‘Chrysene’ Group Targets ICS Networks in Middle East, UK

A threat actor with ties to hacker groups believed to be operating out of Iran has been targeting the industrial networks of organizations in the Middle East and the United Kingdom.

Tracked by industrial cybersecurity firm Dragos as “Chrysene,” the actor has been linked to OilRig and Greenbug, groups that have mainly focused on the Arabian Gulf region and which are believed to have been involved in the Shamoon and Shamoon 2 attacks.

According to Dragos, Chrysene evolved from previous OilRig and Greenbug espionage activity – their tools, techniques and procedures overlap, but Chrysene has displayed significant advancements in technical capabilities compared to these other groups.

Chrysene specializes in initial penetration: it compromises machines within the targeted organization and then hands that access to other groups for further exploitation.

The group has been active since 2017 and has targeted petrochemical, oil, gas and energy organizations in Iraq, Pakistan, Israel and the UK.

Dragos told SecurityWeek that there are indications of possible Chrysene activity targeting North American entities, but the company has not found definitive proof.

After taking a break in late 2017, Chrysene resumed its activities and began setting up new malware infrastructure. The group has targeted ICS networks, but its recent operations have also involved watering hole attacks leveraging websites unrelated to industrial control systems.

“For now, the group appears to focus on penetrating networks and conducting ICS-specific reconnaissance,” Dragos said. “Dragos has not seen evidence of this group having any ICS-specific capabilities that could damage critical infrastructure. Rather, CHRYSENE appears focused on initial network access and information gathering required for future activity directly targeting ICS resources.”

Last week, the security firm published a brief report on Allanite, a group linked to campaigns believed to have been conducted by Russia. In both cases, only high-level information has been made public; technical details are provided by Dragos to paying customers.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
