New Group Joins the Middle East Cyber-Espionage War

Cyber Warfare Asia
2 min read · Aug 29, 2019


Middle Eastern Oil & Gas entities and telecoms across Asia and Africa susceptible to New Lyceum APT

A new group has emerged with its central focus on the regional energy sector. The hacking group, tracked by cyber-security firms under the names Lyceum and Hexane, is claimed to have been targeting the Middle East since mid-2018.

According to a report, cyber-security firm Dragos confirmed that the group had targeted oil and gas companies in the Middle East multiple times, with Kuwait as its major focus.

Telecommunication providers in the Middle East, Central Asia and Africa have also been targeted. Dragos assesses these intrusions as a stepping stone towards network-focused man-in-the-middle and similar attacks, while Lyceum's main focus remains the energy sector.

Secureworks, in a report shared with ZDNet, said that it had spotted increased Lyceum activity in May, following the group's testing and development of a malware scanning service in February of this year, further confirming that it was targeting oil and gas companies.

LYCEUM ATTACKS: HISTORICALLY SIMILAR?

In these attacks, Lyceum hackers used password spraying against organizations in order to crack their email accounts, a pattern Secureworks termed very easy yet effective. They then used the compromised accounts to send spear-phishing emails to the victims' colleagues, carrying infected Excel files with a payload named DanDrop, a VBA macro script that infects the victim with DanBot, a C# remote access trojan (RAT). In this second stage the prime targets were higher-level staff.

Lyceum hackers would then use DanBot to run PowerShell scripts, perform lateral movement, or deploy keylogging functionality.
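As an added illustration of the initial-access step described above (example code written for this post, not Secureworks' or Dragos' tooling), the following detector looks for the spray pattern in authentication logs: one source failing against many distinct accounts within a short window, which a brute-force rule counting failures per account would miss. The log format and every sample line are constructed.

```python
# Detect password spraying in authentication logs: one source failing against
# many distinct accounts, each only once or twice, inside a short time window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the article): timestamp, source, user, result
SAMPLE_LOG = """\
2019-05-02T08:00:01Z 203.0.113.7 alice FAIL
2019-05-02T08:00:03Z 203.0.113.7 bob FAIL
2019-05-02T08:00:05Z 203.0.113.7 carol FAIL
2019-05-02T08:00:07Z 203.0.113.7 dave FAIL
2019-05-02T08:00:09Z 203.0.113.7 erin FAIL
2019-05-02T08:00:11Z 203.0.113.7 frank OK
2019-05-02T08:10:00Z 198.51.100.4 alice FAIL
2019-05-02T08:10:02Z 198.51.100.4 alice FAIL
2019-05-02T08:10:04Z 198.51.100.4 alice FAIL
2019-05-02T09:30:00Z 192.0.2.9 bob FAIL
"""

def parse_log(text):
    """Yield (timestamp, source, user, success) tuples from the simple log format."""
    for line in text.splitlines():
        ts, src, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result == "OK"

def detect_spray(events, window=timedelta(minutes=30), min_users=5):
    """Map each spraying source to the accounts it failed against: at least
    min_users distinct accounts within window. Many failures on one account
    (198.51.100.4 above) is brute force, not a spray, and is not reported."""
    failures = defaultdict(list)  # source -> [(timestamp, user), ...] in log order
    for ts, src, user, ok in events:
        if not ok:
            failures[src].append((ts, user))
    hits = {}
    for src, attempts in failures.items():
        start = 0
        for end in range(len(attempts)):  # sliding window over this source's failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits

def successes_from_sprayers(events, sprayers):
    """Accounts that authenticated successfully from a spraying source: the
    likely footholds for the follow-on spear-phishing stage."""
    return sorted({u for _, src, u, ok in events if ok and src in sprayers})
```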

Similarities with Iranian groups

The attacks resemble those employed by other hacking groups that targeted financial entities and stole information. That said, Dragos and Secureworks have not linked the activity to any specific country, though they did acknowledge that it bears resemblance to APT33 and APT34, groups linked to Iran.

Rafe Pilling, a senior security researcher at the Secureworks Counter Threat Unit, told ZDNet in an email that they lack any specific technical evidence to link it with Iran, while clarifying that Lyceum did use techniques similar to those observed from Iranian groups in the past.

Lyceum is expected to stay focused on its activities targeting the Middle East energy sector, until security firms can muster more evidence to link them to a specific country.


Written by Cyber Warfare Asia

Providing news related to state sponsored cyber warfare in Asia
