CyberWire Daily - Encore: Seedworm digs Middle East intelligence. [Research Saturday]
Episode Date: December 26, 2020
Researchers at Symantec have been tracking Seedworm, a cyber espionage group targeting the Middle East as well as Europe and North America. The threat group targets government agencies, oil & gas facilities, NGOs, telecoms and IT firms. Al Cooley is director of product management at Symantec, and he joins us to share their findings. The original research can be found here: https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group
Transcript
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Seedworm is an organization, or a group, that we have been following since 2017.
That's Al Cooley. He's director of product management at Symantec. The research we're discussing today is titled "Seedworm: Group Compromises Government Agencies, Oil and Gas, NGOs, Telecoms, and IT Firms." We have a regular list of cyber adversaries that, as an intelligence organization, we track and monitor, and Seedworm is amongst them. And I suspect, I don't recall back in early 2017, how we first started on the tracking of Seedworm. But typically, we have proactive threat hunting activities that we undertake as an intelligence organization, where we go out and both look to update the profiles of cyber actors we follow as well as discover new ones.
And I suspect that's how they came on our radar, through one of our regular hunting activities.
Yeah, well, let's dig into some of the specifics here about Seedworm and the specific things that you all outline in this publication here. In this particular case, how did they catch your attention?
This is kind of interesting. They actually caught our attention as part of one of the
activities I just talked about, which is regularly updating our profile of APT28,
which is a group that is of high interest to many of our customers. So we routinely
seek out changes in their activity. And so that's what we were doing. We're actually
looking for APT28 activity, which we did indeed find. We were looking at a system
in the embassy of a Middle Eastern entity. And there was indeed APT28 activity there.
But as we investigated, we uncovered evidence of Seedworm activity based upon our previous
knowledge of that group. So this obviously is of interest to us as an intelligence organization.
So we did some digging and investigation and we uncovered evidence of
activity that was not previously known. We were not only able to see the initial entry point,
but we're able to track subsequent activities after the entry and see their lateral movement
activity. Is the conclusion then that Seedworm has some sort of relationship with APT28?
No, we don't think that's the case.
You know, certainly that's something you go and investigate.
Because as you know, there have been cases in the past where what was thought as two
independent activities have turned out to be somewhat related.
That wasn't the case here.
We continue to track these as two separate activities. It just happens
to be that they were on the same system, obviously a system which was thought to have interesting
data since they were both there. I see. So let's dig into some of the details about Seedworm
itself. Can you take us through how does it work? How does it get in and what does it do once it's
there? Sure, sure. Always interesting and kind of the heart of what we're trying to communicate to your audience
so that they can better prepare themselves.
So in a typical Seedworm compromise, the compromise is initiated via an email, which would contain a malicious macro-enabled Microsoft Word document.
And that, of course, delivers the custom malware that they're known for using.
Once the victim opens the lure Powermud document, and Powermud is the name of the malware that they use, the custom malware. So once they open that lure document and enable macros, then the malicious code executes. Now, obviously, they do some social engineering and do some preparation of the email and the document to make it look attractive.
So once the malicious code executes, it gathers system configuration information, and that might be IP information, OS, username, and so forth, and registers that with the C&C infrastructure. And then it goes on to retrieve additional commands. One of the interesting things we saw is that Seedworm attempts to hide their own C&C infrastructure behind a proxy network of compromised web servers. So they are trying to be somewhat discreet in that respect.
The folks who spin up Seedworm, what sort of tools are they using?
Is it off-the-shelf stuff?
Are they customizing their own tools?
What's the breakdown there?
Yeah, it's actually a combination.
So they do have their own malware.
There was or is the Powermud backdoor, which is a custom tool created by or on the behest of that group. And a new tool we discovered in this publication, which we call Powemuddy. So two backdoors that are custom to them, and those perform relatively similar functions. The new variant, Powemuddy, is a code rewrite of the older Powermud backdoor that had been enhanced and evolved over a period of time, likely for the purpose of ensuring it remains able to avoid detection, or trying to avoid detection. So the backdoors are a custom tool that they've developed.
And then they also use either off-the-shelf or customized versions of some open source tools.
So these would be things like LaZagne for finding passwords and harvesting passwords,
CrackMapExec, which would help them with lateral movement.
So those types of tools are either used as is or with customization.
And then interestingly, we found that they were using a GitHub repository too.
That's kind of interesting.
When we looked in there, we found custom PowerShell scripts that mapped to activities we had seen in compromised sites,
as well as customization around some of those off-the-shelf tools that we had seen in victims.
So a combination of custom and off-the-shelf tools.
