Hizbullah hackers caught carrying out cyber espionage worldwide

By Nohad Topalian


Hizbullah chief Hassan Nasrallah is seen on broadcast screens at Hizbullah-owned al-Manar TV in Beirut in this file photo from January 16, 2010. [Anwar Amro/AFP]

BEIRUT -- A group of hackers linked to Hizbullah has breached 250 servers in various countries with the aim of stealing sensitive data and conducting cyber espionage, according to a new report.

In a January 28 report, cyber-security firm ClearSky revealed that suspicious network activity and hacking tools, linked to a previously identified hacker group, had been found at a number of companies in early 2020.

Based in Lebanon and dubbed "Lebanese Cedar" or "Volatile Cedar", the Hizbullah-linked hackers employ a methodology known as Advanced Persistent Threat (APT) -- a prolonged, clandestine attack on a specific target.

The latest attacks, which sought to compromise systems and gain information, were focused on telecom operators, internet service providers and hosting and infrastructure service providers in a number of countries, ClearSky said.


Protesters hold pictures of slain Lebanese activist and intellectual Lokman Slim, who was known for his anti-Hizbullah stance, during a rally in front of the Justice Palace in Beirut, on February 4, the same day he was found dead in his car. [STR/AFP]

The targeted companies were operating in countries including Lebanon, Jordan, Egypt, Israel, the United States and the United Kingdom, it said.

According to software technology company Check Point and Kaspersky Lab, the "Volatile Cedar" attack campaign began in late 2012, with the hackers relying primarily on a custom-made remote access Trojan named Explosive.

"The modus operandi for this attacker group initially targets publicly facing web servers, with both automatic and manual vulnerability discovery," Check Point said, noting that the group is "motivated by political and ideological interests".

"Once in control of a server, the attackers further penetrate the targeted internal network via various means, including manual online hacking as well as an automated USB [Universal Serial Bus] infection mechanism."

The attackers have targeted individuals, companies and institutions worldwide, among them defence contractor firms and educational institutions, it said.

Hizbullah's social media trolls

Hizbullah's malign cyber activities have not been limited to hacking.

Since about 2012, it has been attempting to expand its influence in the online arena and is now grooming social media operatives from across the region, teaching them how to set up and leverage fake accounts on various platforms.

It has been doing this through a Lebanon-based training network, where regional and foreign elements of Hizbullah and affiliated militias learn how to set up fake social media profiles and accounts, activists in Lebanon said.

They are taught skills such as how to digitally manipulate photographs and produce videos that spread the party's propaganda, while attempting to avoid censorship by the administrators of platforms such as Facebook and Twitter.

They also learn how to launch "defamation campaigns against certain opponents", political activist and Hizbullah opponent Lokman Slim told Al-Mashareq last week, days before he was shot dead in his car in south Lebanon.

The areas of Lebanon where Hizbullah wields influence serve as warehouses for Iranian missiles, Slim said, but they also house numerous media outlets.

These include the party's Al-Manar TV headquarters, as well as Al-Masirah TV, which is owned by Yemen's Houthis (Ansarallah), he said.

Hizbullah's media operations in these areas also include social media training camps for "an elite group" of its supporters from countries such as Yemen and Iraq, which are held at institutions affiliated with the party, Slim said.

The training camps operate under the auspices of institutes that are certified to operate as vocational schools, universities and religious seminaries, which provide them with "camouflage", he said.

'Electronic army'

Hizbullah has established an integrated network, known as its "electronic army", which operates on three tracks, said information security and digital transformation expert Roland Abi Najm.

On one track, it seeks "to deliver the information it wants to its constituency through news, text, pictures and video via social networking sites" in such a way that it will not be flagged, blocked or taken down by social media platforms.

On another, it seeks "to manipulate people's minds by spreading sectarian strife", he said, while a third area of operations involves hacking regional and international official and governmental bodies to obtain intelligence information.

Foreign operatives who receive training at Hizbullah's media camps in Lebanon "can train others upon their return to their home countries", Abi Najm said.

Account administrators learn how to conceal their whereabouts, he said, so that through deceptive practices they "may be working out of Lebanon or Iraq, but the social media accounts appear based in India, China, Egypt or North Korea".

Supporting the Iranian axis

"While weapons protect Hizbullah's political and sectarian project, the media and information technology protect its entire project," said Lebanese Centre for Research and Consulting director Hassan Qutb.

In addition to its own media outlets, through which it propagates its ideology and attacks its opponents, Hizbullah has set up numerous websites under various names, some of which are based outside Lebanon, he said.

These outlets drum up support for its agenda by creating, disseminating and promoting content that defends the Iranian axis and attacks the party's opponents, he said.

Iran itself has a similar campaign, with 255,000 employees collectively known as the Cyber Army attempting to participate in and influence social networks.

According to Qutb, Hizbullah has assembled "a group of technicians and experts in computer technology and a cyber army to protect Iran's project [of regional expansion as part of the Islamic Revolution] and attack its opponents".

This group operates by "hacking and disabling websites that attack Iran's policies, project and axis, as well as hacking the email accounts of some opponents", he said.

"It is the task of this team to use technology and techniques to manipulate news, images and videos and present them to friendly websites for posting as condemning evidence against [Hizbullah] opponents to harm their reputations," he said.

Hizbullah seeks to transfer this methodology to allied militias elsewhere in the region -- in countries such as Syria, Iraq and Yemen, where there is support for the Iranian axis -- in order to indoctrinate and mislead readers, he said.
