The ATK120 threat group (aka Lyceum, Hexane) targets organizations in sectors of strategic national importance, including oil and gas and possibly telecommunications. Lyceum may have been active as early as April 2018. Domain registrations suggest that a campaign in mid-2018 focused on South African targets. In May 2019, the threat group launched a campaign against oil and gas organizations in the Middle East. This campaign followed a sharp uptick in February 2019 in the development and testing of its toolkit against a public multi-vendor malware scanning service. Its core targeting is very similar to that of the APT group Xenotime (ATK91), and some similarities can be found with Magnallium and Chrysene, but no definitive links can be established.