Seedworm digs Middle East intelligence
Dave Bittner: [00:00:02] Hello everyone, and welcome to the CyberWire's Research Saturday presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us
Dave Bittner: [00:00:25] And now a quick word about our sponsor, Juniper Networks. They're empowering you to automate your security, see your networks, and protect your clouds. Juniper Networks has you covered, so your security teams can finally get back to fortifying your security posture. Learn more at juniper.net/security, or connect with Juniper on Twitter or Facebook. That's juniper.net/security. And we thank Juniper for making it possible to bring you Research Saturday.
Dave Bittner: [00:00:58] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Al Cooley: [00:01:39] Seedworm is an organization or a group that we have been following since 2017.
Dave Bittner: [00:01:47] That's Al Cooley. He's Director of Product Management at Symantec. The research we're discussing today is titled, "Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms."
Al Cooley: [00:02:01] We have a regular list of cyber adversaries that, as an intelligence organization, we track and monitor, and Seedworm is amongst them. And I suspect - I don't recall, back, early 2007, how we first started on the tracking of Seedworm, but typically, we have proactive threat-hunting activities that we undertake as an intelligence organization, where we go out and both look to update the profiles of cyber actors we follow, as well as discover new ones. And I suspect that's how they came on our radar - through one of our regular hunting activities.
Dave Bittner: [00:02:44] Yeah. Well, let's dig into some of the specifics here about Seedworm and the specific things that you all outline in this publication here. In this particular case, how did they catch your attention?
Al Cooley: [00:02:55] This is kind of interesting. They actually caught our attention as part of one of the activities I just talked about, which is regularly updating our profile of APT28, which is a group that is of high interest to many of our customers, so we routinely seek out changes in their activity. And so that's what we were doing. We were actually looking for APT28 activity, which we did indeed find. We were looking at a system in the embassy of Mid-Eastern entity, and there was indeed APT28 activity there. But as we investigated, we uncovered evidence of Seedworm activity based upon our previous knowledge of that group.
Al Cooley: [00:03:42] So, this obviously is of interest to us as an intelligence organization. So, we did some digging and investigation, and we uncovered evidence of activity that was not previously known. We were not only able to see the initial entry point, but we were able to track subsequent activities after the entry and see their lateral movement activity.
Dave Bittner: [00:04:04] Is the conclusion then that Seedworm has some sort of relationship with APT28?
Al Cooley: [00:04:09] No, we don't think that's the case. You know, certainly that's something you go and investigate...
Dave Bittner: [00:04:16] Yeah.
Al Cooley: [00:04:15] ...Because, as you know, there have been cases in the past where what was thought as two independent activities have turned out to be somewhat related. That wasn't the case here. We continue to track these as two separate activities, just happens to be that they were on the same system - obviously, a system which was thought to have interesting data, since they were both there.
Dave Bittner: [00:04:39] I see. So, let's dig into some of the details about Seedworm itself. Can you take us through - how does it work, how does it get in, and what does it do once it's there?
Al Cooley: [00:04:48] Sure, sure. Always interesting, and kind of the heart of what we're trying to communicate to your audience so that they can better prepare themselves. So, in a typical Seedworm compromise, the compromise is initiated via an email which would contain a malicious macro-enabled Microsoft Word document, and that of course delivers the custom malware that they're known for using.
Al Cooley: [00:05:14] Once the victim opens the lure Powermud document - Powermud is the name of the malware that they use, the custom malware - so once they open that lure document and enable macros, then the malicious code executes. Now, obviously, they do some social engineering, and do some preparation of the email in the document to make it look attractive.
Al Cooley: [00:05:37] So, once the malicious code executes, it gathers system configuration information - and that might be IP information, OS, username, and so forth - and registers that with the C&C infrastructure, and then it goes on to retrieve additional commands. One of the interesting things we saw is that Seedworm attempts to hide their own C&C infrastructure behind a proxy network of compromised web servers. So, they are trying to be somewhat discreet in that respect.
Dave Bittner: [00:06:13] The folks who spin up Seedworm - what sort of tools are they using? Is it off-the-shelf stuff? Are they customizing their own tools? What's the breakdown there?
Al Cooley: [00:06:23] Yeah, it's actually a combination. So, they do have their own malware. There was the - or is the Powermud backdoor, which is a custom tool created by, or on the behest of, that group. And a new tool we discovered in this publication which we call "Powemuddy." So, two backdoors that are custom to them, and those perform relatively similar functions. The new variant, Powemuddy, that is a code rewrite of the older Powermuddy backdoor that had been enhanced and evolved over a period of time, likely for the purpose of ensuring it remains able to avoid detection, or trying to avoid detection. So, the backdoors are a custom tool that they've developed.
Al Cooley: [00:07:12] And then they also use either off-the-shelf or customized versions of some open-source tools. So, these would be things like LaZagne, for finding passwords and harvesting passwords, CrackMapExec, which would help them with lateral movement. So, those types of tools are either used as-is or with customization.
Al Cooley: [00:07:37] And then, interestingly, we found that they were using a GitHub repository too. That's kind of interesting. When we looked in there, we found custom PowerShell scripts that mapped to activities we had seen and compromise sites, as well as customization around some of those off-the-shelf tools that we had seen in victims. So, a combination of custom and off-the-shelf tools.
Dave Bittner: [00:08:04] Now, you also discovered a Twitter account that you think might be associated with the group?
