Seedworm cyberespionage group targeted government agencies, IT firms, NGOs and more
- The hacker group has targeted over 130 victims across 30 organizations.
- Seedworm, aka MuddyWater, has been active since at least 2017 and has launched campaigns against entities in the Middle East, Europe, and North America.
The cyberespionage group Seedworm, also known as MuddyWater has been highly active this past year. Security researchers discovered that the hacker group has targeted over 130 victims across 130 organizations.
According to security researchers at Symantec, Seedworm and Fancy Bear - the Kremlin-linked cyberespionage group - were found targeting the same system of a Brazil-based embassy of an oil-producing nation. Researchers also discovered a new variant of the Powermud backdoor and an entirely new backdoor dubbed Powermuddy.
Seedworm was found using custom hacking tools to steal passwords, create reverse shells, launch privilege escalation attacks, and more.
“Seedworm likely functions as a cyber espionage group to secure actionable intelligence that could benefit their sponsor’s interests. During the operations, the group used tools consistent with those leveraged during past intrusions including Powermud, a custom tool used by the Seedworm group, and customized PowerShell, LaZagne, and Crackmapexec scripts,” Symantec researchers said in a report.
Powermud, which is a backdoor associated solely with Seedworm, is hidden behind a proxy network to mask the location of the malware’s C2. Typically, Powermud or Powermuddy is installed after the initial compromise is complete. The backdoor then steals passwords from victims’ web browsers and emails, gaining access to victims’ social media and email accounts.
The hacker group uses open-source tools like LaZagne and Crackmapexec to obtain Windows authorization credentials. The group also has been using multiple online accounts to carry out its malicious campaigns. Seedworm relies on publicly accessible hacking tools to rapidly update their tools and scale up attacks.
Who was targeted?
Symantec researchers discovered that Seedworm’s victims were primarily located in Pakistan and Turkey. However, the hacker group also launched attacks against targets in Russia, Saudi Arabia, Afghanistan, Jordan and elsewhere.
“The telecommunications and IT services sectors were the main targets. Entities in these sectors are often "enabling victims" as telecommunications providers or IT services agencies and vendors could provide Seedworm actors with further victims to compromise,” Symantec researchers said. “Successfully compromising victims in these two industries provides additional clues about the sophistication and skills of the Seedworm group.”
The oil and gas sector was the second most targeted, with 11 victims from one Russian firm compromised. Seedworm also targeted universities, public healthcare organizations, and NGOs.