Researchers have investigated the activities of an Iranian threat group called Lyceum and found that the group is focused on infiltrating the networks of telecoms companies and internet service providers (ISPs). Lyceum is also referred to as Hexane, Spirlin, and Siamesekitten and has been active since 2017. The group has been linked to campaigns against Middle Eastern oil and gas companies in the past and now appears to have expanded its focus to include the technology sector. On Thursday, Accenture Cyber Threat Intelligence and Prevailion Adversarial Counterintelligence released a report detailing the threat group’s recent campaigns.
Lyceum was spotted by Accenture and Prevailion targeting ISPs and telecoms organizations across Israel, Morocco, Tunisia, and Saudi Arabia. Additionally, the cybersecurity firms found that the threat group is responsible for a campaign against an African ministry of foreign affairs. At the time of the report’s release, the cybersecurity teams stated that there are still several identified compromises that remain active. Lyceum typically uses credential stuffing attacks and brute-force attacks as an initial attack vector. Individual companies of interest are usually targeted, and then later used as a springboard to launch spear-phishing attacks against high-profile executives in an organization.
Read More: Iranian hackers targeting telecoms, ISPs