State-linked threat groups and hacktivists have accelerated threat activity against the U.S. and allied countries since a widespread bombing campaign against Iranian military and government assets began in late February.
An Iran-linked advanced persistent threat group tracked as Seedworm has been spotted on the networks of several U.S. companies, according to a blog post published Thursday from researchers at Symantec and Carbon Black.
The APT group, more commonly known as MuddyWater, began a series of intrusions in early February and has targeted a U.S. bank, the Israeli operations of a U.S. software firm that services the defense and aerospace industry, a non-governmental organization with U.S. and Canadian operations, and a U.S. airport, according to the blog post.
A previously unknown backdoor, which researchers call Dindoor, was found on the software company’s network. The backdoor was also spotted on the networks of the bank and the Canadian nonprofit.
The backdoor leverages Deno, a secure runtime for JavaScript and TypeScript, to execute, according to the blog.
Researchers said the backdoors were installed beginning on Feb. 7 at one organization and Feb. 14 at other organizations.
“So, while this activity began before the current conflict, already having a presence on U.S. and Israeli networks prior to the current hostilities beginning, it put Seedworm in a potentially dangerous position to launch attacks,” Brigid O Gorman, senior intelligence analyst, Symantec and Carbon Black Threat Hunter Team, told Cybersecurity Dive.
Hackers attempted to exfiltrate data from the U.S. software company using Rclone and a Wasabi cloud storage bucket. Researchers did not immediately know whether the theft was successful.
Researchers found a Python-based backdoor on the networks of a U.S. airport and U.S. nonprofit.
Seedworm is known to be a subordinate element of the Iranian Ministry of Intelligence and Security.
As previously reported, pro-Iran and pro-Russia hacktivists have stepped up threat activity since the launch of the bombing campaign.
A pro-Iranian group known as FAD Team is claiming credit for stealing personally identifiable information from Pennbury Township, Pa., according to Flashpoint researchers.
The U.S. financial services sector has also been on alert for a potential attack similar to Operation Ababil, which was a series of coordinated DDoS attacks from 2011 to 2013, Flashpoint researchers told Cybersecurity Dive.
