Iranian State Hackers Are Attacking ISPs and Telcos
‘Lyceum’ Is an Iranian APT Group Targeting ISPs and Telecommunication Service Providers in the Middle East and Africa.
Last updated on November 10, 2021
‘Lyceum’ has been active since 2017 and is also known as Hexane, Siamesekitten, or Spirlin.
The advanced persistent threat (APT) organization has previously been connected to attacks on Middle Eastern oil and gas businesses, but it now appears that its focus has shifted to the IT industry.
Lyceum backdoor malware was noticed in attacks throughout Morocco, Tunisia, and Saudi Arabia.
Lyceum was found deploying two unique malware families, named Shark and Milan, in the most current campaign evaluated in a joint analysis by experts at Accenture and Prevailion.
Shark and Milan
As thoroughly explained by BleepingComputer, the Shark backdoor is a 32-bit program built-in C# and.NET that may be used to run instructions and steal data from affected computers.
Milan is a 32-bit remote access trojan (RAT) that can extract data from a compromised machine and send it to hosts generated using domain creation methods (DGAs).
Both backdoors connect with their command and control servers (C2) through DNS and HTTPS, with Shark additionally employing DNS tunneling.
Lyceum appears to be watching researchers who are researching their malware to upgrade its code and remain ahead of protective systems, according to the technical investigation, which indicated a continuous renewal of the beacons and payloads.
The most current build dates are from October 2021, and at least two of the detected compromises are still active, according to the researchers.
By annexing twenty of the actor’s domains and examining the telemetry data without pulling them down, the analysts were able to map the Lyceum victims.
The resultant study includes a fresh list of indications of compromise (IoCs) as well as different methods for detecting the two backdoors, potentially disrupting Lyceum’s continuing effort.
The hackers in question are thought to be politically motivated and only engaged in cyber espionage rather than disrupting their targets’ operations.
This is why they are concentrating their efforts on ISP network breaches, as compromising high-level service providers is a great method to gather important intelligence on other countries.
It is unknown if the Milan backdoor beacons are coming from a customer of the Moroccan telecommunication operator or from internal systems within the operator. However, since Lyceum has historically targeted telecommunication providers and the Kaspersky team identified recent targeting of telecommunication operators in Tunisia, it would follow that Lyceum is targeting other north African telecommunication companies. The ACTI/PACT research team therefore assess that the observed Milan activity is likely emanating directly from within the Moroccan telecommunications operator.
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.