Names | Hexane (Dragos), Cobalt Lyceum (SecureWorks), ATK 120 (Thales) | |
Country | [Unknown] | |
Motivation | Information theft and espionage | |
First seen | 2017 | |
Description | (Dragos) Dragos identified a new activity group targeting industrial control systems (ICS)-related entities: Hexane. Dragos observed this group targeting oil and gas companies in the Middle East, including Kuwait as a primary operating region. Additionally, and unlike other activity groups Dragos tracks, Hexane also targeted telecommunication providers in the greater Middle East, Central Asia, and Africa, potentially as a stepping stone to network-focused man-in-the-middle and related attacks. The threat actor shows similarities with other groups such as APT 33, Elfin, Magnallium and OilRig, APT 34, Helix Kitten, Chrysene, both active since at least 2017 and involved in attacks on oil and gas companies. Anyway, experts pointed out that the Hexane group has different TTPs and has its own arsenal. | |
Observed | Sectors: Energy, Oil and gas, Telecommunications. Countries: Kuwait and Middle East, Central Asia and Africa. | |
Tools used | DanBot, DanDrop, Decrypt-RDCMan.ps1, Get-LAPSP.ps1, kl.ps1. | |
Information | <https://dragos.com/resource/hexane/> <https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign> |
Last change to this card: 07 January 2021
Thailand Computer Emergency Response Team (ThaiCERT)