Cyberterrorism is on the rise, and the way terror groups are using cyber-attacks has evolved to become more sophisticated.
Terrorist organizations are upping the ante on the cyber front to steal critical information and disrupt networks and systems that could compromise national security and public safety.
A recent incident whereby a Middle East-based terror group breached the telecommunication systems and ISPs of multiple countries underscores the importance of robust cyber defenses against such forces.
Security firm Clearsky revealed on Jan. 28, 2021, that the infamous Lebanese Cedar, a Hezbollah-affiliated threat actor, hacked into telcos and ISPs in multiple countries.
Clearsky said the terror group encroached on the operations of several telcos and internet service providers in the US, UK, and multiple Middle Eastern countries, including the UAE, Saudi Arabia, Israel, and Egypt.
While the Lebanese Cedar has been active since 2012, their year-long reign of terror began with a hacking campaign in early 2020, which was later discovered by the Israeli cyber-security firm Clearsky.
In a recently published report, Clearsky claimed to have identified around 250 web servers hacked into by Lebanese Cedar.
The cybersecurity firm said the attackers attempted to gather information and steal sensitive data from the database of various companies.
It is also believed that criminals accessed the databases of several telecommunication companies. If that is to be believed, it means the terrorists got access to the call records and personal information of the affected telcos’ customers.
Cause of Intrusion: Vulnerable and Outdated Atlassian and Oracle Servers
According to Clearsky investigators, the attacks were carried out in a straightforward manner. Using open-source hacking tools, Lebanese Cedar operatives scanned the web for unpatched Atlassian and Oracle servers. After identifying vulnerable servers, they exploited them to gain entry and then installed web shells such as ASPXSpy, Caterpillar 2, and Mamad Warning.
These web shells allowed them to move into the companies’ internal networks, from where they extracted confidential material. The web shells also ensured that they retained access to the companies’ servers in the future.
The Lebanese Cedar specifically targeted known server vulnerabilities, such as CVE-2019-3396 in Atlassian Confluence, CVE-2019-11581 in Atlassian Jira, and CVE-2012-3152 in Oracle Fusion, to launch the attacks.
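Web shells of the kind described above leave a recognisable trace in web server access logs: a script file that nobody ever browses to, that receives only POST requests with no referer, from a handful of client addresses. The following is an added example (not code from Clearsky’s report or from any of the tools named above) that applies that heuristic to Apache combined-format log lines; the log lines, host names and the shell path `/confluence/images/icons/s.jsp` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format lines; addresses and paths are made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Mar/2020:10:01:12 +0000] "GET /confluence/login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Mar/2020:10:01:20 +0000] "POST /confluence/dologin.action HTTP/1.1" 302 0 "https://wiki.example.test/confluence/login.action" "Mozilla/5.0"
198.51.100.77 - - [02/Mar/2020:10:02:03 +0000] "GET /confluence/pages/viewpage.action?pageId=42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Mar/2020:11:40:41 +0000] "POST /confluence/images/icons/s.jsp HTTP/1.1" 200 311 "-" "python-requests/2.22.0"
192.0.2.9 - - [02/Mar/2020:11:40:58 +0000] "POST /confluence/images/icons/s.jsp HTTP/1.1" 200 2048 "-" "python-requests/2.22.0"
192.0.2.9 - - [02/Mar/2020:11:41:10 +0000] "POST /confluence/images/icons/s.jsp HTTP/1.1" 200 77 "-" "python-requests/2.22.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Server-side script extensions that a dropped web shell would typically use.
SCRIPT_EXT = (".jsp", ".jspx", ".aspx", ".ashx", ".php")


def parse_log(text):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def suspicious_script_paths(text, min_posts=2, max_clients=2):
    """Return {path: stats} for script paths that look like web shells: successful POSTs only,
    never fetched with GET, never carrying a referer, and used by very few client addresses."""
    stats = defaultdict(lambda: {"clients": set(), "posts": 0, "gets": 0, "referers": 0})
    for rec in parse_log(text):
        path = rec["path"].split("?", 1)[0]          # drop the query string
        if not path.lower().endswith(SCRIPT_EXT):
            continue
        s = stats[path]
        s["clients"].add(rec["ip"])
        if rec["method"] == "POST" and rec["status"].startswith("2"):
            s["posts"] += 1
        elif rec["method"] == "GET":
            s["gets"] += 1
        if rec["referer"] not in ("", "-"):
            s["referers"] += 1
    return {p: s for p, s in stats.items()
            if s["posts"] >= min_posts and s["gets"] == 0
            and s["referers"] == 0 and len(s["clients"]) <= max_clients}
```

Legitimate API endpoints that only ever receive POSTs will also surface, so tune `min_posts` and `max_clients` against your own baseline and allow-list known paths before acting on a hit.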
A dangerous tool known as the Explosive Remote Access Trojan (RAT) was used for attacks inside the compromised networks. This is a custom-built malware tool that extracts data from a network and allows the attacker to control an infected computer much as a remote administrator would.
Because the Explosive RAT is distinctive and used exclusively by the Lebanese Cedar group, Clearsky attributed the attacks to the group.
Fortunately, the attackers slipped up in their work, making some crucial errors, such as reusing files from previous intrusions. For this reason, Clearsky was able to pinpoint the exact locations of the attacks around the world and link them to the terrorist group.
The report revealed the names of some of the most high-profile victims of the Lebanese Cedar group attack, including:
- Vodafone Egypt
- Mobily in Saudi Arabia
- Iomart Cloud Services Limited in the UK
- Frontier Communications in the US
According to Clearsky, the entire operation was vital in allowing them to identify the footprints of the Lebanese Cedar group members and classify the victims by sector and country. Among the 254 infected servers worldwide, 135 contained files similar to those Clearsky observed in a victim’s network during their investigation.
Clearsky’s report provides detailed insights into the signs of a potential security breach in each company, as well as a much more detailed analysis of the APT and their attacks.