Lyceum hacker group targeting Middle East energy sector

A blog post from Secureworks’ Cyber Threat Unit Research Team has shined a light on the activities of a threat group gaining traction. The group, dubbed Lyceum by Secureworks researchers, was first discovered around May 2019 but is thought to have flown under the radar. According to CTU researcher calculations, Lyceum began their activity most likely around April 2018.

Lyceum focuses its attacks on “sectors of strategic national importance, including oil and gas and possibly telecommunications,” and data shows its attacks are now concentrated on the Middle East. Lyceum’s methods are not the most finessed, but they are certainly effective. The threat group initially gains access to an organization by stealing account credentials through password spraying or brute-forcing. Once in, Lyceum sends spear-phishing emails in large quantities in the hope of infecting the network with DanBot malware. DanBot, once deployed, delivers numerous post-exploitation tools. The tools are mostly PowerShell-based, including kl.ps1, a PowerShell keylogger.
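The two credential-theft techniques named above leave different traces in authentication logs: a spray produces one or two failures each against many accounts from a single source, while brute-forcing produces many failures against one account. The following detector is an added example, not code from the article or from Secureworks; the log format, the field names and the sample entries are constructed for illustration, and the thresholds are assumptions a defender would tune for their environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). 203.0.113.5 tries one
# password against many accounts (spray); 198.51.100.7 hammers one account
# (brute force); 192.0.2.9 is a single benign failure.
SAMPLE_AUTH_LOG = """\
2019-05-02T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2019-05-02T10:00:03Z src=203.0.113.5 user=bob result=FAIL
2019-05-02T10:00:05Z src=203.0.113.5 user=carol result=FAIL
2019-05-02T10:00:07Z src=203.0.113.5 user=dave result=FAIL
2019-05-02T10:00:09Z src=203.0.113.5 user=erin result=FAIL
2019-05-02T10:00:11Z src=203.0.113.5 user=frank result=SUCCESS
2019-05-02T10:01:00Z src=198.51.100.7 user=alice result=FAIL
2019-05-02T10:01:02Z src=198.51.100.7 user=alice result=FAIL
2019-05-02T10:01:04Z src=198.51.100.7 user=alice result=FAIL
2019-05-02T10:01:06Z src=198.51.100.7 user=alice result=SUCCESS
2019-05-02T11:30:00Z src=192.0.2.9 user=grace result=FAIL
"""

# Assumed log line layout: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_auth_log(text):
    """Parse the constructed log format into a list of event dicts, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_password_spray(text, window=timedelta(minutes=10), min_distinct_users=5):
    """Flag sources whose failures within `window` span >= min_distinct_users accounts.

    Returns {src: {"users": [...], "successful_logins": [...]}}. The successful
    logins listed are those from the same source at or after the flagged window,
    which is what an analyst wants to check first.
    """
    by_src = defaultdict(list)
    for e in parse_auth_log(text):
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Sliding window over the failure sequence.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_distinct_users:
                window_start = fails[start]["ts"]
                successes = sorted({
                    e["user"] for e in evs
                    if e["result"] == "SUCCESS" and e["ts"] >= window_start
                })
                alerts[src] = {"users": sorted(users), "successful_logins": successes}
                break
    return alerts


def detect_brute_force(text, window=timedelta(minutes=10), min_failures=3):
    """Flag (src, user) pairs with >= min_failures failures inside `window`.

    Returns {(src, user): failure_count_in_window}.
    """
    by_pair = defaultdict(list)
    for e in parse_auth_log(text):
        if e["result"] == "FAIL":
            by_pair[(e["src"], e["user"])].append(e["ts"])

    alerts = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_failures:
                alerts[pair] = count
                break
    return alerts


if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_AUTH_LOG))
    print(detect_brute_force(SAMPLE_AUTH_LOG))
```

The spray detector keys on distinct usernames rather than raw failure counts, because a spray that tries a single password against a large account list never trips a per-account lockout threshold; the brute-force detector is the per-account view that the lockout policy is modelled on. Running both over the same log separates the two patterns the article lumps together.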

Secureworks states the following about DanBot:

A first-stage remote access trojan (RAT) that uses DNS and HTTP-based communication mechanisms and provides basic remote access capability, including the abilities to execute arbitrary commands via cmd.exe and to upload and download files... The DNS channel of DanBot’s C2 protocol uses both IPv4 A records and IPv6 AAAA records for communication. The HTTP channel has evolved slightly since the early 2018 samples but retains common elements throughout.
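A command-and-control channel that rides on A and AAAA lookups shows up in DNS logs as a domain receiving many one-off, high-entropy subdomain queries from a host, with an unusual share of AAAA record types. The heuristic below is an added example written from the defender's side; it is not DanBot's encoding (which the article does not describe) and not Secureworks' detection logic. The query-log format, the sample records, the placeholder domain `c2-placeholder.test` and the thresholds are all constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log (not real data): "timestamp client qtype qname".
# example.com traffic is ordinary; c2-placeholder.test receives six distinct
# random-looking labels, half of them AAAA lookups.
SAMPLE_DNS_LOG = """\
2019-05-02T10:00:01Z 10.0.0.12 A www.example.com
2019-05-02T10:00:02Z 10.0.0.12 AAAA www.example.com
2019-05-02T10:00:05Z 10.0.0.12 A mail.example.com
2019-05-02T10:00:10Z 10.0.0.12 A cdn.example.com
2019-05-02T10:01:00Z 10.0.0.34 A 3q7f9xk2vm1p8zt4.c2-placeholder.test
2019-05-02T10:01:01Z 10.0.0.34 AAAA 9d0w2lrx5hn6by1c.c2-placeholder.test
2019-05-02T10:01:02Z 10.0.0.34 A a5k8m2w0ej7q3z9v.c2-placeholder.test
2019-05-02T10:01:03Z 10.0.0.34 AAAA p1t6c9r4x2g8b5n0.c2-placeholder.test
2019-05-02T10:01:04Z 10.0.0.34 A h7y3j1v9m5f2s8d4.c2-placeholder.test
2019-05-02T10:01:05Z 10.0.0.34 AAAA u2e6l4k0n8w3q7z5.c2-placeholder.test
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>[A-Z]+) (?P<qname>\S+)$")


def shannon_entropy(label):
    """Bits of entropy per character of a DNS label (0.0 for an empty label)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive registrable domain: the last two labels. A real deployment would use
    the public suffix list so that names under co.uk and similar are grouped correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def score_domains(text):
    """Per registered domain: unique subdomains, mean leftmost-label entropy,
    AAAA fraction and the set of querying clients."""
    stats = defaultdict(lambda: {"subdomains": set(), "entropies": [], "aaaa": 0,
                                 "total": 0, "clients": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").lower()
        dom = registered_domain(qname)
        first_label = qname.split(".")[0]
        s = stats[dom]
        s["subdomains"].add(qname)
        s["entropies"].append(shannon_entropy(first_label))
        s["total"] += 1
        s["aaaa"] += m.group("qtype") == "AAAA"
        s["clients"].add(m.group("client"))

    out = {}
    for dom, s in stats.items():
        out[dom] = {
            "unique_subdomains": len(s["subdomains"]),
            "mean_entropy": sum(s["entropies"]) / len(s["entropies"]),
            "aaaa_fraction": s["aaaa"] / s["total"],
            "clients": sorted(s["clients"]),
        }
    return out


def flag_dns_tunnels(text, min_unique=5, min_entropy=3.0):
    """Return domains that look like a DNS data channel under the assumed thresholds."""
    return sorted(
        dom for dom, st in score_domains(text).items()
        if st["unique_subdomains"] >= min_unique and st["mean_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    for dom, st in score_domains(SAMPLE_DNS_LOG).items():
        print(dom, st)
    print("flagged:", flag_dns_tunnels(SAMPLE_DNS_LOG))
```

The two features that matter here are the number of distinct subdomains per domain (each message needs a fresh name to defeat caching) and the entropy of the leftmost label (encoded data looks nothing like `www` or `mail`); the AAAA fraction is reported rather than thresholded because IPv6-only hosts legitimately skew it. Content-delivery and anti-spam domains also generate many unique subdomains, so in production this belongs behind an allow-list and a baseline rather than being an alert on its own.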

It is not known at this time what is driving Lyceum to target Middle Eastern energy companies. Before this, the group focused on targets in South Africa, so political motives via nation-states or cyberterrorism can likely be ruled out. At this point, Lyceum’s motives are pure conjecture, but regardless, energy companies in particular should strengthen their security controls in anticipation of Lyceum’s attacks.

Featured image: Flickr / Jonathan Cutrer

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
