EXECUTIVE SUMMARY
Iran-linked hackers have been conducting a global spying campaign, breaching at least nine organizations across four continents. The targets spanned industrial and electronics manufacturing, education and public-sector bodies, financial services, and professional services. The attackers appear to be motivated by a desire to gather intelligence on organisations holding material of value to Tehran, including intellectual property on high-tech manufacturing, research, and intelligence on rival governments. The campaign is linked to the Iranian Ministry of Intelligence and Security (MOIS) and is attributed to the espionage group Seedworm.
The attackers used a variety of techniques, including DLL sideloading, a Node.js-based implant chain, and PowerShell scripts, to deliver malware and establish persistence on compromised systems. The malware was delivered using legitimate binaries from Fortemedia and SentinelOne, which were abused to sideload malicious DLLs. A Node.js script orchestrated delivery of the malware, and PowerShell scripts were used for reconnaissance, screenshot capture, and credential theft. Stolen data was exfiltrated through the public file-transfer service sendit.sh.
The campaign represents a significant step up in operational hygiene from the Seedworm tradecraft seen two or three years ago: orchestration through Node.js, DLL sideloading of legitimate vendor binaries, and exfiltration through a public consumer service. For defenders the significance is that every stage is built from components that look legitimate in isolation. A vendor executable is not itself a detection, and traffic to a public file-sharing site blends into ordinary web use, so each stage has to be caught on context rather than on a known-bad hash. Defensive actions that follow directly from the observed techniques: alert on vendor binaries that load a DLL from their own directory when that directory is user-writable (T1574.002); treat a Node.js runtime spawning PowerShell as suspicious on hosts where Node.js is not a deployed dependency; enable PowerShell script block and module logging so the reconnaissance, screenshot and credential-theft scripts are recorded; and block, or at least log, egress to public file-transfer services such as sendit.sh. Patching and endpoint protection remain baseline controls, but this is an espionage campaign, so the risk is data theft rather than disruption, and monitoring for the staging and exfiltration stages matters more than restore-from-backup planning. Taken together, these steps reduce the chance that Seedworm, or a group using similar tradecraft, operates unnoticed.
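The detection logic implied by the two paragraphs above (DLL sideloading, Node.js spawning PowerShell, and egress to sendit.sh), as an added example that is not part of the original report. It runs three heuristics over a handful of constructed Sysmon-style events; the event schema is modelled on Sysmon event IDs 1, 7 and 22 but the signer fields on the loading process are an assumption of this example, and all file names, directories and publisher names are hypothetical rather than indicators from the report.

```python
"""Toy detection pass over constructed Sysmon-style events (added example).

Rules map to the chain in the summary:
  1. detect_sideload    - T1574.002: an executable loads a DLL from its own
                          directory, outside Windows/Program Files, and the DLL
                          is unsigned or signed by a different publisher.
  2. detect_node_shell  - T1059.007 -> T1059.001: node.exe spawns PowerShell.
  3. detect_exfil_domain- DNS lookup of the public file-transfer service sendit.sh.
Event fields are constructed for this example; ImageSignature on an image-load
event is not a native Sysmon field (it would come from joining the process-create
event) and is assumed here for brevity.
"""
from dataclasses import dataclass, field
from typing import Optional
import ntpath

TRUSTED_DIR_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
EXFIL_DOMAINS = ("sendit.sh",)
SHELLS = ("powershell.exe", "pwsh.exe")


@dataclass
class Event:
    event_id: int               # 1 = process create, 7 = image load, 22 = DNS query
    image: str                  # the process executable
    fields: dict = field(default_factory=dict)


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")


def _in_trusted_dir(path: str) -> bool:
    return any(_norm(path).startswith(p) for p in TRUSTED_DIR_PREFIXES)


def detect_sideload(ev: Event) -> Optional[str]:
    """Signed EXE loads a co-located DLL from an untrusted dir that does not share its signer."""
    if ev.event_id != 7:
        return None
    dll = ev.fields["ImageLoaded"]
    if ntpath.dirname(_norm(ev.image)) != ntpath.dirname(_norm(dll)) or _in_trusted_dir(dll):
        return None
    if ev.fields.get("ImageSigned") != "true":
        return None  # only interested in abuse of a legitimately signed binary
    dll_signed = ev.fields.get("ImageLoadedSigned") == "true"
    same_signer = ev.fields.get("ImageLoadedSignature") == ev.fields.get("ImageSignature")
    return None if (dll_signed and same_signer) else f"possible DLL side-load: {ev.image} loaded {dll}"


def detect_node_shell(ev: Event) -> Optional[str]:
    """Node.js runtime launching PowerShell is the orchestration step."""
    if ev.event_id != 1:
        return None
    parent = ntpath.basename(_norm(ev.fields.get("ParentImage", "")))
    child = ntpath.basename(_norm(ev.image))
    if parent == "node.exe" and child in SHELLS:
        return f"node.exe spawned {child}: {ev.fields.get('CommandLine', '')}"
    return None


def detect_exfil_domain(ev: Event) -> Optional[str]:
    """DNS query for the public file-transfer service used for exfiltration."""
    if ev.event_id != 22:
        return None
    q = ev.fields.get("QueryName", "").lower().rstrip(".")
    if any(q == d or q.endswith("." + d) for d in EXFIL_DOMAINS):
        return f"{ntpath.basename(ev.image)} resolved file-transfer service {q}"
    return None


RULES = (detect_sideload, detect_node_shell, detect_exfil_domain)


def scan(events):
    """Return (rule_name, message) for every event that trips a rule."""
    return [(r.__name__, hit) for ev in events for r in RULES if (hit := r(ev))]


# Constructed sample telemetry: hypothetical paths and publisher names.
STAGE = r"C:\Users\alice\AppData\Local\Temp\update"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(7, r"C:\Program Files\VendorCo\tool.exe", {"ImageLoaded": r"C:\Windows\System32\kernel32.dll",
          "ImageSigned": "true", "ImageSignature": "VendorCo",
          "ImageLoadedSigned": "true", "ImageLoadedSignature": "Microsoft Windows"}),   # benign
    Event(7, r"C:\Program Files\VendorCo\tool.exe", {"ImageLoaded": r"C:\Program Files\VendorCo\plugin.dll",
          "ImageSigned": "true", "ImageSignature": "VendorCo",
          "ImageLoadedSigned": "true", "ImageLoadedSignature": "VendorCo"}),            # benign
    Event(7, STAGE + r"\tool.exe", {"ImageLoaded": STAGE + r"\helper.dll",
          "ImageSigned": "true", "ImageSignature": "VendorCo",
          "ImageLoadedSigned": "false", "ImageLoadedSignature": ""}),                   # side-load
    Event(1, PS, {"ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"}),  # benign
    Event(1, PS, {"ParentImage": STAGE + r"\node.exe",
          "CommandLine": "powershell.exe -w hidden -ep bypass -f recon.ps1"}),           # orchestration
    Event(22, STAGE + r"\node.exe", {"QueryName": "sendit.sh"}),                         # exfil lookup
]

if __name__ == "__main__":
    for name, msg in scan(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

The side-load rule deliberately ignores loads from Windows and Program Files so that normal plugin loading by an installed product stays quiet; the same vendor binary copied into a user-writable staging directory and loading an unsigned neighbour is what fires. In production the signer comparison would come from the process-creation event or a file-reputation lookup rather than from the image-load record itself.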
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
| Defense Evasion | T1574.002 | Hijack Execution Flow | DLL Side-Loading |
| Credential Access | T1003.002 | OS Credential Dumping | Security Account Manager |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Discovery | T1518.001 | Software Discovery | Security Software Discovery |
| Collection | T1113 | Screen Capture | — |
REFERENCES:
The source report contains further technical details:
https://www.security.com/threat-intelligence/iran-seedworm-electronics