CyberWire Daily - A collaboration stumbles upon threat actor Lyceum. [Research Saturday]

Episode Date: January 22, 2022

Guest Rob Boyce, Accenture's Global Lead for Cyber Incident Response and Transformation Services, joins Dave to discuss joint research done by Accenture's Cyber Threat Intelligence (ACTI) group and Prevailion's Adversarial Counterintelligence Team (PACT). The teams dug into recently publicized campaigns of the cyber espionage threat group Lyceum (aka HEXANE, Spirlin) to further analyze the operational infrastructure and victimology of this actor. The team's findings corroborate and reinforce previous ClearSky and Kaspersky research indicating a primary focus on computer network intrusion events aimed at telecommunications providers in the Middle East. Additionally, the research expands on this victim set by identifying additional targets within internet service providers (ISPs) and government agencies. Although all victim-identifying information has been redacted, this report seeks to provide these targeted industry and geographic verticals with additional knowledge of the threat and mitigation opportunities. The research can be found here: Who are latest targets of cyber group Lyceum?

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities,
Starting point is 00:01:10 solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. We were doing research on a totally different threat actor group, actually, and stumbled upon some indicators that were very unique and interesting to us. That's Robert Boyce. He's the global lead for cyber incident response and transformation services at Accenture. The research we're discussing today is titled, Who are the latest targets of cyber group Lyceum?
Starting point is 00:01:56 And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context. Simplifying security management with AI-powered automation. And detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they
Starting point is 00:02:58 can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. As we started to dig into it, we started to stumble upon Lyceum as a threat actor going after different industries that we had not known them to be going after before. And so as we were just digging into this more, you know, we started to see a pattern develop. Well, let's walk through it together. I mean, as this came on your radar and you started to unpack it, how did the story unfold? Yeah. So as we were going through this, we did this research in collaboration with Prevailion's adversarial counterintelligence team. So it was a great collaboration.
Starting point is 00:03:47 And we were able to use the Accenture threat intelligence team's knowledge of C2 infrastructure together with telemetry that Prevailion, their research team, had. And we were able to start seeing a number of interesting patterns develop, built on some of the work that ClearSky and Kaspersky were doing in the same space on the same threat actor. Well, let's walk through some of those together. I mean, what did you see that formed a pattern here? You know, as it's pretty well known now, through some of the research that was published by ClearSky and Kaspersky, this threat actor was using two known malware programs, Shark and Milan. We started to see that within those, there were some patterns that we were able to do further research on that weren't really researched previously. So as an example, Shark had some very interesting components of its algorithm that had very specific syntax, and we were able to start developing some regular expressions, and again, looking through Prevailion's telemetry and starting to see actually a slightly different victimology emerge that was not really traditional for Lyceum previously. Well, let's just back up for a second here. I mean, what is your sense in terms of
Starting point is 00:05:13 who they're targeting? What part of the world and what sort of verticals are they going after? Lyceum has been pretty well known since they've been active, we think, since around 2017. And at that point, they were going after targets that were significant to sectors of strategic intelligence importance for Iran, Lyceum being an Iranian threat group. And what they had focused on initially was really oil and gas companies and telecommunication companies in the Middle East. And then through our research, we've started to see that evolve. And so between July and October of this year, we've started to see them target internet service providers and telecommunication operators in Israel, Monaco, Tunisia, and Saudi Arabia. And we've actually also seen some evidence of them targeting at least one Ministry of Foreign Affairs of an African nation.
Starting point is 00:06:07 Yeah, that's fascinating. So I suppose, I mean, perhaps that they had some success with this endeavor with their initial targets and then over time have expanded it to other areas. Yes. I mean, Lyceum, as far as we can tell, is very focused on espionage, again, on the targets of strategic national importance. And so we do believe that they're now just continuing the momentum they had in those areas and now continuing to go in those different countries that we had mentioned and different industries. Well, you mentioned both Shark and Milan, which are the tools that they are using here. Can we dig into each of those individually? Can you describe to us what exactly are they and what are their capabilities? Yeah, I mean, they're pretty well known backdoor malware families. And the fascinating thing to me, at least, is both of these have two different C2 communication channels, one through DNS and one through HTTP. Why is that?
Starting point is 00:07:11 Is this for redundancy to have more than one way to reach out? Yeah, so I think there's multiple reasons. One reason, DNS is really not on the radar of most SOC analysts. And so being able to, even though it's a little bit harder to operate, meaning it's a little less reliable, it's a lot slower, it stays under the radar. And so if you think about threat actor groups that are associated with espionage, this is a great way to stay under the radar and try to fulfill their mission. HTTP can absolutely be used as a backup channel if one gets compromised,
Starting point is 00:07:47 but the HTTP channel is really more so for moving large amounts of data faster. And I believe that's why they're using both of those channels. So in terms of initial exposure here, how would one find themselves a victim here? How are they initially getting in? Do you have any sense as far as that goes? Clear Sky and Kaspersky talked about this a lot in their research, but it's very traditional, to be honest. They focus on spear phishing and taking advantage of unpatched systems with an internet point of presence. Nothing really too unique on the initial compromise. Now, how about persistence? How are they able to stay on the systems they get into?
