Symantec uncovers Seedworm cyber espionage group
Symantec Corp. of Mountain View, CA announced on December 18 that it has uncovered extensive insights into a cyber espionage group responsible for a recent series of cyber attacks. Seedworm (also known as MuddyWater or Zagros) gathers intelligence on targets spread primarily across the Middle East and has successfully compromised dozens of organizations – including well-known multinational organizations, government agencies, telecommunications companies, and oil and gas firms – since late September 2018.
Symantec’s DeepSight Managed Adversary and Threat Intelligence (MATI) researchers found evidence of both Seedworm/MuddyWater and the espionage group APT28 (aka Swallowtail, Fancy Bear) on a computer at a Middle Eastern country’s embassy last September, leading to the discovery of a new backdoor, techniques, and tools used by the group. Symantec’s researchers identified the group’s initial entry point and were able to follow the group’s subsequent activities.
After first compromising a system through a backdoor, Seedworm appears to run a tool that steals passwords saved in users’ web browsers and email clients, and uses open-source tools to obtain Windows authentication credentials. Since as early as 2017, the group appears to have repeatedly updated its backdoor to evade detection and to thwart security researchers. Symantec’s research further reveals that Seedworm/MuddyWater uses GitHub and a handful of publicly available tools, which it then customizes to carry out its work.
Seedworm’s motivations are much like those of many cyber espionage groups: seeking actionable information about the organizations and individuals it targets. The group pursues this with a preference for speed and agility over operational security, which ultimately led to Symantec’s identification of its key operational infrastructure.
Symantec has notified the appropriate public and private sector partners regarding Seedworm’s latest targets, tools and techniques.