Secureworks and Dragos have published reports on the cyber-espionage group Lyceum (also known as Hexane). The group's primary targets are energy-sector and oil and gas companies in the Middle East, as well as telecommunications providers in Africa and Asia.
Dragos writes that Lyceum has repeatedly attacked the energy sector and oil and gas companies in the Middle East, with Kuwait the main focus of the group's activity.
“HEXANE intrusion activity includes malicious documents that drop malware to establish footholds for follow-on activity. Although the group appears operational since at least mid-2018, activity accelerated in early- to mid-2019. This timeline, targeting, and increase of operations coincides with an escalation of tensions within the Middle East, a current area of political and military conflict,” Dragos researchers write.
In addition, the group has repeatedly attacked telecommunications service providers in the Middle East, Central Asia and Africa. Dragos believes these intrusions are a stepping stone toward more serious campaigns that use man-in-the-middle techniques.
Secureworks, in turn, reports that in May of this year it also recorded a surge in Lyceum activity against oil and gas companies. According to the researchers, from February 2019 the attackers had been actively testing an updated toolkit, including checking it against a public malware scanner.
The researchers say the group is not notably innovative and relies on simple but proven methods. For example, to compromise individual email accounts in target organizations, the attackers use brute force and password spraying (trying one password against many different usernames, hoping to hit a poorly protected account).
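The two credential attacks described above leave different footprints in authentication logs: a brute-force attempt produces many failures for one account from one source, while a spray produces a few failures each across many accounts from one source, often followed by a single success once a weak password is found. The following detector, an added example and not code from either report, runs over a constructed sample log (the format, account names and IP addresses are invented for illustration) and flags both patterns plus any successful login from a flagged source.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not from the Secureworks or Dragos reports).
# Fields: ISO-8601 timestamp, result, account, source IP.
SAMPLE_LOG = """\
2019-05-06T08:00:01Z FAIL alice@example.com 198.51.100.7
2019-05-06T08:00:05Z FAIL bob@example.com 198.51.100.7
2019-05-06T08:00:09Z FAIL carol@example.com 198.51.100.7
2019-05-06T08:00:14Z FAIL dave@example.com 198.51.100.7
2019-05-06T08:00:18Z FAIL erin@example.com 198.51.100.7
2019-05-06T08:00:22Z OK   frank@example.com 198.51.100.7
2019-05-06T08:10:00Z FAIL alice@example.com 203.0.113.9
2019-05-06T08:10:01Z FAIL alice@example.com 203.0.113.9
2019-05-06T08:10:02Z FAIL alice@example.com 203.0.113.9
2019-05-06T08:10:03Z FAIL alice@example.com 203.0.113.9
2019-05-06T08:10:04Z FAIL alice@example.com 203.0.113.9
2019-05-06T08:10:05Z FAIL alice@example.com 203.0.113.9
2019-05-06T09:00:00Z FAIL grace@example.com 192.0.2.44
2019-05-06T09:30:00Z OK   grace@example.com 192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse the sample format into (timestamp, result, user, ip) tuples; skip malformed lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect(events, window=timedelta(minutes=30), spray_users=5,
           spray_max_per_user=2, brute_fails=5):
    """Classify failed logins per source IP inside a sliding time window.

    spray:  >= spray_users distinct accounts, each failing at most spray_max_per_user times
    brute:  any single account failing >= brute_fails times
    followup_success: a successful login from an IP already flagged (likely a hit)
    Thresholds are illustrative; tune them to the volume of the real service.
    """
    fails_by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))

    spray, brute = {}, {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            in_window = [u for t, u in fails[i:] if t - start <= window]
            per_user = Counter(in_window)
            if len(per_user) >= spray_users and max(per_user.values()) <= spray_max_per_user:
                spray[ip] = sorted(per_user)
            heavy = [u for u, n in per_user.items() if n >= brute_fails]
            if heavy:
                brute[ip] = sorted(set(brute.get(ip, [])) | set(heavy))

    followup = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "OK" and (ip in spray or ip in brute):
            followup[ip].append(user)

    return {"spray": spray, "brute": brute, "followup_success": dict(followup)}


if __name__ == "__main__":
    for kind, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(kind, hits)
```

In the constructed data, 198.51.100.7 fails once against five different accounts and then logs in as a sixth, which is the spray-then-success pattern; 203.0.113.9 hammers one account, which is brute force; 192.0.2.44 is a user who mistyped once and is not flagged. The followup_success output is the alert worth paging on, since it is the account most likely to be used to send the internal phishing described next.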
Having compromised an account, the attackers use it to send phishing emails to the victim's colleagues. These messages carry malicious Excel files designed to infect other users in the same organization. The main targets of this second phase are typically executives, human resources and IT staff.
The payload in the Excel files is DanDrop, a VBA macro that installs the DanBot remote access trojan, written in C#. The attackers then use DanBot to download and run additional tooling, mainly PowerShell scripts for credential theft, lateral movement, or keylogging.
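Because the initial payload is a VBA macro inside an Excel attachment, a cheap mail-gateway triage check is whether an inbound workbook carries macro code at all. Modern Office files are ZIP archives, and a macro-enabled workbook stores its VBA project as the member xl/vbaProject.bin; legacy .xls files are OLE2 compound documents (magic bytes D0 CF 11 E0) that need a dedicated parser to inspect. The classifier below is an added example, not code from the reports; the sample workbooks are constructed in memory and contain only the members needed to exercise the check.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_workbook(with_macro):
    """Construct a minimal OOXML-style ZIP (constructed for this example, not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Real vbaProject.bin is an OLE2 container; only the header matters here.
            z.writestr("xl/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


def classify_attachment(data):
    """Return a coarse verdict for an Excel attachment's bytes.

    'ooxml-with-vba': ZIP container with a VBA project member (macro-enabled, e.g. .xlsm)
    'ooxml-no-vba':   ZIP container without one
    'legacy-ole':     binary .xls; macros possible, inspect with an OLE/VBA parser
    'other':          not an Office container
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"
    if not data.startswith(b"PK"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = [n.lower() for n in z.namelist()]
    except zipfile.BadZipFile:
        return "other"
    if any(n.endswith("vbaproject.bin") for n in names):
        return "ooxml-with-vba"
    return "ooxml-no-vba"


def should_quarantine(data, sender_is_internal):
    """Policy hook: hold macro-bearing or legacy workbooks, even from internal senders,
    since the campaign above sends them from already-compromised internal accounts."""
    verdict = classify_attachment(data)
    return verdict in ("ooxml-with-vba", "legacy-ole")


if __name__ == "__main__":
    print(classify_attachment(build_sample_workbook(True)))
    print(classify_attachment(build_sample_workbook(False)))
```

The sender_is_internal flag is deliberately ignored in the quarantine decision: the page's own point is that phase two of this campaign comes from a trusted colleague's mailbox, so an internal-sender bypass would defeat the check.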
Although neither Dragos nor Secureworks has yet attributed Lyceum to a particular country, experts from both companies note that the group's tactics and techniques resemble those of APT33 and APT34, well-known cyber-espionage groups associated with Iran.

Secureworks researchers recommend the following to provide broad protection and detection capabilities against a spectrum of threats:
- Implement multi-factor authentication (MFA) — Every corporate remote access service available on the Internet, including cloud applications such as Office 365/Outlook, external virtual private networks (VPNs), and single sign-on (SSO) pages, should require users to provide a one-time password in addition to their regular password.
- Increase visibility via endpoint detection, response, and logging — Incident response efforts are often hampered by a lack of visibility in the environment. Endpoint monitoring tools are essential for detecting suspicious activity in the environment after other controls have been evaded.
- Conduct preparedness exercises — Technology solutions cannot address all cybersecurity risks. Employees are both vulnerabilities and assets. Fostering a culture that focuses on security awareness and makes it easy for staff to work efficiently in a crisis reduces the overall frequency, impact, and cost of security incidents.
- Incident response — Table-top exercises can benefit organizations at different stages. This training will enable staff to contact the correct people inside and outside the organization when an incident occurs.
- Phishing awareness — Continuously reinforcing phishing awareness training and giving users an easy way to report suspicious messages helps to detect phishing campaigns early.