Lyceum APT Group a Fresh Threat to Oil and Gas Companies
Reports Say Group Also Targeting Telecom Firms
An emerging cyber espionage group that apparently started its work in South Africa last year is now focusing on targeting critical control systems for oil and gas companies in the Middle East, according to researchers at two cybersecurity firms.
The threat group - called "Lyceum" by Secureworks and "Hexane" by Dragos - also has targeted telecommunications providers in the Middle East, Africa and Central Asia, "potentially as a stepping stone to network-focused man-in-the-middle and related attacks," Dragos researchers say.
Secureworks, a unit of Dell, says that domain registrations indicate that Lyceum, which may have been active as early as April 2018, attacked targets in South Africa in the middle of last year. The group expanded its geographical reach in May when it launched a campaign against oil and gas companies in the Middle East after it had made a "sharp uptick in development and testing of their toolkit against a public multivendor malware scanning service in February."
Dragos said organizations in Kuwait appear to be a primary target for the group.
"Currently, Lyceum appears to be operating at a fairly small scale, which has contributed to maintaining their low profile," Rafe Pilling, senior security researcher at Secureworks' counter threat unit, tells Information Security Media Group, adding that no operations in the United States have been detected.
"Geographical locations are less of a concern for cyber groups, and it is likely that geo-political issues are driving their operations rather than geography. ... Multinational U.S. companies with subsidiaries in the Middle East may be at an elevated risk from Lyceum targeting. However, these types of organizations should already be considering the risk of APT [advanced persistent threat]-style intrusions and deploying appropriate controls and countermeasures."
Tactics and Techniques
Lyceum's tactics and techniques are similar to other APT groups, such as Cobalt Gypsy - which is related to OilRig, Crambus and APT34 - and Cobalt Trinity, which also is known as Elfin and APT33, according to Secureworks. None of the malware or infrastructure related to Lyceum, however, can be directly linked to these other threat groups, the researchers say.
Lyceum's attacks begin with password-spraying - essentially trying to access large numbers of email accounts by using commonly used passwords - and brute-force techniques to gain access to a company's network via compromised accounts, according to Secureworks. Once the group successfully compromises accounts, Lyceum sends spear-phishing emails to a victim's colleagues that carry malicious Excel attachments that deliver DanBot, a C# first-stage remote access Trojan, or RAT, that can execute commands and upload and download files, Secureworks says.
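The two access patterns described above leave distinct footprints in authentication logs: a spray is one source failing against many accounts a few times each, while brute force is one source failing against a single account many times. The following script is an added illustration of how a defender can surface both from a log export, and then list which accounts the flagged source nevertheless logged into successfully (the "compromised accounts" the next stage relies on). It is not Secureworks or Dragos code; the one-line-per-attempt log format, the thresholds and the sample entries are all constructed for the example.

```python
"""Detect password-spraying and brute-force patterns in authentication logs.

Added illustration for the article above; not Secureworks or Dragos code.
The log format is an assumption: one line per login attempt, shaped as
"<ISO timestamp> src=<ip> user=<account> result=<OK|FAIL>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries one password across many accounts
# (spray) and gets into "frank"; 198.51.100.9 hammers a single account
# (brute force); 192.0.2.44 is a user who mistyped once and then succeeded.
SAMPLE_LOG = """\
2019-05-03T08:00:01Z src=203.0.113.7 user=alice result=FAIL
2019-05-03T08:00:02Z src=203.0.113.7 user=bob result=FAIL
2019-05-03T08:00:03Z src=203.0.113.7 user=carol result=FAIL
2019-05-03T08:00:04Z src=203.0.113.7 user=dave result=FAIL
2019-05-03T08:00:05Z src=203.0.113.7 user=erin result=FAIL
2019-05-03T08:00:06Z src=203.0.113.7 user=frank result=OK
2019-05-03T08:10:00Z src=198.51.100.9 user=gina result=FAIL
2019-05-03T08:10:01Z src=198.51.100.9 user=gina result=FAIL
2019-05-03T08:10:02Z src=198.51.100.9 user=gina result=FAIL
2019-05-03T08:10:03Z src=198.51.100.9 user=gina result=FAIL
2019-05-03T08:10:04Z src=198.51.100.9 user=gina result=FAIL
2019-05-03T08:10:05Z src=198.51.100.9 user=gina result=FAIL
2019-05-03T09:30:00Z src=192.0.2.44 user=alice result=FAIL
2019-05-03T09:30:20Z src=192.0.2.44 user=alice result=OK
"""


def parse_line(line):
    """Split one log line into a dict with a datetime 'ts' plus the key=value fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), **fields}


def detect(log_text, window=timedelta(minutes=10), spray_users=5, brute_attempts=5):
    """Return {src: {"pattern": ..., "compromised": [accounts]}} for flagged sources.

    A source is flagged as "password_spray" when it fails against at least
    `spray_users` distinct accounts inside `window`, and as "brute_force" when
    it fails at least `brute_attempts` times against one account inside
    `window`. "compromised" lists accounts that source logged into successfully.
    """
    failures = defaultdict(list)   # src -> [(ts, user), ...]
    successes = defaultdict(set)   # src -> {user, ...}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["result"] == "FAIL":
            failures[ev["src"]].append((ev["ts"], ev["user"]))
        else:
            successes[ev["src"]].add(ev["user"])

    findings = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = [u for _, u in events[start:end + 1]]
            distinct = set(users)
            pattern = None
            if len(distinct) >= spray_users:
                pattern = "password_spray"
            elif max(users.count(u) for u in distinct) >= brute_attempts:
                pattern = "brute_force"
            if pattern:
                findings[src] = {"pattern": pattern,
                                 "compromised": sorted(successes[src])}
                break   # one finding per source is enough to trigger triage
    return findings


if __name__ == "__main__":
    for src, info in detect(SAMPLE_LOG).items():
        print(src, info["pattern"], "successful logins:", info["compromised"])
```

The sliding window matters: a spray spread over days at one attempt per account per hour will not cross the threshold in a ten-minute window, so in practice the window and account count are tuned to the lockout policy, and the same logic is run against several window sizes. Note also that the script keys on source address; a spray distributed across many addresses needs a second pass that groups by the password-failure timing or by the set of targeted accounts instead.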
The targets of the malicious documents sent out after the initial email compromise appear to be executives, IT staff and human resources professionals, who are more likely to open the email if it comes from an internal address, Secureworks says.
The Excel XLS file delivers DanDrop, a VBA macro script that is used to extract the DanBot payload from the document and then install the malware via a scheduled task. While the basic form of DanDrop has remained the same, the bad actors have made some improvements to make it more difficult to detect and rework some of its functionality, Secureworks says in its report. The DanBot RAT downloads and runs other malware, primarily kl.ps1, a PowerShell-based keylogger, Decrypt.RDCMan.ps1, part of the PoshC2 penetration-testing framework, and Get-LAPSP.ps1, a PowerView-based script from the PowerShell Empire framework, Secureworks says.
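A macro that installs its payload through a scheduled task gives defenders a clean detection opportunity: a scheduled-task creation whose process ancestry leads back to an Office application is rare in normal operation. The script below is an added example, not Secureworks or Dragos code, of that check run over process-creation telemetry. The event schema (pid, ppid, image, cmdline per process start) and the sample process tree are assumptions constructed for the example; Sysmon Event ID 1 carries equivalent fields.

```python
"""Flag scheduled-task creation whose process ancestry leads back to an Office
application, the persistence pattern the article attributes to DanDrop.

Added example, not code from Secureworks or Dragos. The event schema is an
assumption: one dict per process-creation event with the fields pid, ppid,
image and cmdline. The sample process tree below is constructed.
"""

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Constructed telemetry: Excel opened an attachment and spawned cmd.exe, which
# spawned schtasks.exe to register a task (pids 200 -> 300 -> 400). A second
# schtasks.exe (pid 600) comes from an administrator's interactive shell and
# must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": '"EXCEL.EXE" Invoice.xls'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\u\\AppData\\Roaming\\x.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\u\\AppData\\Roaming\\x.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /sc daily /tn Backup /tr C:\\Tools\\backup.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path, for image comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def build_index(events):
    """Map pid -> event so ancestry can be walked in constant time per hop."""
    return {e["pid"]: e for e in events}


def ancestry(index, pid, max_depth=10):
    """Yield the ancestor events of `pid`, nearest parent first.

    Stops at an unknown parent, after `max_depth` hops, or if the chain loops
    (pids are reused on Windows, so a stale ppid can point back into the chain).
    """
    seen = set()
    ev = index.get(pid)
    while ev is not None and ev["ppid"] not in seen and max_depth > 0:
        seen.add(ev["pid"])
        ev = index.get(ev["ppid"])
        if ev is not None:
            yield ev
        max_depth -= 1


def find_office_spawned_tasks(events):
    """Return one hit per schtasks.exe /create whose ancestry contains an Office app."""
    index = build_index(events)
    hits = []
    for ev in events:
        if basename(ev["image"]) != "schtasks.exe":
            continue
        if "/create" not in ev["cmdline"].lower():
            continue
        for anc in ancestry(index, ev["pid"]):
            if basename(anc["image"]) in OFFICE_IMAGES:
                hits.append({"pid": ev["pid"], "office_pid": anc["pid"],
                             "office_image": anc["image"], "cmdline": ev["cmdline"]})
                break
    return hits


if __name__ == "__main__":
    for hit in find_office_spawned_tasks(SAMPLE_EVENTS):
        print("scheduled task created under", hit["office_image"], "->", hit["cmdline"])
```

Walking the full ancestry rather than checking only the direct parent is what catches the Excel -> cmd.exe -> schtasks.exe chain. The check has a gap worth knowing about: a macro can register a task through the Task Scheduler COM interface without ever launching schtasks.exe, so in production this process-tree rule is paired with the Windows Security log's task-creation event (Event ID 4698), correlated back to the creating process.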
"The DanBot RAT appears relatively immature and under active development," Secureworks' Pilling says. "However, the threat actor tradecraft seems a little better and suggests some prior experience. This mismatch is interesting. We're considering the possibility that this is a new toolkit being used by a splinter of an existing threat group or a threat actor that has prior experience compromising large organizations."
Lyceum apparently was operating for a year before being detected, Pilling says. It has a style similar to Iranian threat groups, although there are "no distinguishing technical characteristics that allow it to be linked to previously documented activity," he says. "They don't appear to be making big changes in response to defender actions. It's more like they are testing out new features or ideas than responding to a problem they've encountered."
The threat actors need to get reliable access to a targeted organization before running follow-on activities, such as supply-chain attacks against partners, suppliers or customers, theft of IP or sensitive data, or disruptive and destructive attacks, like others run in the energy sector in the Middle East, including the Shamoon 1, 2 and 3 and Triton/Hatman incidents, Pilling explains.
"Attacks focusing on industrial control systems and operational technology environments are always a concern for the energy sector, and, although relatively rare, it's usually the case that the adversary's path to OT environments runs through corporate IT networks," Pilling adds.
Telecom Sector Targeted
Dragos' report found the group's efforts against telecommunications firms "follow a trend demonstrated by other activity groups. ICS adversaries are increasingly targeting third-party organizations along the supply chains of potential targets. ... By compromising devices, firmware, or telecommunications networks used by targets within ICS, malicious activity could potentially enter the victim environment through a trusted vendor, bypassing much of the entity's security stack."
The work of Lyceum is similar to that of such groups as Magnallium and Chrysene, Dragos researchers say. Like Magnallium - which Dragos recently detected was targeting U.S. government and financial organizations as well as oil and gas companies - Lyceum/Hexane also increased its activity this year.
"However, the collection of Hexane behaviors, tools, and victimology makes this a unique entity compared to these previously observed activity groups," the Dragos report states. "For instance, Hexane's observed victimology is mostly focused on critical infrastructure, but divided between ICS verticals and telecommunications operations. Additionally, its infrastructure and capabilities - such as using malicious domains patterned after general IT themes and newly identified detection evasion schemes - are different from related groups."
Pilling says organizations can take steps to protect themselves against threats like Lyceum, including checking standard indicators of compromise against their own logging, using multifactor authentication on internet-facing services and leveraging endpoint visibility tools to detect the lateral movement of bad actors that have gotten inside the corporate network.