Lyceum hacker group targeting Middle East energy sector

A blog post from Secureworks’ Cyber Threat Unit Research Team has shined a light on the activities of a threat group gaining traction. The group, dubbed Lyceum by Secureworks researchers, was first discovered around May 2019 but is thought to have flown under the radar. According to CTU researcher calculations, Lyceum began their activity most likely around April 2018.

Lyceum focuses their attacks on “sectors of strategic national importance, including oil and gas and possibly telecommunications,” and data shows their attacks are now focusing on the Middle East. Lyceum’s methods are not the most finessed but are certainly effective. The threat group initially gains access to an organization by stealing account credentials through password spraying or brute-forcing. Once in, Lyceum begins sending spear-phishing emails in large quantities in hopes of infecting the network with DanBot malware. DanBot, once released, unleashes numerous post-exploitation tools. The tools are mostly PowerShell-based, including kl.ps1 which is a PowerShell keylogger.

Secureworks states the following about DanBot:

A first-stage remote access trojan (RAT) that uses DNS and HTTP-based communication mechanisms and provides basic remote access capability, including the abilities to execute arbitrary commands via cmd.exe and to upload and download files... The DNS channel of DanBot’s C2 protocol uses both IPv4 A records and IPv6 AAAA records for communication. The HTTP channel has evolved slightly since the early 2018 samples but retains common elements throughout.

It is not known at this time what is driving Lyceum to target Middle Eastern energy companies. Before this, they were focused on targets in South Africa, so political motives via nation-states or cyberterrorism can likely be ruled out. At this point, it is pure conjecture what Lyceum’s motives are, but regardless of this, energy companies, in particular, should beef up their security protocols in anticipation of Lyceum’s attacks.

Featured image: Flickr / Jonathan Cutrer

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter

Recent Posts

Using Azure Active Directory Identity Protection to boost your security

Using Azure Active Directory Identity Protection will boost your security. This step-by-step guide shows you…

10 hours ago

Review: Kemp Virtual LoadMaster load balancer

With many businesses requiring employees to work remotely, Kemp’s Virtual LoadMaster can help relieve many…

14 hours ago

Microsoft warns of COVID-19-related spear-phishing campaign

COVID-19 is not going away anytime soon, and as Microsoft researchers have discovered, neither are…

17 hours ago

Ansible: Introduction to this open-source automation platform

In this first of several articles on Ansible, we give you a high-level overview of…

1 day ago

Microsoft Build 2020: All the major announcements

Microsoft Build 2020 may have been a virtual event, but there was some real news,…

2 days ago

Conquer the world with PowerShell global variable

In Power Shell, every variable has a certain scope, but a PowerShell global variable is…

2 days ago