New details have emerged about Lyceum, an Iran-based cyberattack group, and its targeting of Israel, Saudi Arabia and several African countries, including Morocco and Tunisia.
Two firms – Accenture, which has a branch in Israel, and US-based Prevailion – released joint research tracing Lyceum activity between July and October 2021.
Cyber intelligence groups Clearsky and Kaspersky have previously published findings on Lyceum, including in August, but the new report divulges “details on the latest operations, including new victims, geographies and industries being targeted...” and is a deep dive “to further analyze the operational infrastructure and victimology of this actor.”
The research corroborates those earlier findings “indicating a primary focus on computer network intrusion events aimed at telecommunications providers in the Middle East.”
However, the new research expands on this victim set by identifying additional targets within Internet service providers (ISPs) and government agencies.
“At least two of the identified compromises are assessed to be ongoing despite prior public disclosure of indicators of compromise [IOCs],” the report said.
It identified six domains with a previously unknown connection to Lyceum, five of which are currently registered.
Further, the new discoveries “eventually fueled Prevailion’s ability to annex over 20 Lyceum domains, which provided network telemetry of ongoing compromises.” Taking control of (sinkholing) a command-and-control domain in this way means that hosts still infected with the backdoor beacon to the researchers rather than to the attacker, which is how the firms could observe compromises that were still live.
Lyceum continues to target organizations in sectors of strategic national importance, including oil and gas organizations and telecommunications providers, as it has since 2017, the report said, adding that the group has expanded its target set to include ISPs and government bodies.
One reason that telecommunications companies and ISPs are high-value targets for cyber-espionage threat actors is “because once compromised, they provide access to various organizations and subscribers in addition to internal systems that can be used to leverage malicious behavior even further.”
Moreover, companies within these industries can also be “used by threat actors or their sponsors to surveil individuals of interest.”
In one specific case, Lyceum targeted a foreign-ministry office; such ministries are “highly sought-after targets because they have valuable intelligence on the current state of the bilateral relationship and insight into future dealings.”
Regarding tactics, the report said: “Domain name system (DNS) tunneling appears to be used only during the early stages of back-door deployment; subsequently, the Lyceum operators use the HTTP(S) command and control (C2) functionality encoded in the backdoors.”
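The tactic described above, DNS tunneling for the first stage and HTTP(S) for later command and control, is relevant to defenders because DNS is rarely blocked outbound and is often logged less carefully than web traffic. The following is an added example written for this article, not code from the Accenture/Prevailion report and not based on Lyceum's actual encoding scheme. It scores DNS query logs for generic tunneling indicators: many unique subdomains under one registered domain, long high-entropy labels, and a high share of TXT/NULL queries. The log format, domain names, thresholds and sample lines are all constructed assumptions.

```python
"""Heuristic DNS-tunneling triage over DNS query logs.

Added example; not from the Accenture/Prevailion report. The log format
("<epoch> <client_ip> <qtype> <qname>"), the domain names and the score
thresholds are assumptions chosen for illustration only.
"""
import math
import re
from collections import defaultdict

# Constructed sample log: one host making many TXT queries with long
# encoded labels under update-srv.net (tunnel-like), plus normal browsing.
SAMPLE_LOG = """\
1633000001 10.0.0.5 A www.example.com
1633000002 10.0.0.5 A cdn.example.com
1633000003 10.0.0.7 TXT mf2wq7zn4kxb3jpr5hvt6cyd2lsg.update-srv.net
1633000004 10.0.0.7 TXT x3ktd7qhv2bfw5mnz6rjp4cl3sgy.update-srv.net
1633000005 10.0.0.7 TXT p6yjw2vn5tqs3dk7xhb4mlz6rcf2.update-srv.net
1633000006 10.0.0.7 TXT c5rbm3zq7wnl2kdt6fxh4jsv5gyp.update-srv.net
1633000007 10.0.0.7 TXT h7dnx4gqk2vwm5bsj3ztr6lfc7py.update-srv.net
1633000008 10.0.0.5 A www.example.com
1633000009 10.0.0.5 A mail.example.com
1633000010 10.0.0.9 A login.microsoftonline.com
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score far higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain_part, registered_domain).

    Naive split on the last two labels; a production tool should use the
    public suffix list so that e.g. host.example.co.uk is handled correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_domains(log_text: str, min_queries: int = 3):
    """Aggregate per registered domain and assign a 0-4 tunneling score."""
    per_domain = defaultdict(lambda: {"qnames": set(), "txt": 0, "total": 0,
                                      "entropies": [], "lens": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the triage
        _, _, qtype, qname = m.groups()
        sub, reg = split_name(qname)
        d = per_domain[reg]
        d["total"] += 1
        d["qnames"].add(qname)
        if qtype.upper() in ("TXT", "NULL"):  # record types with roomy payloads
            d["txt"] += 1
        if sub:
            d["entropies"].append(shannon_entropy(sub.replace(".", "")))
            d["lens"].append(len(sub))

    results = {}
    for reg, d in per_domain.items():
        if d["total"] < min_queries:
            continue  # too little data to judge
        uniq_ratio = len(d["qnames"]) / d["total"]
        mean_ent = sum(d["entropies"]) / len(d["entropies"]) if d["entropies"] else 0.0
        mean_len = sum(d["lens"]) / len(d["lens"]) if d["lens"] else 0.0
        txt_ratio = d["txt"] / d["total"]
        # Thresholds are assumptions; tune against your own baseline traffic.
        score = 0
        score += uniq_ratio > 0.9   # almost every query is a fresh name
        score += mean_ent > 3.5     # labels look like encoded data
        score += mean_len > 20      # labels carry a lot of bytes
        score += txt_ratio > 0.5    # payload-friendly record types dominate
        results[reg] = {"score": int(score), "queries": d["total"],
                        "unique_ratio": round(uniq_ratio, 2),
                        "mean_entropy": round(mean_ent, 2),
                        "mean_label_len": round(mean_len, 1),
                        "txt_ratio": round(txt_ratio, 2)}
    return results


def flagged(log_text: str, threshold: int = 3):
    """Registered domains whose score meets the threshold, most suspicious first."""
    res = score_domains(log_text)
    return sorted((d for d, v in res.items() if v["score"] >= threshold),
                  key=lambda d: -res[d]["score"])


if __name__ == "__main__":
    for dom, stats in score_domains(SAMPLE_LOG).items():
        print(dom, stats)
    print("flagged:", flagged(SAMPLE_LOG))
```

Tunnels that hide data in A/AAAA/CNAME queries will not trip the TXT check, which is why the score combines several features rather than relying on one; the entropy and label-length features still fire on them. The thresholds are deliberately conservative and should be calibrated against a baseline of the organisation's own resolver logs before alerting on them.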
During the campaign, Lyceum used two primary malware families, dubbed Shark and Milan (aka James).
Following a trail left by the Shark malware, “researchers were able to pivot from likely Israeli hosts to IP addresses resolving to telecommunication and ISPs in Israel and Saudi Arabia,” the report said.
“The back door had consistent beaconing at these victims beginning in September through October 2021,” it said.
Following various leads, Accenture and Prevailion identified “beaconing from a reconfigured or possibly a new Lyceum back door in late October 2021. The observed beacons were seen egressing from a telecommunications company in Tunisia as well as an MFA [Ministry of Foreign Affairs] in Africa.”
The cyber intelligence firms “assess that Lyceum is likely updating its backdoors in light of recent public research into its activities to try and stay ahead of defensive systems.”
Lyceum “has likely been able to maintain footholds in victims’ networks despite public disclosure of IOCs associated with its operations,” the report said.
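The last three paragraphs make a practical point for defenders: indicator lists go stale as soon as the actor re-registers domains or recompiles its backdoors, but the behaviour that let the researchers spot these victims, a backdoor beaconing on a consistent schedule for weeks, survives an infrastructure change. The following is an added example written for this article, not code from the report, that looks for that behaviour in outbound connection logs by measuring how regular the inter-connection gaps are for each source/destination pair. The log format, hosts, intervals and jitter values are constructed assumptions.

```python
"""Beacon-periodicity triage over outbound HTTP(S) connection logs.

Added example; not from the Accenture/Prevailion report. The log format
("<epoch> <src_ip> <dst_host>"), hosts, interval and jitter values are
constructed for illustration only.
"""
import statistics
from collections import defaultdict


def _build_sample_log() -> str:
    """Constructed sample: an implant on 10.0.0.7 calling home every ~300 s
    with a few seconds of jitter, and a user on 10.0.0.5 browsing irregularly."""
    lines = []
    t = 1633000000
    for j in [0, 3, -2, 5, -4, 1, -1, 2, -3, 4, 0, -2]:  # assumed jitter
        t += 300 + j
        lines.append(f"{t} 10.0.0.7 api.update-srv.net")
    t = 1633000000
    for gap in [5, 40, 2, 600, 15, 900, 3, 250, 30, 1200, 7, 60]:  # human-like gaps
        t += gap
        lines.append(f"{t} 10.0.0.5 www.example.com")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse(log_text: str):
    """Group connection timestamps by (source IP, destination host)."""
    pairs = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed lines
        ts, src, dst = parts
        pairs[(src, dst)].append(int(ts))
    return pairs


def beacon_stats(timestamps, min_events: int = 8):
    """Regularity of the gaps between connections; None if too few events."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(deltas)
    med = statistics.median(deltas)
    # Median absolute deviation: robust to the odd missed or delayed beacon.
    mad = statistics.median(abs(d - med) for d in deltas)
    # Coefficient of variation: near 0 means clockwork timing.
    cv = statistics.pstdev(deltas) / mean if mean > 0 else float("inf")
    return {"count": len(ts), "median_interval": med, "mad": mad, "cv": cv}


def find_beacons(log_text: str, max_cv: float = 0.1, min_events: int = 8):
    """Return (src, dst, stats) for pairs whose timing looks like a beacon.

    max_cv is an assumed threshold; implants with heavy jitter need a looser
    bound or a frequency-domain approach, and legitimate pollers (update
    checks, monitoring agents) will also match and must be allow-listed.
    """
    hits = []
    for (src, dst), ts in parse(log_text).items():
        st = beacon_stats(ts, min_events)
        if st and st["cv"] <= max_cv:
            hits.append((src, dst, st))
    return sorted(hits, key=lambda h: h[2]["cv"])


if __name__ == "__main__":
    for src, dst, st in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every ~{st['median_interval']}s "
              f"(n={st['count']}, mad={st['mad']}, cv={st['cv']:.3f})")
```

Run over real proxy or firewall logs this will also surface software update checks and monitoring agents, so the output is a triage queue, not an alert. The value is that it keys on the implant's timing rather than on any domain or hash, which is exactly what the report says Lyceum changes when its indicators become public.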
One specific file from Shark malware “was first submitted to a third-party malware repository on August 2, 2021, from a submitter who appears to be based in Israel. On September 27, 2021, the same third-party malware repository submitter also uploaded” another file, which the report then discussed in detail.