The Iranian state-sponsored threat group Seedworm has been targeting telcos, IT, and utility companies across the Middle East and Asia for the past six months, according to Symantec's Threat Hunter Team. The threat group, also tracked as MuddyWater, has attacked organizations in the Middle East and neighboring regions in the past as well.

What has happened?

The recent cyberespionage campaigns are using a mix of spear-phishing, known malware, and genuine network utilities. All these tools and tactics are used to steal data and disrupt supply chains.
  • Symantec researchers analyzed an attack against a telecom firm in the Middle East that started in August, where the attackers created a service to launch an unknown Windows Script File (WSF).
  • The attacker appears to have attempted to infect other victims by targeting the telecom organization and connecting to the Exchange Web Services (EWS) of other organizations.
  • The campaign was found active in organizations in Thailand, Jordan, Pakistan, Saudi Arabia, the UAE, Kuwait, Laos, and Israel with publicly available malware, legitimate tools, and living-off-the-land tactics.
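
A defender-side check for the first bullet above (a service created to launch a Windows Script File), added here as an example and not taken from Symantec's report: it scans Service Control Manager Event ID 7045 ("A service was installed in the system") records for service command lines that reference a .wsf script. The JSON-lines export shape, host names, service names and paths are constructed assumptions.

```python
import json
import re

# Constructed sample records, shaped like System-log Event ID 7045 entries
# exported as JSON lines (the flattened field layout is an assumption).
SAMPLE_EVENTS = r'''
{"EventID": 7045, "Computer": "HOST-A", "ServiceName": "Print Spooler Helper", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"}
{"EventID": 7045, "Computer": "HOST-B", "ServiceName": "UpdSvc", "ImagePath": "cmd.exe /c \"WScript.exe //B C:\\ProgramData\\upd\\task.WSF\""}
{"EventID": 7045, "Computer": "HOST-C", "ServiceName": "Helper2", "ImagePath": "\"C:\\Windows\\System32\\cscript.exe\" //nologo \"C:\\Users\\Public\\a b\\run.wsf\" arg1"}
{"EventID": 7036, "Computer": "HOST-B", "ServiceName": "UpdSvc", "ImagePath": ""}
{"EventID": 7045, "Computer": "HOST-D", "ServiceName": "Docs", "ImagePath": "C:\\Tools\\wsfviewer.exe C:\\notes.txt"}
'''

# Windows script hosts, matched as whole file names regardless of case or quoting.
SCRIPT_HOST = re.compile(r'(?<![\w.-])(wscript|cscript)(?:\.exe)?(?![\w.-])', re.I)
# A .wsf extension at the end of a path token (not "wsfviewer.exe").
WSF_FILE = re.compile(r'\.wsf(?!\w)', re.I)


def find_wsf_services(lines):
    """Return (computer, service, reasons) for each service-install event
    whose command line references a Windows Script File."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") != 7045:  # only service installations
            continue
        image_path = event.get("ImagePath") or ""
        if not WSF_FILE.search(image_path):
            continue
        reasons = ["wsf-script"]
        host = SCRIPT_HOST.search(image_path)
        if host:  # record which script host the service invokes
            reasons.append("script-host:" + host.group(1).lower())
        hits.append((event["Computer"], event["ServiceName"], reasons))
    return hits


if __name__ == "__main__":
    for computer, service, reasons in find_wsf_services(SAMPLE_EVENTS):
        print(f"{computer}: service {service!r} -> {', '.join(reasons)}")
```
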

Attack vectors

The attackers are believed to be gaining entry to networks with the use of spear-phishing and stealing credentials for lateral movement.
  • For initial entry in one attack, the researchers observed a suspected ScreenConnect setup MSI delivered in a zipped file named Special discount program[.]zip, which arrived in a spear-phishing email.
  • Additionally, researchers spotted two IP addresses used in the campaign that were linked to Seedworm activity, along with some overlap in tools such as SharpChisel and Password Dumper.

Supply-chain disruption

Researchers observed that the attackers made a deliberate attempt to target more and more organizations by mounting a supply-chain attack.
  • In one attack against a utility firm in Laos, the attackers were observed exploiting a public-facing service for gaining initial entry, as the first targeted machine was the IIS web server.
  • Then, attackers used PowerShell to spread malicious tools and scripts to the network and connected to a webmail server of a firm in Thailand, along with IT-related servers of another firm.

Conclusion

Seedworm’s focus on gathering telecom-related intelligence leaves researchers with little to go on, as it cannot be accurately predicted how the attackers will exploit it. Precautionary measures are still the best defense.

Cyware Publisher