Now, you also discovered a Twitter account that you think might be associated with the group?
Yes, yes. And so, you know, this is the case where once you discover something like the GitHub
account, we look for similarities in other media to the profile of the account we discovered at
GitHub. And we found a profile at Twitter that aligned pretty closely to the account in GitHub. And then when we went
and looked at the activities of that Twitter account, we could see that the individual who
set up that account was following researchers that wrote on Seedworm. We also discovered that
they were following people who did enhancements to the tools they use. So that confirmed our thought that these two accounts are associated with the Seedworm group.
Yeah, interesting as you pull that thread.
Let's walk through some of who they're targeting and how they're going about doing it.
In terms of the victims that they're going after here, what were you seeing there?
Yeah, it's interesting. From a victimology perspective, we did an in-depth dive into
roughly a two-month period. So from late September to mid-November of last year,
we found 131 unique victims compromised over that rough two-month period. And we're pretty lucky because we have
a large repository of sensor information that we as a large cybersecurity company have available
to us. So we're able to see a lot of activities that were difficult for many people to find.
So yeah, so we found 131 unique victims that were compromised over that two-month period.
Most of them were located in the Mideast, so that would be places like Pakistan, Turkey,
Saudi Arabia, and places like that. But there were some that were in both the European Union and North America.
But when we did a little bit of poking into those victims, we found many links from those
victims back to the Mideast.
So the Mideast seems to be the common thread that we see amongst a lot of the victims.
You can also look at the victims from an industry perspective, because that gives you some different
insights into what they might be after.
And they included government agencies, oil and gas production companies, and some non-governmental
agencies, which tends to point you in the direction of cyber espionage. We also saw
a reasonable number of victims in the service industries, IT and telecom services. So those
aren't typically thought to be victims themselves, but more as a vehicle towards getting further
information on the end victims because they're likely to be providing services to those victims.
Hmm. Now, in terms of what they're after, do you have any visibility there? What do you suppose
their goal is here? Yeah. Typically, a cyber espionage group is tasked by their sponsors with getting
information, actionable information, on issues that are important to the sponsor at that point in time.
So that can be information on organizations involved in discussions that are going on that are important to them, individuals who may be driving actions
in either geographies or topics of interest to them. So that's typically what they're tasked
with getting. I see. Now, in terms of folks protecting themselves against these specific
attacks, what are your recommendations? There's a variety of things that people can do.
Certainly, you want to make sure you have in place both network and endpoint protections because there are detections available for the malware that they're using. And in fact,
when we looked at the victims that we studied, we did feel that those protections were firing. So certainly put
those in place. Other things you can do is the monitoring of administrative tools. Those should
be monitored, and you should not see anybody using administrative tools that's not an administrator
in your organization. So if an end user is using an administrative tool, that is something you
should definitely take a look at.
Other things you can do are the basic things around end user education.
Don't download documents you are not familiar with.
Don't open them.
Don't enable macros.
All those basic housekeeping.
Organizations can also monitor or block access to the network locations that we've outlined in our publication.
So the command and control infrastructure, you can be monitoring connections to there.
And you can also do searches for the hashes that we provided for the files.
So there's quite a range of things that people can do to protect themselves. So what's your estimation of the level of sophistication of this group?
This group has been quite active, and they appear to be successful, as we saw from the number of victims. But I would not put them on the sophisticated end of the spectrum. They seem to be focused on speed, agility, and getting the information they want rather than stealth and caution.
But I would say they are obviously being effective with the tools they're using.
And how about persistence? When you've discovered
them and alerted organizations to their presence and taken action to get them out of the system,
what's that process been like? Do they come back and try to get back in or what do you see there?
No, I think it appears that their targeting changes over time. So it doesn't appear that targets of interest on day
X are necessarily targets of interest on day Y. There may be some exceptions to that, but
that's a judgment based upon the analysis we've done.
Are there any sort of overarching take-homes? When you look at the big picture of
what a group like this represents in the larger ecosystem, if you will, of the folks that we're defending against,
any thoughts on where they sit in that ranking? Yeah, I would say these are not folks that I
would put at the high end of the importance list to our customers. Certainly, they are being successful at getting information
that is relevant to their sponsors, but they don't have the large impact and footprint that
would put them at the high end of our customers' concern list. They're certainly active and need
to be paid attention to, but I wouldn't put them at the high end of that list.
Our thanks to Al Cooley from Symantec for joining us. The research is titled Seedworm,
Group Compromises Government Agencies, Oil and Gas, NGOs, Telecoms, and IT Firms.
We'll have a link in the show notes.
The CyberWire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris
Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for
listening. Thank you.