A newly discovered threat group focuses on organizations in the oil and gas industry and also attacks telecommunication providers, most likely in an attempt to reach its main targets.
Called Hexane by security researchers, the actor has been active since at least mid-2018 and ramped up its activity at the beginning of 2019, continuing through the middle of the year.
A distinct group
Uncovered by Dragos Inc, a cybersecurity company offering defenses for organizations managing critical infrastructure, Hexane seems to follow the lead of adversaries with the same interests.
By targeting third-party entities like telco service providers, Hexane’s intent is to infiltrate the supply chain of potential targets.
Although Hexane shares an interest in oil and gas companies with other groups (Magnallium and Chrysene, both of which have been collecting information on targets since at least 2017), it is a distinct entity, with different behavior, tools, techniques, and set of targets.
“For instance, HEXANE’s observed victimology is mostly focused on critical infrastructure, but divided between ICS verticals and telecommunications operations” – Dragos Inc.
Further evidence that it is an independent group comes from its infrastructure and capabilities. The pattern it uses to create malicious domains (which follow general IT themes) and its use of new detection-evasion techniques distinguish it from the other groups tracked by Dragos. At the moment, the company tracks the activity of nine adversaries interested in industrial control systems (ICS).
Picks victims in the Middle East
According to the company, Hexane goes after companies in the Middle East, with Kuwait being a primary operating region. As for telcos, the adversary targets organizations in the greater Middle East, Central Asia, and Africa.
The most active period of the group coincides with the escalation of tensions in the Middle East due to political and military turmoil.
Victims of this threat actor were compromised via malicious documents that drop malware, paving the way for further stages of the attack.
Researchers at Dragos believe that Hexane has not yet developed capabilities for taking down ICS networks. However, they make this assessment with only moderate confidence, based on their visibility into this adversary's operations.