Hackers targeted a string of telecommunication operators and IT service organizations in the Middle East and Asia over the last six months, according to research published Tuesday.
The suspected espionage activity targeted organizations in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos, according to the research from Symantec’s Threat Hunter Team. The “targeting and tactics are consistent with Iranian-sponsored actors,” researchers noted, but stopped short of tying the activity to the Iranian government.
Some of the evidence shows a link to Seedworm — otherwise known as MuddyWater — a prolific hacking group with suspected ties to Iran known for concerted espionage efforts dating back to at least 2015. The group previously threatened to kill security researchers who stumbled across one of its command-and-control servers. Its operators have also focused on academia and the tourism industry in multiple countries earlier this year, and governments and other telecommunications operators over the last several years.
Symantec researchers noted that the latest activity shows the attackers relying on a mixture of legitimate remote administration and security assessment tools and publicly available malware, with no apparent use of custom malware. After breaching a network, the attackers typically attempted to steal credentials and move laterally across it.
Some compromised organizations may have been used as stepping stones to find and target additional victims, while others may have been compromised solely to perform supply-chain-style attacks on yet other organizations, according to the researchers.
Two IP addresses from this campaign were previously linked to Seedworm's activity, but the researchers note that the group regularly switches its infrastructure, so conclusive attribution was not possible. There was, however, overlap between the tools used in this campaign and those seen in previous Seedworm activity, including tools that security firm Trend Micro associated with the group in March 2021.
If the activity is Iranian, it would fit into a broader pattern of suspected Iranian hacking over the past year, which ranges from interference in the 2020 U.S. presidential election to ransomware to possible hack-and-leak operations targeting Israeli citizens.