A LYCEUM threat group targeting critical infrastructure entities – including oil and gas and telecommunications organizations in the Middle East – went undetected for more than a year, according to researchers at the Dell SecureWorks Counter Threat Unit (CTU).
“Stylistically, the observed tradecraft resembles activity from groups such as COBALT GYPSY (which is related to OilRig, Crambus, and APT34) and COBALT TRINITY (also known as Elfin and APT33),” the CTU said in a blog post recounting the threat group’s activities that began in mid-2018. “However, none of the collected malware or infrastructure associated with LYCEUM has direct links to observed activity from these or other known threat groups” so there is “insufficient technical evidence to support an attribution assessment.”
The LYCEUM group initially aimed at targets in South Africa but by May 2019 had oil and gas organizations in the Middle East in its sights. “This campaign followed a sharp uptick in development and testing of their toolkit against a public multi-vendor malware scanning service in February 2019,” the researchers wrote.
The hackers first gain access to account credentials through password spraying or brute-force attacks then deliver DanBot malware – typically to executives, HR staff, and IT personnel – through malicious Excel documents attached to spearphishing emails. The malware then deploys tools such as the DanDrop VBA macro, the kl.ps1 PowerShell-based keylogger, Decrypt-RDCMan.ps1 (which is part of the PoshC2 framework and Get-LAPSP.ps1 PowerView-based script from the PowerShell Empire framework.
"Although we haven't found evidence – yet – that Lyceum is specifically targeting industrial control networks, their tools and techniques are highly consistent with past attacks on OT infrastructure,” said Phil Neray, vice president of industrial cybersecurity for CyberX, who noted that “remote access to the OT network, with the goal of causing damage and disruption” typically follow phishing attacks and privileged credential theft. “We've seen this in almost all past attacks on critical infrastructure including the 2017 TRITON attacks on a petrochemical facility in the Middle East, and the Ukrainian grid attacks of 2015 (Black Energy) and 2016 (Industroyer).”
The best strategy to defend against sophisticated adversaries like Lyceum “is to continuously monitor for suspicious activity and rapidly respond before they blow up or shut down your plant,” said Neray. “In the TRITON attacks, for example, the adversaries were in the environment for months or years before being discovered, after which a forensic analysis found clear evidence of Mimikatz credential-stealing software and repeated RDP sessions to the plant's engineering workstations from within the IT network -- but no one knew about it because there was no monitoring in place."