Security Experts:

Connect with us

Hi, what are you looking for?



‘Chrysene’ Group Targets ICS Networks in Middle East, UK

A threat actor with ties to hacker groups believed to be operating out of Iran has been targeting the industrial networks of organizations in the Middle East and the United Kingdom.

A threat actor with ties to hacker groups believed to be operating out of Iran has been targeting the industrial networks of organizations in the Middle East and the United Kingdom.

Tracked by industrial cybersecurity firm Dragos as “Chrysene,” the actor has been linked to OilRig and Greenbug, groups that have mainly focused on the Arabian Gulf region and which are believed to have been involved in the Shamoon and Shamoon 2 attacks.Chrysene hackers target ICS networks in the UK and Middle East

According to Dragos, Chrysene evolved from previous OilRig and Greenbug espionage activity – their tools, techniques and procedures overlap, but Chrysene has displayed significant advancements in technical capabilities compared to these other groups.

Chrysene specializes in initial penetration – it hacks into machines housed by the targeted organization and provides access to other groups for further exploitation.

The hackers have been active since last year and they have targeted petrochemical, oil, gas, and energy organizations in Iraq, Pakistan, Israel and the UK.

Dragos told SecurityWeek that there are indications of possible Chrysene activity targeting North American entities, but the company has not found definitive proof.

After taking a break in late 2017, Chrysene resumed its activities and started setting up new malware infrastructure. The group has targeted ICS networks, but its recent operations also involved watering hole attacks leveraging websites not related to industrial control systems (ICS).

Learn More at SecurityWeek’s 2018 ICS Cyber Security Conference

“For now, the group appears to focus on penetrating networks and conducting ICS-specific reconnaissance,” Dragos said. “Dragos has not seen evidence of this group having any ICS-specific capabilities that could damage critical infrastructure. Rather, CHRYSENE appears focused on initial network access and information gathering required for future activity directly targeting ICS resources.”

Last week, the security firm published a brief report on Allanite, a group linked to campaigns believed to have been conducted by Russia. In both cases, only high level information has been made public, but technical details are provided by Dragos to paying customers.

Related: Critical Infrastructure Threat Is Much Worse Than We Thought

Related: Cisco Switches in Iran, Russia Hacked in Apparent Pro-US Attack

Related: Five Threat Groups Target Industrial Systems

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.