Threat actors believed to be affiliated with Iran has been linked to series of targeted attacks aimed at telecommunication operators and internet service providers (ISPs) in Morocco, Saudi Arabia and Isreal and a few ministries of foreign affairs (MFA) in Africa.
The group tracked as Lyceum is believed to have occurred between July and October 2021 however names of victims remains undisclosed.
Researchers at Accenture Cyber Threat Intelligence have stated that the latest revelations throw light on the web-based infrastructure used by Lyceum, over 20 of them, enabling the identification of “additional victims and provide further visibility into Lyceum’s targeting methodology,” adding that “at least two of the identified compromises are assessed to be ongoing despite prior public disclosure of indicators of compromise.”
Lyceum (aka Hexane or Spirlin) which is believed to have been in existence since 2017, is known to target sectors of strategic national importance for purposes of cyber espionage, while also retooling its arsenal with new implants, and expanding its sights to include ISPs and government agencies. The new and updated malware and TTPs have enabled the hacking group to mount attacks against two entities in Tunisia, Russian cybersecurity firm Kaspersky disclosed last month.
They have been observed using using credential stuffing and brute-force attacks as initial attack vectors to obtain account credentials and gain foothold into targeted organizations and leveraging on that access to drop and execute post-exploitation tools.
Shark and Milan (named “James” by Kaspersky) two distinct malware families — are the primary implants deployed by the threat actor, each allowing for the execution of arbitrary commands and exfiltration of sensitive data from the compromised systems to a remote attacker-controlled server.
ACTI and PACT also said it located beaconing from a reconfigured or potentially a new Lyceum backdoor in late October 2021 originating from a telecommunications company in Tunisia and an MFA in Africa, indicating that the operators are actively updating their backdoors in light of recent public disclosures and attempting to bypass detection by security software.
“Lyceum will likely continue to use the Shark and Milan backdoors, albeit with some modifications, as the group has likely been able to maintain footholds in victims’ networks despite public disclosure of [indicators of compromise] associated with its operations,” the researchers said.