The Nigerian Communications Commission (NCC) has urged companies and individuals to update their safety measures as the telecommunication services industry is the primary focus of a group of hackers originating from Iran.
The group is tracked as Lyceum, and also as Hexane, Siamesekitten or Spirling. It is reportedly targeting telecom providers, internet service providers (ISPs) and ministries of foreign affairs in Africa with upgraded malware in recent politically motivated attacks oriented toward cyber espionage.
“The NCC, as the operator of the telecom sector’s cyber threat response centre (CSIRT), hereby reiterates its commitment to active surveillance and monitoring of cyber activities in the sector and will always keep stakeholders in Nigeria’s telecommunications sector updated on potential threats within the cyber space. This is to ensure that the networks that deliver essential services are safe and that telecom consumers are protected from being victims of cyber-attacks,” Ikechukwu Adinde, director public affairs, NCC, said.
In recent times, Ethiopia and Nigeria have seen increases in attacks of 20 percent and 23 percent, respectively, and South Africa an increase of 14 percent, while Kenya’s number of attacks decreased by 13 percent.
“Even though the scourge of malware has always been of concern, the past 12 months have highlighted how hackers are refocusing their efforts to compromise consumer and corporate systems and gain access to critical data and information,” noted Bethwel Opil, enterprise sales manager at Kaspersky.
According to Gbolabo Awelewa, CTO/country manager, Infoprive Limited, “Lyceum APT Group is known for cyber espionage. With the use of backdoors created from custom-built malware, the personal information of subscribers can be infiltrated from telecoms infrastructure. Personal information such as NIN, home address and contact details can be used to perform a spear-phishing attack on subscribers to further distribute the spread of the app’s group malware and also target high profile subscribers.”
He stated that people and security misconfigurations were the weakest links, as “the attack path utilised by Lyceum is known to be social engineering campaigns and the use of leaked credentials to carry out credential stuffing as well as brute-forcing.”
According to an advisory issued by the Nigerian Computer Emergency Response Team (ngCERT), the probability and damage level of the new malware are both rated very high.
Lyceum has been active since 2017, when it began campaigns against Middle Eastern oil and gas companies, but now appears to be focusing on telecom companies. A report by Accenture Cyber Threat Intelligence (ACTI) and Prevailion Adversarial Counterintelligence (PACT), published between July and October this year, noted that Lyceum was spotted in attacks against ISPs and telecom organisations across Israel, Morocco, Tunisia and Saudi Arabia.
“Lyceum will likely continue to use the Shark and Milan backdoors, albeit with some modifications, as the group has likely been able to maintain footholds in victims’ networks despite public disclosure of (indicators of compromise) associated with its operations,” the researchers said.
The hackers’ mode of operation begins with credential stuffing and brute-force attacks. Once a victim’s system is compromised, the attackers conduct surveillance on specific targets. In that phase, Lyceum will attempt to deploy two different kinds of malware: Shark and Milan (tracked together as ‘James’ by Kaspersky).
Both are backdoors. Shark, a 32-bit executable written in C# and .NET, generates a configuration file for domain name system (DNS) tunnelling or Hypertext Transfer Protocol (HTTP) C2 communications, whereas Milan, a 32-bit Remote Access Trojan (RAT), retrieves data.
Both are able to communicate with the group’s command-and-control (C2) servers. The advanced persistent threat (APT) maintains a C2 server network that connects to the group’s backdoors, consisting of over 20 domains, including six that were previously not associated with the threat actors.
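Defensive illustration added here, not taken from the article, the NCC or ngCERT: a small heuristic that scans DNS query log lines for the traffic shape that DNS-tunnelling C2 of the kind described above produces (many unique, long, high-entropy leftmost labels under one parent domain). The log format, the sample lines, every domain name and all thresholds are constructed assumptions for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (client IP, queried name); not from the article.
# The example.org queries imitate tunnelled C2: unique, long, random-looking labels.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 cdn.example.net
10.0.0.7 www.example.com
10.0.0.9 q7x2mz9kv4pl8wt3nb6rhd5ysfc0aj1e.tunnel-c2.example.org
10.0.0.9 a3f9k2lm7pq0wzx5rtb8ncvd4hj6gsy1.tunnel-c2.example.org
10.0.0.9 zy4k8qm1wn3tv0rb7dxp9lc2hs5jfa6g.tunnel-c2.example.org
10.0.0.9 m6t1rz5vk3xq8wy0pb2nd9lc4fh7sja.tunnel-c2.example.org
10.0.0.9 h2c9wl6km0xv5tq3zp8rb1yn7dsf4ja.tunnel-c2.example.org
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded or random data scores high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname):
    """Return (parent domain = last two labels, leftmost data-carrying label)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), (labels[0] if len(labels) > 2 else "")

def find_dns_tunnel_candidates(log_text, min_queries=5, min_unique_ratio=0.8,
                               min_label_len=20, min_entropy=3.5):
    """Flag parent domains whose leftmost labels look like encoded C2 data."""
    per_domain = defaultdict(list)  # parent domain -> leftmost labels seen
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        parent, label = split_name(parts[1])
        per_domain[parent].append(label)
    flagged = []
    for parent, labels in sorted(per_domain.items()):
        if len(labels) < min_queries:
            continue
        unique_ratio = len(set(labels)) / len(labels)
        avg_len = sum(len(l) for l in labels) / len(labels)
        avg_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        if (unique_ratio >= min_unique_ratio and avg_len >= min_label_len
                and avg_entropy >= min_entropy):
            flagged.append(parent)
    return flagged
```

On the constructed log the function returns only example.org; in practice the thresholds need tuning against a baseline of the network's legitimate CDN and telemetry domains, which also produce many unique subdomains.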
The hackers usually target individual accounts at companies of interest, and once these are breached they are used as springboards to launch spear-phishing attacks against high-profile executives in the organisation. The attackers not only steal subscribers’ and connected third-party companies’ data; they can also use these industries to survey individuals of interest.
The NCC therefore listed seven measures that can help companies and subscribers stay safe. These include enabling a web application firewall to help detect and prevent attacks coming through web applications by inspecting HTTP traffic; installing up-to-date antivirus programmes to help detect and prevent the wide range of malware, trojans and viruses that APT hackers use to exploit systems; and implementing intrusion prevention systems that monitor the network.
Others are creating a secure sandboxing environment that allows a user to open and run untrusted programmes or code without risking harm to the operating system; ensuring the use of a virtual private network (VPN) to deny APT hackers an easy opportunity to gain initial access to the company’s network; enabling spam and malware protection for email applications; and educating employees on how to identify potentially malicious emails.
A virtual private network, or VPN, is an encrypted connection over the internet from a device to a network. The encrypted connection helps ensure that sensitive data is transmitted safely: it prevents unauthorised people from eavesdropping on the traffic and allows the user to work remotely. Many Nigerians have in recent times begun using VPNs to circumvent the ban on Twitter services in the country.