December 20, 2023 at 12:33PM
The Iran-backed cyberespionage group Seedworm is targeting telecommunication organizations in North and East Africa, using tools such as PowerShell, SimpleHelp, and Venom Proxy. Seedworm has been active since 2017 and has previously been linked to Iran’s MOIS. The group typically relies on spear-phishing emails that deliver various legitimate remote administration tools. Seedworm’s targets include government and private organizations across various sectors in the Middle East region.
The meeting notes highlight the active cyberespionage activities of an Iran-backed group known as Seedworm, which is targeting telcos in North and East Africa, particularly in Egypt, Sudan, and Tanzania. The group is using PowerShell code to connect to a command-and-control framework called MuddyC2Go, as well as employing tools such as SimpleHelp remote access tool, Venom Proxy, custom keylogging tool, and other publicly available and living-off-the-land tools.
Symantec researchers have noted that Seedworm has been active for six years, with a history of spear-phishing emails carrying archives that contain various legitimate remote administration tools. They have also observed the group now using password-protected RAR archives to evade detection by email security products.
Seedworm’s targets are primarily government and private organizations across various sectors, including telecommunications, local government, defense, and oil and natural gas. The group’s targets are mainly Iran’s neighbors in the Middle East, including Turkey, Israel, Iraq, the United Arab Emirates, and Pakistan.
Additionally, it is mentioned that Iranian cyberespionage groups are recognized for establishing false identities on platforms like LinkedIn to persuade targets to open malicious links or attachments. The notes also touch upon how Iran began to invest in its cyber-operations program following the discovery of the Stuxnet cyber-espionage weapon and provide context about Iran’s IRGC and MOIS, including Seedworm’s association with MOIS.