Researchers have provided a deep dive into the activities of Lyceum; an Iranian threat group focused on infiltrating the networks of telecoms companies and internet service providers (ISPs).
Lyceum, also known as Hexane, Siamesekitten, or Spirlin, has been active since 2017. The advanced persistent threat (APT) group has been linked to campaigns striking Middle Eastern oil and gas companies in the past and now appears to have expanded its focus to include the technology sector.
According to a report published on Tuesday by Accenture Cyber Threat Intelligence (ACTI) and Prevailion Adversarial Counterintelligence (PACT), between July and October this year, Lyceum was spotted in attacks against ISPs and telecoms organizations across Israel, Morocco, Tunisia, and Saudi Arabia.
In addition, the APT is responsible for a campaign against an African ministry of foreign affairs.
The cybersecurity teams say that several of the “identified compromises” remain active at the time of publication.
Lyceum’s initial attack vectors include credential stuffing attacks and brute-force attacks. According to Secureworks, individual accounts at companies of interest are usually targeted — and then once these accounts are breached, they are used as a springboard to launch spear-phishing attacks against high-profile executives in an organization.
The APT appears to be focused on cyberespionage. The report suggests that not only do these attackers seek out data on subscribers and connected third-party companies, but once compromised, “threat actors or their sponsors can also use these industries to surveil individuals of interest.”
Lyceum will attempt to deploy two different kinds of malware: Shark and Milan (known together as James). Both are backdoors; Shark, a 32-bit executable written in C# and .NET, generates a configuration file for DNS tunneling or HTTP C2 communications, whereas Milan — a 32-bit Remote Access Trojan (RAT) retrieves data. Both are able to communicate with the groups’ command-and-control (C2) servers.
The APT maintains a C2 server network that connects to the group’s backdoors, consisting of over 20 domains, including six that were previously not associated with the threat actors.
The backdoor malware families have previously been disclosed by ClearSky and Kasperksy (.PDF).
The ACTI/PACT researchers recently found a new backdoor similar to newer versions of Milan, which sent beacons linked to potential attacks against a Tunisian telecoms company and a government agency in Africa.
“It is unknown if the Milan backdoor beacons are coming from a customer of the Moroccan telecommunication operator or from internal systems within the operator,” the researchers say. “However, since Lyceum has historically targeted telecommunication providers and the Kaspersky team identified recent targeting of telecommunication operators in Tunisia, it would follow that Lyceum is targeting other north Africa telecommunication companies.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0