Lebanese Hackers Behind Volatile Cedar Spy Campaign

A “persistent” attacker group that may have links to a political party in Lebanon is behind a global cyber espionage campaign.

That is the warning from the malware and vulnerability research group located at security specialist Check Point Software Technologies.

Explosive Malware

The attack campaign is called Volatile Cedar, and according to Check Point it makes use of a custom-made malware implant codenamed Explosive.

The campaign has been ongoing since 2012, and has apparently successfully penetrated a large number of targets across the globe, including defence contractors, telecommunications and media companies, as well as educational institutions.

The Lebanese hackers are said to be able to monitor the victim’s actions and steal their data.

“The nature of the attacks and associated repercussions suggest that the attacker’s motives are not financial but aim to extract sensitive information from the targets,” warned Check Point.

The researcher also warned that the Volatile Cedar campaign is a “highly targeted and well-managed campaign.”

Targets are apparently carefully chosen, and the operation is designed to confine the infection to “the bare minimum required to achieve the attacker’s goal while minimising the risk of exposure.”

The hackers initially target public-facing web servers, using both automatic and manual vulnerability discovery. Once an attacker gains control over a server, they use it to explore, identify, and attack additional targets located deeper inside the internal network.

“We have seen evidence of online manual hacking as well as an automated USB infection mechanism,” said Check Point.

“Volatile Cedar is a very interesting malware campaign,” said Dan Wiley, Head of Incident Response & Threat Intelligence at Check Point Software Technologies. “The campaign has been continually and successfully operational through this entire timeline, evading detection through a well-planned and carefully managed operation that constantly monitors its victims’ actions and rapidly responds to detection incidents.”

“This is one face of the future of targeted attacks: malware that quietly watches a network, stealing data, and can quickly change if detected by antivirus systems,” said Wiley. “It’s time for organisations to be more proactive about securing their networks.”

Check Point has published a full report on the Volatile Cedar campaign.

Middle East Hackers

Last year, the Russian security vendor Kaspersky Lab warned that the number of cyber attacks against Internet users in Syria was growing, with organised groups relying on increasingly sophisticated strains of malware to target media agencies, activists and dissidents.

One of the most active hacker groups in the Middle East is perhaps the Syrian Electronic Army, a pro-President Bashar al-Assad hacking crew that has claimed a number of big-name targets in recent years.

Previous targets include the Guardian newspaper and the Financial Times, and more recently the Independent, the Daily Telegraph, OK magazine, the London Evening Standard, as well as the New York Daily News.


Tom Jowitt
