Sowbug

Threat Actor Profile (updated 3 months ago)
Sowbug, a previously unidentified threat actor, has been discovered by Symantec engaging in highly targeted cyber attacks against organizations primarily in South America and Southeast Asia. The group appears to be heavily focused on foreign policy institutions and diplomatic targets, executing classic espionage attacks and stealing documents from the infiltrated organizations.

The first evidence of Sowbug-related activity was uncovered in March 2017 with the discovery of a new piece of malware named Felismus, used against a target in Southeast Asia. However, the association between Felismus and Sowbug remained unknown until recently. To date, Sowbug has been observed mainly targeting government entities in countries including Argentina, Brazil, Ecuador, Peru, Brunei, and Malaysia.

The method Sowbug employs for initial infiltration into a target's network remains unclear. Yet, once inside, the group tends to maintain a long-term presence, sometimes remaining within a victim's environment for up to six months. For instance, in September 2016, Sowbug infiltrated an organization in Asia, deploying the Felismus backdoor on one of its computers under the file name adobecms.exe in CSIDL_WINDOWS\debug. This stealthy and persistent approach underscores the sophisticated nature of Sowbug's operations.

The emergence of Sowbug serves as a reminder that no region is immune to cyber espionage threats, especially given the steady increase in active operations in recent years. Customers with Intelligence Services or WebFilter-enabled products are protected against activities associated with the Sowbug group. As such, it is crucial for organizations to stay vigilant, adopt robust cybersecurity measures, and remain updated about evolving threat actors and their tactics.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Symantec
Backdoor
Espionage
Malware
Infiltration
Associated Malware
ID | Type | Votes | Profile Description
Felismus | Unspecified | 1 | Felismus is a malicious software (malware) that was first identified by Symantec in March 2017. The malware, used against a target in Southeast Asia, was discovered as part of Sowbug-related activity, marking the introduction of an entirely new piece of cyber threat. This harmful program can infiltr
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Sowbug Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Endpoint Protection - Symantec Enterprise