Symantec Threat Intelligence – Espionage Group Compromises Government Agencies and Key Infrastructure Corporations
Symantec researchers have discovered that the cyber espionage group dubbed Seedworm (aka MuddyWater or Zagros) has upped its
ante in recent months, infiltrating more than 30 organisations since late September. Seedworm has successfully
infiltrated telecommunications firms, government agencies, NGOs, the oil & gas sector and IT services firms predominantly in the Middle East as well as multinational organisations and other
companies based in Europe and the U.S.
Symantec researchers have also discovered a new Powermud backdoor, a GitHub repository used by the group to store its
scripts, and several post-compromise tools, such as LaZagne and CrackMapExec, which the group uses to harvest credentials
and move through a victim's network once it has established a foothold.
When Seedworm compromises a network, one of the first things it does is try to steal passwords saved in the users’ web
browsers and email, demonstrating that access to the victim’s email, social media and chat accounts is one of its
Since early 2017, Seedworm has continually updated its Powermud backdoor to avoid detection. Powermud is a custom tool,
and Seedworm is the only group known to use it. The group also draws on a handful of publicly available tools hosted on
GitHub to carry out its work. Relying on publicly available code is what allows it to change its operations so quickly.
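The report names two of Seedworm's post-compromise tools (LaZagne and CrackMapExec) and the behaviour of stealing passwords saved in browsers and email clients. The following is an added example, not code from Symantec or from the report, showing how a detection engineer might hunt for that activity in process-creation telemetry. It assumes Sysmon-style key=value event lines (constructed here, not real logs), and the indicator patterns are assumptions drawn from the tools' normal command-line usage (LaZagne module names, CrackMapExec's `--sam`/`--lsa`/`--ntds` flags) and the credential store files (`Login Data`, `logins.json`, `key4.db`) a saved-password stealer has to read; a renamed binary is caught only when its command line or file access still matches.

```python
import re

# Constructed sample of process-creation events (one per line, Sysmon EventID 1 style).
# These are synthetic examples written for this illustration, not logs from the report.
SAMPLE_EVENTS = [
    'host=ws01 user=CORP\\jdoe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c dir"',
    'host=ws01 user=CORP\\jdoe image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\laZagne.exe cmdline="laZagne.exe browsers"',
    'host=ws01 user=CORP\\jdoe image=C:\\Tools\\sqlite3.exe '
    'cmdline="sqlite3.exe C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"',
    'host=srv02 user=CORP\\svc_backup image=C:\\Python37\\python.exe '
    'cmdline="python.exe crackmapexec smb 10.0.0.0/24 -u admin -p Pass1 --sam"',
    'host=ws03 user=CORP\\asmith image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
    'cmdline="chrome.exe --profile-directory=Default"',
]

# Illustrative indicators (assumptions for this example, see the lead-in).
# Each rule: (name, pattern, event fields the pattern is applied to).
RULES = [
    ("lazagne_invocation", re.compile(r"lazagne", re.I), ("image", "cmdline")),
    ("cme_credential_dump",
     re.compile(r"\b(crackmapexec|cme)\b.*\s--(sam|lsa|ntds)\b", re.I), ("cmdline",)),
    ("browser_cred_store_access",
     re.compile(r"(Login Data|logins\.json|key4\.db)", re.I), ("cmdline",)),
]

# The browser itself legitimately opens its own credential store; suppress that case so the
# third rule only fires for some other process touching the store.
BROWSER_IMAGES = re.compile(r"\\(chrome|firefox|msedge)\.exe$", re.I)

# key=value pairs where the value is either a double-quoted string or a run of non-spaces.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value event line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in FIELD.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def detect(lines):
    """Return one alert per event that matches a rule (first matching rule wins)."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("image", "")
        for name, pattern, fields in RULES:
            if name == "browser_cred_store_access" and BROWSER_IMAGES.search(image):
                continue
            if any(pattern.search(ev.get(f, "")) for f in fields):
                alerts.append({
                    "rule": name,
                    "host": ev.get("host"),
                    "user": ev.get("user"),
                    "image": image,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running this over the constructed sample flags the LaZagne run, the sqlite3 read of Chrome's `Login Data`, and the CrackMapExec SAM dump, while leaving the plain `cmd.exe` and the browser's own start alone. In practice the credential-store rule is better sourced from file-access telemetry than from command lines, since most stealers open the store from code rather than naming it on the command line; the command-line form is used here only because it keeps the example self-contained.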