By Annie Fixler and Mark Montgomery
February 5, 2021
Hezbollah’s cyber operatives are back in the game, according to a new report by Israeli firm ClearSky Cyber Security. After years of apparent inactivity, the group’s reappearance is part of a larger trend in which non-state actors increasingly acquire sophisticated cyber tools that exploit the gaps left by insufficient investment in cyber defense.
ClearSky identified suspicious network activity in early 2020 and discovered an updated version of custom-built remote access malware previously used only by an Advanced Persistent Threat (APT) group known as Lebanese Cedar or Volatile Cedar. Another Israeli cybersecurity firm, Check Point, exposed the group in 2015, traced its activity back to 2012, and concluded that it originated in Lebanon. At the time, other researchers linked the group to Hezbollah, although Check Point itself did not make a positive attribution.
Yaniv Balmas, the head of cyber research at Check Point, said that the new report’s findings are consistent with his company’s assessment of Lebanese Cedar. While Balmas reiterated that Check Point has not identified the organization within Lebanon responsible for this APT, he noted that the victim profile “could match the motives of Hezbollah.”
ClearSky noted that Lebanese Cedar also used a piece of malware built by Iranian hackers responsible for the 2011–13 distributed denial of service attacks against the U.S. financial system. ClearSky caveated the finding by noting that its researchers are “unable to determine the nature of the relationship” between Lebanese Cedar and the Iranian hackers. However, ClearSky said, the existence of Iranian code “may point to a connection” with the regime in Iran.
In the non-cyber domain, Hezbollah has relied on the Islamic Republic to develop its military capabilities. For example, Iran has transferred components for manufacturing precision-guided missiles and has helped Hezbollah set up conversion and assembly facilities in Lebanon, with the goal of establishing domestic production capability. Iran has also provided Hezbollah with drone technology.
A similar dynamic is happening with technology and cyber capabilities. Iran built Hezbollah’s secure telecommunications network and supplies the funding and technical know-how for Hezbollah’s robust cyber warfare training program. Former Israeli national security advisor Yaakov Amidror went so far as to call Hezbollah Iran’s cyber “sub-contractor.”
While Hezbollah’s cyber operatives receive backing from the Islamic Republic, the broader challenge for cyber defenders is that “cyber capabilities, unlike nuclear capabilities, can be built or obtained without access to national resources and power,” explained the congressionally mandated Cyberspace Solarium Commission in March 2020.
“While it might be difficult to buy sophisticated kinetic weapons on the black market,” the Commission added, “for both states and criminal groups it is easy to buy malware to support brazen cyberattacks.”
More than five years ago, John Riggi, the FBI’s then-cyber section chief, warned that terrorist groups have “strong intent” but “thankfully, low capability. But the concern is that they’ll buy that capability.” A joint 2019 U.S. government-private sector study of the “proliferation and commodification of cyber offensive capabilities” observed an “increasing ability to buy cyber tools on a commercial basis.” In the case of terrorist groups like Hezbollah, this is particularly concerning because they are “often not susceptible to diplomatic or military suasion in the same manner as nation-states.”
The increased likelihood that such groups will use cyber tools is compounded by another dynamic: the cyber tools available to terrorist groups like Hezbollah and other non-state actors are becoming more effective. In this latest global espionage campaign, Lebanese Cedar used not only its custom, self-developed tools but also a far larger number of tools readily available to any malicious actor on the internet. The accessibility of sophisticated open-source and dark web tooling is sharply raising the capability of non-state cyber actors.
The ClearSky report points to the second part of this dynamic: the growing interconnectivity of networks. The cybersecurity firm identified 250 compromised servers, including hosting servers and other information technology and managed service providers in the United States and the United Kingdom, which the hackers used as staging infrastructure to reach targets in the Middle East. Every third-party provider that can be compromised and repurposed in this way widens the attack surface available to malicious actors.
Following the attacks of Sept. 11, 2001, faced with an adversary that did not respond to traditional forms of deterrence, the United States developed new financial tools: sanctions to punish states that host terrorist groups, and pressure on the individuals or groups financing terrorism, who could be persuaded not to fund a terrorist group’s activities in the first place.
The cyber domain is again forcing the United States and its allies to reevaluate assumptions about deterrence. But instead of rethinking the credibility of deterrence, the United States should focus on deterrence by denial. By investing in cyber defense, the government and private sector can collaborate to reduce vulnerabilities and thus deny all cyber adversaries the ability to achieve their objectives. “This form of denial is especially important for deterring non-state actors, such as extremists and criminals,” observed the Cyberspace Solarium Commission.
A better defense will require not only investments in network security but also better threat information sharing with the private sector and with allies and partners. The United States also needs national critical infrastructure resilience strategies to communicate to adversaries that their malicious cyber operations will fail.
Foundation for Defense of Democracies