Presentation information

Lyceum reborn: counterintelligence in the Middle East

Aseel Kayal (Kaspersky), Mark Lechtik (Kaspersky) & Paul Rascagneres (Kaspersky)
live only
16:30 UTC on Day 1
WEDNESDAY 30 SEPTEMBER
The Lyceum group (also known as Hexane) is a little-known threat actor that was revealed in a handful of cases targeting high-profile targets in the Middle East and Africa. With activity dating back to as early as April 2018, the group has earned its notoriety by attacking telecommunications companies as well as critical systems in Middle Eastern oil and gas organizations. All the while it has kept a low profile, drawing little attention from security researchers.

During the past year we were able to reveal a new cluster of the group’s activities in the Middle East. We learned that the group upped its game and tapped into the core of a select few major organizations that lie at the heart of a single country in the Middle East. The highly targeted nature of this campaign and the assets the actors sought to obtain suggest that we witnessed a premeditated and well-orchestrated counter-intelligence operation.

In this talk we will reveal some of the fine-grained details about the espionage story that underlies our investigation. Through analysis notes and the investigation timeline, we will focus on the novel malware variants in the group’s arsenal that we discovered, its sophisticated methods of data exfiltration and lateral movement in the network. Additionally, we will describe some of our unique and formerly unknown findings, ranging from artifacts that aid in attributing this group to another high-profile and infamous APT, to commands typed in terminals of compromised machines by the group’s own operators.
Aseel Kayal (Kaspersky)
Aseel is a malware analyst at Kaspersky's GReAT (Global Research and Analysis Team). Her research mainly focuses on threat groups and attacks active in the Middle East region. Aseel received her Bachelor's degree in computer science and English literature, and speaks Arabic, Hebrew and English. Some of her work has been presented at security conferences such as Virus Bulletin, CCC, Botconf and TheSASCon.
Mark Lechtik (Kaspersky)
Mark Lechtik is a senior security researcher at Kaspersky's GReAT (Global Research & Analysis Team), based in Israel. After previously working as a researcher and manager in Check Point's malware research team, he now focuses mainly on analysing malware of all shapes and forms, digging up its underlying stories and profiling the actors behind it. Today he is tasked with breaking down implants and campaigns in the realm of APT and putting it all into intelligence reports for Kaspersky's customers. Mark has previously presented some of his work at security conferences including REcon, CCC, CARO Workshop, AVAR and TheSASCon.
Paul Rascagneres (Kaspersky)
Paul Rascagneres is a security researcher within Kaspersky GReAT (Global Research & Analysis Team). As a researcher, he performs investigations to identify new threats and presents his findings as publications and at international security conferences throughout the world. He has been involved in security research for ten years, mainly focusing on malware analysis, malware hunting and, more specifically, on advanced persistent threat (APT) campaigns and rootkit capabilities. He previously worked for several incident response teams within the private and public sectors.
16:30 - 17:00 UTC Thu 7 Oct 2021