A cyber unit believed to be associated with the Shiite militant group Hezbollah has been conducting stealthy espionage missions all over the globe, hacking into internet service providers and telecoms to gather data.
The threat group researchers call “Lebanese Cedar” is believed to have formed sometime around 2012, and is primarily motivated by “political and ideological” rather than financial incentives, says a new report from security firm ClearSky. “Cedar” uses its intrusion campaigns to quietly climb into government and corporate systems and gather intelligence, the report states.
The group was first discovered by security firms Kaspersky Labs and Checkpoint back in 2015 (it was called “Volatile Cedar” at that time), at which point researchers said it had the fingerprints of the Lebanese government. ClearSky agrees with this assessment.
“We endorse Check Point’s strong case attributing Lebanese Cedar APT to the Lebanese government or a political group in Lebanon. Moreover, there are several indications that link Lebanese Cedar APT to the Hezbollah Cyber Unit,” researchers write.
Hezbollah, which the U.S. government has designated a terrorist organization, has been known for its use of cyberattacks in its conflicts with Israel, as well as for its prolific use of information operations and social media manipulation.
“Cedar” has apparently kept a low profile since its initial sighting half a decade ago. Through its quiet maneuvering, the group has managed to compromise approximately 250 servers in countries all over the world, including the U.S., Israel, the UK, and a number of countries in the Middle East like Egypt, Jordan, and the Palestinian Authority.
In the U.S., “Cedar” has managed to get inside the networks of entities such as Frontier Communications—a telecom company based in Connecticut—as well as the Oklahoma Office of Management and Enterprise Service, the state’s primary IT agency, the report says.
Researchers emphasize the group’s ability to carry out missions without bringing much attention to itself or its activities:
Lebanese Cedar APT has been orchestrating sophisticated, well-designed attacks using custom-made attack tools since 2012, often with no disruptions by the global security community for long consecutive periods of time. The group’s ability to remain under the radar is not coincidental – it is the result of a clever selection of targets, tools, and attack vectors.
“We assess that there are many more companies that have been hacked and that valuable information was stolen from these companies over periods of months and years,” the report concludes.