Threat Actor Profile
Description
HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)
Confidence Score
Known Aliases
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
ActiveCreated
April 29, 2026
MITRE ATT&CK Techniques (36)
Indicators of Compromise
Loading IOCs…
IOC KQL for Sentinel
STIX Data
{'aliases': ['HEXANE', 'Lyceum', 'Siamesekitten', 'Spirlin'],
'created': '2018-10-17T00:14:20.652Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber '
'espionage threat group that has targeted oil & gas, '
'telecommunications, aviation, and internet service provider '
'organizations since at least 2017. Targeted companies have '
'been located in the Middle East and Africa, including Israel, '
'Saudi Arabia, Kuwait, Morocco, and Tunisia. '
"[HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear "
'similar to [APT33](https://attack.mitre.org/groups/G0064) and '
'[OilRig](https://attack.mitre.org/groups/G0049) but due to '
'differences in victims and tools it is tracked as a separate '
'entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum '
'October 2021)(Citation: ClearSky Siamesekitten August '
'2021)(Citation: Accenture Lyceum Targets November 2021)',
'external_references': [{'external_id': 'G1001',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G1001'},
{'description': '(Citation: Accenture Lyceum Targets '
'November 2021)',
'source_name': 'Spirlin'},
{'description': '(Citation: ClearSky Siamesekitten '
'August 2021)',
'source_name': 'Siamesekitten'},
{'description': '(Citation: SecureWorks August 2019)',
'source_name': 'Lyceum'},
{'description': 'Accenture. (2021, November 9). Who '
'are latest targets of cyber group '
'Lyceum?. Retrieved June 16, 2022.',
'source_name': 'Accenture Lyceum Targets November '
'2021',
'url': 'https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns'},
{'description': 'ClearSky Cyber Security . (2021, '
'August). New Iranian Espionage '
'Campaign By “Siamesekitten” - '
'Lyceum. Retrieved June 6, 2022.',
'source_name': 'ClearSky Siamesekitten August 2021',
'url': 'https://www.clearskysec.com/siamesekitten/'},
{'description': 'Dragos. (n.d.). Hexane. Retrieved '
'October 27, 2019.',
'source_name': 'Dragos Hexane',
'url': 'https://dragos.com/resource/hexane/'},
{'description': 'Kayal, A. et al. (2021, October). '
'LYCEUM REBORN: COUNTERINTELLIGENCE '
'IN THE MIDDLE EAST. Retrieved June '
'14, 2022.',
'source_name': 'Kaspersky Lyceum October 2021',
'url': 'https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf'},
{'description': 'SecureWorks 2019, August 27 LYCEUM '
'Takes Center Stage in Middle East '
'Campaign Retrieved. 2019/11/19 ',
'source_name': 'SecureWorks August 2019',
'url': 'https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign'}],
'id': 'intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3',
'modified': '2024-08-14T15:24:19.141Z',
'name': 'HEXANE',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Dragos Threat Intelligence',
'Mindaugas Gudzis, BT Security'],
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack', 'ics-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '2.3'}