month revealed that it had uncovered attacks by pro-Assad hackers against Syrian opposition figures and their plans, attacks that scored the attackers a treasure trove of sensitive information and details on opposition forces. The researchers cited a definite Lebanese connection in the attacks, and a user in Lebanon was spotted uploading test versions of the malware launcher used in the attacks. In addition, the catfishing technique the attackers used on social media to lure their targets included references to Lebanon by the phony female avatars who duped the victims.
Tal says Volatile Cedar is unrelated to the operation exposed by FireEye, and is yet another example of how most major governments now employ cyber spying operations. "It's not surprising that most governments or political groups are working on developing their capabilities in the cyber realm," he says.
The Lebanese cyber espionage team does not, however, deploy the standard spearphish as its initial attack vector like many other nation-state attackers do. The attackers instead hack into the public websites of their victims--in many cases, manually--and then pivot from there. "Then they hack their way through the internal network," Tal says. They also use an auto-USB mechanism: when a USB device is inserted, every executable on it gets the Explosive attachment, in hopes of moving laterally.
The attackers first scan for vulnerabilities in the target's Web server. Once they detect a flaw, they exploit it to inject web shell code to wrest control of the server and install the Explosive malware. The Trojan dates back to November 2012, with its newest variant released in June of last year and still in use.
The Explosive malware isn't exactly NSA-quality, Tal says, but it has been effective in staying mostly under the radar for three years. "They're not replacing hard drive firmware, but they're definitely not script-kiddie level. They have stealth and monitoring capabilities," he says.
For instance, Volatile Cedar monitors whether its malware has been spotted by antivirus software and, if so, comes up with a new variant. The attackers also regularly check whether their command and control infrastructure is under surveillance and, if so, go temporarily silent.
"We're seeing persistence and a lot of discipline with them. They do proactive monitoring of their infrastructure," he says. "Plus they have a kill switch option that they use when they detect that they've been detected."
"We were very passive in trying not to alert them to our investigation. But we've seen them respond very quickly to our actions, turning on the kill switch on every piece of Explosive malware trying to talk home to the C&C--sending self-destruct commands," he says.
Tal notes that there may well be more to the attacks beyond what Check Point can watch via its sinkhole. "I wouldn't be surprised if there's something we haven't seen yet. We still have, for example, unexplained cases of how they got into a server."
