Security firm Check Point has uncovered the first important example of a well-resourced, long-running and apparently successful cyber-surveillance campaign carried out by a Middle-Eastern group against hundreds of mostly western targets in the defence and military sectors.
Until now, known cyber-campaigns originating in this region have either been painfully unsophisticated or have targeted other countries in the region (for example, Iran's Shamoon attack on Saudi Arabia in 2012), but the campaign the firm calls 'Volatile Cedar' looks very different.
Although the campaign lacks flashy mechanisms such as zero-days or complex malware, what stands out is its attack design, which eschews the usual spear phishing in favour of entering through vulnerable public-facing web servers and using that foothold to carry out reconnaissance on the internal network.
Once a server is compromised, a fairly basic but effective piece of malware called 'Explosive' (so named by the group itself) is deployed. It carries out keylogging, screen scraping and credential sniffing, sending the results out of the network to the command-and-control server. It can also be used to steal files, is able to infect USB drives, and has destructive capability.
It is, however, clever enough to maintain 'radio silence' during the target's working hours, when administrators are watching, as a way of hiding its activity.
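The 'radio silence' behaviour gives defenders a signal of their own: a host that only ever talks to a particular external destination outside working hours is unusual. The script below is an added illustration of that idea, not Check Point's detection logic or anything from the report. It runs over a constructed connection log (invented hosts and RFC 5737 documentation addresses) and flags source/destination pairs whose traffic falls almost entirely outside an assumed 08:00 to 18:00 weekday window; timestamps are assumed to already be in the target's local time.

```python
"""Flag host/destination pairs whose traffic appears only outside working hours.

Added illustrative code for the 'radio silence' pattern; it is not Check Point's
detection logic. The log format, hosts and addresses below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log (not from the report).
# Fields: timestamp (assumed to be the target's local time), source host,
# destination, bytes sent.
SAMPLE_LOG = """\
2012-04-02T03:14:05 ws-17 203.0.113.10:443 1820
2012-04-02T04:02:11 ws-17 203.0.113.10:443 2210
2012-04-02T10:15:00 ws-17 198.51.100.5:443 5100
2012-04-02T11:20:00 ws-17 198.51.100.5:443 4800
2012-04-02T19:45:30 ws-17 203.0.113.10:443 3050
2012-04-02T22:10:00 ws-17 203.0.113.10:443 2990
2012-04-03T02:30:00 ws-17 203.0.113.10:443 3100
2012-04-02T09:00:00 ws-22 198.51.100.5:443 1000
2012-04-02T15:00:00 ws-22 198.51.100.5:443 1200
2012-04-02T03:00:00 ws-22 203.0.113.10:443 1200
2012-04-02T14:00:00 ws-22 203.0.113.10:443 900
"""

WORK_START = 8   # assumed start of the working day, 08:00 local
WORK_END = 18    # assumed end of the working day, 18:00 local (exclusive)


def parse_log(text):
    """Parse the whitespace-separated constructed log format into dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "bytes": int(nbytes)})
    return records


def in_working_hours(ts, start=WORK_START, end=WORK_END):
    """True if ts falls on a weekday between start (inclusive) and end (exclusive)."""
    return ts.weekday() < 5 and start <= ts.hour < end


def pair_stats(records, start=WORK_START, end=WORK_END):
    """Count total and off-hours connections per (src, dst) pair."""
    stats = defaultdict(lambda: {"total": 0, "off_hours": 0, "bytes_off": 0})
    for r in records:
        s = stats[(r["src"], r["dst"])]
        s["total"] += 1
        if not in_working_hours(r["ts"], start, end):
            s["off_hours"] += 1
            s["bytes_off"] += r["bytes"]
    return dict(stats)


def flag_radio_silence(records, min_events=3, min_fraction=0.9,
                       start=WORK_START, end=WORK_END):
    """Return (src, dst, off_hours_fraction) for pairs that are quiet during the
    working day.  min_events avoids flagging one-off night-time connections;
    min_fraction tolerates the odd daytime packet rather than demanding zero."""
    flagged = []
    for (src, dst), s in pair_stats(records, start, end).items():
        if s["total"] < min_events:
            continue
        fraction = s["off_hours"] / s["total"]
        if fraction >= min_fraction:
            flagged.append((src, dst, fraction))
    return sorted(flagged)


if __name__ == "__main__":
    for src, dst, frac in flag_radio_silence(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {frac:.0%} of connections outside working hours")
```

In the constructed sample, ws-17's traffic to 203.0.113.10 occurs only at night and is flagged, while its daytime traffic to 198.51.100.5 and ws-22's mixed traffic are not. On real data the working-hours window and weekday rule should come from the site's actual schedule and time zone, and the result is a triage lead rather than a verdict, since backup jobs and patch downloads are also nocturnal.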
Entering through web servers is a rare approach, and Check Point believes it represents a weakness that today's security world under-estimates. Although the firm is reluctant to go into specifics about the victims, Volatile Cedar had been running from at least early 2012 until its discovery a few months ago, so the assumption must be that it worked.
It is also interesting that the attackers are interested less in named individuals than in specific organisations in the military, defence-contracting and government sectors in the US, UK, Canada, Turkey, Israel and Lebanon. The victims detected number in the hundreds, Check Point said.
Is this a state actor or state-backed group? Almost certainly. Older versions of the malware were retired when detected by anti-virus and a new version deployed; this takes resources and planning.
Check Point said it had found clues, including timestamps in the software and the fact that the group initially used a Lebanese hosting firm, suggesting it originated with a group from that country. Check Point would not be drawn on who this might be, although an Iranian-backed group such as Hezbollah or its sympathisers is one possibility.
"There are more and more examples of successful campaigns from the Middle East," agreed one of the two researchers who first spotted Volatile Cedar, Michael Shalyt.