Middle-Eastern 'Volatile Cedar' cyberattack breached western defence firms

First significant example of western countries being targeted by region

Security firm Check Point has uncovered the first important example of a well-resourced, long-running and apparently successful cyber-surveillance campaign carried out by a Middle-Eastern group against hundreds of mostly western targets in the defence and military sectors.

Until now, known cyber-campaigns originating in this region have either been painfully unsophisticated or aimed at other countries in the region (for example, Iran's Shamoon attack on Saudi Arabia in 2012), but the campaign the firm calls 'Volatile Cedar' looks very different.

Although lacking flashy mechanisms such as zero days or complex malware, what stands out is the innovative attack design that eschews the usual spear phishing in favour of entering via the back door of vulnerable web servers, using that breach to carry out reconnaissance on the internal network.

Once a compromised server is found, a fairly basic but effective piece of malware called 'Explosive' (so named by the group itself) is launched. This carries out keylogging, screen scraping and credential sniffing, all of which is sent out of the network to the command and control. It can also be used to steal files, has the ability to infect USB drives and is armed with destructive capability.

It is, however, clever enough to maintain 'radio silence' during periods corresponding to a target's working hours, as a way of hiding its activity.

Using web servers is a rare approach, and one that Check Point believes represents a vulnerability under-estimated by today's security world. Although the firm is reluctant to go into specifics about the victims, Volatile Cedar ran from at least early 2012 until its discovery a few months ago, so the assumption must be that it worked.
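The two traits described above, a web server that initiates its own outbound connections and a schedule that keeps command-and-control traffic outside the target's working hours, both leave a signature in ordinary firewall or proxy logs. The following is an added detection example written for this article, not code from Check Point or from the report; the host list, the internal address range, the working-hours window and the log lines are all constructed for illustration. It profiles external connections started by DMZ web servers (which should normally only answer inbound requests) and flags any host whose callbacks cluster outside working hours.

```python
"""Flag web servers whose outbound connections look like scheduled callbacks.

Constructed example: DMZ web servers normally only answer inbound requests,
so any external connection they initiate is worth a look; a run of such
connections concentrated outside working hours is the pattern a
'radio silence during office hours' schedule would leave in the logs.
"""
from collections import defaultdict
from datetime import datetime

# Constructed firewall/proxy log lines: timestamp src dst dport action
SAMPLE_LOGS = """\
2015-03-10T02:14:05 10.0.5.20 203.0.113.45 443 ALLOW
2015-03-10T02:44:11 10.0.5.20 203.0.113.45 443 ALLOW
2015-03-10T03:14:09 10.0.5.20 203.0.113.45 443 ALLOW
2015-03-10T10:02:33 10.0.5.21 10.0.5.50 3306 ALLOW
2015-03-10T14:30:00 10.0.5.21 10.0.5.50 3306 ALLOW
2015-03-10T21:10:41 10.0.5.20 203.0.113.45 443 ALLOW
2015-03-10T23:40:02 10.0.5.20 203.0.113.45 443 ALLOW
2015-03-11T11:15:00 10.0.5.22 198.51.100.9 80 ALLOW
"""

WEB_SERVERS = {"10.0.5.20", "10.0.5.21", "10.0.5.22"}  # hypothetical DMZ hosts
INTERNAL_PREFIX = "10."                                # hypothetical internal range
WORK_HOURS = range(8, 18)                              # 08:00-17:59 local, assumed


def parse_line(line):
    """Split one constructed log line into a record with a parsed timestamp."""
    ts, src, dst, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "action": action}


def is_external(ip):
    """Anything outside the assumed internal range counts as external."""
    return not ip.startswith(INTERNAL_PREFIX)


def profile_outbound(log_text):
    """Per web server: how many external connections it started, how many of
    those fell outside working hours, and which destinations it contacted."""
    stats = defaultdict(lambda: {"external": 0, "off_hours": 0, "destinations": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Only connections initiated by a web server to an external address
        if rec["src"] not in WEB_SERVERS or not is_external(rec["dst"]):
            continue
        s = stats[rec["src"]]
        s["external"] += 1
        s["destinations"].add(rec["dst"])
        if rec["ts"].hour not in WORK_HOURS:
            s["off_hours"] += 1
    return dict(stats)


def suspicious_servers(log_text, min_external=3, off_hours_ratio=0.8):
    """Servers with repeated external callbacks concentrated outside working hours."""
    flagged = []
    for host, s in profile_outbound(log_text).items():
        if s["external"] >= min_external and s["off_hours"] / s["external"] >= off_hours_ratio:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for host, s in profile_outbound(SAMPLE_LOGS).items():
        print(host, s["external"], "external,", s["off_hours"], "off-hours,", sorted(s["destinations"]))
    print("suspicious:", suspicious_servers(SAMPLE_LOGS))
```

On the constructed sample, 10.0.5.20 makes five external connections to one address, all between 21:00 and 03:00, and is flagged; 10.0.5.21 only talks to an internal database host and never appears in the profile; 10.0.5.22 makes a single daytime connection and stays below the threshold. In practice the thresholds need tuning per environment, and the stronger control is the one the researchers allude to later in the piece: a DMZ web server should have no egress path to arbitrary external hosts in the first place, so that the profile is empty by policy rather than by luck.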

It's also interesting that the attackers are not interested in named individuals so much as specific organisations in military, defence contracting and government in the US, UK, Canada, Turkey, Israel and the Lebanon. The number of victims detected runs to hundreds, said Check Point.

Is this a state actor or state-backed group? Almost certainly. Older versions of the malware were retired when detected by anti-virus and a new version deployed; this takes resources and planning.

Check Point said it had found clues, including time stamps on software and the fact that the campaign initially used a Lebanese hosting firm, suggesting it originated with a group from that country. Check Point would not be drawn on who this might be, although an Iranian-backed group such as Hezbollah or its sympathisers is one possibility.

"There are more and more examples of successful campaigns from the Middle East," agreed one of the two researchers who first spotted Volatile Cedar, Michael Shalyt.

"It is interesting to see how far you can go with 'just OK' attack vectors," he said referring to the effective but relatively straightforward design of the software.

"You don't have to be that complex but what you really need to do is have good operations control and choose your targets carefully and that you are not being discovered."

The attack was determined in nature, as the removal of old versions suggests, he said.

He and fellow researcher Shahar Tal believed that the attackers avoided using spear phishing emails because this was too 'noisy'. The use of web servers would have been far harder to detect or close, particularly three years ago.

"People don't necessarily segment their networks to protect internal servers. My guess is we're going to see more of this if we haven't already. It was an effective choice," said Tal. "Using web servers is stealthy."

They believed that in addition to the hundreds of victims detected, many more remained to be discovered, suggesting a larger campaign.

The significance of Volatile Cedar is that it demonstrates not only that Middle-Eastern countries have the capability to perform cyber-surveillance on other countries including the US and Europe but that this has existed for over three years.

One way of looking at the last five years of cyber-warfare revelations is to see it as a slow unveiling of the way that geo-politics has been working for far longer than anyone realised. The world's understanding of cyber-warfare is only now catching up with the reality.

In February, Check Point bought the tiny Israeli security startup for $80 million.


Stories by John E Dunn
