Lyceum Hackers from Iran Target Telecoms
Reading Time: 2 minutes

According to new findings, Lyceum Hackers from Iran Target Telecoms, ISPs in Israel, Saudi Arabia, and Africa.

The researchers from Accenture Cyber Threat Intelligence (ACTI) group and Prevailion’s Adversarial Counterintelligence Team (PACT) in a technical report said the intrusions staged by Lyceum have occurred between July and October 2021. The names of the victims have been withheld. 

The researchers further mentioned, the recent developments enabled them to find another 20 web-based infrastructures used by Lyceum. This led to identifying additional victims and providing further visibility on how Lyceum hackers operated. They also identified two compromises that are learned to be ongoing in spite of the prior public disclosure of indicators of compromise.

Lyceum aka Hexane or Spirlin has been active since 2017 and is known to target strategic national importance for purposes of cyber espionage. It keeps upgrading its arsenal with new implants and expanding its sights to include ISPs and government agencies. The hacking group has been able to mount attacks against two entities in 

According to Kaspersky, the new and updated malware and TTPs have enabled the hacking group to mount attacks against two entities in Tunisia, Russian last month. 

The Lyceum hackers are known to use credential stuffing and brute-force attacks as initial attack vectors to obtain account credentials. This enables them to gain a foothold into targeted organizations, leveraging the access as a springboard to drop and execute post-exploitation tools.

The threat actors deploy two distinct malware families ie. Shark and Milan (named “James” by Kaspersky). Each of these allows the execution of arbitrary commands and exfiltration of sensitive data from the compromised systems to a remote attacker-controlled server.

According to ACTI and PACT, they too have discovered the signals from a reconfigured or potentially a new Lyceum backdoor in late October 2021, this originated from a telecommunications company in Tunisia and an MFA in Africa. Thus indicating that the operators are actively updating their backdoors in light of recent public disclosures and attempting to bypass detection by security software.

The researchers said, “Lyceum will likely continue to use the Shark and Milan backdoors, albeit with some modifications, as the group has likely been able to maintain footholds in victims’ networks despite public disclosure of [indicators of compromise] associated with its operations.” 

Related Articles:

USA Signs Internet Freedom and No-Hack Pact Ignored Since 2018
Ex-Broadcom Engineer accused of Stealing Chip Technology To Share with New Chinese Employer
BusyBox Linux Utility for Embedded Devices Comes With 14 New Security Flaws