The Secureworks Counter Threat Unit (CTU) has discovered that the threat group LYCEUM is targeting organisations in sectors of strategic national importance, including oil and gas and possibly telecommunications. The previously unobserved threat group has been targeting critical infrastructure for more than 12 months, with research indicating that the group may have been active from as early as April 2018.
Domain registration suggests that the group targeted South African organisations in mid-2018. However, in May this year the threat group launched a campaign against oil and gas organisations in the Middle East.
When looking into how the LYCEUM threat group initially accesses an organisation, the research team found that it does so with account credentials obtained via password spraying or brute-force attacks. Using the compromised accounts, the threat actors send spearphishing emails with malicious Excel attachments to deliver the DanBot malware, which subsequently deploys post-intrusion tools.
The compromised accounts were then used to target executives, such as those in human resources (HR), and IT personnel. Recipients are more likely to open a message if it originates from an internal address.
Compromising individual HR accounts can yield more information and provide greater account access, which can then be used in additional spearphishing operations within the organisation. IT personnel have access to high-privilege accounts and documentation that can give threat actors vital information without the need to navigate the network blindly.
LYCEUM is an emerging threat to energy organisations in the Middle East, but organisations should not assume that future targeting will be limited to this sector. Critical infrastructure organisations in particular should take note of the threat group’s tradecraft.
Aside from deploying novel malware, LYCEUM’s activity demonstrates capabilities CTU researchers have observed from other threat groups and reinforces the value of a few key controls. Password spraying, DNS tunnelling, social engineering and abuse of security testing frameworks are common tactics, particularly from threat groups operating in the Middle East, so organisations need to be diligent.
CTU researchers recommend multi-factor authentication, increased visibility via endpoint detection and response (EDR) and logging, and preparedness exercises as a few key measures that organisations can take to provide broad protection and detection capabilities.
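The logging the researchers recommend is only useful if someone looks for the initial-access pattern described above. The following added example (not code from Secureworks or the article) shows how sign-in logs can be checked for the two patterns the article names: password spraying (one source, one or two attempts against many accounts) and brute force (one source, many attempts against one account). The log format, thresholds and all sample records are constructed for illustration.

```python
"""Flag password-spray and brute-force patterns in sign-in logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: "timestamp,source_ip,username,result".
# One source fails once against many accounts (spray), another hammers a single
# account (brute force), and a third is an ordinary user mistyping once.
SPRAY = [f"2019-05-02T08:00:{2*i:02d},198.51.100.7,{u},FAIL"
         for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
SPRAY.append("2019-05-02T08:00:14,198.51.100.7,grace,SUCCESS")
BRUTE = [f"2019-05-02T09:10:{i:02d},203.0.113.5,hr-admin,FAIL" for i in range(12)]
NORMAL = ["2019-05-02T10:00:00,192.0.2.9,alice,FAIL",
          "2019-05-02T10:00:30,192.0.2.9,alice,SUCCESS"]
SAMPLE_LOG = "\n".join(SPRAY + BRUTE + NORMAL)


def parse_log(text):
    """Parse CSV-style sign-in lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.strip().split(",")
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_fails=10):
    """Return sources that sprayed many accounts or brute-forced one account
    within `window`, plus accounts that later succeeded from a spraying source."""
    fails_by_ip = defaultdict(list)          # ip -> [(ts, user)] failures only
    for e in events:
        if e["result"] == "FAIL":
            fails_by_ip[e["ip"]].append((e["ts"], e["user"]))
    spray, brute = {}, {}
    for ip, fails in fails_by_ip.items():
        for i, (t0, _) in enumerate(fails):          # slide a window over failures
            in_win = [u for t, u in fails[i:] if t - t0 <= window]
            if len(set(in_win)) >= spray_users:      # many accounts, few tries each
                spray[ip] = sorted(set(spray.get(ip, [])) | set(in_win))
            per_user = defaultdict(int)
            for u in in_win:
                per_user[u] += 1
            for u, n in per_user.items():            # one account, many tries
                if n >= brute_fails:
                    brute[(ip, u)] = max(n, brute.get((ip, u), 0))
    # A success from a spraying source is the credential to reset first.
    compromised = sorted({e["user"] for e in events
                          if e["result"] == "SUCCESS" and e["ip"] in spray})
    return {"spray": spray, "brute": brute, "compromised": compromised}
```

Real deployments would read events from the identity provider or domain controller logs and tune the window and thresholds to the environment's normal failure rate.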