06 December 2021
An Iran-linked threat group has been breaking into ISPs and telecoms companies since July this year, according to a new report from Accenture and Prevailion.
The group, known as Lyceum and also tracked as Hexane or Spirlin, has been active since 2017 and has previously been linked to campaigns targeting oil and gas companies in the Middle East.
Between July and October this year it attacked Internet service providers and telecoms operators in Israel, Morocco, Tunisia and Saudi Arabia, according to researchers from Accenture's Cyber Threat Intelligence (ACTI) group and Prevailion's Adversarial Counterintelligence Team (PACT). The APT is also behind a campaign against the foreign affairs department of an unnamed African country.
“Telecommunications companies and ISPs are high-level targets for cyber espionage threat actors because once compromised, they provide access to various organisations and subscribers in addition to internal systems that can be used to leverage malicious behaviour even further,” the researchers said.
In the most recent operation analysed in the joint Accenture and Prevailion report, Lyceum used two malware families, Shark and Milan.
Shark is a 32-bit backdoor written in C# and .NET that executes commands on and exfiltrates data from infected systems. Milan is a 32-bit remote access trojan (RAT) that collects data from the compromised host and sends it to servers whose names are produced by a domain generation algorithm (DGA), so that the C2 infrastructure can be rotated without updating the implant.
Both backdoors communicate with their command and control (C2) servers over DNS and HTTPS; Shark can also tunnel its C2 traffic inside DNS queries, which lets it reach the operator from networks that only allow DNS outbound.
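DNS-tunnelled C2 of the kind described above leaves a recognisable footprint in resolver logs: many unique, long, high-entropy subdomains under one parent domain, often with TXT or NULL query types. The following is an added detection example written for this page, not code from the Accenture/Prevailion report or from Lyceum's tooling. The log format (`timestamp client qtype qname`), the sample lines, the parent-domain split on the last two labels, and the thresholds are all assumptions for illustration; the sample lines are constructed and do not describe real Lyceum infrastructure.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (assumed format: "<timestamp> <client> <qtype> <qname>").
# The tunnel-example.net lines imitate payload chunks carried as subdomain labels;
# the example.com lines are ordinary lookups. Neither is real Lyceum data.
SAMPLE_LOG = """\
2021-10-20T09:00:01Z 10.1.2.3 A www.example.com
2021-10-20T09:00:02Z 10.1.2.3 TXT 3a9f1c0e7b2d44f1a8c3.5e1b9d0a7c2f33e4b6d1.tunnel-example.net
2021-10-20T09:00:03Z 10.1.2.3 TXT 9c4e2b7d1f0a66c3e8b2.1d7a3f9c0e5b44d2a6f8.tunnel-example.net
2021-10-20T09:00:04Z 10.1.2.3 A mail.example.com
2021-10-20T09:00:05Z 10.1.2.3 TXT 0f2e8d7c6b5a44392817.a1b2c3d4e5f60718293a.tunnel-example.net
2021-10-20T09:00:06Z 10.1.2.3 A cdn.example.com
2021-10-20T09:00:07Z 10.1.2.3 TXT 7e6d5c4b3a2918f0e1d2.c3b4a59687f0e1d2c3b4.tunnel-example.net
2021-10-20T09:00:08Z 10.1.2.3 TXT 2b1a0f9e8d7c66b5a4e3.d2c1b0a9f8e7d6c5b4a3.tunnel-example.net
2021-10-20T09:00:09Z 10.1.2.3 A www.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character distribution (0.0 for empty)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Split a query name into (subdomain, parent).

    Assumption for this example: the parent is the last two labels. Production
    code should use the public suffix list so names under e.g. co.uk group correctly.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qtype, qname) from the assumed log format, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qtype, qname = parts
        yield client, qtype.upper(), qname


def profile_domains(text: str) -> dict:
    """Aggregate per-parent-domain features that separate tunnelled from normal traffic."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for _client, qtype, qname in parse_log(text):
        sub, parent = split_qname(qname)
        s = acc[parent]
        s["queries"] += 1
        s["subs"].add(sub)
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        if qtype in ("TXT", "NULL"):  # record types favoured for carrying data back
            s["txt"] += 1
    profile = {}
    for parent, s in acc.items():
        n = s["queries"]
        profile[parent] = {
            "queries": n,
            "unique_subdomains": len(s["subs"]),
            "mean_sub_len": s["len"] / n,
            "mean_entropy": s["ent"] / n,
            "txt_ratio": s["txt"] / n,
        }
    return profile


def flag_tunnels(profile: dict, min_unique=4, min_len=30, min_entropy=3.5, min_txt_ratio=0.5):
    """Return parent domains whose query pattern looks like DNS tunnelling.

    The thresholds are illustrative assumptions; tune them against a baseline of
    your own resolver logs and allowlist known DNS-based services before alerting.
    """
    return sorted(
        d for d, f in profile.items()
        if f["unique_subdomains"] >= min_unique
        and f["mean_sub_len"] >= min_len
        and f["mean_entropy"] >= min_entropy
        and f["txt_ratio"] >= min_txt_ratio
    )


if __name__ == "__main__":
    prof = profile_domains(SAMPLE_LOG)
    for domain, feats in prof.items():
        print(domain, feats)
    print("suspected tunnels:", flag_tunnels(prof))
```

The combination of features matters more than any single one: CDN and telemetry domains also produce many unique subdomains, and DKIM or anti-spam lookups legitimately use TXT, so the subdomain length and entropy conditions are what keep the false-positive rate manageable. Pair the rule with a per-client query-rate check and an allowlist of known DNS-heavy services before turning it into an alert.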
The researchers said they also identified beaconing from a reconfigured or new Lyceum backdoor in late October 2021, which suggests the campaign was still active when the report was written.