A threat actor with ties to hacker groups believed to be operating out of Iran has been targeting the industrial networks of organizations in the Middle East and the United Kingdom.
Tracked by industrial cybersecurity firm Dragos as “Chrysene,” the actor has been linked to OilRig and Greenbug, groups that have mainly focused on the Arabian Gulf region and which are believed to have been involved in the Shamoon and Shamoon 2 attacks.
According to Dragos, Chrysene evolved from previous OilRig and Greenbug espionage activity – their tools, techniques and procedures overlap, but Chrysene has displayed significant advancements in technical capabilities compared to these other groups.
Chrysene specializes in initial penetration – it hacks into machines housed by the targeted organization and provides access to other groups for further exploitation.
The hackers have been active since last year and they have targeted petrochemical, oil, gas, and energy organizations in Iraq, Pakistan, Israel and the UK.
Dragos told SecurityWeek that there are indications of possible Chrysene activity targeting North American entities, but the company has not found definitive proof.
After taking a break in late 2017, Chrysene resumed its activities and started setting up new malware infrastructure. The group has targeted industrial control system (ICS) networks, but its recent operations also involved watering hole attacks leveraging websites unrelated to ICS.
“For now, the group appears to focus on penetrating networks and conducting ICS-specific reconnaissance,” Dragos said. “Dragos has not seen evidence of this group having any ICS-specific capabilities that could damage critical infrastructure. Rather, CHRYSENE appears focused on initial network access and information gathering required for future activity directly targeting ICS resources.”
Last week, the security firm published a brief report on Allanite, a group linked to campaigns believed to have been conducted by Russia. In both cases, only high-level information has been made public; technical details are provided by Dragos to paying customers.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.