Lebanon | January 28, 2021 | 11 min read
# Lebanese Cedar APT: Hezbollah-Linked Hackers Breach 250+ Servers at Major Telecom and ISP Operators
In January 2021, Israeli cybersecurity firm ClearSky published research exposing "Lebanese Cedar," an advanced persistent threat (APT) group attributed to Hezbollah's cyber warfare unit.
The campaign compromised more than 250 servers belonging to telecommunications companies and internet service providers across the Middle East, Africa, Europe, and North America.
Targets included Etisalat (UAE), Mobily (Saudi Arabia), Vodafone Egypt, SaudiNet, TE Data (Egypt), and operators in the United States, United Kingdom, and Israel.
The group exploited known vulnerabilities in Atlassian and Oracle products to deploy custom webshells and the "Explosive RAT" backdoor, extracting call detail records, customer databases, and company infrastructure data.
## Key Facts
- **What:** Hezbollah-linked Lebanese Cedar APT breached 250+ telecom servers globally.
- **Victims:** Etisalat, Vodafone Egypt, Mobily, and operators in the US and UK.
- **Data Exposed:** Call detail records, customer databases, and network infrastructure data.
- **Outcome:** Exploited years-old known vulnerabilities; no Lebanese enforcement possible.
## What Was Exposed
- Call detail records (CDRs) from multiple telecommunications providers, revealing who called whom, when, for how long, and from what cell tower
- Customer databases containing subscriber personal information including names, national IDs, phone numbers, and billing addresses
- Company internal databases including network configurations, infrastructure maps, and operational data
- Server credentials and administrative access tokens enabling persistent unauthorized access
- Email communications and internal documents from compromised corporate servers
- Network topology data that could be leveraged for further espionage or sabotage operations
Lebanese Cedar's tradecraft was methodical rather than innovative. The group exploited well-documented, publicly known vulnerabilities: CVE-2019-3396 and CVE-2019-11581 in Atlassian Confluence and Jira, and CVE-2012-3152 in Oracle WebLogic.
These were not zero-day exploits--they were vulnerabilities for which patches had been available for months or years.
The success of the campaign reflected not the sophistication of the attackers but the persistent failure of major telecom operators to apply basic security patches to internet-facing servers.
Once inside a target network, the group deployed "Caterpillar," a customized JSP webshell that provided persistent access, file management, and command execution capabilities on compromised servers.
The webshell was designed to evade detection by security products through obfuscation and by mimicking legitimate application files.
From this foothold, the operators deployed "Explosive RAT" version 4, a custom-developed remote access trojan that provided full system control, keylogging, screen capture, file exfiltration, and credential harvesting.
The attribution to Hezbollah rested on multiple technical and operational indicators.
ClearSky noted significant overlap with infrastructure and tooling previously attributed to "Volatile Cedar," a Hezbollah-linked group documented by Check Point Research in 2015. The Explosive RAT shared code lineage with earlier versions used in Volatile Cedar operations, and the targeting pattern--focused on telecommunications providers in countries of strategic interest to Hezbollah--was consistent with the intelligence priorities of a state-aligned militant organization.
The group's interest in CDRs was particularly telling: call detail records are the foundation of signals intelligence, revealing communication patterns, social networks, and the movements of individuals between cell towers.
The targeting of specific telecom operators was strategic rather than opportunistic. Etisalat and Mobily serve tens of millions of subscribers in the Gulf states. Vodafone Egypt and TE Data are major carriers in the Arab world's most populous country.
Access to CDRs from these operators would provide Hezbollah with signals intelligence capabilities normally reserved for nation-state intelligence agencies, enabling the tracking of individuals of interest across the Middle East and North Africa without the need for physical surveillance infrastructure.
The scale of the compromise--250+ servers across multiple operators--indicated that Lebanese Cedar maintained a dedicated team of operators who systematically scanned for and exploited vulnerable servers over an extended period.
The campaign was not a single intrusion but an ongoing operational program. ClearSky's research indicated that some compromised servers had been under the group's control for months before detection, providing sustained access to real-time telecommunications data.
## Regulatory Analysis
The Lebanese Cedar case presents an unusual regulatory scenario. The threat actor operates from Lebanon, but the victims are foreign telecommunications operators.
Lebanon's Law No. 81 of 2018, to the extent it addresses data processing activities, would theoretically apply to the processing (in this case, unauthorized collection) of personal data by entities operating within Lebanese territory.
However, the notion that a Hezbollah cyber unit would be subject to Lebanese data protection law is, in practice, absurd.
Lebanon's regulatory framework is structurally incapable of addressing cyber operations conducted by non-state armed groups operating within its borders. Hezbollah maintains a parallel military and intelligence infrastructure that operates independently of the Lebanese state.
The group is designated as a terrorist organization by the United States, the European Union, and the Arab League (in its entirety or its military wing, depending on the designating entity).
Lebanese law enforcement agencies have neither the mandate nor the capability to investigate Hezbollah's cyber operations, and the Lebanese judiciary has no practical jurisdiction over the group's military activities.
From the victims' perspective, the regulatory implications are significant but fall under the data protection frameworks of the countries where the telecom operators are headquartered.
Etisalat and Mobily operate under UAE and Saudi Arabian data protection regulations respectively.
Under the UAE PDPL and Saudi PDPL, these operators have obligations to implement appropriate security measures to protect subscriber data, to detect and respond to security incidents, and to notify regulators and affected individuals when breaches occur.
The exploitation of unpatched, publicly known vulnerabilities in internet-facing servers would likely be viewed as a failure to maintain adequate security measures under both regulatory frameworks.
The absence of a functioning DPA in Lebanon means there is no Lebanese regulatory body that could participate in international cooperation to investigate the origins of the attack, share threat intelligence with victim-country regulators, or take enforcement action against Lebanese entities involved in the campaign.
This regulatory gap does not merely affect Lebanon's domestic data protection environment--it makes Lebanon a regulatory blind spot in the international data protection landscape, a jurisdiction from which cyber operations can be launched without any domestic regulatory consequence.
For the global telecommunications sector, Lebanese Cedar underscores the reality that APT groups targeting telecom operators do not need sophisticated capabilities when basic patch management failures provide all the access they need.
The regulatory frameworks in victim countries should be evolving to impose more stringent requirements for vulnerability management on telecom operators, given that CDRs represent some of the most sensitive personal data in existence.
## What Should Have Been Done
The most damning aspect of the Lebanese Cedar campaign is that it was entirely preventable. Every vulnerability exploited by the group had known patches available at the time of exploitation.
CVE-2019-3396 and CVE-2019-11581, the Atlassian vulnerabilities, were patched by Atlassian in 2019. CVE-2012-3152, the Oracle WebLogic vulnerability, was patched in 2012--eight years before Lebanese Cedar exploited it.
The compromise of 250+ servers at major telecom operators was not a failure of security technology but a failure of basic security hygiene.
Telecom operators must implement automated vulnerability scanning and patch management programs that identify and remediate known vulnerabilities on internet-facing servers within defined timelines.
For critical vulnerabilities in internet-facing applications, the remediation timeline should be measured in days, not months or years.
Automated patch deployment systems, combined with vulnerability scanning that validates successful remediation, are foundational security controls that would have prevented the initial access in the Lebanese Cedar campaign.
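One way to make the "defined timelines" concrete is a tracker that compares an asset inventory against vendor advisories and reports every internet-facing server still running a vulnerable version past its remediation deadline. The following is an added example written for this article, not tooling from ClearSky or any of the operators named above. The hostnames, the asset versions, the "today" date, the SLA table, and the fixed-version numbers and patch dates in the advisory list are all constructed placeholders (only the CVE identifiers and the patch years come from the text).

```python
"""Patch-SLA tracker for internet-facing assets (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    fixed_version: tuple   # first version carrying the fix (PLACEHOLDER, not the real vendor fix version)
    patch_available: date  # PLACEHOLDER date inside the patch year the article gives
    severity: str


@dataclass(frozen=True)
class Asset:
    host: str              # hypothetical hostnames
    product: str
    version: tuple
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    days_exposed: int      # days since the vendor patch became available
    days_overdue: int      # days past the remediation deadline


# Remediation deadline in days, keyed by (severity, internet-facing).
SLA_DAYS = {
    ("critical", True): 7,
    ("high", True): 14,
    ("critical", False): 30,
    ("high", False): 30,
}

# Constructed advisory data: CVE ids and patch years are from the article, the rest are placeholders.
ADVISORIES = [
    Advisory("CVE-2019-3396", "confluence", (6, 99, 0), date(2019, 3, 1), "critical"),
    Advisory("CVE-2019-11581", "jira", (8, 99, 0), date(2019, 7, 1), "critical"),
    Advisory("CVE-2012-3152", "weblogic", (10, 99, 0), date(2012, 10, 1), "high"),
]

# Constructed inventory snapshot.
ASSETS = [
    Asset("wiki-01.example.net", "confluence", (6, 5, 0), True),
    Asset("tracker-02.example.net", "jira", (8, 99, 0), True),       # already patched
    Asset("wl-app-03.example.net", "weblogic", (10, 3, 6), True),
    Asset("wiki-dev.corp.example.net", "confluence", (6, 5, 0), False),
]

TODAY = date(2020, 6, 1)  # constructed evaluation date


def is_vulnerable(asset: Asset, adv: Advisory) -> bool:
    """Version tuples compare lexicographically, so (6, 5, 0) < (6, 99, 0) is vulnerable."""
    return asset.product == adv.product and asset.version < adv.fixed_version


def overdue_findings(assets, advisories, today: date):
    """Return every asset/CVE pair whose remediation deadline has passed, worst first."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if not is_vulnerable(asset, adv):
                continue
            exposed = (today - adv.patch_available).days
            sla = SLA_DAYS[(adv.severity, asset.internet_facing)]
            if exposed > sla:
                findings.append(Finding(asset.host, adv.cve, exposed, exposed - sla))
    return sorted(findings, key=lambda f: f.days_overdue, reverse=True)


def report(findings) -> str:
    """Plain-text report suitable for a ticket or a daily digest."""
    lines = [f"{f.host:32} {f.cve:16} exposed {f.days_exposed:5d}d, overdue {f.days_overdue:5d}d"
             for f in findings]
    return "\n".join(lines) if lines else "no overdue vulnerabilities"


if __name__ == "__main__":
    print(report(overdue_findings(ASSETS, ADVISORIES, TODAY)))
```

The ordering matters in practice: the WebLogic host is both the longest exposed and the one an attacker can find with the least effort, so it should be first in the queue. Feeding the tracker from a scanner that re-checks after deployment (rather than trusting the patch job's exit code) closes the validation gap the paragraph above describes.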
Web application firewalls (WAFs) should have been deployed in front of all internet-facing Atlassian and Oracle applications.
Modern WAFs include signatures for known exploitation techniques targeting CVE-2019-3396 and similar vulnerabilities, and would have blocked the initial exploitation attempts.
For telecom operators handling CDR data, the investment in WAF infrastructure is trivially small compared to the intelligence value of the data they protect.
Network segmentation should have ensured that a compromise of a web-facing Confluence or Jira server did not provide access to CDR databases and customer information systems.
The fact that Lebanese Cedar was able to pivot from initial webshell access on application servers to CDR extraction indicates that the compromised telecom operators lacked adequate network segmentation between their application tier and their core data infrastructure.
CDR databases should exist in isolated network segments with strict access controls and monitoring that would detect and alert on unauthorized query patterns.
Endpoint detection and response (EDR) solutions should have been deployed on all servers, including application servers running Atlassian and Oracle products.
The Caterpillar webshell and Explosive RAT would have generated behavioral indicators that modern EDR platforms can detect, including unusual process creation, file system modifications in web application directories, and command-and-control communications to known or suspicious infrastructure.
At the international level, the Lebanese Cedar case demonstrates the need for enhanced cooperation between telecommunications regulators and cybersecurity agencies across the MENA region. CDR data is a regional intelligence target, and telecom operators across the Middle East face similar threats from state-aligned APT groups. A regional information-sharing framework specifically for telecom sector threats would enable operators to benefit from collective intelligence and coordinated defense.
Threat hunting programs should be an ongoing operational practice at telecom operators, not merely a reactive measure deployed after a breach is discovered. Given the known interest of state-aligned APT groups in CDR data, telecom security teams should proactively search for indicators of compromise associated with known telecom-targeting threat actors, including Lebanese Cedar, APT41, LightBasin, and other groups documented by the threat intelligence community. Regular threat hunting exercises, informed by current threat intelligence, would have detected the Caterpillar webshell and Explosive RAT deployments that Lebanese Cedar used to maintain persistent access.
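The EDR indicator that the article names for webshells like Caterpillar is file system modification in web application directories, and the threat hunting paragraph above asks for that search to be routine. The hunt below is an added example (not ClearSky's detection logic and not a signature for the real Caterpillar file): it takes a file-hash manifest of a deployment at install time, then flags any JSP that is new or modified relative to that baseline, raising severity when the file also contains command-execution tokens. The directory tree, the two "legitimate" pages and the marker file it builds are constructed in a temporary directory; the marker only contains the indicator tokens inside a comment and does nothing.

```python
"""Baseline-diff hunt for dropped or modified JSP files (added example; tree is constructed)."""
import hashlib
import tempfile
from pathlib import Path

# Tokens that rarely appear in an application's own JSPs but are common in webshells.
EXEC_TOKENS = ("Runtime.getRuntime", "ProcessBuilder", "request.getParameter")

# Constructed marker file: indicator tokens only, wrapped in a JSP comment (not a working shell).
MARKER = "<%-- constructed marker for the hunt example: Runtime.getRuntime ProcessBuilder request.getParameter --%>\n"


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(root: Path) -> dict:
    """Golden-image manifest: relative path -> SHA-256, taken at deployment time."""
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def indicators_in(path: Path) -> list:
    text = path.read_text(errors="replace")
    return [tok for tok in EXEC_TOKENS if tok in text]


def hunt(root: Path, manifest: dict) -> list:
    """Compare the live tree to the manifest and return one finding per suspicious JSP."""
    findings = []
    for p in sorted(root.rglob("*.jsp")):
        rel = str(p.relative_to(root))
        digest = sha256_of(p)
        if rel not in manifest:
            reason = "not-in-baseline"
        elif manifest[rel] != digest:
            reason = "modified-since-baseline"
        else:
            continue
        hits = indicators_in(p)
        findings.append({
            "path": rel,
            "reason": reason,
            "indicators": hits,
            "severity": "high" if hits else "medium",
            "sha256": digest,
        })
    return findings


def build_demo_tree():
    """Constructed Confluence-like tree: baseline is taken, then the tree is tampered with."""
    root = Path(tempfile.mkdtemp(prefix="webapp-"))
    app = root / "confluence"
    app.mkdir()
    (app / "login.jsp").write_text("<html>legitimate login page</html>\n")
    (app / "errors.jsp").write_text("<html>legitimate error page</html>\n")
    manifest = build_manifest(root)  # what the deployment looked like on install day
    # Post-deployment changes a hunt should surface:
    (app / "images").mkdir()
    (app / "images" / "login-help.jsp").write_text(MARKER)          # new file in a static-assets dir
    (app / "errors.jsp").write_text("<html>legitimate error page</html><%-- tampered --%>\n")
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_demo_tree()
    for f in hunt(root, manifest):
        print(f"{f['severity']:6} {f['reason']:24} {f['path']}  {f['indicators']}")
```

The manifest has to come from the package or the build pipeline, not from the running server, because a server that has already been compromised cannot vouch for its own files. Running the same diff on a schedule and shipping the findings to the SIEM turns a one-off hunt into the continuous practice the paragraph above calls for.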
The CDR data that Lebanese Cedar targeted represents a category of personal data that deserves special regulatory attention across the MENA region. Call detail records reveal the complete social graph of an individual: who they communicate with, how frequently, at what times, and from what locations. In the hands of a hostile intelligence service, CDR data enables the mapping of organizational structures, the identification of key individuals within target organizations, and the tracking of movements across geographic areas. Telecom regulators in the Gulf states and across the Middle East should establish enhanced security requirements specifically for CDR data, including mandatory encryption, access logging, anomaly detection, and strict data retention limits that minimize the volume of CDR data available for exfiltration at any given time.
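Both the segmentation paragraph under "What Should Have Been Done" (monitoring that alerts on unauthorized query patterns against CDR databases) and the access-logging and anomaly-detection requirement above describe the same control: a detector over the CDR database's query log. The following is an added example for this article, not any operator's monitoring rule set. It assumes a hypothetical one-line-per-query log format, a hypothetical CDR network segment of 10.50.0.0/16, and constructed log lines; the three rules encode the pivot the article describes, a query arriving from an application-tier host, a query with no single-subscriber predicate, and a result set far larger than the principal's own baseline.

```python
"""CDR query-log anomaly detector (added example; log format, segment and events are constructed)."""
import ipaddress
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical log format: ts src=IP user=principal rows=N stmt="SQL"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) rows=(?P<rows>\d+) stmt="(?P<stmt>.*)"$'
)
CDR_SEGMENT = ipaddress.ip_network("10.50.0.0/16")   # hypothetical isolated CDR network
SUBSCRIBER_PREDICATE = re.compile(r"\b(msisdn|imsi|imei)\s*=", re.IGNORECASE)
BULK_ROWS = 1000            # absolute ceiling for a single interactive lookup
BASELINE_MULTIPLIER = 50    # alert when a query returns 50x the principal's median

# Constructed sample log: two normal per-subscriber lookups, one pivot from the
# application tier, and one bulk pull by an otherwise legitimate billing account.
SAMPLE_LOG = """\
2020-05-12T09:14:07Z src=10.50.1.20 user=billing_svc rows=1 stmt="SELECT start_ts,duration FROM cdr WHERE msisdn='+971500000001'"
2020-05-12T09:15:42Z src=10.50.1.20 user=billing_svc rows=3 stmt="SELECT start_ts,duration FROM cdr WHERE msisdn='+971500000002'"
2020-05-12T03:02:11Z src=10.20.7.31 user=confluence_app rows=482113 stmt="SELECT * FROM cdr WHERE start_ts > '2020-05-01'"
2020-05-12T10:30:00Z src=10.50.1.21 user=billing_svc rows=250000 stmt="SELECT msisdn,cell_id FROM cdr WHERE start_ts > '2020-05-11'"
"""


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    user: str
    rows: int
    stmt: str


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    rule: str


def parse(log_text: str) -> list:
    """Parse the log; lines that do not match the format are skipped, not guessed at."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["src"], m["user"], int(m["rows"]), m["stmt"]))
    return events


def baseline(events: list) -> dict:
    """Median rows returned per principal, a crude per-user 'normal'."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e.rows)
    return {u: statistics.median(r) for u, r in per_user.items()}


def detect(log_text: str) -> list:
    events = parse(log_text)
    medians = baseline(events)
    alerts = []
    for e in events:
        # Rule 1: only hosts inside the CDR segment may query the CDR store at all.
        if ipaddress.ip_address(e.src) not in CDR_SEGMENT:
            alerts.append(Alert(e.ts, e.user, e.src, "source-outside-cdr-segment"))
        # Rule 2: every interactive lookup names a subscriber; a query without one is a sweep.
        if not SUBSCRIBER_PREDICATE.search(e.stmt):
            alerts.append(Alert(e.ts, e.user, e.src, "no-subscriber-predicate"))
        # Rule 3: result size far beyond the absolute ceiling or the principal's own median.
        if e.rows > BULK_ROWS or e.rows > BASELINE_MULTIPLIER * medians[e.user]:
            alerts.append(Alert(e.ts, e.user, e.src, "bulk-extraction"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.rule:28} user={a.user} src={a.src}")
```

Rule 1 is the cheapest and the most decisive: if the application tier cannot reach the CDR segment, a Confluence webshell never gets to issue the query, and a log entry from that tier is by itself an incident. Rules 2 and 3 catch the case where a legitimate account is reused, which is why the billing account's bulk pull is flagged even though its source host is allowed; the `BULK_ROWS` ceiling also protects against a principal whose median has been inflated by earlier bulk reads.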
Lebanese Cedar proved that a Hezbollah-linked cyber unit could breach 250+ servers at major telecom operators across the Middle East using nothing more than exploits for publicly patched vulnerabilities.
The campaign harvested call detail records--the foundation of signals intelligence--from carriers serving tens of millions of subscribers.
Lebanon's Law No. 81 is irrelevant to a non-state armed group operating outside the reach of domestic law, and the absence of a DPA ensures there is no Lebanese authority even theoretically capable of investigating.
The law without teeth cannot restrain actors who never acknowledged its authority to begin with.