Campaign focused on intelligence gathering since 2012

Apr 5, 2015 19:03 GMT

The cyber espionage group believed to operate from Lebanon dubbed Volatile Cedar has been focusing on targets in Lebanon more than in other countries.

The campaign, which appears to have a political agenda, was discovered by security researchers at Check Point. They determined that it is still ongoing and that it began in November 2012, based on the compilation date of the earliest malware sample associated with the Volatile Cedar group.

Detection evaded for more than two years

In a report released on Tuesday, the researchers presented the techniques the threat actor uses to compromise targets, as well as the behavior and functions of the Trojan (called Explosion) used to exfiltrate data from infected systems; the information is generally collected via keylogging, screenshots and logging of clipboard content.

For more than two years, the threat actor switched to a new version of the Trojan each time the current one was detected (heuristically) by antivirus solutions.

The infection method used by Volatile Cedar does not involve spear phishing, as is usually the case in espionage operations; instead, public-facing web servers are compromised by exploiting vulnerabilities discovered through both automated scanning and manual probing.

Once the server is breached and web shell code is injected, the attacker moves laterally across the internal network, sometimes through hands-on, interactive activity by the operators.

Explosion relies on a redundant command and control (C&C) infrastructure: an IP address hard-coded in the malware (a different one for each of the discovered versions), static update servers, and domains generated automatically by a domain generation algorithm.

If the domain generation algorithm (DGA) is reverse-engineered, the list of hosts it will produce becomes known, allowing security experts to register those domains in advance and monitor infected clients as they attempt to reach the control center.

Victims identified in Israel and Lebanon

Check Point says that it identified victims located in about ten countries, listing a handful of them, with the US, Canada, the UK and Turkey first, followed by Lebanon and Israel.

“Some of the confirmed targets can be associated with organizations related to the state of Israel, and some are Lebanon-based, potentially testifying to in-state espionage among rival political groups,” they write in the technical report on Volatile Cedar.

The attacked entities span sectors ranging from telecommunications and media to defense contractors and educational institutions.

Security researchers from Kaspersky sinkholed some of the DGA infrastructure used by the Explosion Trojan and noticed that, judging by their IP addresses, most of the infected machines were in Lebanon: they recorded 22 connections from this country, followed by the US (9), Canada (3), the UK (2), Israel (2) and Russia (1).

“Clearly, the bulk of the victims we observe are all communicating from ip ranges maintained by ISPs in Lebanon. And most of the other checkins appear to be research related,” Kaspersky’s lead security researchers Kurt Baumgartner and Costin Raiu said on Tuesday.

Nevertheless, the data from Kaspersky is partial, as it is gathered only from the DGA command and control infrastructure, which is not the one primarily used by Explosion. Furthermore, Check Point has already sinkholed some servers, so it has better insight into the number of victims and their location.

Threat actor is a supporter of Lebanese political activism

The two researchers say that this creates “a somewhat surprising profile,” which seems to fit the theory of intrastate espionage perfectly.

However, spying on organizations controlled by the state seems like a terrible waste of effort and resources on the part of the Lebanese government, which can check the activity of its defense contractors, telcos, media companies and research institutes without the need for a covert cyber operation.

Shahar Tal, security researcher at Check Point, said via email that the theory of a different state operating from Lebanon is a valid one, and that it would make sense for a different entity to try to make the operation look as if it had been carried out by the Lebanese.

But he also said that the wide distribution of the attack invalidates this assumption, which would suggest that the government or other political organizations may be backing the activity.

Also, since Check Point has not released details about the location of the targets, they may very well be in a country other than Lebanon.

There is no hard proof to sustain clear attribution, but evidence found by Check Point suggests that the attackers are based in Lebanon and that they are supporters of Lebanese political activism.

Supporting this assumption are two facts: the C&C servers for the first Explosion variant were hosted at a major Lebanese company, and an email address associated with a social media account supporting political activism in Lebanon was briefly exposed by the threat actor in the WHOIS records before those records were made private.

Red herrings are meant to influence attribution

There is no doubt that slip-ups can happen even to the best of hackers, but security experts are also aware that threat actors leave false leads behind in order to throw investigators off track.

These fake clues are commonly known as "red herrings" and can consist of messages inserted in the malware code suggesting a particular origin for the attacker or purpose for the operation.

Such clues are also found in malware configuration files, on C&C servers or even in the WHOIS records for the malicious domains.

The privacy feature for these records keeps the registrant's identity out of public view; however, if the feature is not enabled at the time the domain is registered, the information ends up in historical WHOIS caches that can still be consulted after the record is made private.

Smart hackers, especially those involved in nation-state operations, know this all too well and could rely on this mechanism to cover their tracks.

Since the analysis of the Volatile Cedar campaign clearly shows that the hackers behind it are not amateurs, it can be assumed that not all the hints related to their identity or affiliation are reliable.

Tal, however, said that if the authors indeed left these, and possibly other, clues in an attempt to cover their tracks, the level of deception would surpass anything seen in the major cyber espionage incidents documented so far.

Although attribution is difficult, the Lebanese government running Volatile Cedar does not look like a valid assumption. Given the sensitivity of the region, with Syria and Israel on the borders, it would not come as a surprise if evidence were found that a nation-state was operating from inside the country, monitoring political developments.