
Meet Lyceum: Iranian hackers targeting telecoms, ISPs | ZDNet


Researchers have provided a deep dive into the activities of Lyceum, an Iranian threat group focused on infiltrating the networks of telecoms companies and internet service providers (ISPs). 

Lyceum, also known as Hexane, Siamesekitten, or Spirlin, has been active since 2017. The advanced persistent threat (APT) group has been linked to campaigns striking Middle Eastern oil and gas companies in the past and now appears to have expanded its focus to include the technology sector.

According to a report published on Tuesday by Accenture Cyber Threat Intelligence (ACTI) and Prevailion Adversarial Counterintelligence (PACT), between July and October this year, Lyceum was spotted in attacks against ISPs and telecoms organizations across Israel, Morocco, Tunisia, and Saudi Arabia. 

In addition, the APT is responsible for a campaign against an African ministry of foreign affairs. 

The cybersecurity teams say that several of the “identified compromises” remain active at the time of publication. 

Lyceum’s initial attack vectors include credential stuffing attacks and brute-force attacks. According to Secureworks, individual accounts at companies of interest are usually targeted — and then once these accounts are breached, they are used as a springboard to launch spear phishing attacks against high-profile executives in an organization.
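The two initial-access techniques just described leave distinct footprints in authentication logs: a brute-force attempt hammers one account from one source, while credential stuffing tries many different accounts from one source with only a few attempts each; a later successful login from the same source is the "springboard" account the article mentions. The following detection sketch is an added example, not code from the original article or from the ACTI/PACT report; the log format, IP addresses, user names and thresholds are all constructed for illustration.

```python
"""Flag brute-force and credential-stuffing patterns in authentication logs.

Added example for this page, not code from the article or its sources.
Log format, addresses, user names and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log (assumed format: "<ts> <OK|FAIL> user=<u> src=<ip>").
SAMPLE_LOG = """\
2021-09-01T08:00:01 FAIL user=alice src=203.0.113.5
2021-09-01T08:00:02 FAIL user=alice src=203.0.113.5
2021-09-01T08:00:03 FAIL user=alice src=203.0.113.5
2021-09-01T08:00:04 FAIL user=alice src=203.0.113.5
2021-09-01T08:00:05 FAIL user=alice src=203.0.113.5
2021-09-01T08:00:06 OK user=alice src=203.0.113.5
2021-09-01T08:10:00 FAIL user=bob src=198.51.100.7
2021-09-01T08:10:01 FAIL user=carol src=198.51.100.7
2021-09-01T08:10:02 FAIL user=dave src=198.51.100.7
2021-09-01T08:10:03 FAIL user=erin src=198.51.100.7
2021-09-01T08:10:04 OK user=frank src=198.51.100.7
2021-09-01T09:00:00 OK user=grace src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(events, fail_threshold=5, spray_threshold=4):
    """Return findings for three patterns:

    brute_force:            one source failing repeatedly against one account
    credential_stuffing:    one source failing against many distinct accounts
    success_after_failures: a successful login from a source that was already
                            failing (the breached account used as a springboard)
    """
    fails = defaultdict(int)   # (src, user) -> failed attempts
    tried = defaultdict(set)   # src -> distinct users that saw failures
    findings = {"brute_force": [], "credential_stuffing": [],
                "success_after_failures": []}
    for e in events:
        src, user = e["src"], e["user"]
        if e["result"] == "FAIL":
            fails[(src, user)] += 1
            tried[src].add(user)
        elif tried[src]:
            findings["success_after_failures"].append((src, user))
    for (src, user), n in fails.items():
        if n >= fail_threshold:
            findings["brute_force"].append((src, user, n))
    for src, users in tried.items():
        if len(users) >= spray_threshold:
            findings["credential_stuffing"].append((src, len(users)))
    return findings


if __name__ == "__main__":
    for kind, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(kind, hits)
```

The thresholds are deliberately low so the constructed sample triggers; in production they should be tuned against baseline failure rates, and the source key should usually be the client address behind any proxy or NAT, not the load balancer's.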

The APT appears to be focused on cyberespionage. The report suggests that not only do these attackers seek out data on subscribers and connected third-party companies, but once compromised, “these industries can also be used by threat actors or their sponsors to surveil individuals of interest.”

Lyceum will attempt to deploy two different kinds of malware: Shark and Milan (known together as James). Both are backdoors. Shark, a 32-bit executable written in C# and .NET, generates a configuration file for DNS tunneling or HTTP C2 communications, whereas Milan, a 32-bit Remote Access Trojan (RAT), retrieves data. Both are able to communicate with the group’s command-and-control (C2) servers. 
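DNS tunneling of the kind Shark's configuration supports encodes data into the subdomain labels of queries, so a defender sees one registered domain receiving many unique, long, high-entropy subdomains from a single host. The heuristic below is an added example, not code from the article or from the researchers; the query set and the domain names in it are constructed placeholders, and the "registered domain is the last two labels" rule is a deliberate simplification.

```python
"""Flag DNS query patterns consistent with tunneling-style C2 traffic.

Added example for this page, not code from the article or its sources.
Sample queries, domain names and thresholds are constructed assumptions.
"""
import hashlib
import math
from collections import defaultdict


def _fake_chunk(i):
    # Deterministic hex label standing in for an encoded data chunk (constructed).
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]


# Constructed sample: (source_ip, queried_name). example.net is a placeholder.
SAMPLE_QUERIES = (
    [("10.0.0.5", "www.example.com")] * 3
    + [("10.0.0.5", "mail.example.com")]
    + [("10.0.0.5", f"{_fake_chunk(i)}.svc.example.net") for i in range(25)]
)


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name, suffix_labels=2):
    # Simplification: treat the last two labels as the registered domain.
    # Real deployments should use a public-suffix list (co.uk etc.).
    return ".".join(name.split(".")[-suffix_labels:])


def score_domains(queries, min_unique=20, min_label_len=30, min_entropy=3.0):
    """Return {domain: stats} for domains whose subdomain traffic looks tunneled."""
    per_domain = defaultdict(set)   # domain -> unique subdomain prefixes
    for _src, name in queries:
        labels = name.split(".")
        prefix = ".".join(labels[:-2])
        if prefix:
            per_domain[registered_domain(name)].add(prefix)
    flagged = {}
    for dom, prefixes in per_domain.items():
        longest_label = max(len(l) for p in prefixes for l in p.split("."))
        # Entropy of the leftmost label, where encoded data would sit.
        avg_entropy = sum(shannon_entropy(p.split(".")[0]) for p in prefixes) / len(prefixes)
        if (len(prefixes) >= min_unique
                and longest_label >= min_label_len
                and avg_entropy >= min_entropy):
            flagged[dom] = {
                "unique_subdomains": len(prefixes),
                "longest_label": longest_label,
                "avg_entropy": round(avg_entropy, 2),
            }
    return flagged


if __name__ == "__main__":
    print(score_domains(SAMPLE_QUERIES))
```

All three conditions must hold together: content delivery networks also produce many unique subdomains, and hashed labels also appear in legitimate anti-spam or telemetry lookups, so any single signal on its own is noisy. Correlating a flagged domain with the querying host's process list is the next step a responder would take.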

The APT maintains a C2 server network that connects to the group’s backdoors, made up of over 20 domains, including six that were previously not connected with the threat actors. 

The backdoor malware families have previously been disclosed by ClearSky and Kaspersky.

Recently, the ACTI/PACT researchers found a new backdoor similar to newer versions of Milan which sent beacons linked to potential attacks against a Tunisian telecoms company and a government agency in Africa.

“It is unknown if the Milan backdoor beacons are coming from a customer of the Moroccan telecommunication operator or from internal systems within the operator,” the researchers say. “However, since Lyceum has historically targeted telecommunication providers and the Kaspersky team identified recent targeting of telecommunication operators in Tunisia, it would follow that Lyceum is targeting other North African telecommunication companies.”


