Israel is familiar with defending itself against cyberattacks from small hacker groups and armed militants alike. Last year, it claims to have fended off a large-scale strike from Iran during the war with Hamas.
But recently, security researchers in Israel uncovered something different – a widespread cyberespionage campaign carried out by skilled hackers that targeted military suppliers, telecom companies, media outlets, and universities with malicious software meant to steal sensitive data and monitor its victims.
The campaign appears to have been ongoing since 2012 and has been found in networks in roughly a dozen other countries, too. The hackers penetrated sensitive systems with custom-built malicious software that has been named "Explosive" by Check Point, the Israeli security firm that discovered it attacking a Web server on a private network.
While Check Point did not specifically attribute the malware to a particular group or organization, other technical experts say the attack has all the markings of a campaign orchestrated by the Lebanese Shiite militant group Hezbollah, which maintains close ties to Iran and its Revolutionary Guard.
Check Point named the campaign "Volatile Cedar" for its suspected Lebanese origins – the Cedar tree is Lebanon’s national emblem. But researchers also say that it appears an Iranian hacker may have been involved, too. The hacker, a member of a notorious Iranian hacker group that calls itself the ITSEC team, left behind his or her alias in code implanted on a victimized server that was later reviewed by Check Point.
If the malware campaign is indeed the work of Hezbollah, it marks a new and more advanced era in the digital battle between Israel and its foes. This kind of attack goes far beyond defacing websites with anti-Israel or anti-Western messages or attacks designed to steal bank account information.
“We see the attacks are getting more sophisticated, the tools are more sophisticated, and they are getting into the databases of the system and are trying to gain intelligence – a password, details of people,” says Daniel Cohen, coordinator of the Cyber Warfare Program at The Institute for National Security Studies, a prominent Israeli think tank.
What's more, he says, if Hezbollah is behind Volatile Cedar, it represents an evolution in what nonstate actors are capable of when it comes to cyberattacks. The malware discovered is more advanced than most and signals a high degree of technical ability among the militant group, he says. This is the first time Hezbollah has been tied to a major cyberattack.
“You need to see it as a combination of Hezbollah and Iran,” Mr. Cohen says. “We know the Iranians provide for them, help them, and guide them in intelligence. They’ve been trying for years now to gather intelligence.”
Though Check Point was careful not to make any explicit claims about the group behind Volatile Cedar except that they appear to be Lebanese in origin, and attribution is always tricky when studying cybercampaigns, experts say the evidence strongly suggests that Hezbollah was responsible.
For instance, Check Point discovered that servers used in the attack were registered in Lebanon. They also uncovered the address and identity of a Lebanese person they suspect was involved. The malware used in the attack was compiled on a computer on which the language was set to Arabic-Lebanon. Then there’s the Iranian contribution and the surprising emphasis on espionage against institutional targets within Lebanon as well as in Israel.
Volatile Cedar wasn't limited to Israel and Lebanon. The malware was discovered on systems in more than 10 countries, says Shahar Tal, the head of Malware and Vulnerability Research at Check Point. “I can say it is centered around Lebanon,” says Mr. Tal. “A lot in Lebanon, a lot in Israel, also US, UK, Canada, Japan, Turkey, and recently, Saudi Arabia.”
The attack itself appeared to be designed for espionage and has all the markings of being created by someone with deep technical knowledge, he says. “The malware is custom written,” he says. “It’s not something anyone has seen before. It’s not [US National Security Agency] grade, but it’s definitely something that takes some skill to write.”
The choice of targets, especially the heavy emphasis on Lebanese and Israeli institutions, was also telling, says Mr. Tal. “That was interesting for me, at least for trying to identify the actor here,” he says, referring to the heavy focus on official networks within Lebanon. “I’m not going to go into the geopolitical state of Lebanon, but that hints at a group that might not be the formal government.”
Hezbollah and the formal Lebanese government are frequently at odds over Hezbollah operating a paramilitary group within the country that does not consider itself subject to the decisions of the Lebanese government or military.
Dorothy Denning of the Naval Postgraduate School says that these kinds of attacks can be carried out by nonstate actors and don’t always require the level of sophistication you might expect.
“Lots of times it’s real easy to get into a system. Humans – we’re all vulnerable. There’s probably some phishing attempt with a link that every one of us would click on,” says Professor Denning. “Espionage is commonplace.”