Cyberattack tied to Hezbollah ups the ante for Israel's digital defenses
A sophisticated malware campaign recently discovered by an Israeli firm has been linked to Hezbollah, suggesting that the militant group has more advanced technological skill than previously thought.
Israel is familiar with defending itself against cyberattacks from small hacker groups and armed militants alike. Last year, it claims to have fended off a large-scale strike from Iran during the war with Hamas.
But recently, security researchers in Israel uncovered something different – a widespread cyberespionage campaign carried out by skilled hackers that targeted military suppliers, telecom companies, media outlets, and universities with malicious software meant to steal sensitive data and monitor its victims.
The campaign appears to have been ongoing since 2012 and has been found in networks in roughly a dozen other countries, too. The hackers penetrated sensitive systems with custom-built malicious software that has been named "Explosive" by Check Point, the Israeli security firm that discovered it attacking a Web server on a private network.
While Check Point did not specifically attribute the malware to a particular group or organization, other technical experts say the attack has all the markings of a campaign orchestrated by the Lebanese Shiite militant group Hezbollah, which maintains close ties to Iran and its Revolutionary Guard.
Check Point named the campaign "Volatile Cedar" for its suspected Lebanese origins – the Cedar tree is Lebanon's national emblem. But researchers also say that it appears an Iranian hacker may have been involved, too. The hacker, a member of a notorious Iranian hacker group that calls itself the ITSEC team, left behind his or her alias in code implanted on a victimized server that was later reviewed by Check Point.
If the malware campaign is indeed the work of Hezbollah, it marks a new and more advanced era in the digital battle between Israel and its foes. This kind of attack goes far beyond defacing websites with anti-Israel or anti-Western messages or attacks designed to steal bank account information.
"We see the attacks are getting more sophisticated, the tools are more sophisticated, and they are getting into the databases of the system and are trying to gain intelligence – a password, details of people," says Daniel Cohen, coordinator of the Cyber Warfare Program at The Institute for National Security Studies, a prominent Israeli think tank.
What's more, he says, if Hezbollah is behind Volatile Cedar, it represents an evolution in what nonstate actors are capable of when it comes to cyberattacks. The malware discovered is more advanced than most and signals a high degree of technical ability among the militant group, he says. This is the first time Hezbollah has been tied to a major cyberattack.
"You need to see it as a combination of Hezbollah and Iran," Mr. Cohen says. "We know the Iranians provide for them, help them, and guide them in intelligence. They've been trying for years now to gather intelligence."
Though Check Point was careful not to make any explicit claims about the group behind Volatile Cedar except that they appear to be Lebanese in origin, and attribution is always tricky when studying cybercampaigns, experts say the evidence strongly suggests that Hezbollah was responsible.
For instance, Check Point discovered that servers used in the attack were registered in Lebanon. They also uncovered the address and identity of a Lebanese person they suspect was involved. The malware used in the attack was compiled on a computer on which the language was set to Arabic-Lebanon. Then there's the Iranian contribution and the surprising emphasis on espionage against institutional targets within Lebanon as well as in Israel.
Volatile Cedar wasn't just limited to Israel and Lebanon. The malware was discovered on systems in more than 10 countries, says Shahar Tal, the head of Malware and Vulnerability Research at Check Point. "I can say it is centered around Lebanon," said Mr. Tal. "A lot in Lebanon, a lot in Israel, also US, UK, Canada, Japan, Turkey, and recently, Saudi Arabia."
The attack itself appeared to be designed for espionage and has all the markings of being created by someone with deep technical knowledge, he said. "The malware is custom written," he said. "It's not something anyone has seen before. It's not [US National Security Agency] grade, but it's definitely something that takes some skill to write."
The choice of targets, especially the heavy emphasis on Lebanese and Israeli institutions, was also telling, says Tal. "That was interesting for me, at least for trying to identify the actor here," Tal said, referring to the heavy focus on official networks within Lebanon. "I'm not going to go into the geopolitical state of Lebanon, but that hints at a group that might not be the formal government."
Hezbollah and the formal Lebanese government are frequently at odds over Hezbollah operating a paramilitary group within the country that does not consider itself subject to the decisions of the Lebanese government or military.
Dorothy Denning of the Naval Postgraduate School says that these kinds of attacks can be carried out by nonstate actors and don't always require the level of sophistication you might expect.
"Lots of times it's real easy to get into a system. Humans – we're all vulnerable. There's probably some phishing attempt with a link that every one of us would click on," says Professor Denning. "Espionage is commonplace."