Dive Brief:
- Active "cyber espionage" group Seedworm — also known as MuddyWater — has claimed 131 victims across 30 organizations since September, according to a Symantec report.
- Seedworm has been around since at least 2017. Once inside a network, the group uses variants of the Powermud backdoor together with tools for stealing passwords, creating reverse shells and escalating privileges, as well as makecab.exe, presumably to compress stolen data before uploading it, according to the report.
- Seedworm is the only known hacker group to leverage the Powermud backdoor. The group can control its Powermud backdoor "from behind a proxy network" that can effectively hide the genuine command-and-control location.
Dive Insight:
The motivations of hacker groups usually fall between profit and destruction. The Seedworm group wants to "secure actionable intelligence that could benefit their sponsor's interests," according to Symantec.
The group's tactics continue to evolve, both in its Powermud backdoor and in the tools it uses to evade detection. The group has even used GitHub to host its malware and other publicly available tools.
One-fourth of Seedworm's victims were in telecommunications, followed by IT services in government agencies at 16% and oil and gas entities at 14%. The data held by these industries paints a broader picture of the type of information Seedworm wished to access.
Information can be leveraged in several ways. Last year, researchers concluded the CCleaner supply chain attack was intended to compromise leading companies' intellectual property. Samsung, VMware, Sony and Microsoft were among the list of targets.
When espionage comes into question, companies have to be aware of how that information can be used against them. In Marriott's case, the data breach will allow the hackers to build individual profiles of impacted guests. Hackers can compile stolen data to execute a secondary attack, such as a personalized phishing scheme or blackmail.