An Iran-linked ‘seedworm’ nexus has been linked to a cyberespionage campaign targeting telecom operators and IT services businesses in Pakistan, a utility company in the Middle East, and other regions across Asia, according to a report by Symantec.

The report states that the attacks on the Asian telcos during the previous six months have been linked to a group of hackers who have reportedly been running state-sponsored hacking cells from within Iran.

Cyberespionage tactics often use a potent mix of well-known malware called spear phishing and genuine network utilities to steal data and potentially disrupt supply chains.

The “seedworm” group in today’s highlight is reported to have struck a number of companies in Pakistan, Israel, Jordan, Kuwait, Laos, Saudi Arabia, Thailand, and the United Arab Emirates as part of its latest hacking campaign, which Symantec’s security experts have been following for the past six months.

These attacks used legitimate tools, off-the-grid tactics, and publicly available malware data. Although the identity of the attackers is unconfirmed, Symantec suggests the attacks were orchestrated by an Iranian group called “Seedworm”, a.k.a MuddyWater or TEMP.Zagros.

Zaki Khalid, a Rawalpindi-based strategic affairs analyst, told ProPakistani,

Iran has been regularly involved in state-sponsored information operations to skew the discourse within Pakistan in favor of its interests. This cyber espionage campaign is a broader attempt to spy for regional political interests. These actions are an ‘act of aggression’, as defined in Pakistan’s National Cyber Security Policy 2021. The federal government is bound to retaliate in a manner that creates effective deterrence.

How Were Telcos Targeted?

According to Symantec research, a typical attack in the newest campaign began with attackers penetrating a targeted network and then attempting to steal credentials in order to move laterally and deploy webshells onto Exchange Servers.

For ‘educational’ purposes, researchers deconstructed a specific attack on a certain Middle Eastern telecom company that was targeted by the alleged group in August. The first sign of compromise, in this case, was the development of a service to launch an unknown Windows Script File (WSF). Scripts were then utilized to issue domain, user, and remote service discovery commands, and PowerShell was then used to download and execute files and scripts. The researchers assumed that the attackers also used a remote access tool that purported to query Exchange Servers of other firms.

One feature of this attack against telcos is that the attackers may have attempted to pivot to other targets by connecting to Exchange Web Services (EWS) of other organizations operating in the same region.

In some cases, compromised environments were used to launch attacks against other corporations, while others were targeted for supply-chain attacks against other victims.

Whereabouts and Future

According to Symantec, some of the tools used in these attacks overlap with tools previously associated with Seedworm (including two identical versions of SharpChisel and Password Dumper), and two of the IP addresses are known to have been used in previous Seedworm attacks, implying that the Iranian group is behind the campaign.

While the group’s final purpose is unknown, its focus on telcos shows its gathering intelligence on the industry, and maybe seeking to pivot into large-scale communications espionage.

Notably, the Iranian group has previously targeted telcos in the Middle East and throughout Asia with hacks. A Symantec spokesperson described the activity detailed in the report as “a step up” for the hacker group in its focus, and a possible foreshadowing of more attacks to come.