HEXANE

Uses third-party connections from telecom providers for network access to industrial organizations.

Threat group: Hexane
THREAT DESCRIPTION
Dragos identified a new activity group targeting industrial control system (ICS)-related entities: HEXANE. Dragos observed this group targeting oil and gas companies in the Middle East, with Kuwait as a primary operating region. Additionally, and unlike other activity groups Dragos tracks, HEXANE also targeted telecommunications providers in the greater Middle East, Central Asia, and Africa, potentially as a stepping stone to network-focused man-in-the-middle and related attacks.

HEXANE intrusion activity includes malicious documents that drop malware to establish footholds for follow-on activity. Although the group appears to have been operational since at least mid-2018, activity accelerated in early to mid-2019. This timeline, targeting, and increase in operations coincides with an escalation of tensions within the Middle East, a current area of political and military conflict.

HEXANE’s telecommunications targeting appears to follow a trend demonstrated by other activity groups: ICS adversaries are increasingly targeting third-party organizations along the supply chains of potential targets. For instance, in 2018, Dragos identified the activity group XENOTIME targeting several industrial original equipment manufacturers (OEMs) and hardware and software suppliers. By compromising devices, firmware, or telecommunications networks used by ICS targets, malicious activity could potentially enter the victim environment through a trusted vendor, bypassing much of the entity’s security stack.

HEXANE demonstrates similarities to the activity groups MAGNALLIUM and CHRYSENE. All are ICS-targeting activity groups focusing largely on oil and gas, and some of their behaviors and recently observed tactics, techniques, and procedures (TTPs) are similar. Like HEXANE, MAGNALLIUM also increased its activity in early to mid-2019. Dragos identified recent MAGNALLIUM activity targeting US government and financial organizations as well as oil and gas companies, attempting to gain access to computers at target organizations.

However, the collection of HEXANE behaviors, tools, and victimology makes it a distinct entity compared to these previously observed activity groups.

For instance, HEXANE’s observed victimology is mostly focused on critical infrastructure, but divided between ICS verticals and telecommunications operations. Additionally, its infrastructure and capabilities (such as malicious domains patterned after general IT themes and newly identified detection-evasion schemes) differ from those of related groups. Dragos categorizes activity groups based on the Diamond Model of Intrusion Analysis and groups activity by observed actions, capabilities, and demonstrated (not implied or assumed) intentions. These attributes can be combined to construct and implement defensive strategies.

At this time, Dragos assesses with moderate confidence that HEXANE possesses neither the access nor the capability to disrupt ICS networks.

Full reports on HEXANE and all other activity groups, including TTPs and strategies to defend against them, are available to WorldView Threat Intelligence subscribers.

Date: Since 2018

ADVERSARY

  • Similarities to CHRYSENE, MAGNALLIUM

CAPABILITIES

  • Initial access via MS Excel documents containing an embedded binary
  • C2 via DNS & HTTP
  • Evasion via task scheduling and in-memory .NET compilation

VICTIM

  • Oil & Gas; Telecommunications
  • Middle East, Central Asia, Africa

INFRASTRUCTURE

  • Adversary-owned infrastructure from European hosting providers
  • Spoofs legitimate IT domains

ICS IMPACT

  • Seeking to access IT networks of ICS-related companies