The LYCEUM threat group targets organisations in sectors of strategic national importance, including oil and gas and possibly telecommunications. The activity observed by Secureworks Counter Threat Unit (CTU) researchers focuses on obtaining and expanding access within a targeted network.
CTU research indicates that LYCEUM may have been active as early as April 2018. Domain registrations suggest that a campaign in mid-2018 focused on South African targets. In May 2019, the threat group launched a campaign against oil and gas organisations in the Middle East. This campaign followed a sharp uptick in development and testing of their toolkit against a public multi-vendor malware scanning service in February 2019.
Stylistically, the observed tradecraft resembles activity from groups such as COBALT GYPSY (which is related to OilRig, Crambus, and APT34) and COBALT TRINITY (also known as Elfin and APT33). However, none of the collected malware or infrastructure associated with LYCEUM has direct links to observed activity from these or other known threat groups. As of this publication, there is insufficient technical evidence to support an attribution assessment.
When CTU researchers first published information about LYCEUM to Secureworks Threat Intelligence clients, no public documentation on the group existed. Since then, reporting has emerged that refers to the threat group as HEXANE.
The LYCEUM toolkit
LYCEUM initially accesses an organisation using account credentials obtained via password spraying or brute-force attacks. Using compromised accounts, the threat actors send spearphishing emails with malicious Excel attachments to deliver the DanBot malware, which subsequently deploys post-intrusion tools.
CTU researchers have observed LYCEUM using the following tools:
• DanBot — A first-stage remote access trojan (RAT) that uses DNS and HTTP-based communication mechanisms and provides basic remote access capability, including the abilities to execute arbitrary commands via cmd.exe and to upload and download files
• DanDrop — A VBA macro embedded in an Excel XLS file used to drop DanBot
• kl.ps1 — A PowerShell-based keylogger
• Decrypt-RDCMan.ps1 — Part of the PoshC2 framework
• Get-LAPSP.ps1 — A PowerView-based script from the PowerShell Empire framework
Conclusion
LYCEUM is an emerging threat to energy organisations in the Middle East, but organisations should not assume that future targeting will be limited to this sector. Critical infrastructure organisations in particular should take note of the threat group’s tradecraft. Aside from deploying novel malware, LYCEUM’s activity demonstrates capabilities CTU researchers have observed from other threat groups and reinforces the value of a few key controls. Password spraying, DNS tunneling, social engineering, and abuse of security testing frameworks are common tactics, particularly from threat groups operating in the Middle East.
While there are many security controls that could mitigate aspects of a LYCEUM intrusion, CTU researchers recommend the following to provide broad protection and detection capabilities that apply to a spectrum of threats:
Implement multi-factor authentication (MFA)
Increase visibility via endpoint detection, response, and logging
Conduct preparedness exercises including Incident response and phishing awareness