Iranian Cyber Group Targets Israel, Saudis and Africans: Report

New revelations about the Iran-based Lyceum cyberattack group targeting Israel, Saudi Arabia, Morocco, Tunisia and others in Africa have been uncovered in a report by two cyber intelligence firms on Tuesday.
The two companies, Accenture, which has a major Israeli branch, and US-based Prevailion, conducted an investigation tracking the group's attacks between July and October this year.

While the cyber intelligence groups ClearSky and Kaspersky have published findings regarding Lyceum, as recently as August, the new report discloses details of the latest operations, including new victims, geographies and targeted industries.

This latest report is a deep dive “to further analyze the operational infrastructure and victimology of this actor.”

The team’s findings corroborate the findings “that indicate a primary focus on computer network intrusion events targeting telecommunications providers in the Middle East.”

The Iranian flag flies in front of the UN office building in Vienna (credit: REUTERS / LISI NIESNER / FILE PHOTO)

However, the new research broadens this set of victims by identifying additional targets within Internet Service Providers (ISPs) and government agencies.

In particular, the report said that “at least two of the identified compromises are assessed to be ongoing despite prior public disclosure of Indicators of Compromise (IOCs).”

The report identified six domains with a previously unknown connection to Lyceum (five of which are currently registered).

Additionally, the new discoveries “ultimately boosted Prevailion’s ability to attribute more than 20 Lyceum domains, providing network telemetry of ongoing compromises.”

While the report said that Lyceum continues to target organizations in sectors of national strategic importance, including oil and gas organizations and telecommunications providers, as it has done since 2017, it added that the group has expanded its target set to include ISPs and government agencies.

One reason that telcos and ISPs are high-value targets for cyber espionage threat actors is “because once compromised, they provide access to various organizations and subscribers, as well as internal systems that can be used to further leverage malicious behavior.”

Additionally, companies within these industries can also be “used by threat actors or their sponsors to monitor persons of concern.”

In one specific case, Lyceum targeted an office in a Foreign Ministry, which is “a highly sought-after target because it has valuable information on the current state of the bilateral relationship and insights into future deals.”

In terms of tactics, the report says that “Domain Name System (DNS) tunneling appears to be used only during the early stages of backdoor implementation; subsequently, Lyceum operators use command and control (C2) HTTP(S) functionality encoded in the backdoors.”
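As an added illustration of the DNS-tunneling stage the report mentions, the following is a defender-side heuristic that scores DNS query logs for subdomains that look like encoded data rather than hostnames. It is example code written for this page, not from the report or from either firm; the log lines, the example-c2.test domain, the two-label registered-domain assumption and the thresholds are all constructed.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the report), format: "time client qname qtype".
# The example-c2.test names are invented; their labels carry hex-encoded data the way a tunnel does.
SAMPLE_DNS_LOG = """\
2021-09-14T08:00:01Z 10.0.0.12 www.example.com A
2021-09-14T08:00:02Z 10.0.0.12 mail.example.com A
2021-09-14T08:00:03Z 10.0.0.25 4a6f686e20446f65.7374617475733d6f6b.example-c2.test TXT
2021-09-14T08:00:04Z 10.0.0.25 5468697320697320.612074657374206d.example-c2.test TXT
2021-09-14T08:00:05Z 10.0.0.25 6d657373616765206e.756d6265722033.example-c2.test TXT
2021-09-14T08:00:06Z 10.0.0.25 7365636f6e64206c.696e65206f662064.example-c2.test TXT
2021-09-14T08:00:07Z 10.0.0.12 cdn.example.com A
"""

def shannon_entropy(s):
    # Bits per character: encoded data is near-random, real hostnames are not.
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def split_qname(qname):
    # Assumption: the registered domain is the last two labels (no public suffix list used);
    # everything in front of it is where tunneled data would be carried.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])

def find_tunneling_domains(log_text, min_unique=3, min_len=20, min_entropy=2.5):
    # Group queries by registered domain and score the subdomain material.
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        domain, sub = split_qname(parts[2])
        per_domain[domain].append((sub, parts[3]))
    flagged = {}
    for domain, entries in per_domain.items():
        subs = {s for s, _ in entries if s}
        if len(subs) < min_unique:
            continue  # too few distinct subdomains to judge
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(shannon_entropy, subs)) / len(subs)
        if avg_len >= min_len and avg_ent >= min_entropy:
            txt_share = sum(t in ("TXT", "NULL") for _, t in entries) / len(entries)
            flagged[domain] = {"queries": len(entries), "unique_subdomains": len(subs),
                               "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                               "txt_share": round(txt_share, 2)}
    return flagged

if __name__ == "__main__":
    for domain, stats in find_tunneling_domains(SAMPLE_DNS_LOG).items():
        print(domain, stats)
```

On the constructed log only example-c2.test is flagged; in practice the thresholds need tuning per environment, since CDNs and some security products also generate long, high-entropy labels.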

During the campaign, Lyceum used two main malware families, named Shark and Milan (also known as James).

Following a trail left by the Shark malware, “the researchers were able to go from likely Israeli hosts to IP addresses targeting telecommunications and ISPs in Israel and Saudi Arabia.”

“The backdoor had beacons consisting of these victims from September through October 2021,” the report says.
