A nation-state group originating from Lebanon is likely behind a global cyber espionage campaign targeting defense contractor firms, telecommunications and media companies, and educational institutions in the US, Canada, UK, Turkey, Lebanon, and Israel, among others.
A recent report by Israel-based software provider Check Point Software Technologies, LTD. revealed a carefully orchestrated advanced persistent threat (APT) campaign dubbed “Volatile Cedar” that has successfully penetrated a large number of sensitive targets worldwide using various attack techniques, and specifically a custom-made malware implant codenamed "Explosive."
“Volatile Cedar is a very interesting malware campaign. The campaign has been continually and successfully operational through this entire timeline, evading detection through a well-planned and carefully managed operation that constantly monitors its victims’ actions and rapidly responds to detection incidents,” said Dan Wiley, head of incident response and threat intelligence at Check Point.
Although malware attribution often proves difficult, Check Point indicated evidence suggests that Volatile Cedar bears the hallmarks of a state-sponsored espionage campaign and likely originates from Lebanon.
“Some of the confirmed targets can be associated with organizations related to the state of Israel, and some are Lebanon-based, potentially testifying to in-state espionage among rival political groups,” the report stated. “Other factors to consider are the low infection rate and the targeted nature of this campaign. These suggest that the attacker’s motives are not financial but aim to extract sensitive information from the targets.”
The report added, “The combination of these factors leads us to believe that the attack originated or is sponsored by groups affiliated with Lebanon and the specific targets are chosen based on nation-state/political-group interests.”
Dating back at least three years, Volatile Cedar is a highly targeted and well-managed campaign. While many of the technical aspects of the threat are not considered “cutting edge,” the campaign has successfully managed to avoid detection by a majority of AV products throughout its three-year timeline.
“This is one face of the future of targeted attacks: malware that quietly watches a network, stealing data, and can quickly change if detected by antivirus systems. It’s time for organizations to be more proactive about securing their networks,” Wiley said.
The main threat posed by Volatile Cedar is sensitive data theft and cyber espionage. Check Point researchers said the Explosive implant goes to great lengths not only to steal data from its victims, but also to hide its presence from victims and security software. It has built-in file deletion functionality as well as arbitrary code execution, making it possible for the attackers to inflict a lot of damage on an infected system.
The first evidence of any Explosive version was detected in November 2012, with five additional variants detected since then. The latest Explosive version was released in June 2014 and was still active at the time Check Point published the report.
The attacker group behind Volatile Cedar initially hacks into publicly facing web servers, rather than using the widely used spear-phishing method of entering networks. Once in control of a server, the attackers penetrate further into the targeted internal network via various means, including manual online hacking as well as an automated USB infection mechanism.
Check Point is encouraging organizations to protect themselves against an attack like Volatile Cedar through a smart security infrastructure that includes proper firewall segmentation, IPS, anti-bot, patching and application control configuration.
“It’s not NSA-grade malware, but it’s also not script kiddie level,” said Shahar Tal, vulnerability research manager at Check Point Software Technologies, as reported by ThreatPost. “They’re not replacing firmware, but they are implementing stealth features and eliminating what analytic tools would flag. What they lack in technical skill, they make up for in operational discipline.”