For the past two years, a cyberespionage group that likely operates from Lebanon has hacked into hundreds of defense contractors, telecommunications operators, media groups and educational organizations from at least 10 countries.
The still-active attack campaign was uncovered and analyzed recently by security researchers from Check Point Software Technologies, who dubbed it Volatile Cedar. The company’s researchers found evidence that the attackers started their operation in late 2012, but have managed to fly under the radar until now by carefully adapting their tools to avoid being detected by antivirus programs.
Unlike most cyberespionage groups, the Volatile Cedar attackers do not use spear phishing or drive-by downloads to gain a foothold into their victims’ networks. Instead they target Web servers and use them as initial entry points.
The attackers use automated vulnerability scanners, as well as manual techniques to find and exploit flaws in websites and Web applications. Those compromises are then used to install backdoor scripts known as Web shells on the affected Web servers, according to a detailed report released Tuesday by Check Point.
If the compromised servers run Microsoft’s IIS Web server software, the attackers use their access to install a custom-made Windows Trojan program called Explosive that has key logging and other information-stealing capabilities. This is the group’s main malware tool and is used to extract information from the compromised servers, including passwords typed by their administrators.
The same Trojan program is also used to infect other servers and systems running inside the networks of the targeted organizations. Its most recent version contains functionality for spreading over USB mass storage devices.
“Residues of custom-built port scanners and several other attack tools have been found on the victim servers, leading us to believe the attackers use the initially infected servers as a pivot to manually spread to the entire network,” the Check Point researchers said in their report.
Three main versions of the Explosive Trojan that were used at different times over the past two years have been identified. Typically, a new, technically improved version was released after attackers found signs that a previous version had been detected by antivirus programs—in most cases such detection events were accidental and due to aggressive antivirus software heuristics rather than manual analysis by researchers.
There is ample evidence that the Volatile Cedar attackers went to great lengths to keep their malware infections undiscovered. They constantly checked antivirus detection results and updated the Trojan on infected servers, the Check Point researchers said.
The malicious program monitors its own memory consumption to ensure that it doesn’t exceed certain thresholds that could arouse suspicion and it goes into periods of “radio silence” during which it doesn’t initiate external communications. These periods are different for each victim and are predefined in its configuration file.
The Explosive Trojan also periodically checks with its command-and-control (C&C) servers for confirmation that it is safe to continue operating. All of its communications are obfuscated to appear as random network traffic and the C&C infrastructure is redundant. The program contacts both hard-coded and dynamic update servers and if those fail, it uses a domain generation algorithm (DGA) to find new servers.
While the Explosive Trojan is only installed on Windows servers, the attackers also compromised Linux-based servers and installed Web shells on them, said Check Point security researcher Shahar Tal. No zero-day exploits—exploits for previously unknown vulnerabilities—were found, but the use of such exploits cannot be excluded, he said.
The Check Point researchers found a large number of victims in Lebanon, but compromised organizations were also found in Israel, Turkey, the U.K., Japan, the U.S. and other countries.
There are hundreds of victims, but their exact number and accurate geographical distribution is not yet available, because that data is still being collected, Tal said. Check Point plans to release a follow-up report at a later date that will likely include more information about this aspect, he said.
As far as attribution goes, technical evidence—C&C server hosting, domain whois records and other information—suggests that the attackers are based in Lebanon. Their high level of sophistication and the nature of the targeted organizations points to possible sponsorship by a nation state or political group, but the high number of victims in Lebanon also indicates intrastate espionage. This could mean that the operation is not supported by the main authorities in that country, Tal said.
Establishing attribution for cyberattacks is always complicated and can’t be done with complete accuracy, Tal said, adding that there’s always the possibility that evidence pointing to Lebanon was intentionally forged by the attackers.
What’s clear is that these attackers are not some kids playing around; they do this as as their day-to-day job, Tal said. They’re not at the same level of sophistication as the NSA, but they’re persistent and have operational discipline. It’s also not every day that researchers see completely custom malware like the Explosive Trojan, he said.
The Volatile Cedar attackers have already reacted after Check Point privately shared its report and indicators of compromise with other security vendors a few days ago, Tal said. They activated a self-destruct command that will remove the malware from any infected system that establishes a connection with their command-and-control server, he said.