Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/10/2018
06:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Highly Active' Seedworm Group Hits IT Services, Governments

Since September, the cyber espionage actors have targeted more than 130 victims in 30 organizations including NGOs, oil and gas, and telecom businesses.

Cyber espionage group Seedworm has been on a tear recently, extending its  targets to the telecom, IT services, and oil and gas industries.

According to new research from Symantec's DeepSight Managed Adversary and Threat Intelligence (MATI) team, Seedworm - aka MuddyWater - is constantly evolving, as well as relying on publicly available tools to launch hundreds of successful attacks. Seedworm has been in operation since at least 2017, with its most recent activity occurring this month. Recent attacks aimed to collect data on targets mostly in the Middle East, Europe, and North America.

In September, the researchers found evidence of Seedworm and the APT28 (Fancy Bear, Swallowtail) espionage group on a machine located in the Brazil-based embassy of an oil-producing country. Two active groups on one computer was a red flag: at first, principal cyber intelligence analyst Jonathan Wrolstad thought they might be the same one. As it turned out, it was two attack groups operating independently inside the embassy's network.

"Because this victim was an embassy, it was likely to receive interest from a lot of cyber espionage groups," Wrolstad explains. "We assess it was just a coincidence that these two groups were on the same victim at exactly the same time."

The team continued looking into Seedworm and discovered new intelligence on the group, which he says likely operates out of the Middle East. Targets typically include embassies and government agencies within countries in the region; however, lately attackers have been adding oil and gas firms, telecom companies, and IT services to their list of victims.

Of the 131 victims the attackers targeted from mid-Sept. to late Nov. 2018, 39% were in Pakistan, 14% in Turkey, 8% in Russia, and 5% in Saudi Arabia. One-quarter were telecommunications firms, 16% were government agency IT services, and 14% were in oil and gas production.

While there is no definitive reason why Seedworm is focused on telecommunications and IT services, Wrolstad speculates they could be interested in gaining access to customers of those firms. That said, targets in the oil and gas industry point to added financial motivation.

Changing Tools and Techniques

Seedworm values speed and agility over operational security, a trait that helped researchers uncover more details on their operations, Wrolstad explains. They regularly adopt new tactics and techniques to stay hidden and consistently improve their operations over time.

Analysts could pinpoint the group's entryway and subsequent activity, which include new variants of their so-called Powermud backdoor, a new backdoor (Powermuddy), and custom tools to steal passwords, create reverse shells, escalate privilege, and use Windows' cabinet creation tool.

"Powermud is a tool they've been using since at least early 2017, and they've been updating it the entire time," says Wrolstad. Both Powermud and Powermuddy are PowerShell-based tools, and Powermuddy is not an evolution of the earlier tool but a new one altogether, he says.

Seedworm began using its new backdoor earlier this summer, which he expects they created to continue evading detection. Neither backdoor is more effective than the other, however, he adds.

Powermud is controlled from behind a proxy network to conceal its command-and-control location. After they use Powermud or Powermuddy to compromise a machine, attackers deploy a tool to steal passwords saved in browsers and email accounts – a sign they're after email, social media, and chat access.

But, of course, it's not all they're after. Open source tools LaZagne and Crackmapexec help them snag Windows authorization credentials, researchers report, and Seedworm uses unmodified versions of these tools in addition to custom versions that aren't used by any other threat group. Publicly available tools let Seedworm's actors quickly update operations using others' code.

"They're using tools that are different from what we might have seen in the past," says Al Cooley, Symantec director of product management. "All of these are typical of a group as they evolve and try to stay effective."

Unlike threat groups that write new malware for each operation, Seedworm uses minimal effort to adapt and evolve while staying effective, says Wrolstad. "They are very agile and quick to adapt, and also very successful," he adds, pointing to the 130 successful compromises.

Comfortable in the Spotlight

It's common for nation-states to pay attention to press so they know what security researchers know about them, says Wrolstad, but Seedworm seems to like attention more than most.

"One thing that's interesting about this group is they do seem very aware of the research that goes on surrounding their activities," he explains. For example, one of their software tools has a command called "muddy," alluding to MuddyWater, a name other vendors use for Seedworm.

"There's evidence of [Seedworm] following the people who write on them so they can discover how those people are counseling organizations to protect themselves," says Cooley.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7856
PUBLISHED: 2021-04-20
A vulnerability of Helpcom could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient authentication validation.
CVE-2021-28793
PUBLISHED: 2021-04-20
vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.
CVE-2021-25679
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed....
CVE-2021-25680
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only...
CVE-2021-25681
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** AdTran Personal Phone Manager 10.8.1 software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. NOTE: The aff...