Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa.

Iranian 'Seedworm' Cyber Spies Target African Telcos & ISPs

Seedworm, aka MuddyWater, drops PowerShell-based malware on victims using living-off-the-land techniques.

3 Min Read
An earthworm in soil
Source: Denis Crawford via Alamy Stock Photo

An Iran-backed cyberespionage group is actively targeting telcos in North and East Africa.

According to security researchers at Symantec, the latest cyberattacks by the advanced persistent threat (APT) it calls Seedworm (aka MuddyWater, APT34, Crambus, Helix Kitten, or OilRig) are targeting telecommunications-sector organizations in Egypt, Sudan, and Tanzania. One telco-sector organization in particular — previously infiltrated by Seedworm earlier in 2023 but so far unnamed — is bearing the brunt of the latest assaults.

Seedworm's Power(Shell) Play

The first evidence of malicious activity came from the execution of PowerShell code to connect into a command-and-control (C2) framework called MuddyC2Go, an infrastructure that researchers have previously linked to Seedworm.

"The attackers also use the SimpleHelp remote access tool and Venom Proxy, which have previously been associated with Seedworm activity, as well as using a custom keylogging tool, and other publicly available and living-off-the-land tools," Symantec researchers reported in a Dec. 19 analysis of the cyberattacks.

Living-off-the-land refers to the practice of using off-the-shelf technology and native operating system applications to hide malicious activity. By misusing legitimate applications, attackers avoid creating unusual traffic or activity on compromised network, thereby reducing their risk of detection.

Dark Reading has approached Symantec for comment on details of the latest run of attacks by Seedworm, as well as suggestions for possible counter-measures. 

Seeds of Doubt

Seedworm has been active for six years since 2017 and has been previously linked to Iran's Ministry of Intelligence and Security (MOIS). The group typically relies on spear-phishing emails containing archives, or links to archives, that include various legitimate remote administration tools, including the SimpleHelp and AnyDesk remote access utilities.

If the intended target opens the file inside the archive, it installs a remote administration tool that allows the attacker to execute additional tools and malware. More recently, the group has begun planting malware payloads within password-protected RAR archives in a bid to evade detection by email security products at targeted organizations, according to a recent blog post by security research firm Deep Instinct.

The latest malicious files being slung by the group contain an embedded PowerShell script that automatically connects to MuddyC2Go. This approach removes the need for the manual execution of scripts by the attackers.

Symantec's researchers found that Seedworm typically targets government and private organizations across various sectors, including telecommunications, local government, defense, and oil and natural gas. The group's targets are mostly Iran's neighbors in the Middle East region, including Turkey, Israel, Iraq, United Arab Emirates, and Pakistan.

Iran's Cyber Tradecraft

Iranian cyberespionage groups are known for establishing false personae on LinkedIn and elsewhere, in order to persuade targets to open malicious links or attachments rather than relying on unpatched vulnerabilities to hack into targeted organizations.

Iran started heavily investing in its cyber-operations program following the discovery of infamous Stuxnet cyber-espionage weapon in 2010. The Stuxnet malware infected the supervisory control and data acquisition (SCADA) systems at Iran's nuclear facilities, particularly its uranium enrichment centrifuges, and sabotaged their operation. Security researchers attributed the malware to a joint US and Israeli intelligence operation.

Iran's Islamic Revolutionary Guard Corps (IRGC) has since been linked disruptive and destructive attacks such as the Shamoon wiper malware attacks against oil and gas companies in Saudi Arabia and Qatar. By contrast, MOIS is a civilian intelligence service largely focusing on the clandestine acquisition of intelligence — Seedworm has been named as a subordinate element or unit within Iran's MOIS.

About the Author(s)

John Leyden, Contributing Writer

John Leyden is an experienced cybersecurity writer, having previously written for the Register and Daily Swig.

Image source: Dorota Szymczyk via Alamy Stock Photo

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights