← threatfilter.dev / all groups / HEXANE

HEXANE

Also known as: Lyceum · Siamesekitten · Spirlin

Overview

HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.

Targets

Defense · Education · Energy · Government · High-Tech · Military · Telecommunications

Regions

Israel · Middle East

Capabilities

Custom malware/implant development — ATT&CK: 5 attributed custom malware families

TTPs — 36 techniques across 11 tactics

Reconnaissance

T1589 Gather Victim Identity Information
T1589.002 Email Addresses
T1591.004 Identify Roles

Resource Development

T1583.001 Domains
T1583.002 DNS Server
T1585.001 Social Media Accounts
T1585.002 Email Accounts
T1586.002 Email Accounts
T1588.002 Tool
T1608.001 Upload Malware

Execution

T1053.005 Scheduled Task
T1059.001 PowerShell
T1059.005 Visual Basic
T1204.002 Malicious File

Collection

T1056.001 Keylogging

Command and Control

T1102.002 Bidirectional Communication
T1105 Ingress Tool Transfer

Exfiltration

T1567.002 Exfiltration to Cloud Storage

Tools & malware (12)

Milan · Ping · netstat · BITSAdmin · Shark · DnsSystem · DanBot · Empire · ipconfig · Mimikatz · Kevin · PoshC2

Reporting (3)

Who are latest targets of cyber group Lyceum? — Accenture
LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST — Kayal, A. et al
New Iranian Espionage Campaign By “Siamesekitten” - Lyceum — ClearSky Cyber Security