IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Iranian hackers targeting telcos and ISPs using upgraded malware

New report shines a light on Lyceum cyberespionage group

Red skull and crossbones atop binary code

Iranian-backed hackers have been hacking into ISPs and telecoms companies since July this year, according to a new Accenture report.

The group is known as Lyceum, but also goes by Hexane or Spirlin, has operated since 2017 and been linked to malicious campaigns targeting Middle Eastern oil and gas companies. 

Between July and October this year, Lyceum carried out attacks on Internet providers and telecommunications organizations in Israel, Morocco, Tunisia, and Saudi Arabia, according to researchers from Accenture’s Cyber Threat Intelligence (ACTI) group and Prevailion’s Adversarial Counterintelligence Team (PACT). In addition, the APT is responsible for a malicious campaign against an unnamed African country’s foreign affairs department.

“Telecommunications companies and ISPs are high-level targets for cyber espionage threat actors because once compromised, they provide access to various organizations and subscribers in addition to internal systems that can be used to leverage malicious behavior even further,” said security researchers.

Lyceum appears to be using two families of malware, Shark and Milan, According to the most recent operation analyzed in a joint report by researchers at Accenture and Prevailion. 

Shark backdoor is a 32-bit executable file written in C# and .NET, and it executes commands and exports data from infected systems. Milan is a 32-bit remote access trojan (RAT) that can retrieve data from the compromised system and send it to servers derived from domain-building algorithms (DGAs).

Related Resource

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

2021 state of email security report: Ransomware on the rise - whitepaper from MimecastFree download

Both backdoors communicate via DNS and HTTPS with the command and control (C2) servers. Shark also uses a DNS tunnel.

Researchers said they also identified beaconing from a reconfigured or a new Lyceum backdoor in late October 2021.

“The observed beacons were seen egressing from a telecommunications company in Tunisia as well as an MFA in Africa,” they said.

Researchers added that the URL syntax of the newly reconfigured backdoor is like those generated in the newer version of Milan. However, because the URL syntax is configurable, the Lyceum operators likely reconfigured the Milan URL syntax to circumvent intrusion detection systems (IDS) and intrusion prevention systems (IPS) encoded to detect the previous Milan beacon syntax.

Researchers said Lyceum is updating its backdoors in light of recent public research into its activities to stay ahead of defensive systems.

“The group has continued its targeting of companies of national strategic importance. Lyceum will likely continue to use the Shark and Milan backdoors, albeit with some modifications, as the group has likely been able to maintain footholds in victims’ networks despite public disclosure of IOCs associated with its operations,” they added.

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download

Recommended

2022 IBM's Security X-Force cloud threat landscape report
Whitepaper

2022 IBM's Security X-Force cloud threat landscape report

22 Nov 2022
2022 Magic quadrant for Security Information and Event Management (SIEM)
Whitepaper

2022 Magic quadrant for Security Information and Event Management (SIEM)

22 Nov 2022
Seven realities facing SMBs as they enter a future of increased cyber threats
Whitepaper

Seven realities facing SMBs as they enter a future of increased cyber threats

21 Nov 2022
Revealed: The top 200 most common passwords of 2022
cyber security

Revealed: The top 200 most common passwords of 2022

17 Nov 2022

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation
cyber crime

Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation

25 Nov 2022