Lyceum hacker group targeting Middle East energy sector

A blog post from Secureworks’ Counter Threat Unit (CTU) Research Team has shone a light on a threat group that is gaining traction. The group, dubbed Lyceum by Secureworks researchers, was first observed in mid-2019 but is believed to have flown under the radar for some time: by CTU researchers’ estimate, Lyceum most likely began its activity around April 2018.

Lyceum focuses its attacks on “sectors of strategic national importance, including oil and gas and possibly telecommunications,” and its recent activity centers on the Middle East. Lyceum’s methods are not the most finessed but are certainly effective. The group initially gains access to an organization by stealing account credentials through password spraying or brute-forcing, techniques that only pay off where weak passwords are in use and multi-factor authentication is not. Using the compromised accounts, Lyceum then sends spear-phishing emails with malicious Excel attachments to deliver the DanBot malware; because the messages come from a legitimate internal account, they are far more likely to be trusted. Once DanBot is running, the operators use its remote-access capability to deploy post-exploitation tools. These are mostly PowerShell-based and include kl.ps1, a PowerShell keylogger.
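The initial-access technique described above, password spraying, has a distinctive log signature: one source fails against many accounts, one or two attempts each, which is the opposite of the classic brute-force pattern of many attempts against one account. The following is an added example, not code from the article or from Secureworks, that separates the two patterns over a constructed, simplified authentication log (timestamp, result, account and source IP are assumed fields; the thresholds are illustrative) and notes when a source that was guessing goes on to log in successfully:

```python
"""Separate password spraying from single-account brute force in an auth log.

Added example, not code from the article or from Secureworks. The log format
is a constructed, simplified one: "<ISO timestamp> <OK|FAIL> <account> <source IP>".
Map your own source's fields (for example Windows event 4625) into the same tuple.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries six accounts once each and then gets
# in (spray), 198.51.100.9 hammers one account (brute force), 192.0.2.50 is a
# user who mistyped a password once (benign noise).
SAMPLE_LOG = """\
2019-05-02T08:00:01Z FAIL alice 203.0.113.7
2019-05-02T08:00:03Z FAIL bob 203.0.113.7
2019-05-02T08:00:05Z FAIL carol 203.0.113.7
2019-05-02T08:00:07Z FAIL dave 203.0.113.7
2019-05-02T08:00:09Z FAIL erin 203.0.113.7
2019-05-02T08:00:11Z FAIL frank 203.0.113.7
2019-05-02T08:00:13Z OK grace 203.0.113.7
2019-05-02T08:01:00Z FAIL admin 198.51.100.9
2019-05-02T08:01:01Z FAIL admin 198.51.100.9
2019-05-02T08:01:02Z FAIL admin 198.51.100.9
2019-05-02T08:01:03Z FAIL admin 198.51.100.9
2019-05-02T08:01:04Z FAIL admin 198.51.100.9
2019-05-02T08:01:05Z FAIL admin 198.51.100.9
2019-05-02T09:30:00Z FAIL alice 192.0.2.50
2019-05-02T09:30:30Z OK alice 192.0.2.50
"""


def parse(text):
    """Turn log lines into (timestamp, result, account, source) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        ts, result, account, src = parts
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, account, src))
    return events


def detect(events, window=timedelta(minutes=10), min_accounts=5,
           max_per_account=2, brute_threshold=5):
    """Return {source: sorted list of alert names} for sources worth a look.

    password_spray:         >= min_accounts distinct accounts failed from one
                            source inside `window`, none more than
                            max_per_account times (keeps under lockout).
    brute_force:            one account failed >= brute_threshold times from
                            one source inside `window`.
    success_after_failures: a flagged source later logged in successfully,
                            i.e. the guessing may have worked.
    """
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        alerts = set()
        # Sliding window anchored on each failure in turn (fails is time-sorted).
        for i, (t0, _, _, _) in enumerate(fails):
            per_account = defaultdict(int)
            for e in fails[i:]:
                if e[0] - t0 > window:
                    break
                per_account[e[2]] += 1
            busiest = max(per_account.values())
            if len(per_account) >= min_accounts and busiest <= max_per_account:
                alerts.add("password_spray")
            if busiest >= brute_threshold:
                alerts.add("brute_force")
        if alerts and any(e[1] == "OK" and e[0] >= fails[0][0] for e in evs):
            alerts.add("success_after_failures")
        if alerts:
            findings[src] = sorted(alerts)
    return findings


if __name__ == "__main__":
    for src, alerts in detect(parse(SAMPLE_LOG)).items():
        print(src, ", ".join(alerts))
```

The spray rule deliberately requires a low per-account count: an attacker who spaces attempts to stay under the lockout threshold is invisible to per-account lockout logic, so the detection has to pivot on the source and count distinct accounts instead. The `success_after_failures` flag is the one to page on, since it marks a likely compromised credential rather than just noise.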

Secureworks describes DanBot as follows:

A first-stage remote access trojan (RAT) that uses DNS and HTTP-based communication mechanisms and provides basic remote access capability, including the abilities to execute arbitrary commands via cmd.exe and to upload and download files... The DNS channel of DanBot’s C2 protocol uses both IPv4 A records and IPv6 AAAA records for communication. The HTTP channel has evolved slightly since the early 2018 samples but retains common elements throughout.
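A DNS channel that carries data in A and AAAA lookups, as the quote describes, leaves a trail in resolver logs: one client issuing many never-before-seen, random-looking subdomains under a single registered domain, with both record types in the mix. The following is an added example, not the article's or Secureworks' code and not tied to DanBot's actual encoding, which the page does not describe; it scores constructed resolver log lines (client IP, query name and query type are assumed fields) on those features. The two-label registered-domain split and the thresholds are assumptions for illustration:

```python
"""Score resolver logs for a DanBot-style DNS channel (A and AAAA lookups).

Added example, not code from the article or Secureworks, and not tied to
DanBot's real encoding, which the article does not describe. Log format is a
constructed, simplified one: "<client IP> <query name> <query type>".
"""
import math
from collections import defaultdict

# Constructed sample: 10.0.0.5 browses normally; 10.0.0.7 issues a stream of
# random-looking hostnames under one domain, alternating A and AAAA queries,
# which is what data hidden in query names and answers tends to look like.
SAMPLE_DNS = """\
10.0.0.5 www.example.com A
10.0.0.5 www.example.com AAAA
10.0.0.5 cdn.example.net A
10.0.0.7 3f9a1c77b2.update-check.example A
10.0.0.7 9b02e4d1aa.update-check.example AAAA
10.0.0.7 c71d0e5f38.update-check.example A
10.0.0.7 e4a88b2c90.update-check.example AAAA
10.0.0.7 5d17f3a0c4.update-check.example A
10.0.0.7 0a6e9d4b7f.update-check.example AAAA
10.0.0.7 b8c32e1d55.update-check.example A
10.0.0.7 7e0f4a9c12.update-check.example AAAA
10.0.0.7 www.example.com A
"""


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered domain, subdomain part, leftmost label).

    Assumption for illustration: the registered domain is the last two labels.
    Production code should use the Public Suffix List so that e.g. "co.uk"
    is handled correctly.
    """
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2]), labels[0]


def analyse(text, min_unique=6, min_entropy=2.5):
    """Group queries by (client, registered domain) and score each group."""
    groups = defaultdict(lambda: {"subdomains": set(), "qtypes": set(), "entropies": []})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, qname, qtype = parts
        reg, sub, leftmost = split_name(qname)
        g = groups[(client, reg)]
        g["qtypes"].add(qtype)
        if sub:
            g["subdomains"].add(sub)
            g["entropies"].append(label_entropy(leftmost))

    results = {}
    for key, g in groups.items():
        n = len(g["subdomains"])
        mean_h = sum(g["entropies"]) / len(g["entropies"]) if g["entropies"] else 0.0
        results[key] = {
            "unique_subdomains": n,
            "mean_entropy": round(mean_h, 2),
            # Both record types in play is the trait the Secureworks quote calls
            # out; reported as a supporting signal rather than a hard requirement.
            "a_and_aaaa": {"A", "AAAA"} <= g["qtypes"],
            "suspicious": n >= min_unique and mean_h >= min_entropy,
        }
    return results


if __name__ == "__main__":
    for (client, domain), r in analyse(SAMPLE_DNS).items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{client} -> {domain}: {flag} {r}")
```

Two caveats when running this against real logs: CDNs and some security products also generate many unique, high-entropy hostnames, so the group key should be compared against an allow-list of known domains before alerting, and a long-lived beacon will show up as a slow trickle rather than a burst, so the counts need to be computed over a window of hours, not minutes.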

It is not known at this time what is driving Lyceum to target Middle Eastern energy companies. Before this, the group focused on targets in South Africa, but a change in target geography does not by itself rule nation-state sponsorship in or out, and at this point Lyceum’s motives remain conjecture. Regardless, energy companies in particular should harden against the specific techniques described above rather than wait for attribution: enforce multi-factor authentication and block commonly sprayed passwords so that password spraying and brute-forcing yield nothing; alert on logon failures spread across many accounts from a single source; watch DNS logs for a host issuing large numbers of unique A and AAAA lookups under one domain; and restrict or log PowerShell execution on endpoints, since the group’s post-exploitation tooling depends on it.

Featured image: Flickr / Jonathan Cutrer

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

