Critical infrastructure is one of the favorite targets for the sophisticated attacks carried out by APTs (advanced persistent threats). What makes these APTs really dangerous is the fact that their attacks are never random, and always have a specific target. If an advanced cyberattack managed to paralyze the water supply, or interrupt hospital service, the APT would have achieved its goal: weakening an “enemy” country.

LYCEUM, a new threat

In July, we saw a new example of this activity against critical infrastructure when an APT called XENOTIME, which was infamous for attacking oil companies in the Middle East, started to gain access to electric company networks in the United States.

Now, a new APT called LYCEUM has been detected compromising gas and oil companies in the Middle East. According to Dell SecureWorks researchers, the group may have been active since April 2018. Domain registrations suggest that LYCEUM carried out attacks in South Africa last year, possibly against the telecoms sector. The group’s focus seems to be obtaining and expanding access within the target network.

A wide range of tactics

To access company accounts, the LYCEUM attackers use a tactic called password spraying. This is where attackers use a list of the most common passwords to try to access a large number of accounts in a brute force attack. Once the account has been compromised, the group uses it to carry out a spear phishing attack against users in the company, attaching malicious Excel files to the emails.

One noteworthy characteristic of this campaign is the attackers’ sense of irony. Many of the emails used email subjects related to security best practices. For example, one email contained a malicious attachment called ‘The 25 worst passwords of 2017’.

When a user clicks on the attached Excel file, a piece of malware called DanBot is deployed. DanBot is a remote access Trojan (RAT), which can be used to execute arbitrary commands, and to upload and download files. Another tool used by LYCEUM is called kl.ps, which is a customized keylogger.

The origin of LYCEUM

Despite the information gathered, the researchers don’t seem to be able to pinpoint the exact origin of LYCEUM. They have, however, seen some similar tactics to those used by this cybercriminal group. Rafe Pilling from SecureWorks explains: “It was intriguing to discover a new group with a similar style to established Iranian threat groups but otherwise no distinguishing technical characteristics that allow it to be linked to any previously documented activity.”

How to defend against this threat

Attackers making their way into any company or organization is a major concern. But when these organizations control something as important as a country’s energy, protecting against these threats is absolutely vital.

The use of a technique like password spraying highlights the importance of strong passwords. Obvious combinations like qwerty or 1234 must never be used. It is also important never to recycle passwords for multiple accounts—if a password is used for several services, a data breach could reveal credentials that can then be used in a credential stuffing attack.

The use of malicious attachments in this campaign serves as a reminder of the importance of being cautious with the files we receive via email. In the case of LYCEUM, this is particularly relevant, since the use of spear phishing means that the emails seem to come from a colleague. Employees need to question whether the colleague supposedly sending the email would really include an attachment of this type.

Another vital element to protect against these threats are advanced cybersecurity solutions. Panda Adaptive Defense constantly monitors all running processes on IT systems. It stops any suspicious process before it can run. This means that, even if a malicious file is included in an email, it won’t put your company at risk.