Research Saturday 1.22.22
Ep 216 | 1.22.22

A collaboration stumbles upon threat actor Lyceum.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Robert Boyce: We were doing research on a totally different threat actor group, actually, and stumbled upon some indicators that were very unique and interesting to us.

Dave Bittner: That's Robert Boyce. He's the Global Lead for Cyber Incident Response and Transformation Services at Accenture. The research we're discussing today is titled, "Who are the latest targets of cyber group Lyceum?"

Robert Boyce: As we started to dig into it, we started to stumble upon Lyceum as a threat actor going after different industries that we had not known them to be going after before. And so as we were just digging into this more, you know, we started to see a pattern develop.

Dave Bittner: Well, let's walk through it together. I mean, as as you as this came on your radar and you started to unpack it. How did the story unfold?

Robert Boyce: Yeah. So, as we were going through this – and we did this research in collaboration with Prevailion's Adversarial Counterintelligence Team. So it was a great collaboration, and we were able to use the Accenture Threat Intelligence Team's knowledge of C2 infrastructure together with telemetry that Prevailion, their research team had. And you know, we were able to start seeing a number of interesting patterns develop, built on some of the work that ClearSky and Kaspersky was doing in the same space on the same threat actor.

Dave Bittner: Hmm. Well, let's walk through some of those together. I mean, what did you see that formed a pattern here?

Robert Boyce: You know, as it's pretty well-known now, through some of the research that was published by ClearSky and Kaspersky, this threat actor was using two known malware programs, Shark and Milan. You know, we started to see that, within those, there was some patterns that we were able to do further research on that wasn't really researched previously. So as an example, Shark had some very interesting components of their algorithm that had very specific syntax, and we were able to start developing some regular expressions, and again looking through Prevailion's telemetry and starting to see actually a slightly different victimology emerge that was not really traditional for Lyceum previously.

Dave Bittner: Well, let's just back up for a second here. I mean, who – what is your sense in terms of who they're targeting? What part of the world and what sort of verticals are they going after?

Robert Boyce: Lyceum has been pretty well-known since they've been active, we think since around 2017. And at that point they were going after targets that were significant to sectors of strategic intelligence importance for Iran – Lyceum being an Iranian threat group – and what they had focused on initially was really oil and gas companies and telecommunication companies in the Middle East. And then through our research, we started to see that evolve. And so, between July and October of this year, we've started to see them target internet service providers and telecommunication operators in Israel, Monaco, Tunisia, and Saudi Arabia. And we've actually also seen some evidence of them targeting at least one Ministry of Foreign Affairs of an African nation.

Dave Bittner: Yeah, that's fascinating. So, I suppose, I mean, perhaps they had some success with this endeavor with their initial targets and then over time have expanded it to other areas.

Robert Boyce: Yes. And Lyceum, as far as we can tell, is very focused on espionage. Again, on the, you know, the targets of strategic national importance. And so we do believe that they're now just continuing the momentum they had in those areas and now continuing to go in those different countries that we had mentioned, and different industries.

Dave Bittner: Well, you mentioned both Shark and Milan, which are the tools that they are using here. Can we dig into each of those individually? Can you describe to us what exactly are they and what are their capabilities?

Robert Boyce: Yeah. I mean, they're pretty well-known backdoor malware families. The fascinating thing – to me, at least – is both of these have two different C2 communication channels, one through DNS and one through HTTP.

Dave Bittner: Why is that? Is this for redundancy? To have more than one way to reach out?

Robert Boyce: Yeah, so I think there's multiple reasons. One reason, DNS is really not on the radar of most SoC analysts. And so being able to – even though it's a little bit harder to operate – meaning it's a little less reliable, it's a lot slower – you know, it stays under the radar. And so if you think about threat actor groups that are associated with espionage, this is a great way to stay under the radar and try to fulfill their mission. HTTP can absolutely be used as a backup channel if one gets compromised, but the HTTP channel is really more so for moving large amounts of data faster. And I believe that's why they're using both of those channels.

Dave Bittner: So, in terms of of initial exposure here, how would one find themselves a victim here? How are they initially getting in? Do you have any sense as far as that goes?

Robert Boyce: ClearSky and Kaspersky talked about this a lot in their research. But it's very traditional, to be honest. They focused on spearphishing and taking advantage of unpatched systems with an internet point of presence. Nothing really, you know, too unique on the initial compromise.

Dave Bittner: Now, how about persistence? How are they able to stay on the systems they get into?

Robert Boyce: It doesn't appear, to me, at least, that they're doing a lot of lateral movement in the systems, because they are trying to stay quiet as they're looking around, so the persistence is really based on the, again, the malware families.

Dave Bittner: So, what are the recommendations there in terms of detection and mitigation?

Robert Boyce: Yeah, this is where I think it becomes really interesting, because, you know, again, the SoC analysts aren't traditionally looking for the DNS traffic, and I think there's an opportunity for us to do a little bit better in that as a community overall. So there's a couple of – you know, in addition to the indicators that we have published as part of our joint research with Prevailion – there's a number of other things that we believe organizations can do, especially as it comes to being better at detecting malicious activity through malware.

Robert Boyce: I didn't mention this, but each of these malware families was using a domain generating algorithm, which really means that they're able to change domains very quickly and stay under the radar, because, as you can imagine, if they were using just one domain, it's very easy to start seeing a pattern develop and stop that communication, cutting off their C2 channel. But as they're changing it consistently, that helps them stay under the radar quite extensively.

Robert Boyce: One of the things that SoC analysts should be looking for more is anomalies based on that. So domains different domains that are resolving to the same IP address in a very short period of time. Right. It's very behavior-based, but something that, you know, modern SIEMs and other analytics tools are able to identify.

Dave Bittner: What other things come to your attention here in terms of what to look out for?

Robert Boyce: Yeah, I think, you know, honestly, just to stop the initial penetration – which, again, we're talking about basic security hygiene and IT hygiene – patching systems and making sure we're educating users. When we're looking for activity similar to this, it does come down to being able to detect malicious or anomalous DNS requests in DNS traffic so that you can see if people are leveraging DNS tunneling or DNS to issue commands within an environment, similar to this threat actor.

Robert Boyce: And when we're looking for HTTP exfiltration, it's not really too different than we think about for any type of data exfiltration leveraging HTTP, right? Large amounts of data that are leaving the system over a shorter period of time. The thing really is, is a lot of organizations aren't doing this type of anomalous detections. They're looking for more traditional threat vectors or malicious activity. So that's why threat groups leveraging these techniques, or why these techniques are being leveraged by a more threat groups are just becoming more prevalent in the attack chain.

Dave Bittner: The fact that you all partnered with Prevailion in here strikes me as interesting in itself. Can you give us some insights as to, you know, what these sort of partnerships provide for for both partners here? I mean it strikes me that there's benefits for both sides.

Robert Boyce: Yeah, absolutely. And I think this is quite honestly just something that industry in general needs to do more of. I think we're really good at talking about information sharing, and I'm not really sure we're so good at actually doing it. So we've been trying to partner with a number of different, you know, a number of our different partners within the intelligence community because they have access to data that we don't have, and we have insights that they don't have. So, as you said, there is absolutely an opportunity for both of us to get something out of this. In this circumstance, Prevailion was able to leverage their telemetry that they're collecting, and we were able to leverage our analysts who have been doing research in the, you know, the backend communications and internet infrastructure the threat actors are using, and marry those two things together to gain a lot of additional insights. Because of the partnership, we were able to identify additional victim sets as part of this, and we were able to additionally identify a number of additional domains as part of this as well.

Robert Boyce: I think when the initial research was done, there were six domains I believe that were identified, and through this partnership and our research, I think we identified up to twenty that were being used by this threat actor. And so that's something that neither of us could have done on our own. So I think it's, you know, it's not only better for the two of us to be able to partner, but it's also better for the community when we do this type of activity, this type of partnership.

Dave Bittner: Yeah, absolutely. So, where do we stand today in terms of Lyceum themselves? Is there a sense that they are still operating out there doing their thing?

Robert Boyce: Absolutely. And, you know, we started to see them change a little bit – not their tactics, but I would say, adjusting their malware, especially within Milan. You know, again, part of our research identified that as we were going through the different – following the different threads of our research, we started to identify what we believed at first was a new backdoor used by Lyceum, and now, through that research, we believe that they've just modified some of the syntax in the Milan backdoor to be able to go undetected from the IoCs that are being now published. So, you know, going undetected by intrusion detection and intrusion prevention systems, because they've adjusted the tactic a little bit so they could avoid detection. But we don't see them necessarily changing their overall tactic because they're quite they're quite successful right now. So we see them continuing to use the two main malware groups, but probably – the malware families – but probably still modifying them enough so current IoCs will not be able to detect them.

Dave Bittner: Is it fair to say that they exhibit a certain amount of discipline here, which I suppose you would expect from an organization focused on espionage?

Robert Boyce: Yeah. Absolutely. We haven't seen any evidence of them doing any destructive activities or bringing unwanted attention to themselves. They seem to be as quiet as possible, maintain persistence as long as possible, and gather information for as long as possible.

Dave Bittner: Our thanks to Robert Boyce from Accenture for joining us. The research is titled, "Who are the latest targets of cyber group Lyceum?" We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.