Security firm: Cyber espionage group Seedworm escalating attacks

A cyber espionage group called Seedworm is escalating its malicious web activities, hitting a variety of targets including government organizations and telecommunications companies over the past couple of months, a security firm said Monday.

Symantec researchers said Seedworm has infiltrated more than 30 organizations since late September, with the targets predominantly based in Pakistan and Turkey, but also in Saudi Arabia, Russia, Afghanistan and Jordan. Companies based in Europe and the U.S. with ties to the Middle East were also hit.


"The telecommunications and IT services sectors were the main targets. Entities in these sectors are often 'enabling victims' as telecommunications providers or IT services agencies and vendors could provide Seedworm actors with further victims to compromise," the report says, noting the second most hit group were companies in the oil and gas sector.

Seedworm uses — and continues to update — a custom tool known as the Powermud backdoor, which allows the group to evade detection in the computer systems it hacks. Symantec said Seedworm is the only group known to use this backdoor.

"After compromising a system, typically by installing Powermud or Powemuddy, Seedworm first runs a tool that steals passwords saved in users’ web browsers and email, demonstrating that access to the victim's email, social media, and chat accounts is one of their likely goals," the report reads.

In addition to discovering the new tool, the security firm says it has gained "extensive insights" into the group's activity by uncovering the GitHub repository where the group stores its malicious scripts, along with the post-compromise tools it uses on victims' systems.

Symantec researchers described Seedworm, which is also known as MuddyWater or Zagros, as a sophisticated group that continuously shifts its tactics, making it hard to track.

"Choosing to rely on publicly available tools allows Seedworm to quickly update their operations by using code written by others and applying only small customizations. And they appear to adopt some of the most effective and capable tools," the firm found.