Symantec Research: Cyber Espionage Group Has Compromised Dozens of Organizations Globally Since September

Dec 18, 2018 04:13 pm
MOUNTAIN VIEW, Calif. -- 

Symantec Corp. (NASDAQ: SYMC), the world’s leading cyber security company, announced it has uncovered extensive insights into a cyber espionage group responsible for a recent series of cyber attacks. Seedworm (also known as MuddyWater or Zagos), gathers intelligence on targets spread primarily across the Middle East and has successfully compromised dozens of organizations – including well-known multinational organizations, government agencies, telecommunications, and oil and gas firms – since late September 2018.

Symantec’s DeepSight Managed Adversary and Threat Intelligence (MATI) researchers found evidence of Seedworm/MuddyWater and the espionage group APT28 (aka Swallowtail, Fancy Bear) on a computer of a Middle Eastern country’s embassy last September, leading to the discovery of a new backdoor, techniques, and tools used by the group. Researchers at Symantec uncovered the group’s initial entry point and were able to follow the group’s subsequent activities.

After first compromising a system through a backdoor, Seedworm appears to run a tool that steals passwords saved in users’ web browsers and email and use open-source tools to obtain Windows authorization credentials. Since as early as 2017, the group appears to have repeatedly updated their backdoor to evade detection and to thwart security researchers. Symantec’s research further reveals that Seedworm/MuddyWater uses GitHub and a handful of publicly available tools, which they then customize to carry out their work.

Seedworm’s motivations are much like many cyber espionage groups, seeking actionable information about their targeted organizations and individuals. The cyber espionage group accomplished this with a preference for speed and agility over operational security, which ultimately led to Symantec’s identification of their key operational infrastructure.

Symantec has notified the appropriate public and private sector partners regarding Seedworm’s latest targets, tools and techniques.

For more information on Symantec’s research into Seedworm/MuddyWater: https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group

Symantec has the following protections in place to help prevent attacks from Seedworm/ MuddyWater:

File-based protection

Network-based protection

Symantec’s Seedworm research marks the 20th research-focused blog since May 2018 that Cyber Threat Alliance (CTA) members have shared prior to publication. By sharing threat intelligence, CTA members are able to swiftly protect their customers against global threats.

About Symantec

Symantec Corporation (NASDAQ: SYMC), the world's leading cyber security company, helps organizations, governments and people secure their most important data wherever it lives. Organizations across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, cloud and infrastructure. Likewise, a global community of more than 50 million people and families rely on Symantec's Norton and LifeLock product suites to protect their digital lives at home and across their devices. Symantec operates one of the world's largest civilian cyber intelligence networks, allowing it to see and protect against the most advanced threats. For additional information, please visit www.symantec.com or connect with us on Facebook, Twitter, and LinkedIn.

Jennifer Duffourg
Symantec
+33 6 73 06 50 43
[email protected]

Jenn Foss
Edelman
(503) 471-6804
[email protected]