Starting point is 00:08:33 It doesn't appear to me, at least, that they're doing a lot of lateral movement in the systems because they are still trying to stay quiet as they're looking around. But the persistence is really based on the, again, the malware families. So what are the recommendations there in terms of detection and mitigation? Yeah, this is where I think it becomes really interesting because, again, the SOC analysts aren't traditionally looking for the DNS traffic.
Starting point is 00:09:02 And I think there's an opportunity for us to do a little bit better in that as a community overall. So there's a couple of, you know, in addition to the indicators that we have published as part of our joint research with Prevailion, you know, there's a number of other things that we believe organizations can do, especially again, as it comes to being better at detecting malicious activity through malware. I didn't mention this, but each of these malware families was using a domain generating algorithm, which really means that they're able to change domains very quickly and stay under the radar.
Starting point is 00:09:38 Because as you can imagine, if they were using just one domain, it's very easy to start seeing a pattern develop and stop that communication, cutting off their C2 channel. But as they're changing it consistently, that helps them stay under the radar quite extensively. One of the things that SOC analysts should be looking for more is anomalies based on that. So different domains are resolving to the same IP address in a very short period of time. It's very behavior-based, but something that modern SIEMs and other analytics tools are able to identify.
Starting point is 00:10:15 What other things come to your attention here in terms of what to look out for? Yeah, I think, honestly, to stop the initial penetration, which again, we're talking about basic security hygiene and IT hygiene, patching systems and making sure we're educating users. When we're looking for activities similar to this, right, it does come down to being able to detect malicious or anomalous DNS requests and DNS traffic so that you can see if people are leveraging DNS tunneling or DNS to issue commands within an environment similar to this threat actor. And when we're looking for HTTP exfiltration, it's not really too different than we think about for
Starting point is 00:11:00 any type of data exfiltration leveraging HTTP, right? Large amounts of data that are leaving the system over a shorter period of time. The thing really is, is a lot of organizations aren't doing this type of anomalous detections. They're looking for more traditional threat vectors or malicious activity. So that's why threat groups leveraging these techniques or why these techniques are being leveraged
Starting point is 00:11:22 by more threat groups are just becoming more prevalent in the attack chain. The fact that you all partnered with Prevailion here strikes me as interesting in itself. Can you give us some insights as to what these sort of partnerships provide for both partners here? I mean, it strikes me that there's benefits for both sides. Absolutely. And I think this is quite honestly just something that industry in general needs to do more of. I think we're really good at talking about information sharing, and I'm not really sure we're so good at actually doing it. So we've been trying to partner with a number of different, you know, a number of our different partners within the intelligence community because they have access to data that we don't have, and we have insights that they don't have.
Starting point is 00:12:08 So as you said, there is absolutely an opportunity for both of us to get something out of this. In this circumstance, Prevailion was able to leverage their telemetry that they're collecting, and we were able to leverage our analysts who have been doing research in the, you know, the backend communications and internet infrastructure that threat actors were using, and marry those two things together to gain a lot of additional insights. All right, we were, because of the partnership, we were able to identify additional victim sets as part of this, and we were able to additionally identify a number of additional domains as part of this as well. I think when the initial research was done,
Starting point is 00:12:52 there was six domains, I believe, that were identified. And through this partnership and our research, I think we identified up to 20 that were being used by this threat actor. And that's something that neither of us could have done on our own. So I think it's not only better for the two of us to be able to partner, but it's also better for the community when we do this type of activity and this type of partnership. Yeah, absolutely. So where do we stand today in terms of Lyceum themselves? Is there a sense that they are still operating out there doing their thing? Absolutely. And, you know, we started to see them change a little bit, not their tactics, but I would say adjusting their malware, especially within Milan. You know, again,
Starting point is 00:13:43 part of our research identified that as we were going through the different, following the different threads of our research, we started to identify what we believe at first was a new backdoor used by Lyceum. And now through that research, we believe that they've just modified some of the syntax in the Milan backdoor to be able to go undetected from the IOCs that are being now published. So going undetected by intrusion detection, intrusion prevention systems, because they've adjusted the tactic a little bit so they could avoid detection. But we don't see them necessarily changing their overall tactic because they're quite successful right now. So we see them continuing to use the two main malware groups, but probably malware families, but probably still modifying them enough so current IOCs will not be able to
Starting point is 00:14:34 detect them. Is it fair to say that they exhibit a certain amount of discipline here, which I suppose you would expect from an organization focused on espionage? Yeah, absolutely. We haven't seen any evidence of them doing any destructive activities or bringing unwanted attention to themselves. They seem to be as quiet as possible, maintain persistence as long as possible, and gather information for as long as possible. Our thanks to Robert Boyce from Accenture for joining us.
Starting point is 00:15:19 The research is titled, Who are the latest targets of cyber group Lyceum? We'll have a link in the show notes. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:15:53 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Kirill Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
