Mohammed Zaatari/AP
A recently discovered cyberattack in Israel may have been the work of Shiite militants Hezbollah. In this May 24 photo, one of the group's fighters stood guard at a rally commemorating "Liberation Day," which marks the withdrawal of the Israeli army from southern Lebanon in 2000.

Cyberattack tied to Hezbollah ups the ante for Israel's digital defenses

A sophisticated malware campaign recently discovered by an Israeli firm has been linked to Hezbollah, suggesting that the militant group has more advanced technological skill than previously thought.

Israel is familiar with defending itself against cyberattacks from small hacker groups and armed militants alike. Last year, it claims to have fended off a large-scale strike from Iran during the war with Hamas.

But recently, security researchers in Israel uncovered something different – a widespread cyberespionage campaign carried out by skilled hackers that targeted military suppliers, telecom companies, media outlets, and universities with malicious software meant to steal sensitive data and monitor its victims.

The campaign appears to have been ongoing since 2012 and has been found in networks in roughly a dozen other countries, too. The hackers penetrated sensitive systems with custom-built malicious software that has been named "Explosive" by Check Point, the Israeli security firm that discovered it attacking a Web server on a private network.

While Check Point did not specifically attribute the malware to a particular group or organization, other technical experts say the attack has all the markings of a campaign orchestrated by the Lebanese Shiite militant group Hezbollah, which maintains close ties to Iran and its Revolutionary Guard.

Check Point named the campaign "Volatile Cedar" for its suspected Lebanese origins – the Cedar tree is Lebanon’s national emblem. But researchers also say that it appears an Iranian hacker may have been involved, too. The hacker, a member of a notorious Iranian hacker group that calls itself the ITSEC team, left behind his or her alias in code implanted on a victimized server that was later reviewed by Check Point. 

If the malware campaign is indeed the work of Hezbollah, it marks a new and more advanced era in the digital battle between Israel and its foes. This kind of attack goes far beyond defacing websites with anti-Israel or anti-Western messages or attacks designed to steal bank account information.

“We see the attacks are getting more sophisticated, the tools are more sophisticated, and they are getting into the databases of the system and are trying to gain intelligence – a password, details of people,” says Daniel Cohen, coordinator of the Cyber Warfare Program at The Institute for National Security Studies, a prominent Israeli think tank.

What's more, he says, if Hezbollah is behind Volatile Cedar, it represents an evolution in what nonstate actors are capable of when it comes to cyberattacks. The malware discovered is more advanced than most and signals a high degree of technical ability among the militant group, he says. This is the first time Hezbollah has been tied to a major cyberattack. 

“You need to see it as a combination of Hezbollah and Iran,” Mr. Cohen says. “We know the Iranians provide for them, help them, and guide them in intelligence. They’ve been trying for years now to gather intelligence." 

Check Point was careful not to make any explicit claims about the group behind Volatile Cedar except that it appears to be Lebanese in origin, and attribution is always tricky when studying cybercampaigns. Still, experts say the evidence strongly suggests that Hezbollah was responsible.

For instance, Check Point discovered that servers used in the attack were registered in Lebanon. They also uncovered the address and identity of a Lebanese person they suspect was involved. The malware used in the attack was compiled on a computer on which the language was set to Arabic-Lebanon. Then there’s the Iranian contribution and the surprising emphasis on espionage against institutional targets within Lebanon as well as in Israel.

Volatile Cedar wasn't just limited to Israel and Lebanon. The malware was discovered on systems in more than 10 countries, says Shahar Tal, the head of Malware and Vulnerability Research at Check Point. “I can say it is centered around Lebanon,” said Mr. Tal. "A lot in Lebanon, a lot in Israel, also US, UK, Canada, Japan, Turkey, and recently, Saudi Arabia." 

The attack itself appeared to be designed for espionage and has all the markings of being created by someone with deep technical knowledge, he said. “The malware is custom written,” he said. “It’s not something anyone has seen before. It’s not [US National Security Agency] grade, but it’s definitely something that takes some skill to write.”

The choice of targets, especially the heavy emphasis on Lebanese and Israeli institutions, was also telling, says Tal. “That was interesting for me, at least for trying to identify the actor here,” Tal said, referring to the heavy focus on official networks within Lebanon. “I’m not going to go into the geopolitical state of Lebanon, but that hints at a group that might not be the formal government.”

Hezbollah and the formal Lebanese government are frequently at odds over Hezbollah operating a paramilitary group within the country that does not consider itself subject to the decisions of the Lebanese government or military.

Dorothy Denning of the Naval Postgraduate School says that these kinds of attacks can be carried out by nonstate actors and don’t always require the level of sophistication you might expect.

“Lots of times it’s real easy to get into a system. Humans – we’re all vulnerable. There’s probably some phishing attempt with a link that every one of us would click on,” says Professor Denning. “Espionage is commonplace.”

