The activity of the Lyceum APT group was first documented earlier in August by researchers at ICS security firm Dragos that tracked it as Hexane.
Security experts at Dragos Inc. reported that Hexane is targeting organizations in the oil and gas industry and telecommunication providers.
According to Dragos, the Hexane group has been active since at least mid-2018 and intensified its activity in early 2019 as tensions escalated within the Middle East.
Now experts at SecureWorks have released a new report on Lyceum’s tactics, techniques, and procedures. The Lyceum APT group aims at intelligence gathering on its targets and doesn’t appear interested in sabotage.
Lyceum was observed using password spraying and brute-force attacks to compromise email accounts of targeted individuals.
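The two initial-access techniques named above leave different shapes in authentication logs: spraying tries one or two passwords against many accounts from one source (staying under per-account lockout thresholds), while brute force hammers a single account. The following detection logic is an added example written for this page, not code from SecureWorks or Dragos; the log lines, IP addresses, account names, thresholds and the simple "timestamp ip account result" format are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: timestamp, source IP, account, result.
# These records are made up for the example and are not data from the report.
SAMPLE_LOG = """\
2019-08-20T08:00:01 203.0.113.7 alice FAIL
2019-08-20T08:00:05 203.0.113.7 bob FAIL
2019-08-20T08:00:09 203.0.113.7 carol FAIL
2019-08-20T08:00:13 203.0.113.7 dave FAIL
2019-08-20T08:00:17 203.0.113.7 erin FAIL
2019-08-20T08:00:21 203.0.113.7 frank SUCCESS
2019-08-20T08:10:00 198.51.100.4 alice FAIL
2019-08-20T08:10:04 198.51.100.4 alice FAIL
2019-08-20T08:10:08 198.51.100.4 alice FAIL
2019-08-20T08:10:12 198.51.100.4 alice FAIL
2019-08-20T08:10:16 198.51.100.4 alice FAIL
2019-08-20T08:10:20 198.51.100.4 alice FAIL
2019-08-20T09:00:00 192.0.2.10 alice FAIL
2019-08-20T09:00:30 192.0.2.10 alice SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Flag source IPs whose failures inside one window hit at least
    `min_accounts` distinct accounts with no more than `max_per_account`
    failures each: the 'few guesses against many users' shape of spraying.
    Returns {ip: sorted list of targeted accounts}."""
    failures = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "FAIL":
            failures[ip].append((ts, account))
    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            in_window = [acct for ts, acct in fails[i:] if ts - start <= window]
            counts = Counter(in_window)
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                alerts[ip] = sorted(counts)
                break
    return alerts


def detect_brute_force(events, window=timedelta(minutes=30), min_failures=5):
    """Flag (ip, account) pairs with many failures against one account in a window.
    Returns {(ip, account): failure count in the first triggering window}."""
    failures = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "FAIL":
            failures[(ip, account)].append(ts)
    alerts = {}
    for key, stamps in failures.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            n = sum(1 for ts in stamps[i:] if ts - start <= window)
            if n >= min_failures:
                alerts[key] = n
                break
    return alerts


def successes_from_flagged_sources(events, spray_alerts, brute_alerts):
    """Successful logins from sources already flagged: the accounts most likely
    compromised and worth a credential reset and mailbox review."""
    flagged_ips = set(spray_alerts) | {ip for ip, _ in brute_alerts}
    return [(ip, account) for ts, ip, account, result in events
            if result == "SUCCESS" and ip in flagged_ips]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    spray = detect_password_spray(evs)
    brute = detect_brute_force(evs)
    print("password spray sources:", spray)
    print("brute-force pairs:", brute)
    print("successful logins from flagged sources:",
          successes_from_flagged_sources(evs, spray, brute))
```

On the sample, the first source is flagged as spraying (five accounts, one failure each, then a success against a sixth account), the second as brute force against a single account, and the lone failure followed by a success from the third source is left alone as an ordinary mistyped password. The thresholds are assumptions to tune against a real tenant's baseline; the same per-source grouping applies to cloud mailbox sign-in logs, where spraying against externally exposed email is typically observed.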
“LYCEUM initially accesses an organization using account credentials obtained via password spraying or brute-force attacks. Using compromised accounts, the threat actors send
The threat actors carried out
“A malicious document (
Another tool used by the group is
The group also used ‘Decrypt-RDCMan.ps1’, a password decryption tool included in the PoshC2 penetration-testing framework. The tool gathers and decrypts passwords stored in the configuration file of the RDCMan remote desktop connection manager.
Lyceum attackers also used another PowerShell script, dubbed ‘Get-LAPSP.ps1’, that collects data from Active Directory via LDAP. The attackers used this tool once they had compromised the initial target.
Experts pointed out that Lyceum does not use sophisticated hacking techniques. Even though the threat actors appear to be focusing their campaign on industrial control systems (ICS) and operational technology (OT) staff, experts warn that the group could target other industries in the future.
“LYCEUM is an emerging threat to energy organizations in the Middle East, but organizations should not assume that future targeting will be limited to this sector. Critical infrastructure