The Nigerian Communications Commission (NCC) has alerted the public to the existence of yet another hacking group orchestrating cyber espionage in the African telecoms space.
NCC public affairs director Dr Ikechukwu Adinde said this in a statement on Monday in Abuja.
Mr Adinde said this was in line with NCC’s commitment to continuously keep stakeholders in the country’s telecommunications sector informed, educated and protected.
“An Iranian hacking group known as the Lyceum (also known as Hexane, Siamesekitten or Spirlin), has been reported to target telecommunications.
“It also targets Internet Service Providers (ISPs) and Ministries of Foreign Affairs (MFA) in Africa.
“It did so with upgraded malware in a recent politically motivated attack geared towards cyber espionage.
“Information on this cyberattack is contained in the latest advisory issued by the Nigerian Computer Emergency Response Team (ngCERT).
“ngCERT rated the likelihood and level of damage from the new malware as high,” he added.
He cited an advisory report as saying, “The hacking group is known to focus on infiltrating the networks of carriers and ISPs.”
Mr Adinde said that between July and October 2021, Lyceum was involved in attacks on ISPs and telecommunications organizations in Israel, Morocco, Tunisia and Saudi Arabia.
He explained, however, that the group, an Advanced Persistent Threat (APT), has been linked to campaigns that hit Middle Eastern oil and gas companies in the past.
“Now the group seems to have focused on the technology sector.
“In addition, the APT is responsible for a campaign against the foreign ministry of an anonymous African government.
“By the way attackers operate, Lyceum’s initial attack vectors include credential stuffing and brute force attacks.
“So once a victim’s system is compromised, attackers perform surveillance on specific targets.
“In this mode, Lyceum will attempt to deploy two different types of malware: Shark and Milan (known together as James),” he said.
The NCC spokesperson further explained that the two pieces of malware were backdoors: Shark is a 32-bit executable written in C# and .NET.
“They generate a configuration file for Domain Name System (DNS) tunnelling or Hypertext Transfer Protocol (HTTP) C2 communications.
“However, Milan, a 32-bit Remote Access Trojan (RAT), recovers the data,” he said.
He said the two were able to communicate with the group’s Command and Control (C2) servers.
Mr Adinde said the APT maintains a network of C2 servers that connect to the group’s backdoors, made up of more than 20 domains.
“These include six that were previously not associated with the threat actors.
“According to reports, the individual accounts of companies of interest were generally targeted.
“Once these accounts were hacked, they would be used as a springboard to launch spear-phishing attacks against high-level executives in an organization.”
Mr Adinde said the reports also suggested that these attackers are not just looking for data on subscribers and connected third-party companies.
“But, once compromised, threat actors or their sponsors can also use these industries to monitor people of interest.”
However, he indicated that, to guard against such threats, the NCC has taken up ngCERT’s recommendations to multiply the layers of security, in addition to the constant network monitoring required of carriers and ISPs to avoid potential attacks.
In particular, he advised telecom consumers and the general public to ensure consistent use of firewalls (software, hardware and cloud firewalls).
Mr Adinde said individuals should enable a web application firewall to help detect and prevent attacks on web applications by inspecting HTTP traffic.
“Install up-to-date antivirus programs to help detect and prevent a wide variety of malware, Trojans and viruses, which APT hackers will use to exploit your system.
“Implement the use of intrusion prevention systems that monitor your network.
“Create a secure sandboxing environment that allows you to open and run untrusted programs or code without risking harm to your operating system.
“Make sure you are using a Virtual Private Network (VPN) to prevent APT hackers from easily accessing your corporate network.
“Activate spam and malware protection for your email applications and teach your employees how to identify potentially malicious emails,” he said.
Mr Adinde further advised that, for technical assistance, individuals contact “ngCERT at firstname.lastname@example.org”.
“The NCC reiterates its commitment to actively monitor the cyber activities of the sector.
“It will always keep Nigerian telecom stakeholders informed of potential threats in cyberspace.
“This is to ensure that the networks that provide essential services are secure and that telecommunications consumers are protected from becoming victims of cyberattacks,” he said.