Lyceum hacker group targeting Middle East energy sector

A blog post from Secureworks’ Cyber Threat Unit (CTU) Research Team has shone a light on the activities of a threat group that is gaining traction. The group, dubbed Lyceum by Secureworks researchers, was first identified around May 2019 but is thought to have flown under the radar before then. By CTU researchers’ estimate, Lyceum most likely began its activity around April 2018.

Lyceum focuses its attacks on “sectors of strategic national importance, including oil and gas and possibly telecommunications,” and data shows those attacks are now concentrated on the Middle East. Lyceum’s methods are not the most finessed but are certainly effective. The group initially gains access to an organization by obtaining account credentials through password spraying or brute-forcing. Once inside, Lyceum sends spear-phishing emails in large quantities in the hope of infecting the network with the DanBot malware. Once DanBot is in place, it is used to deploy numerous post-exploitation tools. The tools are mostly PowerShell-based, including kl.ps1, a PowerShell keylogger.
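The two initial-access techniques named above, password spraying and brute-forcing, leave different footprints in authentication logs: a spray produces a few failures against many accounts from one source, while a brute-force produces many failures against one account. The following detection logic is an added example written for this post, not code from Secureworks or from the article; the log line format and the IP addresses, usernames and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): one source sprays
# five accounts with a single guess each and then logs in successfully, a
# second source hammers one account, a third is an ordinary user typo.
SAMPLE_LOG = """\
2019-05-01T08:00:01Z src=203.0.113.5 user=a.smith result=FAIL
2019-05-01T08:00:03Z src=203.0.113.5 user=b.jones result=FAIL
2019-05-01T08:00:05Z src=203.0.113.5 user=c.lee result=FAIL
2019-05-01T08:00:07Z src=203.0.113.5 user=d.khan result=FAIL
2019-05-01T08:00:09Z src=203.0.113.5 user=e.wong result=FAIL
2019-05-01T08:00:11Z src=203.0.113.5 user=f.ali result=SUCCESS
2019-05-01T08:01:00Z src=198.51.100.9 user=admin result=FAIL
2019-05-01T08:01:05Z src=198.51.100.9 user=admin result=FAIL
2019-05-01T08:01:10Z src=198.51.100.9 user=admin result=FAIL
2019-05-01T08:01:15Z src=198.51.100.9 user=admin result=FAIL
2019-05-01T08:01:20Z src=198.51.100.9 user=admin result=FAIL
2019-05-01T08:01:25Z src=198.51.100.9 user=admin result=FAIL
2019-05-01T08:01:30Z src=198.51.100.9 user=admin result=FAIL
2019-05-01T08:01:35Z src=198.51.100.9 user=admin result=FAIL
2019-05-01T09:30:00Z src=192.0.2.20 user=g.ortiz result=FAIL
2019-05-01T09:31:00Z src=192.0.2.20 user=g.ortiz result=SUCCESS
"""

# Hypothetical key=value log format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "user": m["user"],
            "ok": m["result"] == "SUCCESS",
        })
    return events


def detect_credential_attacks(events, window=timedelta(minutes=10),
                              spray_accounts=5, brute_attempts=8):
    """Return {source: finding} for sources whose failures within any
    sliding window look like a spray (many accounts) or brute force
    (many attempts on one account). Thresholds are illustrative."""
    findings = {}
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        # Slide a window starting at each failure from this source.
        for i, start in enumerate(fails):
            in_win = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
            per_user = defaultdict(int)
            for e in in_win:
                per_user[e["user"]] += 1
            kinds = set()
            if len(per_user) >= spray_accounts:
                kinds.add("password_spray")
            if max(per_user.values()) >= brute_attempts:
                kinds.add("brute_force")
            if not kinds:
                continue
            # Any success from the same source after the window began is
            # the signal worth escalating: the guessing may have worked.
            later_ok = {e["user"] for e in evs if e["ok"] and e["ts"] >= start["ts"]}
            f = findings.setdefault(src, {"kinds": set(), "accounts_tried": set(),
                                          "successes": set()})
            f["kinds"] |= kinds
            f["accounts_tried"] |= set(per_user)
            f["successes"] |= later_ok
    return findings


if __name__ == "__main__":
    for src, f in detect_credential_attacks(parse_log(SAMPLE_LOG)).items():
        print(src, sorted(f["kinds"]), "tried:", sorted(f["accounts_tried"]),
              "later success:", sorted(f["successes"]))
```

The sliding window matters: a slow spray spread over hours with one attempt per account per hour is invisible to a simple per-minute failure count, so in production the window and thresholds should be tuned to the organization's lockout policy, which is exactly what a sprayer stays under.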

Secureworks states the following about DanBot:

A first-stage remote access trojan (RAT) that uses DNS and HTTP-based communication mechanisms and provides basic remote access capability, including the abilities to execute arbitrary commands via cmd.exe and to upload and download files... The DNS channel of DanBot’s C2 protocol uses both IPv4 A records and IPv6 AAAA records for communication. The HTTP channel has evolved slightly since the early 2018 samples but retains common elements throughout.
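A C2 channel carried in DNS A and AAAA lookups, as described in the quote above, tends to show up in resolver logs as a stream of unique, long, high-entropy leftmost labels under one parent domain, with an unusual share of AAAA queries. The scorer below is an added example written for this post, not Secureworks code and not a description of DanBot's actual encoding; the log format, domain names and thresholds are constructed, and the "base domain" is taken naively as the last two labels rather than via the Public Suffix List.

```python
import hashlib
import math
import re
from collections import defaultdict

# Hypothetical resolver log format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)$"
)


def shannon_entropy(s):
    """Bits per character of a string; random hex tops out near 4.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_sample_log():
    """Constructed sample log: ordinary lookups plus a beacon-like pattern
    of unique, hex-looking labels alternating A and AAAA queries.
    The domain example-c2.test is a placeholder, not a real indicator."""
    lines = []
    for i in range(30):
        lines.append(f"2019-05-01T10:00:{i:02d}Z client=10.0.0.5 qtype=A qname=www.example.com")
    for i in range(10):
        lines.append(f"2019-05-01T10:01:{i:02d}Z client=10.0.0.5 qtype=AAAA qname=mail.example.com")
    for i in range(20):
        label = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:24]
        qtype = "A" if i % 2 == 0 else "AAAA"
        lines.append(f"2019-05-01T10:02:{i:02d}Z client=10.0.0.7 qtype={qtype} "
                     f"qname={label}.cdn.example-c2.test")
    return "\n".join(lines)


def score_domains(text, min_queries=10, min_unique_ratio=0.8,
                  min_entropy=3.0, min_label_len=12):
    """Aggregate queries per base domain and flag those whose leftmost
    labels look like encoded data rather than hostnames."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "entropy_sum": 0.0,
                                 "len_sum": 0, "aaaa": 0, "clients": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        labels = m["qname"].lower().rstrip(".").split(".")
        base = ".".join(labels[-2:])   # naive base domain (assumption)
        left = labels[0]
        st = stats[base]
        st["queries"] += 1
        st["names"].add(m["qname"].lower())
        st["entropy_sum"] += shannon_entropy(left)
        st["len_sum"] += len(left)
        st["aaaa"] += m["qtype"].upper() == "AAAA"
        st["clients"].add(m["client"])

    report = {}
    for base, st in stats.items():
        n = st["queries"]
        r = {
            "queries": n,
            "unique_ratio": len(st["names"]) / n,
            "avg_entropy": st["entropy_sum"] / n,
            "avg_label_len": st["len_sum"] / n,
            "aaaa_fraction": st["aaaa"] / n,
            "clients": sorted(st["clients"]),
        }
        r["suspicious"] = (n >= min_queries
                           and r["unique_ratio"] >= min_unique_ratio
                           and r["avg_entropy"] >= min_entropy
                           and r["avg_label_len"] >= min_label_len)
        report[base] = r
    return report


if __name__ == "__main__":
    for base, r in score_domains(build_sample_log()).items():
        print(f"{base:20s} q={r['queries']:3d} uniq={r['unique_ratio']:.2f} "
              f"H={r['avg_entropy']:.2f} AAAA={r['aaaa_fraction']:.2f} "
              f"suspicious={r['suspicious']}")
```

CDNs and some antivirus or telemetry products also generate many unique, high-entropy subdomains, so a hit from this scorer is a triage lead to be checked against an allow list and the querying host, not a verdict on its own.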

It is not known at this time what is driving Lyceum to target Middle Eastern energy companies. Before this, the group focused on targets in South Africa, so political motives via nation-states or cyberterrorism can likely be ruled out. At this point it is pure conjecture what Lyceum’s motives are, but regardless, energy companies in particular should beef up their security protocols in anticipation of Lyceum’s attacks.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
