Espionage Campaign Targets Telecoms Organizations across Middle East and Asia

By Symantec Threat Hunter Team

December 14, 2021

Attackers most likely linked to Iran have attacked a string of telecoms operators in the Middle East and Asia over the past six months, in addition to a number of IT services organizations and a utility company.

Organizations in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos were targeted in the campaign, which appears to have made no use of custom malware and instead relied on a mixture of legitimate tools, publicly available malware, and living-off-the-land tactics. While the identity of the attackers remains unconfirmed, there is some evidence to suggest a link to the Iranian Seedworm (aka MuddyWater) group.  The targeting and tactics are consistent with Iranian-sponsored actors.

Attack outline

After breaching a targeted network, the attackers typically attempt to steal credentials and move laterally across the network. They appear to be particularly interested in Exchange Servers, deploying web shells onto them. In some cases, the attackers may be using compromised organizations as stepping stones to additional victims. Furthermore, some targets may have been compromised solely to perform supply-chain-type attacks on other organizations.

In most attacks, the infection vector is unknown. Evidence of a possible vector was found at only one target. A suspected ScreenConnect setup MSI appeared to have been delivered in a zipped file named “Special discount”, suggesting that it arrived in a spear-phishing email.

Telecoms attack

In one attack against a telecoms firm in the Middle East, which began in August 2021, the first evidence of compromise was the creation of a service to launch an unknown Windows Script File (WSF). Scripts were then used to issue various domain, user discovery, and remote service discovery commands.

The attackers used PowerShell to download another WSF and run it. Net group was used to query for the “exchange trusted subsystem” domain group.

The attackers used Certutil to download a suspected Ligolo tunneling tool and launch WMI, which was used to get remote machines to carry out the following tasks:

  • Execute Certutil to download an unknown file
  • Execute Certutil to download an unknown WSF file and execute Wscript to launch this script
  • Execute PowerShell to download and execute content
  • Execute PowerShell to download a suspected web shell to an Exchange Server

Based on process lineage data, attackers seemed to use scripts extensively. These may be automated scripts used for collecting information and downloading additional tools. However, in one instance, a command asks cURL for help, suggesting that there may have been at least some hands-on-keyboard activity on the part of the attackers.

The attackers then used a remote access tool, believed to be eHorus, to perform the following tasks:

  • Deliver and run a suspected Local Security Authority Subsystem Service (LSASS) dumping tool
  • Deliver what are believed to be Ligolo tunneling tools
  • Execute Certutil to request a URL from Exchange Web Services (EWS) of what appears to be other targeted organizations 

One feature of this attack against a telecoms organization is that the attackers may have attempted to pivot to other targets by connecting to the Exchange Web Services (EWS) of other organizations, another telecoms operator, and an electronic equipment company in the same region. The following commands were used:

  • certutil.exe -urlcache –split [DASH]f hxxps://[REDACTED]/ews/exchange[.]asmx
  • certutil.exe -urlcache -split [DASH]f hxxps://webmail.[REDACTED][.]com/ews

It is unclear what the intent of these requests is. It is possible the attackers were attempting to check connectivity to these organizations.

Possible supply chain attack

One target that appeared to be an outlier was a utility company in Laos. The infection vector may have been the exploit of a public-facing service since the first machine that appeared to be compromised was an IIS web server. Suspicious activity also had w3wp.exe in the process lineage.

The attackers then used PowerShell to:

  • Download a suspected Ligolo tunneling tool
  • Download an unknown PowerShell script
  • Download an unknown XLS file

The attackers then used PowerShell to connect to a webmail server of an organization in Thailand. They also attempted to connect to IT-related servers belonging to another company in Thailand.

To facilitate credential theft, WMI was used to execute PowerShell to modify the registry to store passwords in plaintext in memory. In addition to this, an obfuscated version of the publicly available CrackMapExec tool appeared to be deployed.


The attackers made heavy use of legitimate tools and publicly available hacking tools. These include:

  • ScreenConnect: Legitimate remote administration tool
  • RemoteUtilities: Legitimate remote administration tool
  • eHorus: Legitimate remote administration tool
  • Ligolo: Reverse tunneling tool
  • Hidec: Command line tool for running a hidden window
  • Nping: Packet generation tool
  • LSASS Dumper: Tool that dumps credentials from Local Security Authority Subsystem Service (LSASS) process
  • SharpChisel: Tunneling tool
  • Password Dumper
  • CrackMapExec: Publicly available tool that is used to automate security assessment of an Active Directory environment
  • ProcDump: Microsoft Sysinternals tool for monitoring an application for CPU spikes and generating crash dumps, but which can also be used as a general process dump utility
  • SOCKS5 proxy server: Tunneling tool
  • Keylogger: Retrieves browser credentials
  • Mimikatz: Publicly available credential dumping tool

Seedworm link?

There is some evidence to suggest that the Iranian Seedworm group was responsible for these attacks. Two IP addresses used in this campaign have been previously linked to Seedworm activity. However, Seedworm is known to regularly switch its infrastructure, meaning conclusive attribution cannot be made.

There is also some overlap in tools between this campaign and earlier Seedworm campaigns. ScreenConnect, RemoteUtilities, SharpChisel, Ligolo, ProcDump, and Password Dumper were all referenced by Trend Micro in a March 2021 blog on Seedworm activity.

In the case of two tools – SharpChisel and Password Dumper – identical versions were used in this campaign to those that were documented by Trend.

Focused campaign

If these attacks are linked to Iran, it will not be the first time an Iranian threat actor has targeted the telecoms sector. In 2018, Symantec revealed that the Chafer group had compromised of a major telecoms services provider in the Middle East.

While the ultimate end goal of the campaign remains unknown, the focus on telecoms operators suggests that the attackers are gathering intelligence on the sector and possibly attempting to pivot into spying on communications.

Terms of Use | Copyright © 2002 - 2021 CONSTITUENTWORKS SM  CORPORATION. All rights reserved. | Privacy Statement