Connect with us

Hi, what are you looking for?



‘Chrysene’ Group Targets ICS Networks in Middle East, UK

A threat actor with ties to hacker groups believed to be operating out of Iran has been targeting the industrial networks of organizations in the Middle East and the United Kingdom.

A threat actor with ties to hacker groups believed to be operating out of Iran has been targeting the industrial networks of organizations in the Middle East and the United Kingdom.

Tracked by industrial cybersecurity firm Dragos as “Chrysene,” the actor has been linked to OilRig and Greenbug, groups that have mainly focused on the Arabian Gulf region and which are believed to have been involved in the Shamoon and Shamoon 2 attacks.Chrysene hackers target ICS networks in the UK and Middle East

According to Dragos, Chrysene evolved from previous OilRig and Greenbug espionage activity – their tools, techniques and procedures overlap, but Chrysene has displayed significant advancements in technical capabilities compared to these other groups.

Chrysene specializes in initial penetration – it hacks into machines housed by the targeted organization and provides access to other groups for further exploitation.

The hackers have been active since last year and they have targeted petrochemical, oil, gas, and energy organizations in Iraq, Pakistan, Israel and the UK.

Dragos told SecurityWeek that there are indications of possible Chrysene activity targeting North American entities, but the company has not found definitive proof.

After taking a break in late 2017, Chrysene resumed its activities and started setting up new malware infrastructure. The group has targeted ICS networks, but its recent operations also involved watering hole attacks leveraging websites not related to industrial control systems (ICS).

Learn More at SecurityWeek’s 2018 ICS Cyber Security Conference

Advertisement. Scroll to continue reading.

“For now, the group appears to focus on penetrating networks and conducting ICS-specific reconnaissance,” Dragos said. “Dragos has not seen evidence of this group having any ICS-specific capabilities that could damage critical infrastructure. Rather, CHRYSENE appears focused on initial network access and information gathering required for future activity directly targeting ICS resources.”

Last week, the security firm published a brief report on Allanite, a group linked to campaigns believed to have been conducted by Russia. In both cases, only high level information has been made public, but technical details are provided by Dragos to paying customers.

Related: Critical Infrastructure Threat Is Much Worse Than We Thought

Related: Cisco Switches in Iran, Russia Hacked in Apparent Pro-US Attack

Related: Five Threat Groups Target Industrial Systems

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.