海角大神

Modern field guide to security and privacy

Cyberattack tied to Hezbollah ups the ante for Israel's digital defenses

A sophisticated malware campaign recently discovered by an Israeli firm has been linked to Hezbollah, suggesting that the militant group has more advanced technological skill than previously thought.

Mohammed Zaatari/AP
A recently discovered cyberattack in Israel may have been the work of Shiite militants Hezbollah. In this May 24 photo, one of the group's fighters stood guard at a rally commemorating "Liberation Day," which marks the withdrawal of the Israeli army from southern Lebanon in 2000.

Israel is familiar with defending itself against cyberattacks from small hacker groups and armed militants alike. Last year, it claims to have fended off a large-scale strike from Iran during the war with Hamas.

But recently, security researchers in Israel uncovered something different – a widespread cyberespionage campaign carried out by skilled hackers that targeted military suppliers, telecom companies, media outlets, and universities with malicious software meant to steal sensitive data and monitor its victims.

The campaign appears to have been ongoing since 2012 and has been found in networks in roughly a dozen other countries, too. The hackers penetrated sensitive systems with custom-built malicious software that has been named "Explosive" by Check Point, the Israeli security firm that discovered it attacking a Web server on a private network.

While Check Point did not specifically attribute the malware to a particular group or organization, other technical experts say the attack has all the markings of a campaign orchestrated by the Lebanese Shiite militant group Hezbollah, which maintains close ties to Iran and its Revolutionary Guard.

Check Point named the campaign "Volatile Cedar" for its suspected Lebanese origins – the Cedar tree is Lebanon's national emblem. But researchers also say that it appears an Iranian hacker may have been involved, too. The hacker, a member of a notorious Iranian hacker group that calls itself the ITSEC team, left behind his or her alias in code implanted on a victimized server that was later reviewed by Check Point.

If the malware campaign is indeed the work of Hezbollah, it marks a new and more advanced era in the digital battle between Israel and its foes. This kind of attack goes far beyond defacing websites with anti-Israel or anti-Western messages or attacks designed to steal bank account information.

"We see the attacks are getting more sophisticated, the tools are more sophisticated, and they are getting into the databases of the system and are trying to gain intelligence – a password, details of people," says Daniel Cohen, coordinator of the Cyber Warfare Program at The Institute for National Security Studies, a prominent Israeli think tank.

What's more, he says, if Hezbollah is behind Volatile Cedar, it represents an evolution in what nonstate actors are capable of when it comes to cyberattacks. The malware discovered is more advanced than most and signals a high degree of technical ability among the militant group, he says. This is the first time Hezbollah has been tied to a major cyberattack.

"You need to see it as a combination of Hezbollah and Iran," Mr. Cohen says. "We know the Iranians provide for them, help them, and guide them in intelligence. They've been trying for years now to gather intelligence."

Though Check Point was careful not to make any explicit claims about the group behind Volatile Cedar except that they appear to be Lebanese in origin, and attribution is always tricky when studying cybercampaigns, experts say the evidence strongly suggests that Hezbollah was responsible.

For instance, Check Point discovered that servers used in the attack were registered in Lebanon. They also uncovered the address and identity of a Lebanese person they suspect was involved. The malware used in the attack was compiled on a computer on which the language was set to Arabic-Lebanon. Then there's the Iranian contribution and the surprising emphasis on espionage against institutional targets within Lebanon as well as in Israel.

Volatile Cedar wasn't just limited to Israel and Lebanon. The malware was discovered on systems in more than 10 countries, says Shahar Tal, the head of Malware and Vulnerability Research at Check Point. "I can say it is centered around Lebanon," said Mr. Tal. "A lot in Lebanon, a lot in Israel, also US, UK, Canada, Japan, Turkey, and recently, Saudi Arabia."

The attack itself appeared to be designed for espionage and has all the markings of being created by someone with deep technical knowledge, he said. "The malware is custom written," he said. "It's not something anyone has seen before. It's not [US National Security Agency] grade, but it's definitely something that takes some skill to write."

The choice of targets, especially the heavy emphasis on Lebanese and Israeli institutions, was also telling, says Tal. "That was interesting for me, at least for trying to identify the actor here," Tal said, referring to the heavy focus on official networks within Lebanon. "I'm not going to go into the geopolitical state of Lebanon, but that hints at a group that might not be the formal government."

Hezbollah and the formal Lebanese government are frequently at odds over Hezbollah operating a paramilitary group within the country that does not consider itself subject to the decisions of the Lebanese government or military.

Dorothy Denning of the Naval Postgraduate School says that these kinds of attacks can be carried out by nonstate actors and don't always require the level of sophistication you might expect.

"Lots of times it's real easy to get into a system. Humans – we're all vulnerable. There's probably some phishing attempt with a link that every one of us would click on," says Professor Denning. "Espionage is commonplace."
