Groups attacking ICS systems XI: Hexane/Lyceum

ICS cyber security blog guest post

03 April 2021 – icscybersec

The attackers known as Hexane/Lyceum (Hexane is the name Dragos gave this group attacking ICS systems; Lyceum is the name used in the MITRE ATT&CK for ICS framework) have been active since 2018 at the latest, and their activity has increased since early to mid 2019.

Their methods include targeted phishing attacks (typically using Excel files to collect legitimate user data and to deliver malware), man-in-the-middle attacks, Visual Basic macros and PowerShell scripts, and the use of standard HTTP and DNS protocols in their attacks.

The Hexane/Lyceum group also joins the list of attackers who prefer to attack companies through which they can then more easily gain access to the systems of their real targets (in this group’s case, oil and gas companies in addition to telecoms).

According to Dragos’ analysis, Hexane/Lyceum shows some similarities with Magnallium/APT33 and Chrysene/APT34: all three groups focus on companies in the oil and gas sector, and further similarities can be found in their TTPs (tactics, techniques, and procedures).

For those interested in the subject and the group, in addition to Dragos’ article cited above, the MITRE ATT&CK for ICS Hexane/Lyceum paper may be of interest.


The original guest post was published on the ICS cyber security blog.

Translated by DeepL.