29 January 2021

Hezbollah-linked cyber unit breached over 200 companies around the world


Lebanese Cedar APT, which is believed to be a Hezbollah-linked group, has breached 250 companies worldwide, including in Israel, Egypt, Jordan, Saudi Arabia, the UAE, and the United States, the Israeli cybersecurity firm ClearSky revealed.

The group, also known as Volatile Cedar, has been active since 2012 and is motivated by political and ideological interests. However, the APT has been keeping a low profile since 2015, after Kaspersky and Check Point researchers exposed the threat actor’s cyber espionage activities.

In its report ClearSky has linked the Lebanese Cedar APT to breaches at telco companies, internet service providers, hosting providers, and managed hosting and applications companies. The cyber espionage campaign began in early 2020 and affected internet service providers in the US, the UK, Egypt, Israel, Lebanon, Jordan, the Palestinian Authority, Saudi Arabia, and the UAE.

“Based on a modified JSP file browser with a unique string that the adversary used to deploy ‘Explosive RAT’ into the victims’ network, we found some 250 servers that were apparently breached by Lebanese Cedar. This file was installed in vulnerable Atlassian (JIRA) and Oracle 10g servers,” the researchers wrote.

The researchers said they have found “Caterpillar WebShell” in the majority of the compromised networks, as well as traces of the “Explosive” RAT. Both Caterpillar WebShell and Explosive RAT are custom tools used by Lebanese Cedar.

“‘Caterpillar WebShell’ was found in most of the victims we investigated; in many of the systems we also found traces of ‘Explosive’ RAT. We identified the specific open-source JSP file browser that was modified for the hackers’ purposes. We found that Lebanese Cedar deployed the payload of Explosive RAT into the victims’ network. Lebanese Cedar is the only known threat actor that uses this code,” the report said.

The group also uses a variety of open-source tools in its attacks, such as GoBuster (a tool used to brute-force website URIs, DNS subdomains and virtual host names on target web servers), JSP file browser, ASPXspy, RottenPotato, and others.

Lebanese Cedar compromises networks via unpatched Atlassian Confluence, Atlassian Jira, and Oracle Fusion Middleware servers by exploiting a number of vulnerabilities, such as CVE-2019-3396 or CVE-2019-11581.

“The primary attack vector utilized by the Lebanese Cedar group is taking over a target organization’s vulnerable web server by exploiting a security flaw, followed by a WebShell installation. Once the WebShell is installed, the attacker establishes a connection over HTTP using compromised credentials and activates the WebShell modules via a visual GUI,” ClearSky explained.
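The attack chain ClearSky describes ends with a JSP WebShell sitting on a Jira, Confluence or Oracle host and being driven over HTTP. One way a defender can hunt for that stage is to compare the JSP endpoints actually being requested against the set the application is known to ship. The script below is an added example written for this page, not code from ClearSky or from the article; it assumes an Apache/Tomcat combined-format access log, a hypothetical baseline of legitimate JSP paths, and uses constructed log lines (documentation-range IPs, an invented `/images/browser.jsp` path) as sample input.

```python
# Added example (not from the ClearSky report or the article): flag requests
# to JSP endpoints that are outside an application's known baseline, with
# extra weight on POSTs, since a file-browser WebShell is operated by posting
# commands and uploads to a single unexpected .jsp file.
import re

# Assumption: the server writes Apache/Tomcat "combined" access logs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical baseline of JSP paths the deployed application legitimately
# serves. In practice, derive this from an inventory of the shipped WAR files.
BASELINE_JSP = {"/login.jsp"}

# Constructed sample log lines (not real traffic). The /images/browser.jsp
# entries stand in for an attacker-dropped file browser WebShell.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2020:10:01:02 +0000] "GET /login.jsp HTTP/1.1" 200 4321
203.0.113.7 - - [12/Feb/2020:10:01:09 +0000] "POST /login.jsp HTTP/1.1" 302 0
198.51.100.9 - - [12/Feb/2020:10:15:44 +0000] "GET /images/browser.jsp HTTP/1.1" 200 9876
198.51.100.9 - - [12/Feb/2020:10:15:51 +0000] "POST /images/browser.jsp?action=upload HTTP/1.1" 200 512
198.51.100.9 - - [12/Feb/2020:10:16:03 +0000] "POST /images/browser.jsp?cmd=list HTTP/1.1" 200 2048
203.0.113.8 - - [12/Feb/2020:10:20:00 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 15000
"""


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def find_suspect_endpoints(log_text, baseline=BASELINE_JSP):
    """Return {path: {"hits": n, "posts": n, "clients": set}} for every .jsp
    path that was requested but is not in the baseline."""
    suspects = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if not path.lower().endswith(".jsp") or path in baseline:
            continue
        entry = suspects.setdefault(path, {"hits": 0, "posts": 0, "clients": set()})
        entry["hits"] += 1
        if rec["method"] == "POST":
            entry["posts"] += 1
        entry["clients"].add(rec["ip"])
    return suspects


def severity(entry):
    """Crude triage: POSTs to an unknown JSP are the strongest WebShell signal."""
    if entry["posts"] > 0:
        return "high"
    return "medium"


if __name__ == "__main__":
    for path, entry in find_suspect_endpoints(SAMPLE_LOG).items():
        print(f"{severity(entry):6} {path}  hits={entry['hits']} "
              f"posts={entry['posts']} clients={sorted(entry['clients'])}")
```

Run against a real log, the baseline is the part that needs care: generate it from the files actually present in the deployed application rather than from past traffic, otherwise an already-planted WebShell becomes part of the allowlist.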

“Lebanese Cedar APT has been orchestrating sophisticated, well-designed attacks using custom-made attack tools since 2012, often with no disruptions by the global security community for long consecutive periods of time. The group’s ability to remain under the radar is not coincidental – it is the result of a clever selection of targets, tools, and attack vectors. Previous research of this APT attributed the group to a Lebanese threat actor (in some reports about the group, they were attributed particularly to the Hezbollah Cyber Unit). The targets of Lebanese Cedar are from multiple sectors and spread globally,” the security firm concluded.
