A group likely operating out of the Middle East has compromised 131 victims in 30 organizations since September, including telecommunications firms, a Russian oil and gas company and unidentified government embassies, new research shows.
The hackers have hit organizations in Pakistan, Russia, Saudi Arabia, Turkey, and North America, among other places, in an espionage operation designed to acquire “actionable information” on targets, cybersecurity company Symantec said Monday. After breaching a system, the group runs a password-stealing program with the likely aim of accessing victims’ email and social media accounts, researchers found.
The group, dubbed Seedworm by Symantec and MuddyWater by others, gained notoriety earlier this year for threatening to kill security researchers investigating it. That followed a spearphishing campaign from January to March against government and defense organizations in Central and Southwest Asia, which cybersecurity company FireEye documented.
While there has been no definitive public attribution of MuddyWater, Ben Read, FireEye’s senior manager of analysis, told CyberScoop the group’s activity “aligns with Iran’s interest.” For their part, Symantec’s research team said the group is likely backed by a nation-state.
Most of the victims for which Symantec identified a sector were telecom and IT service providers that offer attackers a foothold into other organizations. All 11 of the victims in oil and gas are part of one Russian company with a presence in the Middle East, Symantec said. The group also targeted the embassies of Middle Eastern countries in Europe.
The cache of new data from Symantec offer insight into MuddyWater’s tactics, techniques, and procedures. That includes a new backdoor the group uses for remote access to victim networks, a GitHub repository for storing malicious scripts, and several hacking tools for exploiting targets after they are compromised.
The research sprung from an intriguing discovery that highlights how, in the field of cyber-espionage, state-sponsored actors show up on the same victim network. In September, Symantec found evidence that both MuddyWater and Fancy Bear, the infamous hacking group linked with Russian intelligence, were on the network of an “oil-producing” nation’s embassy in Brazil.
“It is not common, but it is not unusual either that an embassy would have two different compromises due to their frequent targeting,” Jonathan Wrolstad, principal cyber intelligence analyst at Symantec, told CyberScoop. Malware on the embassy’s network distinguished the two groups, he added.
Like other advanced groups, MuddyWater has a knack for using open-source tools alongside their own custom resources. “Choosing to rely on publicly available tools allows Seedworm to quickly update their operations by using code written by others and applying only small customizations,” the research says.
There is no sign of MuddyWater letting up. FireEye’s Read said the group, which his company calls TEMP.Zagros, “has continued to target multiple countries in the Middle East and Central Asia,” with a focus on foreign affairs ministries and other government targets.