← All Threat Actors
Threat Actor Profile

HEXANE

ATK 120 DEV-0133 G1001 Lyceum ScorchedEpoch Siamesekitten Spirlin
▲ High Threat
[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0064) and [OilRig](https://attack.mitre.org/groups/G0049) but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)
Origin

Known TTPs

System Network Configuration Discovery
Credentials from Password Stores
Command Obfuscation
Gather Victim Identity Information
System Information Discovery
Domains
Brute Force
Scheduled Task
Malicious File
Exfiltration to Cloud Storage
Social Media Accounts
Internet Connection Discovery
Windows Management Instrumentation Event Subscription
Local Groups
Remote System Discovery
Remote Desktop Protocol
Email Accounts
Password Spraying
Bidirectional Communication
Tool
Credentials from Web Browsers
PowerShell
Upload Malware
Email Addresses
Email Accounts
System Owner/User Discovery
Ingress Tool Transfer
System Network Connections Discovery
Process Discovery
Keylogging
Software Discovery
Visual Basic
Application Window Discovery
Identify Roles
DNS Server
Internal Spearphishing

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD