Iranian APT group Lyceum (aka HEXANE, Spirlin) has expanded its focus to infiltrate the networks of telecom companies and Internet Service Providers (ISPs), says a report by Prevailion Adversarial Counterintelligence (PACT) and Accenture Cyber Threat Intelligence (ACTI).
Key findings
The report indicates that between July and October, Lyceum launched several politically motivated attacks focused on cyberespionage.
The recent campaign has been launched against ISPs and telecom organizations across Israel, Morocco, Tunisia, and Saudi Arabia.
The APT group has targeted an African ministry of foreign affairs and a Tunisian telecoms company with a new backdoor similar to newer versions of Milan.
Attack tactics
Lyceum uses credential stuffing and brute-force techniques as initial attack vectors.
Once a victim’s system is compromised, the attackers conduct surveillance on specific targets.
Lyceum has been observed using two distinct malware families dubbed Shark and Milan (known together as James).
Both backdoors can reach their C2 infrastructure over DNS and HTTP(S); Shark additionally supports DNS tunneling, carrying tasking and results inside DNS queries and responses.
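The two tactics above, password brute force and credential stuffing for initial access, then DNS-based C2, both leave traces in ordinary logs. The following is an added example, not code from the PACT/ACTI report or from the Lyceum tooling, showing simple log-based detections for each stage. The log formats, IP addresses, domains, thresholds and the tunneled labels are all constructed assumptions; nothing here reproduces Shark's real DNS tunneling format, which the page does not describe.

```python
"""Added example: log-based detections for the tactics described above.
Assumptions: the auth and DNS log formats, all IPs, domains, labels and
thresholds are hypothetical; they do not describe Shark's or Milan's traffic."""
import math
from collections import Counter, defaultdict

# Constructed auth log. Hypothetical format: "<timestamp> <OK|FAIL> user=<name> src=<ip>"
AUTH_LOG = [
    "2021-10-01T08:00:01 OK user=alice src=198.51.100.5",
    # one account, repeated guesses from one source: password brute force
    *[f"2021-10-01T08:00:{s:02d} FAIL user=admin src=203.0.113.10" for s in range(2, 8)],
    # many accounts, one try each, from one source: credential stuffing
    *[f"2021-10-01T08:01:{s:02d} FAIL user={u} src=203.0.113.20"
      for s, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    "2021-10-01T08:02:00 FAIL user=bob src=198.51.100.5",  # a lone typo-level failure
]

# Constructed DNS query log. Hypothetical format: "<timestamp> <client_ip> <qtype> <qname>"
# The six labels are hand-built so every hex digit appears exactly twice (entropy 4.0 bits).
TUNNEL_LABELS = [
    "0123456789abcdeffedcba9876543210",
    "fedcba98765432100123456789abcdef",
    "02468ace13579bdfbdf97531eca86420",
    "13579bdf02468aceeca86420bdf97531",
    "abcdef01234567899876543210fedcba",
    "89abcdef0123456776543210fedcba98",
]
DNS_LOG = [
    "2021-10-01T09:00:00 10.0.0.5 A www.example.com",
    "2021-10-01T09:00:02 10.0.0.5 A mail.example.com",
    "2021-10-01T09:00:03 10.0.0.5 A cdn.example.com",
    "2021-10-01T09:00:04 10.0.0.7 AAAA www.example.net",
    # one host issuing a stream of unique, long, high-entropy TXT lookups under one zone
    *[f"2021-10-01T09:01:{i:02d} 10.0.0.5 TXT {label}.dns-update.example"
      for i, label in enumerate(TUNNEL_LABELS)],
]


def parse_auth(line):
    ts, result, user, src = line.split()
    return ts, result, user.split("=", 1)[1], src.split("=", 1)[1]


def detect_password_attacks(lines, fail_threshold=5):
    """Group failed logins by source IP. Many failures concentrated on one or two
    accounts reads as brute force; failures spread across many distinct accounts
    reads as credential stuffing. Returns {src_ip: finding}."""
    failures = defaultdict(list)
    for line in lines:
        _, result, user, src = parse_auth(line)
        if result == "FAIL":
            failures[src].append(user)
    findings = {}
    for src, users in failures.items():
        if len(users) < fail_threshold:
            continue
        distinct = len(set(users))
        kind = "credential_stuffing" if distinct / len(users) >= 0.5 else "brute_force"
        findings[src] = {"failures": len(users), "distinct_users": distinct, "kind": kind}
    return findings


def shannon_entropy(s):
    """Bits of entropy per character; random-looking tunnel payloads score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Split a query name into (zone, subdomain labels). Assumption: the zone is the
    last two labels; production code would use a public-suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def detect_dns_tunneling(lines, min_unique=5, min_entropy=3.5, min_length=30):
    """Per zone, count unique subdomains and score their length and entropy.
    A zone with many unique, long, high-entropy subdomains is flagged."""
    per_zone = defaultdict(lambda: {"subdomains": set(), "queries": 0, "odd": 0, "clients": set()})
    for line in lines:
        _, client, qtype, qname = line.split()
        zone, sub_labels = registered_domain(qname)
        z = per_zone[zone]
        z["queries"] += 1
        z["clients"].add(client)
        z["odd"] += qtype in ("TXT", "NULL")  # record types favoured for bulk payloads
        if sub_labels:
            z["subdomains"].add("".join(sub_labels))
    findings = {}
    for zone, z in per_zone.items():
        subs = z["subdomains"]
        if len(subs) < min_unique:
            continue
        mean_entropy = sum(map(shannon_entropy, subs)) / len(subs)
        mean_length = sum(map(len, subs)) / len(subs)
        if mean_entropy >= min_entropy and mean_length >= min_length:
            findings[zone] = {
                "queries": z["queries"], "unique_subdomains": len(subs),
                "clients": len(z["clients"]), "mean_entropy": mean_entropy,
                "mean_subdomain_length": mean_length,
                "txt_or_null_ratio": z["odd"] / z["queries"],
            }
    return findings


if __name__ == "__main__":
    for src, f in detect_password_attacks(AUTH_LOG).items():
        print(f"auth  {src}: {f}")
    for zone, f in detect_dns_tunneling(DNS_LOG).items():
        print(f"dns   {zone}: {f}")
```

On the sample data the auth detector reports 203.0.113.10 as brute force and 203.0.113.20 as credential stuffing while ignoring the single failure from 198.51.100.5, and the DNS detector flags only dns-update.example. The thresholds are deliberately conservative; in a real environment they should be tuned against a baseline of normal lookups, since CDNs and some security products also generate long, high-entropy subdomains.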
A brief about Lyceum
Active since 2017, Lyceum has historically targeted high-level service providers to collect valuable intelligence on foreign nations.
In October, the group targeted two entities in Tunisia with two different malware variants, James and Kevin.
In August, Lyceum targeted Israeli organizations such as ChipPc and Software AG via job offer-related lures.
In its early operations, the group targeted oil and gas organizations in the Middle East with tools such as DanBot, DanDrop, kl.ps1, Decrypt-RDCMan.ps1, and Get-LAPSP.ps1.
Wrapping up
Lyceum has continued targeting organizations of strategic national importance. Despite public disclosure of IOCs associated with its operations, the group has managed to stay ahead of defensive systems, which makes it a dangerous threat.