Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/10/2018
06:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

'Highly Active' Seedworm Group Hits IT Services, Governments

Since September, the cyber espionage actors have targeted more than 130 victims in 30 organizations including NGOs, oil and gas, and telecom businesses.

Cyber espionage group Seedworm has been on a tear recently, extending its  targets to the telecom, IT services, and oil and gas industries.

According to new research from Symantec's DeepSight Managed Adversary and Threat Intelligence (MATI) team, Seedworm - aka MuddyWater - is constantly evolving, as well as relying on publicly available tools to launch hundreds of successful attacks. Seedworm has been in operation since at least 2017, with its most recent activity occurring this month. Recent attacks aimed to collect data on targets mostly in the Middle East, Europe, and North America.

In September, the researchers found evidence of Seedworm and the APT28 (Fancy Bear, Swallowtail) espionage group on a machine located in the Brazil-based embassy of an oil-producing country. Two active groups on one computer was a red flag: at first, principal cyber intelligence analyst Jonathan Wrolstad thought they might be the same one. As it turned out, it was two attack groups operating independently inside the embassy's network.

"Because this victim was an embassy, it was likely to receive interest from a lot of cyber espionage groups," Wrolstad explains. "We assess it was just a coincidence that these two groups were on the same victim at exactly the same time."

The team continued looking into Seedworm and discovered new intelligence on the group, which he says likely operates out of the Middle East. Targets typically include embassies and government agencies within countries in the region; however, lately attackers have been adding oil and gas firms, telecom companies, and IT services to their list of victims.

Of the 131 victims the attackers targeted from mid-Sept. to late Nov. 2018, 39% were in Pakistan, 14% in Turkey, 8% in Russia, and 5% in Saudi Arabia. One-quarter were telecommunications firms, 16% were government agency IT services, and 14% were in oil and gas production.

While there is no definitive reason why Seedworm is focused on telecommunications and IT services, Wrolstad speculates they could be interested in gaining access to customers of those firms. That said, targets in the oil and gas industry point to added financial motivation.

Changing Tools and Techniques

Seedworm values speed and agility over operational security, a trait that helped researchers uncover more details on their operations, Wrolstad explains. They regularly adopt new tactics and techniques to stay hidden and consistently improve their operations over time.

Analysts could pinpoint the group's entryway and subsequent activity, which include new variants of their so-called Powermud backdoor, a new backdoor (Powermuddy), and custom tools to steal passwords, create reverse shells, escalate privilege, and use Windows' cabinet creation tool.

"Powermud is a tool they've been using since at least early 2017, and they've been updating it the entire time," says Wrolstad. Both Powermud and Powermuddy are PowerShell-based tools, and Powermuddy is not an evolution of the earlier tool but a new one altogether, he says.

Seedworm began using its new backdoor earlier this summer, which he expects they created to continue evading detection. Neither backdoor is more effective than the other, however, he adds.

Powermud is controlled from behind a proxy network to conceal its command-and-control location. After they use Powermud or Powermuddy to compromise a machine, attackers deploy a tool to steal passwords saved in browsers and email accounts – a sign they're after email, social media, and chat access.

But, of course, it's not all they're after. Open source tools LaZagne and Crackmapexec help them snag Windows authorization credentials, researchers report, and Seedworm uses unmodified versions of these tools in addition to custom versions that aren't used by any other threat group. Publicly available tools let Seedworm's actors quickly update operations using others' code.

"They're using tools that are different from what we might have seen in the past," says Al Cooley, Symantec director of product management. "All of these are typical of a group as they evolve and try to stay effective."

Unlike threat groups that write new malware for each operation, Seedworm uses minimal effort to adapt and evolve while staying effective, says Wrolstad. "They are very agile and quick to adapt, and also very successful," he adds, pointing to the 130 successful compromises.

Comfortable in the Spotlight

It's common for nation-states to pay attention to press so they know what security researchers know about them, says Wrolstad, but Seedworm seems to like attention more than most.

"One thing that's interesting about this group is they do seem very aware of the research that goes on surrounding their activities," he explains. For example, one of their software tools has a command called "muddy," alluding to MuddyWater, a name other vendors use for Seedworm.

"There's evidence of [Seedworm] following the people who write on them so they can discover how those people are counseling organizations to protect themselves," says Cooley.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19807
PUBLISHED: 2019-12-15
In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for ...
CVE-2014-8650
PUBLISHED: 2019-12-15
python-requests-Kerberos through 0.5 does not handle mutual authentication
CVE-2014-3536
PUBLISHED: 2019-12-15
CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration
CVE-2014-3643
PUBLISHED: 2019-12-15
jersey: XXE via parameter entities not disabled by the jersey SAX parser
CVE-2014-3652
PUBLISHED: 2019-12-15
JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL.