National Security National Security
Image Credit: YouTube/Screenshot/Channel 4 News

Hezbollah is Evolving at an Alarming Pace

Since early 2020, an advanced persistent threat (APT) group dubbed “Lebanese Cedar” (aka Volatile Cedar) compromised approximately 250 public-facing Oracle and Atlassian servers which facilitate widespread espionage, according to a recent report.  Per the report, the majority of the companies impacted were from the telecommunications sector and located in Europe, Egypt, Israel, Jordan, the United Kingdom, and the United States.  Researchers believed many more companies have likely been compromised, and that valuable data was likely stolen during the time of this campaign.  Lebanese Cedar used an updated variant of its Explosive remote access tool (RAT) against the unpatched servers.  Unique to Lebanese Cedar, the highly functional RAT possesses several evasion techniques to avoid detection and maintain persistence (via obfuscation and communication encryption) on compromised systems.

Active since 2012, the Lebanese Cedar group has demonstrated itself to be a stealthy threat actor that has typically employed custom-made attack tools in its operations.  While not considered as advanced as some other APT groups, Lebanese Cedar has been operationally successful throughout its existence, evading detection by most antivirus products.  The group has traditionally focused on targeting organizations in the Middle East, although there have been instances of the actors conducting activity against Canada, Russia, the United Kingdom, and the United States as well.  While there has been no definitive attribution, at least one computer security company believes that Lebanese Cedar is likely linked to Hezbollah (“Party of God”), a Lebanon-based Shia terror group formed in 1982 in response to Israeli invasion of Lebanon.  Hezbollah maintains a close relationship with the Iranian government, and the two often collaborate on several fronts to include the social and political spheres, as well as conducting attacks.

Hezbollah has been identified as “one of the most technically-capable terrorist groups in the world,” a plaudit that extends to the organization’s Internet-enabled activities.  Therefore, it is unsurprising that Hezbollah has been affiliated with several cyber-attacks, an attack component that complements the group’s units that are dedicated to propaganda and information warfare.  In 2006, Hezbollah allegedly executed cyber attacks against websites in several countries that supported Israel during the 34-day Israel-Hezbollah war.  Notably, the group hijacked communication portals of companies, cable providers, and web-hosting servers in the United States to spread propaganda.  Then in 2013, while fighting in Syria, Hezbollah revealed its technical understanding of securing communications by devising a system that allowed its combatants to use radios without fear of conversations being intercepted.

In 2015, under the Lebanese Cedar moniker, Hezbollah hostile cyber activity gained access into public and private organizations associated with Israel’s defense sector, among other targets.  In 2017, Hezbollah evolved its tactics by exploiting social media platforms via the creation of fake accounts that featured beautiful women to entice targets into clicking links that downloaded malware on their systems.  Finally, according to a news organization in 2020, Hezbollah further demonstrated its increasing technical prowess by providing training on how to digitally manipulate photographs, manage social media accounts, circumvent Facebook censorship, and spread disinformation online.

Fast forward to the recent incident targeting telecommunications companies and it appears that Hezbollah has yet again evolved its operations to include widespread intelligence collection, which potentially supports a variety of operations to include but not limited to spying, surveillance, and additional targeting, depending on the intent of the attackers.  The ability to collect sensitive information is important for any hostile actor and Hezbollah’s focus on exploiting telecommunications companies reflects this priority.  This is further underscored by the fact that the group continues to upgrade and improve its custom Explosive RAT’s functionality.  RATs are notorious tools for spycraft, and the vast targeting of telecommunications entities can facilitate the tracking and monitoring of communications and online activities of targets of interest. 

The latest version of Explosive RAT possesses active and passive data collection capabilities, harvesting data found on compromised computers, as well as searching for data specified by the attackers.  Moreover, in addition to features such as keylogging, screenshot capture, and command execution, the recent iteration of Explosive Rat includes mechanisms to avoid detection, thereby improving the attackers’ ability to maintain persistence once deployed. It appears that Hezbollah may be maximizing its ability to collect information with the goal of operationalizing it in some capacity in the future.

Hezbollah’s continued growth may benefit from the partnership between Iran and Russia.  Tehran and Moscow enjoy a strategic relationship that serves as a counterbalance to U.S. and Western influence in the Middle East.  Russia is Iran’s main arms supplier, and the two militaries have cooperated in Syria.  Notably, the two governments recently signed an agreement to collaborate on information security issues, which included exchange of intelligence, interaction against threats, and joint defense. These are broad subject areas that could include more than just token exchanges, begging the question of what types of collaboration are being conducted and which stakeholders are engaged in them.  It follows that anything learned can be shared with Hezbollah, as Iran’s Islamic Revolution Guards Corps has a history of training Hezbollah in kinetic operations.  As Iranian support of Hezbollah fluctuates according to the scope of their shared goals and joint activity, it can be assumed that this extends to information activities as well.

Key Takeaway

The culmination of these aforementioned events reveals how a nonstate group, backed by a nation state’s financial and material resources, can quickly develop a mature capability that leverages the full scope of operations in the larger information environment.  Coming on the heels of the 2016 U.S. presidential election and influence and disinformation campaigns targeting Europe, it is apparent that Hezbollah watches how states – particularly Russia – take advantage of information and the critical role technology plays in its production, dissemination, and consumption. 

While Hezbollah likely has some level of cyber attack capabilities, it is the organization’s larger information warfare program that is reminiscent of that of a nation state that gives pause for concern.  Disruptive and destructive cyber-attacks may garner immediate attention, but the attacks that focus on exploiting information and information assets, sowing discord, encouraging division, and influencing thought have a more lasting impact.  These are the ones to watch for from Hezbollah in the future because they are the ones that achieve larger, more strategic objectives.