Iran-linked Seedworm hackers found inside US bank, airline, tech networks

Iranian state-backed Seedworm hackers are lurking inside critical networks in the US and Israel, signaling a possible cyber campaign against US banking, aviation, and tech sectors, researchers warn.
- Iran-linked Seedworm hackers are already inside networks tied to US banking, aviation, and tech sectors.
- Researchers say stealthy backdoors allow the Iranian espionage group to quietly maintain access inside victim systems.
- Once focused on the Middle East, Seedworm now targets critical infrastructure across North America, Europe, Asia, and Africa.
The Iranian-linked APT (advanced persistent threat) has maintained access to multiple organizations since early February, according to a new threat intelligence report by Symantec and Carbon Black published Thursday.
The threat hunters say Seedworm – a known group that CISA has labeled “a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS)" – deployed a previously undocumented backdoor, which the researchers named “Dindoor,” to gain and keep unauthorized access to multiple systems.
Also known as Static Kitten, MuddyWater, and TEMP.Zagros, the group, described as "the classic espionage group," is thought to be positioning itself to carry out future attacks on behalf of the Ayatollah's disintegrating government, although it is unknown whether Seedworm is currently operating from within Iran or from outside the Middle East.
Since Operation Epic Fury began, Iran has been in a near-complete internet blackout, with NetBlocks reporting on Thursday that the digital blockade "has now exceeded 120 hours, with connectivity still flatlining around 1% of ordinary levels.”
“Given the current escalations between the US and Iran, it is likely that critical national infrastructure (CNI) is at high risk of attack, as well as organizations supporting these entities,” the research states.
Seedworm breaches banks, airport, and tech firm
Seedworm is said to have infiltrated a US bank, a software company with Israeli operations, an airport, and several non-governmental organizations in both the US and Canada – all of which have reported suspicious network activity since the US-Israel strikes on Tehran began on February 28th.
Although none of the targeted entities have been named, researchers say “the software company is a supplier to the defense and aerospace industries, among others, and has a presence in Israel.”
In at least one incident targeting the tech firm, the attackers attempted to exfiltrate data “using Rclone to a Wasabi cloud storage bucket,” but it remains unclear whether the group succeeded.
The hackers were said to have established their foothold on the networks by using “Deno, the secure runtime for JavaScript and TypeScript,” to execute the Trojan.
Researchers say they were able to attribute the activity through the code-signing certificate used to sign Dindoor – found in several of the targeted networks – which was issued to “Amy Cherne,” a signer name already affiliated with the Islamic Republic-linked hacker group.
Additionally, the research shows the group leveraging a second, Python-based backdoor – known as Fakeset – discovered on the US airport network and a nonprofit network. Fakeset samples were signed with certificates issued to “Amy Cherne,” as well as to “Donald Gay,” another signer name previously affiliated with Seedworm.
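The tradecraft described above (Rclone pushing data to a Wasabi bucket, a Deno runtime launching the backdoor, and binaries signed under the “Amy Cherne” and “Donald Gay” names) is enough to write a first-pass hunt over endpoint process telemetry. The Python below is an added example written for this article, not code from Symantec, Carbon Black, or the report. The event format, hostnames, file paths, remote names and the rclone.conf excerpt are all constructed for the example; the assumptions that Wasabi's S3 endpoints sit under wasabisys.com and that rclone records a Wasabi remote as `type = s3` / `provider = Wasabi` are mine, not the report's.

```python
"""Hunt process-creation telemetry for the Seedworm tradecraft the article
describes: Rclone exfiltration to Wasabi, Deno launching scripts, and binaries
signed under names the researchers tie to the group. Added example; every
sample below is constructed, not real telemetry."""
import configparser
import json
import re
from dataclasses import dataclass

# Signer names the article reports as affiliated with Seedworm.
KNOWN_SIGNERS = {"amy cherne", "donald gay"}

# Assumptions (not from the article): Wasabi's S3 endpoints live under
# wasabisys.com, and rclone stores a Wasabi remote as type=s3 / provider=Wasabi.
WASABI_ENDPOINT_RE = re.compile(r"wasabisys\.com", re.I)
RCLONE_XFER_RE = re.compile(r"\b(copy|copyto|sync|move|moveto)\b", re.I)
# "name:bucket/path" tokens; skips drive letters (C:\) and URL schemes (https://).
RCLONE_REMOTE_RE = re.compile(r"(?<![\w:])([A-Za-z0-9_-]{2,}):(?![\\/])")


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def wasabi_remotes(rclone_conf: str) -> set[str]:
    """Names of remotes in an rclone.conf (INI format) that point at Wasabi."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(rclone_conf)
    hits = set()
    for name in cp.sections():
        sec = cp[name]
        if sec.get("type", "").strip().lower() != "s3":
            continue
        if (sec.get("provider", "").strip().lower() == "wasabi"
                or WASABI_ENDPOINT_RE.search(sec.get("endpoint", ""))):
            hits.add(name)
    return hits


def check_event(ev: dict, wasabi_names: set[str] = frozenset()) -> list[Finding]:
    """Apply the three hunting rules to one process-creation event."""
    host = ev.get("host", "?")
    exe = (ev.get("image") or "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmd = ev.get("command_line") or ""
    signer = (ev.get("signer") or "").strip().lower()
    out = []
    # Rule 1: rclone transferring data to a remote, Wasabi in particular.
    # The remote's target is only visible in rclone.conf, so the conf is
    # cross-referenced; an endpoint passed on the command line is also caught.
    if exe in ("rclone", "rclone.exe") and RCLONE_XFER_RE.search(cmd):
        remotes = {r for r in RCLONE_REMOTE_RE.findall(cmd) if r.lower() != "https"}
        if WASABI_ENDPOINT_RE.search(cmd) or remotes & set(wasabi_names):
            out.append(Finding(host, "rclone_to_wasabi", cmd))
        elif remotes:
            out.append(Finding(host, "rclone_to_cloud_remote", cmd))
    # Rule 2: Deno running a script (the article says Deno launched the Trojan).
    if exe in ("deno", "deno.exe") and re.search(r"\brun\b", cmd):
        out.append(Finding(host, "deno_script_execution", cmd))
    # Rule 3: code-signing subject matches a signer name tied to Seedworm.
    if signer in KNOWN_SIGNERS:
        out.append(Finding(host, "known_seedworm_signer", signer))
    return out


def hunt(events_jsonl: str, rclone_conf: str = "") -> list[Finding]:
    """Run the rules over JSON-lines process events, one object per line."""
    names = wasabi_remotes(rclone_conf) if rclone_conf.strip() else set()
    findings = []
    for line in events_jsonl.splitlines():
        if line.strip():
            findings.extend(check_event(json.loads(line), names))
    return findings


# Constructed rclone.conf: one Wasabi remote and one unrelated SMB share.
SAMPLE_RCLONE_CONF = """
[backup]
type = s3
provider = Wasabi
access_key_id = REDACTED
secret_access_key = REDACTED
endpoint = s3.wasabisys.com

[corp-share]
type = smb
host = fileserver.internal
"""

# Constructed process-creation events (hosts, paths and signers are invented).
SAMPLE_EVENTS = r"""
{"host": "ws-042", "image": "C:\\Users\\Public\\rclone.exe", "command_line": "rclone.exe copy C:\\Projects backup:staging-01 --transfers 8", "signer": ""}
{"host": "ws-042", "image": "C:\\Users\\Public\\deno.exe", "command_line": "deno.exe run -A C:\\Users\\Public\\svc.ts", "signer": ""}
{"host": "srv-09", "image": "C:\\ProgramData\\py\\pythonw.exe", "command_line": "pythonw.exe C:\\ProgramData\\py\\fs.py", "signer": "Amy Cherne"}
{"host": "ws-117", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe notes.txt", "signer": "Microsoft Windows"}
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, SAMPLE_RCLONE_CONF):
        print(f"{f.host:8} {f.rule:24} {f.detail}")
```

Without the rclone.conf the first event only triggers the weaker `rclone_to_cloud_remote` rule, since the command line alone does not reveal where the `backup:` remote points; collecting rclone.conf from hosts where rclone appears is what turns a generic transfer into the Wasabi-specific match the report describes.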
Researchers warn critical infrastructure at risk
The Seedworm threat group has been active since 2017 and is known to develop and deploy its own custom malware, according to the report.
Once exclusively focused on entities in the Middle East, the group was said to have expanded its scope to include targeting CNI in Asia, Africa, Europe, and North America.
These critical high-risk sectors are essential for national security and public safety, including energy (power grids, oil and gas pipelines, and nuclear), healthcare, water, telecommunications, transportation, and finance, as well as government, defense, and emergency services.
The threat hunters warn that organizations “with exposed terminal operating systems, schedules, and trucking/rail interfaces are at high risk, as well as passenger processing systems, baggage systems, and contractor networks.”
In addition to the Seedworm threat, multiple cyber alerts and increased activity warnings have been issued since the US-Israeli bombing campaign – naming pro-Iranian groups such as the Handala Hack Team, the FAD Team, RipperSec, APT IRAN, Cyber Fatta, and a newly formed alliance between DDoS hacktivists NoName057(16) and the Cyber Islamic Resistance (CIR), among others.
To harden networks against these kinds of intrusions, the researchers urge at-risk organizations to “strengthen monitoring capabilities and ensure resilience across infrastructure where possible," including:
- Network segmentation across operational technology networks
- Restricting remote access to infrastructure systems
- Monitoring contractor VPN access
- Maintaining offline backups of critical configuration systems
The security report also reminds defenders to monitor for early indicators of unauthorized access attempts along the attack chain, such as “vulnerability scanning, credential attacks, and reconnaissance activity.”