A hacking group with alleged links to the Lebanese Hezbollah has equipped its malware arsenal with a new version of its Remote Access Trojan (RAT) in order to break into companies around the world and extract valuable information.
In a new report published by the ClearSky research team, the cybersecurity company said that since early 2020 it has identified at least 250 web servers compromised by the threat actor to gather intelligence and steal company databases.
The coordinated intrusions hit a large number of companies located in the United States, the United Kingdom, Egypt, Jordan, Lebanon, Saudi Arabia, Israel and the Palestinian Authority.
The majority of victims were telecom operators (Etisalat, Mobily, and Vodafone Egypt), Internet service providers (SaudiNet and TE Data), and hosting and infrastructure service providers (Secured Servers LLC and iomart).
First documented in 2015, the group, known as Volatile Cedar or Lebanese Cedar, has penetrated a large number of targets using various attack techniques, including custom-built malware implants.
The Volatile Cedar group, believed to be Hezbollah's cyber unit, was previously suspected of being linked to a 2015 cyber espionage campaign that targeted military suppliers, telecom companies, the media, and universities.
The 2020 attacks were no different: the hacking activity uncovered by ClearSky matched operations attributed to Hezbollah, based on code overlaps between the 2015 and 2020 variants of the Remote Access Trojan (RAT).
The group exploited three server-side vulnerabilities (CVE-2019-3396, CVE-2019-11581, and CVE-2012-3152) to gain an initial foothold, then moved laterally through the network and downloaded the remote access Trojan, which can log keystrokes, capture screenshots, and execute arbitrary commands.
In the five years since the group's Trojan first appeared, ClearSky said, new anti-debugging features have been added to the latest version of the malware, and communications between the compromised machine and the command-and-control server are now encrypted.
While it is not unusual for threat actors to keep a low profile, the fact that Lebanese Cedar has managed to stay hidden since 2015 without attracting any attention suggests that the group may have suspended operations for extended periods in between to avoid detection.