Al Cooley: [00:08:09] Yes. Yes. And so, you know, this is the case where, once you discover something like the GitHub account, we look for similarities in other media to the profile of the account we discovered at GitHub. And we found a profile at Twitter that aligned pretty closely to the account in GitHub. And then when we went and looked at the activities of that Twitter account, we could see that the individual who'd set up that account was following researchers that wrote on Seedworm. We also discovered that they were following people who did enhancements to the tools they use. So, that confirmed our thought that these two accounts are associated with the Seedworm group.
Dave Bittner: [00:08:57] Yeah, interesting, as you pull that thread. Let's walk through some of who they're targeting and how they're going about doing it. In terms of the victims that they're going after here, what were you seeing there?
Al Cooley: [00:09:08] Yeah, it's interesting - from a victimology perspective, we did a in-depth dive into roughly a two-month period. So, from late September to mid-November of last year, we found 131 unique victims compromised over that rough two-month period. And we're pretty lucky, because we have a large repository of sensor information that we, as a large cybersecurity company, have available to us. So we're able to see a lot of activities that would be difficult for many people to find.
Dave Bittner: [00:09:44] Right.
Al Cooley: [00:09:44] So, yeah. So, we found 131 unique victims that are compromised over that two-month period. Most of them were located in the Mid-East. So that would be places like Pakistan, Turkey, Saudi Arabia, and places like that. But there were some that were in both the European Union and North America. But when we did a little bit of poking into those victims, we found many links from those victims back to the Mid-East. So, the Mid-East seems to be the common thread that we see amongst a lot of the victims.
Al Cooley: [00:10:16] You can also look at the victims from an industry perspective, because that gives you some different insights into what they might be after. And they included government agencies, oil and gas production companies, and some nongovernmental agencies - which, you know, tends to point you in the direction of, you know, cyber espionage.
Al Cooley: [00:10:37] We also saw a reasonable number of victims in the service industries - IT and telecom services. So, those aren't typically thought to be victims themselves, but more as a vehicle towards getting further information on the end-victims, because they're likely to be providing services to those victims.
Dave Bittner: [00:10:59] Now, in terms of what they're after, do you have any visibility there? What do you suppose their goal is here?
Al Cooley: [00:11:06] Yeah, typically, a cyber espionage group is tasked by their sponsors to getting information - actionable information - on issues that are important to the sponsor at that point in time. So that can be information on organizations involved in discussions that are going on that are important to them, individuals who may be driving actions in either geographies or topics of interest to them. So that's typically what they're tasked with getting.
Dave Bittner: [00:11:40] I see. Now, in terms of folks protecting themselves against these specific attacks, what are your recommendations?
Al Cooley: [00:11:47] There's a variety of things that people can do. Certainly, you want to make sure you have in place both network and endpoint protections, because there are detections available for the malware that they're using. And in fact, when we looked at the victims that we studied, we did feel that those protections were firing. So, certainly put those in place.
Al Cooley: [00:12:13] Other things you can do is the monitoring of administrative tools. Those should be monitored and you should not see anybody using administrative tools that's not an administrator in your organization. So, if an end user is using an administrative tool, that is something you should definitely take a look at.
Al Cooley: [00:12:30] Other things you can do are the basic things around end-user education. Don't download documents you are not familiar with. Don't open them. Don't enable macros. All those basic housekeeping.
Al Cooley: [00:12:45] Organizations can also monitor or block access to the network locations that we've outlined in our publication. So, the command-and-control infrastructure, you can be monitoring connections to there. And you can also do searches for the hashes that we provided for the files. So, there's quite a range of things that people could do to protect themselves.
Dave Bittner: [00:13:11] So, what's your estimation of the level of sophistication of this group?
Al Cooley: [00:13:16] This group has been quite active, as we saw from the number of victims. They appear to be successful, as we saw from the number of victims. But I would not put them on the sophisticated end of the spectrum. They seem to be focused on speed, agility, and getting the information they want, rather than stealth and caution. So, I would not put them on the sophisticated end of the spectrum, but I would say they are obviously being effective with the tools they're using.
Dave Bittner: [00:13:48] And how about persistence? When you've discovered them and alerted organizations to their presence, and taken action to get them out of the system, what's that process been like? Do they come back and try to get back in, or what do you see there?
Al Cooley: [00:14:03] No, I think it appears that they're targeting changes over time. So, it doesn't appear that targets of interest on Day X are necessarily targets of interest on Day Y. There may be some exceptions to that, but that's a judgment based upon the analysis we've done.
Dave Bittner: [00:14:23] Are there any sort of overarching take-homes? When you when you look at the big picture of what a group like this represents in the larger ecosystem, if you will, of the folks that we're defending against, any thoughts on where they sit in that ranking?
Al Cooley: [00:14:38] Yeah, I would say these are not folks that I would put at the high end of the importance list to our customers. Certainly, they are being successful at getting information that is relevant to their sponsors, but they don't have the large impact and the footprint that would put them at the high end of our customers' concern list. They're certainly active and need to be paid attention to. But I wouldn't put them at the high end of that list.
Dave Bittner: [00:15:17] Our thanks to Al Cooley from Symantec for joining us. The research is titled "Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms and IT Firms." We'll have a link in the show notes.
Dave Bittner: [00:15:30] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.
Dave Bittner: [00:15:41] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:15:49] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. It's produced by Pratt Street Media. The coordinating producer is Jennifer Eiben; editor is John Petrik; technical editor is Chris Russell; executive editor is Peter Kilpe; and I'm Dave Bittner. Thanks for listening.