Researchers have delved into the operations of Lyceum, an Iranian threat group tasked with hacking telecommunications companies and internet service providers (ISPs).
Lyceum has been active since 2017 and is also known as Hexane, Siamesekitten, or Spirlin. The advanced persistent threat (APT) group has previously been linked to attacks on Middle Eastern oil and gas businesses, but its focus now appears to have shifted to the IT industry.
According to a study released on Tuesday by Prevailion Adversarial Counterintelligence (PACT) and Accenture Cyber Threat Intelligence (ACTI), Lyceum attacked ISPs and telecoms businesses in Israel, Morocco, Tunisia, and Saudi Arabia between July and October 2021.
Credential stuffing and brute-force attacks are two of Lyceum’s initial attack vectors. Individual accounts at firms of interest are often targeted, and once compromised, they are used as a springboard for spear-phishing attacks against high-profile leaders within the company, according to Secureworks.
The APT seems to be primarily concerned with cyberespionage. Not only do these attackers seek data on subscribers and associated third-party organizations, but once inside, “threat actors or their sponsors can also employ these industries to spy on persons of interest,” according to the report.
Lyceum relies on two different malware families: Shark and Milan (known together as James). Shark is a 32-bit executable written in C# and .NET that creates a configuration file for DNS tunneling or HTTP C2 communication, and Milan is a 32-bit Remote Access Trojan (RAT) that collects data; both are backdoors, and both can communicate with the group’s command-and-control (C2) servers.
The APT operates a C2 network of over 20 domains that serve the group’s backdoors, including six not previously attributed to the threat actors. ClearSky and Kaspersky have previously documented these backdoor malware families.
The ACTI/PACT researchers also discovered a new backdoor, similar to later versions of Milan, that sent beacons associated with planned attacks against a Tunisian telecoms business and an African government agency.