Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/10/2018
06:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

'Highly Active' Seedworm Group Hits IT Services, Governments

Since September, the cyber espionage actors have targeted more than 130 victims in 30 organizations including NGOs, oil and gas, and telecom businesses.

Cyber espionage group Seedworm has been on a tear recently, extending its  targets to the telecom, IT services, and oil and gas industries.

According to new research from Symantec's DeepSight Managed Adversary and Threat Intelligence (MATI) team, Seedworm - aka MuddyWater - is constantly evolving, as well as relying on publicly available tools to launch hundreds of successful attacks. Seedworm has been in operation since at least 2017, with its most recent activity occurring this month. Recent attacks aimed to collect data on targets mostly in the Middle East, Europe, and North America.

In September, the researchers found evidence of Seedworm and the APT28 (Fancy Bear, Swallowtail) espionage group on a machine located in the Brazil-based embassy of an oil-producing country. Two active groups on one computer was a red flag: at first, principal cyber intelligence analyst Jonathan Wrolstad thought they might be the same one. As it turned out, it was two attack groups operating independently inside the embassy's network.

"Because this victim was an embassy, it was likely to receive interest from a lot of cyber espionage groups," Wrolstad explains. "We assess it was just a coincidence that these two groups were on the same victim at exactly the same time."

The team continued looking into Seedworm and discovered new intelligence on the group, which he says likely operates out of the Middle East. Targets typically include embassies and government agencies within countries in the region; however, lately attackers have been adding oil and gas firms, telecom companies, and IT services to their list of victims.

Of the 131 victims the attackers targeted from mid-Sept. to late Nov. 2018, 39% were in Pakistan, 14% in Turkey, 8% in Russia, and 5% in Saudi Arabia. One-quarter were telecommunications firms, 16% were government agency IT services, and 14% were in oil and gas production.

While there is no definitive reason why Seedworm is focused on telecommunications and IT services, Wrolstad speculates they could be interested in gaining access to customers of those firms. That said, targets in the oil and gas industry point to added financial motivation.

Changing Tools and Techniques

Seedworm values speed and agility over operational security, a trait that helped researchers uncover more details on their operations, Wrolstad explains. They regularly adopt new tactics and techniques to stay hidden and consistently improve their operations over time.

Analysts could pinpoint the group's entryway and subsequent activity, which include new variants of their so-called Powermud backdoor, a new backdoor (Powermuddy), and custom tools to steal passwords, create reverse shells, escalate privilege, and use Windows' cabinet creation tool.

"Powermud is a tool they've been using since at least early 2017, and they've been updating it the entire time," says Wrolstad. Both Powermud and Powermuddy are PowerShell-based tools, and Powermuddy is not an evolution of the earlier tool but a new one altogether, he says.

Seedworm began using its new backdoor earlier this summer, which he expects they created to continue evading detection. Neither backdoor is more effective than the other, however, he adds.

Powermud is controlled from behind a proxy network to conceal its command-and-control location. After they use Powermud or Powermuddy to compromise a machine, attackers deploy a tool to steal passwords saved in browsers and email accounts – a sign they're after email, social media, and chat access.

But, of course, it's not all they're after. Open source tools LaZagne and Crackmapexec help them snag Windows authorization credentials, researchers report, and Seedworm uses unmodified versions of these tools in addition to custom versions that aren't used by any other threat group. Publicly available tools let Seedworm's actors quickly update operations using others' code.

"They're using tools that are different from what we might have seen in the past," says Al Cooley, Symantec director of product management. "All of these are typical of a group as they evolve and try to stay effective."

Unlike threat groups that write new malware for each operation, Seedworm uses minimal effort to adapt and evolve while staying effective, says Wrolstad. "They are very agile and quick to adapt, and also very successful," he adds, pointing to the 130 successful compromises.

Comfortable in the Spotlight

It's common for nation-states to pay attention to press so they know what security researchers know about them, says Wrolstad, but Seedworm seems to like attention more than most.

"One thing that's interesting about this group is they do seem very aware of the research that goes on surrounding their activities," he explains. For example, one of their software tools has a command called "muddy," alluding to MuddyWater, a name other vendors use for Seedworm.

"There's evidence of [Seedworm] following the people who write on them so they can discover how those people are counseling organizations to protect themselves," says Cooley.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...