The Lyceum group (also known as Hexane) is a little-known threat actor that was revealed in a handful of cases targeting high-profile targets in the Middle East and Africa. With activity dating back to as early as April 2018, the group has earned its notoriety by attacking telecommunications companies as well as critical systems in Middle Eastern oil and gas organizations. All the while it has kept a low profile, drawing little attention from security researchers.

During the past year we were able to reveal a new cluster of the group’s activities in the Middle East. We learned that the group upped its game and tapped into the core of a select few major organizations that lie at the heart of a single country in the Middle East. The highly targeted nature of this campaign and the assets the actors sought to obtain suggest that we witnessed a premeditated and well-orchestrated counter-intelligence operation.

In this talk we will reveal some of the fine-grained details about the espionage story that underlies our investigation. Through analysis notes and the investigation timeline, we will focus on the novel malware variants in the group’s arsenal that we discovered, its sophisticated methods of data exfiltration and lateral movement in the network. Additionally, we will describe some of our unique and formerly unknown findings, ranging from artifacts that aid in attributing this group to another high-profile and infamous APT, to commands typed in terminals of compromised machines by the group’s own operators.

Got a question about this presentation? During the live broadcast post your question in the #q-and-a channel on Discord or, to get in touch with the speakers later, contact them on Twitter at @CurlyCyber, @_marklech_ and @r00tbsd.