HEXANE
Uses third-party connections from telecom providers for network access to industrial organizations.
THREAT DESCRIPTION
Dragos identified a new activity group targeting industrial control systems (ICS) related entities: HEXANE. Dragos observed this group targeting oil and gas companies in the Middle East, including Kuwait as a primary operating region. Additionally, and unlike other activity groups Dragos tracks, HEXANE also targeted telecommunication providers in the greater Middle East, Central Asia, and Africa, potentially as a stepping stone to network-focused man-in-the-middle and related attacks.
HEXANE intrusion activity includes malicious documents that drop malware to establish footholds for follow-on activity. Although the group appears operational since at least mid-2018, activity accelerated in early- to mid-2019. This timeline, targeting, and increase of operations coincides with an escalation of tensions within Middle East, a current area of political and military conflict.
HEXANE’s telecommunications targeting appears to follow a trend demonstrated by other activity groups. ICS adversaries are increasingly targeting third-party organizations along the supply chains of potential targets. For instance, in 2018, Dragos identified the activity group XENOTIME targeting several industrial original equipment manufacturers (OEMs), and hardware and software suppliers. By compromising devices, firmware, or telecommunications networks used by targets within ICS, malicious activity could potentially enter the victim environment through a trusted vendor, bypassing much of the entity’s security stack.
HEXANE demonstrates similarities to the activity groups MAGNALLIUM and CHRYSENE. All are ICS-targeting activities focusing largely on oil and gas, and some of the behaviors and recently observed tactics, techniques, and procedures (TTPs) are similar. Like HEXANE, MAGNALLIUM also increased its activity in early- to mid-2019. Dragos identified recent MAGNALLIUM activity targeting US government and financial organizations as well as oil and gas companies, attempting to gain access to computers at target organizations.
However, the collection of HEXANE behaviors, tools, and victimology makes this a unique entity compared to these previously-observed activity groups.
For instance, HEXANE’s observed victimology is mostly focused on critical infrastructure, but divided between ICS verticals and telecommunications operations. Additionally, its infrastructure and capabilities — such as using malicious domains patterned after general IT themes and newly identified detection evasion schemes — are different from related groups. Dragos categorizes activity groups based on the Diamond Model of Intrusion Analysis and groups activity by the observed actions, capabilities, and demonstrated – not implied or assumed – intentions. These attributes can be combined to construct and implement defensive strategies.
At this time, Dragos assesses with moderate confidence that HEXANE does not possess the access nor capability to disrupt ICS networks.
Full reports on HEXANE and all other activity groups including TTPs and strategies to defend against them are available to WorldView Threat Intelligence subscribers.
HEXANE intrusion activity includes malicious documents that drop malware to establish footholds for follow-on activity. Although the group appears operational since at least mid-2018, activity accelerated in early- to mid-2019. This timeline, targeting, and increase of operations coincides with an escalation of tensions within Middle East, a current area of political and military conflict.
HEXANE’s telecommunications targeting appears to follow a trend demonstrated by other activity groups. ICS adversaries are increasingly targeting third-party organizations along the supply chains of potential targets. For instance, in 2018, Dragos identified the activity group XENOTIME targeting several industrial original equipment manufacturers (OEMs), and hardware and software suppliers. By compromising devices, firmware, or telecommunications networks used by targets within ICS, malicious activity could potentially enter the victim environment through a trusted vendor, bypassing much of the entity’s security stack.
HEXANE demonstrates similarities to the activity groups MAGNALLIUM and CHRYSENE. All are ICS-targeting activities focusing largely on oil and gas, and some of the behaviors and recently observed tactics, techniques, and procedures (TTPs) are similar. Like HEXANE, MAGNALLIUM also increased its activity in early- to mid-2019. Dragos identified recent MAGNALLIUM activity targeting US government and financial organizations as well as oil and gas companies, attempting to gain access to computers at target organizations.
However, the collection of HEXANE behaviors, tools, and victimology makes this a unique entity compared to these previously-observed activity groups.
For instance, HEXANE’s observed victimology is mostly focused on critical infrastructure, but divided between ICS verticals and telecommunications operations. Additionally, its infrastructure and capabilities — such as using malicious domains patterned after general IT themes and newly identified detection evasion schemes — are different from related groups. Dragos categorizes activity groups based on the Diamond Model of Intrusion Analysis and groups activity by the observed actions, capabilities, and demonstrated – not implied or assumed – intentions. These attributes can be combined to construct and implement defensive strategies.
At this time, Dragos assesses with moderate confidence that HEXANE does not possess the access nor capability to disrupt ICS networks.
Full reports on HEXANE and all other activity groups including TTPs and strategies to defend against them are available to WorldView Threat Intelligence subscribers.
Date: Since 2018
ADVERSARY
- Similarities to CHRYSENE, MAGNALLIUM
CAPABILITIES
- Initial access via MS Excel documents containing embedded binary
- C2 via DNS & HTTP
- Evasion via task scheduling and in-memory .NET compilation
VICTIM
- Oil & Gas; Telecommunications
- Middle East, Central Asia, Africa
INFRASTRUCTURE
- Adversary-owned infrastructure from European hosting providers
- Spoofs legitimate IT domains
ICS IMPACT
- Seeking to access IT networks of ICS-related companies
