"Lyceum," an advanced persistent threat actor associated with numerous attacks on telecom organizations and oil and natural gas companies in the Middle East since 2017, has recently begun targeting Internet service providers (ISPs) and government organizations.

The increased focus on ISPs appears to be part of the group's effort to compromise organizations in order to gain access to a broad set of customers and subscribers, according to a new report this week from Accenture and Prevailion on Lyceum's activities.

Researchers from Prevailion’s adversarial counterintelligence team and Accenture’s cyber defense group analyzed recently publicized campaigns attributed to Lyceum by Kaspersky and ClearSky. The focus of the study was Lyceum's operational infrastructure and the group's victim profile.

"We were intrigued with this threat actor because of its suspected Iranian origins, which for us is very important due to the rise in Iranian cyber threats overall to the US and its allies," says Karim Hijazi, CEO of Prevailion.

The study corroborated some of the previous findings about the threat group's malware and tactics, while shedding new light on Lyceum's command-and-control (C2) infrastructure and victim targeting.

"We were able to identify 20 new domains associated with their C2 infrastructure, which gave us incredible visibility into their victimology," Hijazi says.

The data showed that Lyceum has begun infiltrating networks belonging to ISPs and governments in new and broader geographic areas than before. Accenture and Prevailion's study also showed that the threat actor has begun using either a new or reconfigured backdoor in its campaigns, Hijazi says.

Secureworks was the first to expose the Lyceum group's activities in an August 2019 report. At the time, the security vendor described the threat group as being initially focused on targets in South Africa and then in 2019, expanding its focus to oil and gas organizations in the Middle East. The threat actor's favored method for gaining initial access to a target network is to use legitimate account credentials obtained previously via brute-force or password spraying attacks. It then used the compromised accounts to send spear-phishing emails containing an attachment that, when opened, would download a .Net-based remote access Trojan called DanBot on infected systems. The attackers subsequently used DanBot to download other malware, Secureworks said.

Last month, researchers from Kaspersky said they had observed Lyceum targeting two entities in Tunisia. The security vendor said its investigation showed that the Lyceum group had evolved and shifted from using the original .Net-based DanBot malware to new versions written in C++. Kaspersky dubbed one of the versions "James" and the other "Kevin" and described both variants as using the same custom C2 protocols tunneled over HTTP or DNS that DanBot used. Kaspersky said it had also discovered Lyceum using one malware variant that did not appear to support any network communications at all.

New Targets
In their report this week, Accenture and Prevailion said that between July and October 2021, they had observed Lyceum backdoors on ISPs and telecom operators in Tunisia, Saudi Arabia, Morocco, and Israel. The group's presence was also observed on the network of a ministry of foreign affairs of a country in Africa. In these attacks, the threat actor used DNS tunneling during the early stages of backdoor deployment. They then switched to using HTTPs C2 functionality built into the backdoors for further communication, Prevailion and Accenture said in their report. The investigation showed that Lyceum has begun using a new or possibly reconfigured backdoor in its campaign likely because of the heightened focus on the threat group.

"They are using DNS tunneling, which is reminiscent of AnchorDNS used by Trickbot," Hijazi says. "What is notable is that this reconnaissance information doesn’t require a C2 connection. It can be collected directly from the DNS call, which makes it challenging to identify and stop."

Hijazi says Lyceum’s clear focus on ISP attacks is especially concerning.

"Lyceum appears to be looking for island-hopping opportunities, and ISPs are the perfect junction for this type of operation," he says. "They allow a threat actor to exploit trusted services to penetrate many different organizations simultaneously."

Such supply chain attacks have become increasingly common recently. SolarWinds remains the most visible example, but there have been numerous other incidents where attackers have targeted trusted and widely used software vendors and service providers. Examples include an attack on Kaseya in the summer that resulted in ransomware being deployed on systems belonging to numerous downstream customers of the company, and another on Accellion earlier this year that exposed data belonging to numerous companies.

The level of sophistication that Lyceum has shown suggests some level of government backing, Hijazi says. So far, at least, there is nothing to suggest Lyceum has compromised any US victims. But given the geopolitical tensions between the US and Iran, there is concern that Lyceum will make its way to the US eventually, Hijazi says.