Lyceum APT Group Adds ISPs to Its Target List
Expanded Espionage Activity Includes African Ministry, Middle East Telcos and ISPs
The advanced persistent threat group Lyceum, which is known for targeting organizations in the energy and telecommunications sectors in the Middle East, has expanded its ongoing espionage activity to include internet service providers, or ISPs, according to researchers.
The threat group has targeted unidentified ISPs and telecommunication operators in Israel, Morocco, Tunisia and Saudi Arabia, as well as an African Ministry of Foreign Affairs, between July and October 2021, according to Accenture’s Cyber Threat Intelligence, or ACTI, group and Prevailion’s Adversarial Counterintelligence Team, or PACT.
"At least two of the identified compromises are assessed to be ongoing, despite prior public disclosure of indicators of compromise," the researchers note.
Telecommunications companies and ISPs are high-level targets for cyberespionage activities because they provide access to a range of organizations and subscribers and to their own internal systems, which can be used to leverage further malicious activities, the researchers note.
Companies within these industries can be used by threat actors or their sponsors to surveil individuals of interest, the researchers say. Targets such as a ministry of foreign affairs in Africa are highly sought-after as they have valuable intelligence on the current state of bilateral relationships between countries and insight into future dealings, they add.
The activities of Lyceum - which also goes by the names Hexane, Spirlin and Siamesekitten - can be traced back to 2018, according to Kaspersky. Its targets also include critical systems, such as oil and gas organizations in the Middle East, Africa and Central Asia, the cybersecurity company says.
The group is believed to be linked to Iranian groups, according to researchers at security firm ClearSky (see: Iranian Group Targets Israeli Firms).
"Telecommunications providers can enhance their defenses against such attacks by educating employees about social engineering. Email is the most common medium for such attacks, but Iranian attackers also frequently use LinkedIn for reconnaissance and as a medium for social engineering. Social engineering is a common component of the initial attack vectors that Iranian cyberespionage groups, including Lyceum, typically use," says Paul Prudhomme, head of threat intelligence advisory at IntSights, a Rapid7 company.
"Iranian attackers often invest more in relatively elaborate social engineering schemes than other state-sponsored actors. In the case of Lyceum, that group has previously used social engineering to gain initial access to the accounts and machines of employees at targeted companies, either by posing as recruiters with job offers at another company or by compromising genuine accounts at the same company and using those accounts to send malware to more employees," Prudhomme notes.
How Lyceum Works
The group's initial attack vector includes accessing an organization's systems using account credentials obtained via password spraying or brute-force attacks and delivering weaponized maldocs via spear-phishing from the compromised accounts to the targeted executives, human resources staff and IT personnel, according to security service provider Secureworks.
"The recipient is more likely to open a message if it originates from an internal address," the blog notes.
Researchers at ACTI and PACT identified Lyceum operators using two primary malware families, dubbed Shark and Milan, which are also known together as James. Both backdoors can use DNS and HTTP(S) for command-and-control, or C2, communication, they say.
"Lyceum is likely updating its backdoors in light of recent public research into its activities to try and stay ahead of defensive systems. The group has continued its targeting of companies of national strategic importance," the researchers note.
The backdoor Shark is a 32-bit executable written in C# and .NET. It configures files that contain at least one C2 domain, which is used with a domain-generating algorithm for DNS tunneling or HTTP C2 communications, the researchers say.
Milan is a 32-bit RAT written in Visual C++ and .NET, and it "retrieves data by generating requests using the hard-coded domain and then requesting one of a number of active server pages-related URL paths," according to the researchers.
"When the ACTI and PACT team queried the Prevailion dataset for the known, hard-coded URL paths observed in Milan samples, the team observed continued beaconing in October from an IP address that resolved to a telecommunications operator in Morocco," they note.
They identified the beaconing as possibly coming from a new Lyceum backdoor, which was observed egressing from a telecommunications company in Tunisia as well as from a ministry of foreign affairs in Africa.
"The URL syntax of the newly reconfigured backdoor is similar to those generated in the newer version of Milan. However, because the URL syntax is configurable, it is likely that the Lyceum operators reconfigured the URL syntax used by Milan to circumvent intrusion detection systems (IDS) and intrusion prevention systems (IPS) that were encoded to detect the previous Milan beacon syntax," they say.
Lyceum is expected to continue to use the Shark and Milan backdoors and, with some modifications, the group is likely to maintain footholds in victims' networks despite public disclosure of IOCs, according to the researchers.
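Because the beacon URL syntax is configurable, a rule keyed to one path format stops matching once the operators change it. The following added example (not code from the researchers or from this article) shows a detection that instead keys on behavior: a client polling ASP pages on one host at near-constant intervals. The log format, hosts, paths and thresholds are constructed assumptions, not indicators from the report.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log (timestamp, client, method, URL); hosts and paths are placeholders.
SAMPLE_LOG = """\
2021-10-04T08:00:02 10.0.0.5 GET http://c2.example.invalid/a/view.aspx?id=41
2021-10-04T08:05:01 10.0.0.5 GET http://c2.example.invalid/a/view.aspx?id=42
2021-10-04T08:10:03 10.0.0.5 GET http://c2.example.invalid/a/view.aspx?id=43
2021-10-04T08:15:00 10.0.0.5 GET http://c2.example.invalid/b/c/get.asp?k=9&s=1
2021-10-04T08:20:02 10.0.0.5 GET http://c2.example.invalid/b/c/get.asp?k=9&s=2
2021-10-04T08:25:01 10.0.0.5 GET http://c2.example.invalid/b/c/get.asp?k=9&s=3
2021-10-04T08:01:10 10.0.0.9 GET http://intranet.example.invalid/hr/leave.aspx
2021-10-04T08:01:40 10.0.0.9 GET http://intranet.example.invalid/hr/form.aspx?step=2
2021-10-04T08:19:05 10.0.0.9 GET http://intranet.example.invalid/hr/leave.aspx
2021-10-04T09:47:30 10.0.0.9 GET http://intranet.example.invalid/home.aspx
2021-10-04T09:48:02 10.0.0.9 GET http://intranet.example.invalid/hr/form.aspx?step=3
2021-10-04T11:30:00 10.0.0.9 GET http://intranet.example.invalid/home.aspx
"""

ASP_PATH = re.compile(r"\.aspx?$", re.IGNORECASE)  # any ASP page, whatever the path syntax

def find_beacons(log_text, min_hits=5, max_cv=0.1):
    """Return [(client, host, hits, mean_interval_s)] for regular ASP-page polling."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, _method, url = parts
        u = urlsplit(url)
        if ASP_PATH.search(u.path):
            times[(client, u.hostname)].append(datetime.fromisoformat(ts))
    findings = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: low means machine-like regularity, high means a human.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append((client, host, len(stamps), round(avg)))
    return sorted(findings)
```

The constructed beacon switches path format halfway through the sample and is still flagged, while the irregular intranet browsing is not. Malware that adds heavy jitter would need a looser `max_cv` or a longer observation window.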
"It is important to remind companies that no one is immune to being victimized. The public and private sectors need to invest now to ratchet up prevention and detection and improve resilience. We can meet fire with fire," says Sam Curry, chief security officer at Cybereason.
"Sure, a threat actor might get in, but so what? We can make that mean nothing. We can slow them down. We can limit what they see. We can ensure fast detection and ejection. We can, in short, make material breaches outdated. We can keep them out of the castle by planning and being smart ahead of time and setting up the right defenses," Curry notes.
Other Lyceum Activity
In October, Kaspersky reported that Lyceum attacked two entities in Tunisia with an updated malware arsenal.
The ACTI and PACT researchers revealed a cluster of the group’s activities in the Middle East and said that the group’s endeavors were focused on entities within one country: Tunisia. The victims, the researchers observed, were all high-profile Tunisian organizations in industries such as telecommunications and aviation (see: Lyceum Group Targets Two Tunisia-Based Entities).
In August 2021, cybersecurity firm ClearSky said Lyceum had targeted Israeli companies in a supply chain attack campaign. The attackers lured victims with fake job offer emails that directed recipients to websites downloading malware.