Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Report: Iranian APT Hexane Targets Israeli Companies

Over the past several months, an Iran-linked threat actor tracked as Hexane has attempted to breach numerous Israeli organizations using supply chain tools, according to a new report from security vendor ClearSky.

Over the past several months, an Iran-linked threat actor tracked as Hexane has attempted to breach numerous Israeli organizations using supply chain tools, according to a new report from security vendor ClearSky.

Active since at least 2018 and also tracked as Lyceum and SiameseKitten, Hexane was previously seen targeting companies in the oil and gas and telecommunications sectors in the Middle East and Africa.

Recent activity attributed to the Hexane actor, however, shows a change in both targeting and tactics. The group, ClearSky says, has established large infrastructure that allows it to impersonate known companies, which it has been doing in recent attacks. The group also upgraded its toolset.

Following a May 2021 attack on an IT company in Israel, Hexane launched a second wave of assaults in July 2021, this time targeting additional organizations in the country.

In this campaign, a typical attack starts with the attackers identifying both the potential victim and a human resources department employee to impersonate. Next, the adversary establishes a phishing website to impersonate the targeted organization, creates tailored lure files, and sets up a fake LinkedIn profile to impersonate the HR department employee.

Next, the attackers contact the potential victim to make them a job offer and lure the victim to a phishing website, but deploy malware only after additional lure files have been downloaded. The Milan malware is deployed to establish a connection with the infected machine, after which the DanBot RAT is downloaded.

[ Related: Mysterious ‘MeteorExpress’ Wiper Linked to Iranian Train Cyberattack ]

The infected machine is then used to harvest information and conduct espionage, as well as to move laterally within the network.

Advertisement. Scroll to continue reading.

As ClearSky points out, the campaign is similar to the “dream job” attacks attributed to the North Korean Lazarus group last year, but also to an OilRig (APT34) campaign in the first quarter of 2021.

On the phishing website, Hexane would detail jobs in France, Israel, and the UK. Two lure files are presented to the victim, both designed to deploy a backdoor onto their computer. This operation then continues with the deployment of a RAT onto the same machine.

“This dual infection is another development of the group’s attack methods. We believe that these attacks and their focus on IT and communication companies are intended to facilitate supply chain attacks on their clients. According to our assessment, the group’s main goal is to conduct espionage and utilize the infected network to gain access to their clients’ networks,” ClearSky added.

Related: Iran-Linked Hackers Expand Arsenal With New Android Backdoor

Related: Leaked Files From Offensive Cyber Unit Show Iran’s Interest in Targeting ICS

Related: New Iranian Group ‘Agrius’ Launches Destructive Cyberattacks on Israeli Targets

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.