Out to Sea
description
IT researchers from ESET combined several previously discovered cyber-operations into the Iranian cyber-espionage campaign "Out to Sea". These operations had previously been attributed to other groups, namely Lyceum and Siamesekitten. ESET's researchers grouped these supposedly distinct groups together and attribute them to the known Iranian state-sponsored hacking group OilRig. The final phase of the campaign, from September to December 2021, used an improved backdoor called Marlin.
sources attribution
Not available
sources politicalization
Not available
start
01.04.2018
end
01.12.2021
source incident detection disclosure
Incident disclosed by IT-security company
receiver
label:
Not available
category:
State institutions / political system
Critical infrastructure
Energy
Critical infrastructure
Health
Critical infrastructure
Telecommunications
Corporate Targets (corporate targets only coded if the respective company is not part of the critical infrastructure definition)
country:
Israel
label:
Not available
category:
State institutions / political system
Critical infrastructure
Energy
Critical infrastructure
Health
Critical infrastructure
Telecommunications
Corporate Targets (corporate targets only coded if the respective company is not part of the critical infrastructure definition)
country:
Tunisia
label:
Not available
category:
State institutions / political system
Critical infrastructure
Energy
Critical infrastructure
Health
Critical infrastructure
Telecommunications
Corporate Targets (corporate targets only coded if the respective company is not part of the critical infrastructure definition)
country:
United Arab Emirates
label:
Not available
category:
State institutions / political system
Critical infrastructure
Energy
Critical infrastructure
Health
Critical infrastructure
Telecommunications
Corporate Targets (corporate targets only coded if the respective company is not part of the critical infrastructure definition)
country:
Middle East (region)
label:
Not available
category:
State institutions / political system
Critical infrastructure
Energy
Critical infrastructure
Health
Critical infrastructure
Telecommunications
Corporate Targets (corporate targets only coded if the respective company is not part of the critical infrastructure definition)
country:
South Africa
label:
Not available
category:
State institutions / political system
Critical infrastructure
Energy
Critical infrastructure
Health
Critical infrastructure
Telecommunications
Corporate Targets (corporate targets only coded if the respective company is not part of the critical infrastructure definition)
country:
Morocco
label:
Not available
category:
State institutions / political system
Critical infrastructure
Energy
Critical infrastructure
Health
Critical infrastructure
Telecommunications
Corporate Targets (corporate targets only coded if the respective company is not part of the critical infrastructure definition)
country:
Saudi Arabia
inclusion criteria
Attack conducted by non-state group / non-state actor with political goals (religious, ethnic, etc. groups) / undefined actor with political goals
Attack conducted by a state-affiliated group (includes state-sanctioned, state-supported, state-controlled but officially non-state actors) (“cyber-proxies”) / a group that is generally attributed as state-affiliated
Attack on (inter alia) political target(s), not politicized
articles
Deep Dive into the Lyceum Danbot Malware
Threat Actor Adds New Marlin Backdoor to Its Arsenal
Cyber Threat Group LYCEUM Takes Center Stage in Middle East Campaign
Lyceum group reborn
Who are latest targets of cyber group Lyceum?
New Iranian Espionage Campaign
https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf
added to database
15.08.2022
articles
Not available
attribution date
2022
attribution basis
IT-security community attributes attacker
attributing country
Not available
attributing actors
Not available
attribution type
Technical report (e.g., by IT-companies, Citizen Lab, EFF)
initiators
label:
OilRig/APT34/Cobalt Gypsy/Helix Kitten/Crambus/G0049
category:
Non-state actor, state-affiliation suggested
Non-state-group, state-affiliation suggested (widely held view for the attributed initiator (group), but not invoked in this case)
countries:
Iran, Islamic Republic of
legal attribution references
Not available
Incident/Operation Type
Data theft
Hijacking with Misuse
data theft
For private / commercial targets: non-sensitive information (incident scores 1 point in intensity)
disruption
none
hijacking
Hijacking, system misuse, e.g., through data theft and / or disruption (incident scores 2 points in intensity)
Physical Effects (temporal)
none
Physical Effects (spatial)
none
unweighted cyber intensity
3
Target / Effect Multiplier
Moderate - high political importance
weighted cyber intensity
Low / moderate intensity - 3
MITRE: Initial Access
Not available
MITRE: Impact
Not available
Common Vulnerability Scoring System: User Interaction
Not available
Zero Day
No
cyber conflict issue
International power
offline conflict issue
Unknown
offline conflict intensity
Unknown
casualties
No casualties as a direct result of the cyber incident
political response
Not available
state responsibility indicator
Not available
il breach indicator
Not available
response indicator
Not available
Evidence for Sanctions Indicator
Not available
legal response
Not available
impact indicator
Not available