Mystery 'Explosive' cyber-spy campaign traced back to Lebanon

A nation-state cyber-attack campaign running since 2012 has been traced back to a somewhat unlikely launchpad in Lebanon.

Security researchers at Check Point reckon hackers behind the so-called Volatile Cedar campaign have hit defence contractors, telecommunications and media companies, and educational institutions in multiple countries.

Check Point has confirmed live infections in around 10 different countries, including the USA, Canada, UK, Turkey, Lebanon and Israel. There's no obvious cyber-crime motive in all this malfeasance.

Hackers appear to be acting in furtherance of the goals of a government/political group interested in lifting sensitive data for the purposes of cyber-espionage.

The hackers' main tool is a custom malware implant codenamed ‘Explosive’ (named by the attackers). Once installed, the tool continuously runs a key-logger and a clipboard logger, which transmit the results to command-and-control servers. The implant has built-in file deletion functionality as well as arbitrary code execution capabilities, making it possible for the attackers to cripple or wipe infected systems.

The hackers initially target publicly facing web servers, with both automatic and manual vulnerability discovery. Once an attacker gains control over a server, they use them as a pivot point to explore, identify, and attack additional targets located deeper inside the internal network. Check Point researchers have obtained evidence of online manual hacking, as well as an automated USB infection mechanism by the Volatile Cedar cyber-spies.

Evidence obtained by the Israeli security firm suggests the attacker group is based in Lebanon. Check Point first detected the Explosive malware on a web server in a customer network. The Explosive hacker tool was first detected in November 2012. Multiple versions have been created in the more than two years since its discovery, in what's become a game of Whack-a-Mole between the black hats and security firms like Check Point.

“The [Volatile Cedar] campaign has been continually and successfully operational through this entire timeline, evading detection through a well-planned and carefully managed operation that constantly monitors its victims’ actions and rapidly responds to detection incidents,” said Dan Wiley, head of incident response & threat intelligence at Check Point Software Technologies.

“This is one face of the future of targeted attacks: malware that quietly watches a network, stealing data, and can quickly change if detected by anti-virus systems," he added. A blog post by Check Point about Volatile Cedar can be found here. ®