HEXANE is a threat group that has targeted ICS organizations within the oil & gas and telecommunications sectors. Many of the targeted organizations have been located in the Middle East, including Kuwait. HEXANE's targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. HEXANE's TTPs appear similar to those of APT33 and OilRig, but due to differences in victims and tools it is tracked as a separate entity. [1]

ID: G1001
Contributors: Dragos Threat Intelligence
Version: 1.0
Created: 17 October 2018
Last Modified: 24 May 2022

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| ICS | T0853 | Scripting | HEXANE utilizes VBA macros and PowerShell scripts such as the DanDrop and kl.ps1 tools. [2] [3] |
| ICS | T0865 | Spearphishing Attachment | HEXANE has used malicious documents to drop malware and gain access into an environment. [1] |
| ICS | T0869 | Standard Application Layer Protocol | HEXANE communicated with command and control over HTTP and DNS. [1] |
| ICS | T0859 | Valid Accounts | HEXANE has used valid IT accounts to extend their spearphishing campaign within an organization. [4] |