The Nigerian Communications Commission (NCC) has once again alerted the public to another hacker group conducting cyberespionage in the African telecoms sector, in keeping with its commitment to keep stakeholders in the country’s telecoms industry informed, educated, and protected.
According to the NCC, an Iranian hacking group known as Lyceum (also known as Hexane, Siamesekitten, or Spirlin) has been reported to be targeting telecommunication companies, Internet Service Providers (ISPs), and Ministries of Foreign Affairs in Africa with upgraded malware in a recent, politically motivated cyber-espionage campaign.
The advanced persistent threat (APT) group has previously been linked to attacks on Middle Eastern oil and gas firms. Its focus now appears to have shifted to the technology industry. In addition, the APT is behind a campaign against the Ministry of Foreign Affairs of an undisclosed African government.
Lyceum’s initial access routes, based on the attackers’ mode of operation, include credential stuffing and brute-force attacks. Once a victim’s machine has been compromised, the attackers monitor specific targets. At this stage Lyceum attempts to deploy two types of malware: Shark and Milan (known together as James).
Both are backdoors. Shark, a 32-bit executable written in C# and .NET, generates a configuration file for DNS tunneling or Hypertext Transfer Protocol (HTTP) command-and-control (C2) connections, while Milan is a 32-bit Remote Access Trojan (RAT) that retrieves data.
Both can communicate with the group’s C2 servers. The APT operates a C2 network of over 20 domains linked to its backdoors, including six that were previously not attributed to the threat actors.
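Because Shark can be configured to carry its C2 traffic over DNS tunneling, DNS query logs are one of the few places a defender can see this backdoor at the network layer. The following is an added example written for this article, not code from the NCC, ngCERT, or any vendor report. It scores per-domain query patterns that DNS tunnels tend to produce (many unique subdomains, long high-entropy leftmost labels, and heavy use of TXT records) over a constructed, labelled sample log; the domain names, client addresses, thresholds, and log format are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: "epoch_ts client qname qtype".
# The c2-placeholder.test name is a made-up stand-in, not a real Lyceum domain.
SAMPLE_DNS_LOG = """\
1699000001 10.0.0.5 www.example-news.test A
1699000002 10.0.0.5 cdn.example-news.test A
1699000003 10.0.0.7 6b2e9f0d3a1c4e8f7b9a2d1c0e5f4a3b.c2-placeholder.test TXT
1699000004 10.0.0.7 9a1c3e5f7b2d4f6a8c0e1b3d5f7a9c2e.c2-placeholder.test TXT
1699000005 10.0.0.7 0e4f6a8c2b1d3e5f7a9c1b3d5e7f9a2c.c2-placeholder.test TXT
1699000006 10.0.0.7 3d5f7a9c1e2b4d6f8a0c2e4b6d8f1a3c.c2-placeholder.test TXT
1699000007 10.0.0.7 7b9d1f3a5c2e4b6d8f0a2c4e6b8d1f3a.c2-placeholder.test TXT
1699000008 10.0.0.5 mail.example-news.test MX
1699000009 10.0.0.9 login.example-news.test A
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded/encrypted payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive 'last two labels' grouping; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text):
    """Yield (ts, client, qname, qtype) tuples from the assumed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype = line.split()
            yield int(ts), client, qname.lower(), qtype.upper()


def detect_dns_tunneling(text, min_unique=4, min_label_len=20, min_entropy=3.0):
    """Flag registered domains whose query pattern looks like a DNS tunnel.

    Thresholds are assumptions chosen for this sample; tune them against
    a baseline of your own resolver logs before alerting on them.
    """
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "label_len": 0,
                                 "entropy": 0.0, "txt": 0, "clients": set()})
    for _ts, client, qname, qtype in parse_dns_log(text):
        s = stats[registered_domain(qname)]
        leftmost = qname.split(".")[0]          # the label a tunnel encodes data into
        s["queries"] += 1
        s["subdomains"].add(qname)              # tunnels never repeat a payload label
        s["label_len"] += len(leftmost)
        s["entropy"] += shannon_entropy(leftmost)
        s["txt"] += qtype == "TXT"              # TXT answers carry the downstream channel
        s["clients"].add(client)

    flagged = []
    for dom, s in stats.items():
        n = s["queries"]
        mean_len = s["label_len"] / n
        mean_ent = s["entropy"] / n
        if (len(s["subdomains"]) >= min_unique
                and mean_len >= min_label_len and mean_ent >= min_entropy):
            flagged.append({
                "domain": dom,
                "queries": n,
                "unique_subdomains": len(s["subdomains"]),
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "txt_fraction": round(s["txt"] / n, 2),
                "clients": sorted(s["clients"]),
            })
    return sorted(flagged, key=lambda f: -f["queries"])


if __name__ == "__main__":
    for finding in detect_dns_tunneling(SAMPLE_DNS_LOG):
        print(finding)
```

On the sample, only the made-up `c2-placeholder.test` domain is flagged: five unique 32-character labels with entropy near 3.9 bits per character, all TXT queries, from a single client. Legitimate CDNs and some security products also generate long, high-entropy subdomains, so in practice the score is a triage signal to be combined with the client's other activity rather than a block-on-match rule.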
According to reports, individual accounts at firms of interest are typically targeted first; once breached, these accounts are used as a springboard for spear-phishing attacks against high-profile officials in the organization.
According to the report, these attackers not only seek out data on subscribers and related third-party organizations, but once infiltrated, threat actors or their sponsors can also utilize these industries to monitor individuals of interest.
To protect against such threats, the NCC wishes to reiterate ngCERT’s findings that telecom businesses and ISPs alike must implement multiple layers of security alongside continuous network monitoring.
Consumers of telecom services and the general public are advised to:
- Use firewalls consistently (software, hardware, and cloud firewalls).
- Enable a Web Application Firewall to aid in the detection and prevention of web application-based attacks by inspecting HTTP traffic.
- Use up-to-date antivirus software to identify and prevent a wide range of malware, trojans, and viruses that APT hackers may use to infect your computer.
- Make use of Intrusion Prevention Systems to keep an eye on your network.
- Create a secure sandboxing environment that allows you to open and run untrusted programs or code without jeopardizing your operating system’s security.
- Make sure to use a virtual private network (VPN) to prevent APT hackers from gaining initial access to your company’s network.
- Enable anti-spam and anti-malware protection in your email apps, and train your personnel on how to spot potentially hazardous communications.
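The continuous network monitoring that ngCERT calls for is most effective against the specific initial-access techniques attributed to Lyceum above, credential stuffing and brute force, when it watches authentication logs rather than only perimeter traffic. The following is an added example written for this article, not code from the NCC, ngCERT, or any vendor. It runs two sliding-window checks over a constructed, labelled sample login log: one source address trying many different usernames with almost all attempts failing (credential stuffing), and many failures against a single account regardless of source (brute force). The log format, addresses, usernames, window length, and thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample authentication log: "epoch_ts src_ip username result".
# Addresses are from documentation ranges; usernames are made up.
SAMPLE_AUTH_LOG = """\
1699000100 203.0.113.10 alice FAIL
1699000102 203.0.113.10 bob FAIL
1699000104 203.0.113.10 carol FAIL
1699000106 203.0.113.10 dave FAIL
1699000108 203.0.113.10 erin FAIL
1699000110 203.0.113.10 frank OK
1699000120 198.51.100.7 admin FAIL
1699000125 198.51.100.7 admin FAIL
1699000130 198.51.100.7 admin FAIL
1699000135 198.51.100.8 admin FAIL
1699000140 198.51.100.8 admin FAIL
1699000200 192.0.2.44 alice OK
1699000900 192.0.2.44 alice FAIL
"""


def parse_auth_log(text):
    """Return (ts, ip, user, success) tuples from the assumed log format."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((int(ts), ip, user, result == "OK"))
    return events


def detect_login_abuse(text, window=300, stuffing_users=5,
                       stuffing_fail_ratio=0.8, brute_failures=5):
    """Emit one alert per (type, key) the first time a threshold is crossed.

    window: seconds of history kept per source IP and per account.
    stuffing_users: distinct usernames one IP must try within the window.
    stuffing_fail_ratio: share of that IP's attempts that must have failed.
    brute_failures: failed attempts on one account within the window.
    Thresholds are assumptions for the sample and should be baselined.
    """
    events = sorted(parse_auth_log(text))
    per_ip = defaultdict(deque)    # ip   -> deque of (ts, user, success)
    per_user = defaultdict(deque)  # user -> deque of failure timestamps
    alerts, seen = [], set()

    for ts, ip, user, ok in events:
        # Credential stuffing: one source, many accounts, mostly failures.
        q = per_ip[ip]
        q.append((ts, user, ok))
        while q and q[0][0] < ts - window:
            q.popleft()
        users = {u for _, u, _ in q}
        fails = sum(1 for _, _, k in q if not k)
        if len(users) >= stuffing_users and fails / len(q) >= stuffing_fail_ratio:
            key = ("credential_stuffing", ip)
            if key not in seen:
                seen.add(key)
                alerts.append({"type": key[0], "key": ip, "at": ts,
                               "distinct_users": len(users), "failures": fails})

        # Brute force: one account hammered, from any number of sources.
        if not ok:
            f = per_user[user]
            f.append(ts)
            while f and f[0] < ts - window:
                f.popleft()
            if len(f) >= brute_failures:
                key = ("brute_force", user)
                if key not in seen:
                    seen.add(key)
                    alerts.append({"type": key[0], "key": user, "at": ts,
                                   "failures": len(f)})
    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample this raises exactly two alerts: a credential-stuffing alert for 203.0.113.10 at the fifth distinct username, and a brute-force alert for the `admin` account once its failures from two different sources reach five inside the window. Alice's two failures are 800 seconds apart and never accumulate, which is why the window matters: without it, ordinary users would trip the account counter over a long enough log.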