Threat Intelligence

12/10/2018
06:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

'Highly Active' Seedworm Group Hits IT Services, Governments

Since September, the cyber espionage actors have targeted more than 130 victims in 30 organizations including NGOs, oil and gas, and telecom businesses.

Cyber espionage group Seedworm has been on a tear recently, extending its  targets to the telecom, IT services, and oil and gas industries.

According to new research from Symantec's DeepSight Managed Adversary and Threat Intelligence (MATI) team, Seedworm - aka MuddyWater - is constantly evolving, as well as relying on publicly available tools to launch hundreds of successful attacks. Seedworm has been in operation since at least 2017, with its most recent activity occurring this month. Recent attacks aimed to collect data on targets mostly in the Middle East, Europe, and North America.

In September, the researchers found evidence of Seedworm and the APT28 (Fancy Bear, Swallowtail) espionage group on a machine located in the Brazil-based embassy of an oil-producing country. Two active groups on one computer was a red flag: at first, principal cyber intelligence analyst Jonathan Wrolstad thought they might be the same one. As it turned out, it was two attack groups operating independently inside the embassy's network.

"Because this victim was an embassy, it was likely to receive interest from a lot of cyber espionage groups," Wrolstad explains. "We assess it was just a coincidence that these two groups were on the same victim at exactly the same time."

The team continued looking into Seedworm and discovered new intelligence on the group, which he says likely operates out of the Middle East. Targets typically include embassies and government agencies within countries in the region; however, lately attackers have been adding oil and gas firms, telecom companies, and IT services to their list of victims.

Of the 131 victims the attackers targeted from mid-Sept. to late Nov. 2018, 39% were in Pakistan, 14% in Turkey, 8% in Russia, and 5% in Saudi Arabia. One-quarter were telecommunications firms, 16% were government agency IT services, and 14% were in oil and gas production.

While there is no definitive reason why Seedworm is focused on telecommunications and IT services, Wrolstad speculates they could be interested in gaining access to customers of those firms. That said, targets in the oil and gas industry point to added financial motivation.

Changing Tools and Techniques

Seedworm values speed and agility over operational security, a trait that helped researchers uncover more details on their operations, Wrolstad explains. They regularly adopt new tactics and techniques to stay hidden and consistently improve their operations over time.

Analysts could pinpoint the group's entryway and subsequent activity, which include new variants of their so-called Powermud backdoor, a new backdoor (Powermuddy), and custom tools to steal passwords, create reverse shells, escalate privilege, and use Windows' cabinet creation tool.

"Powermud is a tool they've been using since at least early 2017, and they've been updating it the entire time," says Wrolstad. Both Powermud and Powermuddy are PowerShell-based tools, and Powermuddy is not an evolution of the earlier tool but a new one altogether, he says.

Seedworm began using its new backdoor earlier this summer, which he expects they created to continue evading detection. Neither backdoor is more effective than the other, however, he adds.

Powermud is controlled from behind a proxy network to conceal its command-and-control location. After they use Powermud or Powermuddy to compromise a machine, attackers deploy a tool to steal passwords saved in browsers and email accounts – a sign they're after email, social media, and chat access.

But, of course, it's not all they're after. Open source tools LaZagne and Crackmapexec help them snag Windows authorization credentials, researchers report, and Seedworm uses unmodified versions of these tools in addition to custom versions that aren't used by any other threat group. Publicly available tools let Seedworm's actors quickly update operations using others' code.

"They're using tools that are different from what we might have seen in the past," says Al Cooley, Symantec director of product management. "All of these are typical of a group as they evolve and try to stay effective."

Unlike threat groups that write new malware for each operation, Seedworm uses minimal effort to adapt and evolve while staying effective, says Wrolstad. "They are very agile and quick to adapt, and also very successful," he adds, pointing to the 130 successful compromises.

Comfortable in the Spotlight

It's common for nation-states to pay attention to press so they know what security researchers know about them, says Wrolstad, but Seedworm seems to like attention more than most.

"One thing that's interesting about this group is they do seem very aware of the research that goes on surrounding their activities," he explains. For example, one of their software tools has a command called "muddy," alluding to MuddyWater, a name other vendors use for Seedworm.

"There's evidence of [Seedworm] following the people who write on them so they can discover how those people are counseling organizations to protect themselves," says Cooley.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18913
PUBLISHED: 2019-03-21
Opera before 57.0.3098.106 is vulnerable to a DLL Search Order hijacking attack where an attacker can send a ZIP archive composed of an HTML page along with a malicious DLL to the target. Once the document is opened, it may allow the attacker to take full control of the system from any location with...
CVE-2018-20031
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to preemptive item deletion in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2018-20032
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to message decoding in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon t...
CVE-2018-20034
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2019-3855
PUBLISHED: 2019-03-21
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.