Threat Intelligence

12/10/2018
06:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

'Highly Active' Seedworm Group Hits IT Services, Governments

Since September, the cyber espionage actors have targeted more than 130 victims in 30 organizations including NGOs, oil and gas, and telecom businesses.

Cyber espionage group Seedworm has been on a tear recently, extending its  targets to the telecom, IT services, and oil and gas industries.

According to new research from Symantec's DeepSight Managed Adversary and Threat Intelligence (MATI) team, Seedworm - aka MuddyWater - is constantly evolving, as well as relying on publicly available tools to launch hundreds of successful attacks. Seedworm has been in operation since at least 2017, with its most recent activity occurring this month. Recent attacks aimed to collect data on targets mostly in the Middle East, Europe, and North America.

In September, the researchers found evidence of Seedworm and the APT28 (Fancy Bear, Swallowtail) espionage group on a machine located in the Brazil-based embassy of an oil-producing country. Two active groups on one computer was a red flag: at first, principal cyber intelligence analyst Jonathan Wrolstad thought they might be the same one. As it turned out, it was two attack groups operating independently inside the embassy's network.

"Because this victim was an embassy, it was likely to receive interest from a lot of cyber espionage groups," Wrolstad explains. "We assess it was just a coincidence that these two groups were on the same victim at exactly the same time."

The team continued looking into Seedworm and discovered new intelligence on the group, which he says likely operates out of the Middle East. Targets typically include embassies and government agencies within countries in the region; however, lately attackers have been adding oil and gas firms, telecom companies, and IT services to their list of victims.

Of the 131 victims the attackers targeted from mid-Sept. to late Nov. 2018, 39% were in Pakistan, 14% in Turkey, 8% in Russia, and 5% in Saudi Arabia. One-quarter were telecommunications firms, 16% were government agency IT services, and 14% were in oil and gas production.

While there is no definitive reason why Seedworm is focused on telecommunications and IT services, Wrolstad speculates they could be interested in gaining access to customers of those firms. That said, targets in the oil and gas industry point to added financial motivation.

Changing Tools and Techniques

Seedworm values speed and agility over operational security, a trait that helped researchers uncover more details on their operations, Wrolstad explains. They regularly adopt new tactics and techniques to stay hidden and consistently improve their operations over time.

Analysts could pinpoint the group's entryway and subsequent activity, which include new variants of their so-called Powermud backdoor, a new backdoor (Powermuddy), and custom tools to steal passwords, create reverse shells, escalate privilege, and use Windows' cabinet creation tool.

"Powermud is a tool they've been using since at least early 2017, and they've been updating it the entire time," says Wrolstad. Both Powermud and Powermuddy are PowerShell-based tools, and Powermuddy is not an evolution of the earlier tool but a new one altogether, he says.

Seedworm began using its new backdoor earlier this summer, which he expects they created to continue evading detection. Neither backdoor is more effective than the other, however, he adds.

Powermud is controlled from behind a proxy network to conceal its command-and-control location. After they use Powermud or Powermuddy to compromise a machine, attackers deploy a tool to steal passwords saved in browsers and email accounts – a sign they're after email, social media, and chat access.

But, of course, it's not all they're after. Open source tools LaZagne and Crackmapexec help them snag Windows authorization credentials, researchers report, and Seedworm uses unmodified versions of these tools in addition to custom versions that aren't used by any other threat group. Publicly available tools let Seedworm's actors quickly update operations using others' code.

"They're using tools that are different from what we might have seen in the past," says Al Cooley, Symantec director of product management. "All of these are typical of a group as they evolve and try to stay effective."

Unlike threat groups that write new malware for each operation, Seedworm uses minimal effort to adapt and evolve while staying effective, says Wrolstad. "They are very agile and quick to adapt, and also very successful," he adds, pointing to the 130 successful compromises.

Comfortable in the Spotlight

It's common for nation-states to pay attention to press so they know what security researchers know about them, says Wrolstad, but Seedworm seems to like attention more than most.

"One thing that's interesting about this group is they do seem very aware of the research that goes on surrounding their activities," he explains. For example, one of their software tools has a command called "muddy," alluding to MuddyWater, a name other vendors use for Seedworm.

"There's evidence of [Seedworm] following the people who write on them so they can discover how those people are counseling organizations to protect themselves," says Cooley.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.
CVE-2018-20727
PUBLISHED: 2019-01-17
Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow authenticated users to execute code on the server side via the flt parameter to Nodes-Traffic.php, the dv parameter to Devices-Graph.php, or the tit parameter to drawmap.php.