Recent investigations have revealed that a state-sponsored threat actor believed to have ties to Iran has conducted a series of targeted cyberattacks against internet service providers (ISPs) and telecommunications operators in Israel, Morocco, Tunisia, and Saudi Arabia. A ministry of foreign affairs in Africa was also targeted, according to the new intelligence findings.
The group, known as Lyceum, is reported to have executed these intrusions between July and October 2021, as documented by researchers from the Accenture Cyber Threat Intelligence (ACTI) team in conjunction with Prevailion’s Adversarial Counterintelligence Team (PACT). Specific details regarding the affected organizations have not been made public.
This latest analysis highlights the web-based infrastructure used by Lyceum, with more than 20 infrastructure elements identified. The researchers note that mapping this infrastructure could lead to the discovery of further victims and improve understanding of the group's targeting strategy. Notably, two of the reported intrusions are assessed to be ongoing, despite earlier public disclosure of indicators of compromise.
Active since at least 2017, Lyceum, also known as Hexane or Spirlin, predominantly targets sectors of strategic national significance for cyber espionage. The group has since been observed not only updating its toolkit but also expanding its target list to ISPs and governmental bodies. New malware variants and tactics were reported in connection with attacks on entities in Tunisia, as disclosed by Russian cybersecurity firm Kaspersky.
Historically, Lyceum has used credential stuffing and brute-force attacks as its initial access vector, which means the first thing it exploits is weak or reused passwords on internet-facing services. Using the credentials obtained this way, the group deploys post-exploitation tools and establishes footholds within the networks of its chosen organizations.
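The two initial-access techniques above leave different fingerprints in authentication logs: brute force hammers one account with many passwords from one source, while credential stuffing replays a breached username/password list, so one source touches many accounts about once each. The following detection logic is an added example and is not code from the ACTI/PACT report or from any victim; the sshd-style log lines, the IP addresses (documentation ranges), the usernames and the threshold values are all constructed for illustration. It classifies each source IP's failed logins and then flags a later successful login from a source that already looked like an attack, which is the moment a harvested credential turns into a foothold.

```python
"""Added example: classify failed-login bursts in sshd-style auth logs as
brute force or credential stuffing, then flag successes from flagged sources.
All log lines, IPs and usernames below are constructed, not real victim data."""
import re
from collections import defaultdict

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log in sshd/syslog format. 203.0.113.7 hammers one account,
# 198.51.100.9 tries many accounts once each and then logs in as "ops",
# 192.0.2.44 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
Oct 12 03:14:01 gw sshd[2211]: Failed password for admin from 203.0.113.7 port 50211 ssh2
Oct 12 03:14:02 gw sshd[2211]: Failed password for admin from 203.0.113.7 port 50212 ssh2
Oct 12 03:14:03 gw sshd[2211]: Failed password for admin from 203.0.113.7 port 50213 ssh2
Oct 12 03:14:04 gw sshd[2211]: Failed password for admin from 203.0.113.7 port 50214 ssh2
Oct 12 03:14:05 gw sshd[2211]: Failed password for admin from 203.0.113.7 port 50215 ssh2
Oct 12 03:14:06 gw sshd[2211]: Failed password for admin from 203.0.113.7 port 50216 ssh2
Oct 12 03:20:11 gw sshd[2304]: Failed password for invalid user jsmith from 198.51.100.9 port 41001 ssh2
Oct 12 03:20:12 gw sshd[2304]: Failed password for invalid user mali from 198.51.100.9 port 41002 ssh2
Oct 12 03:20:13 gw sshd[2304]: Failed password for noc from 198.51.100.9 port 41003 ssh2
Oct 12 03:20:14 gw sshd[2304]: Failed password for invalid user rkhan from 198.51.100.9 port 41004 ssh2
Oct 12 03:20:15 gw sshd[2304]: Failed password for ops from 198.51.100.9 port 41005 ssh2
Oct 12 03:20:16 gw sshd[2304]: Failed password for invalid user tbenali from 198.51.100.9 port 41006 ssh2
Oct 12 03:20:30 gw sshd[2310]: Accepted password for ops from 198.51.100.9 port 41010 ssh2
Oct 12 03:25:40 gw sshd[2390]: Failed password for alice from 192.0.2.44 port 51000 ssh2
Oct 12 03:25:48 gw sshd[2390]: Accepted password for alice from 192.0.2.44 port 51000 ssh2
"""

MIN_FAILURES = 5  # assumed threshold: fewer failures than this is treated as noise


def parse_failures(log_text):
    """Return {source_ip: [username, ...]} for every failed-password line."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
    return failures


def classify_source(users, min_failures=MIN_FAILURES):
    """Classify the failed logins from one source by how many accounts they touch."""
    total = len(users)
    if total < min_failures:
        return "below_threshold"
    distinct = len(set(users))
    if distinct == 1:
        return "brute_force"          # one account, many password guesses
    if distinct / total >= 0.8:
        return "credential_stuffing"  # many accounts, roughly one attempt each
    return "mixed"                    # spraying or a blend; still worth review


def classify_log(log_text, min_failures=MIN_FAILURES):
    """Verdict per source IP over a whole log."""
    return {ip: classify_source(users, min_failures)
            for ip, users in parse_failures(log_text).items()}


def find_footholds(log_text, min_failures=MIN_FAILURES):
    """Walk the log in order and report successful logins from a source whose
    earlier failures already met the attack threshold: (ip, user, verdict)."""
    seen = defaultdict(list)
    footholds = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            seen[m.group("ip")].append(m.group("user"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            verdict = classify_source(seen[m.group("ip")], min_failures)
            if verdict != "below_threshold":
                footholds.append((m.group("ip"), m.group("user"), verdict))
    return footholds


if __name__ == "__main__":
    for ip, verdict in classify_log(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
    for ip, user, verdict in find_footholds(SAMPLE_LOG):
        print(f"FOOTHOLD: {user}@{ip} after {verdict}")
```

The ratio of distinct accounts to total failures is what separates the two techniques; the 0.8 cut-off and the five-failure floor are assumptions to tune against your own baseline, and a real deployment would also window by time so that a slow, low-rate campaign is not lost in a day's worth of ordinary typos.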
The primary tools employed by the actor include two malware families named Shark and Milan (the latter referred to as “James” by Kaspersky). Both families facilitate the execution of arbitrary commands and enable exfiltration of sensitive information from compromised systems to servers controlled by the attackers.
Recent findings from ACTI and PACT reveal that a reconfigured or possibly new backdoor associated with Lyceum was detected in late October 2021 on the networks of a telecommunications company in Tunisia and of the African ministry of foreign affairs. This indicates that Lyceum is actively updating its tools in response to the detection mechanisms published by cybersecurity providers.
The researchers from ACTI and PACT assess that Lyceum is likely to continue using the Shark and Milan backdoors, albeit with modifications. The group is believed to have retained access to its victims' networks despite public disclosures of indicators of compromise describing its tactics and operations, which is why defenders should treat a published IOC list as a starting point for hunting rather than proof that an intrusion has ended.