Security firm Check Point has uncovered the first important example of a well-resourced, long-running and apparently successful cyber-surveillance campaign carried out by a Middle-Eastern group against hundreds of mostly western targets in the defence and military sectors.

Until now, known cyber-campaigns originating in this region have either been painfully unsophisticated or targeting other countries in the region (for example, Iran’s Shamoon attack on Saudi Arabia in 2012), but the campaign the firm calls ‘Volatile Cedar’ looks very different.

Cyber attack1

Although lacking flashy mechanisms such as zero days or complex malware, what stands out is the innovative attack design that eschews the usual spear phishing in favour of entering via the back door of vulnerable web servers, using that breach to carry out reconnaissance on the internal network.

Once a compromised sever is found, a fairly basic but effective piece of malware called ‘Explosive’ (so named by the group itself) is launched. This carries out keylogging, screen scraping, and credential sniffing, all of which were sent out of the network to the command and control. It could also be used to steal files, has the ability to infect USB drives and is armed with destructive capability.

It is, however, clever enough to maintain ‘radio silence’ which corresponded to the working hours of a target as a way of hiding its activity.

Using web servers is a rare approach and Check Point believes represents a vulnerability that is under-estimated by today’s security world. Although the firm is reluctant to go into specifics about the victims, Volatile Cedar has been going since at least early 2012 until its discovery a few months ago so the assumption must be that it worked.

It’s also interesting that the attackers are not interested in named individuals so much as specific organisations in military, defence contracting and government in the US, UK, Canada, Turkey, Israel and the Lebanon. The number of victims detected number hundreds, said Check Point.

Is this a state actor or state-backed group? Almost certainly. Older versions of the malware were retired when detected by anti-virus and a new version deployed – this takes resources and planning.

Check Point said it had found clues including time stamps on software and the fact that it initially used a Lebanese hosting firm to suggest it originated with a group from that country. Who this might be Check Point would not be drawn on although an Iranian-backed group such as Hezbollah or its sympathisers is one possibility.

“There are more and more examples of successful campaigns from the Middle East,” agreed one of the two researchers who first spotted Volatile Cedar, Michael Shalyt.

“It is interesting to see how far you can go with ‘just OK’ attack vectors,” he said referring to the effective but relatively straightforward design of the software.

“You don’t have to be that complex but what you really need to do is have good operations control and choose you targets carefully and that you are not being discovered.”

The attack was determined in nature as suggested by the removal of old versions, he said.

He and fellow researcher Shahar Tal believed that the attackers avoided using spear phishing emails because this was too ‘noisy’.  The use of web servers would have been far harder to detect or close, particularly three years ago.

“People don’t necessarily segment their networks to protect internal servers. My guess it we’re going to see more of this if we haven’t already. It was an effective choice,” said Tal. “[Using web servers is stealthy.”

They believed that in addition to the hundreds of victims detected, many more remained to be discovered, suggesting a larger campaign.

The significance of Volatile Cedar is that it demonstrates not only that Middle-Eastern countries have the capability to perform cyber-surveillance on other countries including the US and Europe but that this has existed for over three years.

One way of looking at the last five years of cyber-warfare revelations is to see it as a slow unveiling of the way that geo-politics has been working for far longer than anyone realised.  The world’s understanding of cyber-warfare is only now catching up with the reality.

In February, Check Point bought the tiny Israeli security startup for $80 million.