There is a new activity group targeting industrial control systems (ICS) called HEXANE, researchers said.
The group has been targeting oil and gas companies in the Middle East, with Kuwait as a primary operating region, according to research by the industrial security provider Dragos.
HEXANE also targeted telecommunications providers in the greater Middle East, Central Asia, and Africa, potentially as a stepping stone to network-focused man-in-the-middle and related attacks, researchers said. The group drops malware to establish footholds for follow-on activity.
“Although the group appears operational since at least mid-2018, activity accelerated in early- to mid-2019. This timeline, targeting, and increase of operations coincides with an escalation of tensions within the Middle East, a current area of political and military conflict,” researchers said in a post.
HEXANE’s telecommunications targeting appears to follow a trend demonstrated by other activity groups: targeting third-party organizations along the supply chains of their intended victims.
One case in point occurred in 2018, when Dragos said it identified the activity group XENOTIME targeting several industrial original equipment manufacturers (OEMs) as well as hardware and software suppliers. By compromising devices, firmware, or telecommunications networks used by targets within ICS, malicious activity could potentially enter the victim through a trusted vendor, bypassing much of the entity’s security stack.
HEXANE demonstrates similarities to the activity groups MAGNALLIUM and CHRYSENE, Dragos researchers said.
All are ICS-targeting activity groups focusing largely on oil and gas, and some of their behaviors and recently observed tactics, techniques, and procedures (TTPs) are similar.
HEXANE remains mostly focused on critical infrastructure, but divided between ICS verticals and telecommunications operations.
On top of that, its infrastructure and capabilities — such as using malicious domains patterned after general IT themes and newly identified detection evasion schemes — differ from those of the related groups.
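The report mentions malicious domains patterned after general IT themes but publishes no domain names, so the following is an added illustration, not Dragos' detection content or indicators. It shows one defensive triage approach a SOC might use against that pattern: scanning DNS query logs from ICS-adjacent hosts for newly seen registrable domains whose labels contain IT-support vocabulary, with an allowlist for the organization's own legitimate IT services. The log format, the keyword list, the allowlist and the sample log lines are all constructed assumptions for this example.

```python
import re

# Constructed sample DNS query log lines (not from the article or from Dragos).
# The format "host=<client> qname=<queried name>" is an assumption for this example.
SAMPLE_DNS_LOG = """\
2019-06-03T08:12:01Z host=eng-ws-07 qname=update.example-it-support.com qtype=A
2019-06-03T08:12:05Z host=eng-ws-07 qname=www.example-internal-wiki.org qtype=A
2019-06-03T08:13:10Z host=hmi-02 qname=portal.corp-helpdesk-login.net qtype=A
2019-06-03T08:14:44Z host=hmi-02 qname=ntp.pool-example.org qtype=A
2019-06-03T08:15:02Z host=eng-ws-07 qname=sso.login-example-corp.com qtype=A
"""

# Assumed IT-theme vocabulary; a real deployment would tune this list to its own environment.
IT_THEME_KEYWORDS = ("update", "support", "helpdesk", "login", "portal",
                     "patch", "admin", "vpn", "office")

# Assumed allowlist of the organization's own legitimate IT service domains.
ALLOWLIST = frozenset({"login-example-corp.com"})

LINE_RE = re.compile(r"host=(?P<host>\S+)\s+qname=(?P<qname>\S+)")


def registrable_domain(qname):
    """Return the last two labels of a query name (naive: ignores multi-label TLDs such as co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def it_theme_hits(domain, keywords=IT_THEME_KEYWORDS):
    """Return the IT-theme keywords that appear as substrings of any label token of the domain."""
    tokens = re.split(r"[.\-_]", domain)
    return tuple(k for k in keywords if any(k in t for t in tokens))


def flag_it_themed_domains(log_text, keywords=IT_THEME_KEYWORDS, allowlist=ALLOWLIST):
    """Scan DNS log lines and return {domain: {"hosts": [...], "keywords": (...)}}
    for non-allowlisted domains whose names carry IT-support themes."""
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed log format
        domain = registrable_domain(m["qname"])
        if domain in allowlist:
            continue  # known-good corporate IT service
        hits = it_theme_hits(domain, keywords)
        if hits:
            entry = flagged.setdefault(domain, {"hosts": set(), "keywords": hits})
            entry["hosts"].add(m["host"])
    # Sort host lists so the output is stable for reporting and comparison.
    for entry in flagged.values():
        entry["hosts"] = sorted(entry["hosts"])
    return flagged


if __name__ == "__main__":
    for domain, info in flag_it_themed_domains(SAMPLE_DNS_LOG).items():
        print(f"{domain}: hosts={info['hosts']} themes={info['keywords']}")
```

Hits from hosts that should never need IT-support web services, such as an HMI, deserve a closer look than the same domain queried from an engineering workstation, which is why the output keeps the querying host alongside the domain rather than reporting the domain alone.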
Dragos said HEXANE does not possess the access or the capability to disrupt ICS networks at this time.