Seedworm Inside: Iranian APT Compromises U.S. Bank Networks as Cyber War Parallels Kinetic

When kinetic military operations collide with cyber warfare, the financial sector becomes the battlefield where both converge. On March 5, 2026, Security.com published a detailed analysis confirming that Seedworm — also tracked as MuddyWater and attributed to Iran's Ministry of Intelligence and Security (MOIS) — had successfully compromised networks at multiple U.S. financial institutions.
The campaign was not opportunistic. It was a deliberate, coordinated operation that paralleled the kinetic conflict timeline, using the chaos and resource diversion created by physical operations to provide cover for digital intrusion.
For European financial institutions regulated under DORA, the Seedworm campaign is not a distant American problem. It is a direct threat that travels through the interconnected fabric of global banking.
The Seedworm Campaign: Technical Profile
Seedworm (MuddyWater) has been tracked by threat intelligence organizations since 2017. The group is attributed to Iran's MOIS with high confidence by multiple intelligence agencies, including in CISA's joint advisory on Iranian government-sponsored cyber operations. Unlike Iran's Islamic Revolutionary Guard Corps (IRGC) cyber units, which focus on destructive operations, MOIS-affiliated groups like Seedworm specialize in espionage, persistent access, and intelligence preparation of the battlefield.
The March 2026 campaign against U.S. banks followed Seedworm's established playbook, adapted for the financial sector:
| Phase | Technique | Tools Used | Detection Difficulty |
|---|---|---|---|
| Initial access | Spear-phishing with lure documents referencing sanctions compliance | Custom loader via macro-enabled documents | Medium — financial-themed lures well-crafted |
| Persistence | Legitimate remote management tool (RMM) installed as service | Modified Atera/ConnectWise agent | High — blends with legitimate admin tools |
| Lateral movement | Pass-the-hash, Kerberoasting, exploitation of misconfigured trusts | Mimikatz variants, custom PowerShell | Medium — standard lateral movement TTPs |
| Internal reconnaissance | Active Directory enumeration, SWIFT infrastructure mapping | ADFind, BloodHound, custom scripts | High — resembles legitimate admin activity |
| Data collection | Targeted exfiltration of correspondent banking relationship data | Custom staging tool, encrypted exfil channels | High — low-volume, encrypted |
The most concerning aspect of the campaign was Seedworm's apparent targeting of SWIFT-connected infrastructure and correspondent banking relationship data. This suggests the operation's objectives went beyond simple espionage — mapping the interbank network provides the intelligence foundation for future disruptive operations.
The Cascade Risk: How U.S. Bank Compromises Reach Europe
The Seedworm campaign's significance for DORA-regulated entities extends far beyond the directly compromised institutions. European banks are connected to U.S. banks through multiple channels, each of which represents a potential pathway for attack propagation.
SWIFT Messaging Network
SWIFT messages between European and American banks traverse a shared messaging infrastructure. While SWIFT itself implements strong security controls, the endpoints — the banks' local SWIFT interfaces — are part of the compromised network. If Seedworm gained access to a U.S. bank's SWIFT Alliance Lite2 or Access interface, it could potentially observe, manipulate, or disrupt messages destined for European counterparts.
Correspondent Banking Relationships
European banks maintain correspondent banking relationships with U.S. institutions for dollar-denominated transactions. These relationships involve the exchange of sensitive data — transaction instructions, account details, compliance documentation — through secure channels that terminate at both endpoints. A compromise of the U.S. endpoint exposes the European bank's data flowing through that channel.
Shared Third-Party Platforms
Many financial institutions on both sides of the Atlantic use common third-party platforms for compliance screening (sanctions, AML), trade finance, and securities settlement. A compromise of a U.S. institution's access to these platforms could affect the integrity of data shared with European participants.
| Connection Channel | Data at Risk | Seedworm Exploitation Potential | DORA Article |
|---|---|---|---|
| SWIFT messaging | Transaction instructions, account data | Message observation/manipulation if endpoint compromised | Art. 17, 19 |
| Correspondent banking | Customer data, compliance docs | Data exfiltration via compromised U.S. counterpart | Art. 28 |
| Shared platforms (Bloomberg, Refinitiv) | Market data, trade data | Indirect access via compromised credentials | Art. 28, 29 |
| API integrations | Real-time data feeds | Injection of malicious data via compromised endpoint | Art. 17 |
| Email/communication | Sensitive business correspondence | BEC attacks leveraging compromised accounts | Art. 11 |
DORA Obligations for European Institutions
European financial institutions must respond to the Seedworm campaign even if they are not directly targeted. DORA creates affirmative obligations that are triggered by credible threat intelligence, not only by confirmed breaches.
Articles 5-6: ICT Risk Management
DORA Article 5 requires an "effective and prudent" ICT risk management framework. When a credible, attributed state-sponsored campaign against interconnected financial institutions is confirmed by multiple intelligence sources, the threat model must be updated. An institution that fails to incorporate the Seedworm threat into its risk assessment after public confirmation is not meeting the Article 5 standard.
Article 6 further requires that the ICT risk management framework "shall include at least [...] identification of all sources of ICT risk." A state-sponsored APT with confirmed presence in the banking networks of interconnected institutions is an identified source of ICT risk.
Articles 17-19: Incident Management
If a European institution detects indicators of compromise associated with the Seedworm campaign — the IOCs published by Security.com and subsequently distributed through FS-ISAC — this may trigger classification as a major ICT-related incident under Article 17, even before data exfiltration is confirmed.
The precautionary principle applies: if Seedworm indicators are found in your network, the incident should be classified as major pending investigation. Waiting for confirmation of impact before classifying the incident as major repeats the mistake of the French banking breach, where delayed classification reduced the effectiveness of the response.
Article 45: Information Sharing
DORA Article 45 encourages financial entities to participate in information sharing arrangements. The Seedworm campaign is a textbook case for information sharing: indicators of compromise, TTPs, and defensive recommendations shared through FS-ISAC and European equivalents enable proactive defense across the sector.
Financial institutions that have not yet established information sharing arrangements should treat the Seedworm campaign as the catalyst to do so. The intelligence shared through these channels can provide hours or days of advance warning before an attacker pivots from U.S. to European targets.
The State-Sponsored Dimension: Beyond Traditional Threat Models
The Seedworm campaign is not an ordinary cybercrime operation. State-sponsored APTs operate with resources, patience, and objectives that fundamentally differ from criminal actors:
- Persistence over profit: Criminal actors seek quick monetization. State actors seek long-term access for intelligence and future disruption capability. Seedworm's dwell time in financial networks can extend for months or years without triggering detection.
- Operational security: State actors invest heavily in blending with legitimate activity. Seedworm's use of legitimate RMM tools for persistence is specifically designed to evade detection by security tools that flag known malware but not legitimate admin software.
- Strategic targeting: The focus on SWIFT infrastructure and correspondent banking relationships suggests intelligence preparation for potential future disruption operations — mapping the network now for possible attacks later.
For DORA-regulated entities, this means that traditional cybersecurity metrics — time to detect, time to respond, incidents per month — may not capture the risk. A state actor that maintains silent persistent access for months without triggering an alert is not a success story for the defense; it is a failure waiting to be discovered.
| Dimension | Criminal APT | State-Sponsored APT (Seedworm) | Implication for DORA |
|---|---|---|---|
| Objective | Financial gain | Intelligence + future disruption capability | Risk assessment must include strategic threats |
| Dwell time | Days to weeks | Months to years | Continuous threat hunting required |
| Tooling | Known malware, RaaS | Legitimate tools + custom implants | Detection requires behavioral analysis |
| Targeting | Opportunistic | Specifically targets interbank infrastructure | Third-party risk extends to interconnected banks |
| Resources | Limited | Effectively unlimited (state funding) | Defense must assume sophisticated adversary |
Recommendations for DORA-Regulated Entities
Immediate actions (0-7 days):
- Search for published Seedworm IOCs across all network telemetry, endpoint logs, and authentication records.
- Audit all legitimate RMM tools deployed in your environment. Any RMM agent not explicitly authorized should be investigated immediately.
- Review and restrict authentication trust relationships with U.S. correspondent banks.
- Brief your board on the state-sponsored threat per DORA Article 14.
Short-term actions (7-30 days):
- Conduct a focused threat hunt for Seedworm TTPs, not just IOCs. Behavioral indicators — unusual PowerShell execution, Kerberoasting attempts, AD enumeration patterns — are more durable than file hashes.
- Review your third-party risk register for all U.S. financial institution connections. Assess each for potential Seedworm exposure.
- Engage with your national CSIRT and sector information sharing body. Share and consume intelligence actively.
Medium-term actions (30-90 days):
- Update your ICT risk assessment to explicitly address state-sponsored APT risk, including dwell time assumptions and detection confidence levels.
- Review your resilience testing programme for scenarios involving compromised interbank infrastructure.
- Assess whether your detection capabilities can identify the use of legitimate tools for malicious purposes — the core challenge of state-sponsored APT detection.
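As an added illustration of the RMM audit and the behavioural hunt recommended above (example code written for this page, not from Security.com or any vendor), the script below runs two checks over constructed Windows event records: Event ID 7045 service installs compared against a hypothetical RMM allow-list, and Event ID 4769 ticket requests grouped to spot one account sweeping many SPNs with RC4. The allow-list, hostnames, accounts and paths are all constructed.

```python
# Added example, not from the article: a hunt over constructed Windows event
# records for two behaviours the recommendations name, unauthorised RMM agents
# installed as services (System Event ID 7045) and Kerberoasting-style bursts
# of RC4 service-ticket requests (Security Event ID 4769, etype 0x17).
from collections import defaultdict

# Hypothetical allow-list: approved RMM service names and the install prefix
# each is expected to run from (lower-cased for comparison).
AUTHORISED_RMM = {"ateraagent": r"c:\program files\atera networks\ateraagent"}

# Constructed sample events, already parsed into fields as a SIEM would export.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "WS-0412", "service": "AteraAgent",
     "path": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"},
    {"id": 7045, "host": "WS-0419", "service": "ScreenConnect Client (a1f2)",
     "path": r"C:\Users\Public\sc.exe"},
    {"id": 7045, "host": "WS-0420", "service": "AteraAgent",
     "path": r"C:\Users\Public\AteraAgent.exe"},  # approved name, wrong path
    {"id": 4769, "user": "jdoe", "spn": "MSSQLSvc/sql01", "etype": "0x12"},
    {"id": 4769, "user": "svc-scan", "spn": "MSSQLSvc/sql01", "etype": "0x17"},
    {"id": 4769, "user": "svc-scan", "spn": "HTTP/intranet", "etype": "0x17"},
    {"id": 4769, "user": "svc-scan", "spn": "MSSQLSvc/sql02", "etype": "0x17"},
    {"id": 4769, "user": "svc-scan", "spn": "CIFS/fs01", "etype": "0x17"},
]

def unauthorised_rmm(events):
    """Return (host, service, path) for each 7045 install that is either not
    an approved RMM service or an approved name running from an unexpected
    path, e.g. a renamed copy dropped in a user-writable directory."""
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        expected = AUTHORISED_RMM.get(e["service"].lower())
        if expected is None or not e["path"].lower().startswith(expected + "\\"):
            hits.append((e["host"], e["service"], e["path"]))
    return hits

def kerberoast_candidates(events, min_spns=3):
    """Return {account: [SPNs]} for accounts that requested RC4 (0x17) tickets
    for at least min_spns distinct SPNs. Modern clients negotiate AES, so one
    account sweeping many SPNs with RC4 is the classic Kerberoasting shape."""
    spns = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e["etype"].lower() == "0x17":
            spns[e["user"]].add(e["spn"])
    return {u: sorted(s) for u, s in spns.items() if len(s) >= min_spns}
```

On real data, feed the functions your parsed 7045 and 4769 exports and tune `min_spns` to the baseline of legitimate RC4 requests in your domain before treating a hit as an incident.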
The Seedworm campaign is a preview of the converged threat landscape where kinetic and cyber operations reinforce each other. For European financial institutions, the Atlantic Ocean provides no protection when the attack vector is a SWIFT message or an API call from a compromised correspondent.
See also: Iran's Cyber Warfare Legal Implications | US Banks on High Alert | Data Centers Are Now Military Targets
Summary
In March 2026, Security.com confirmed that Seedworm (MuddyWater), an Iranian APT group affiliated with the Ministry of Intelligence and Security (MOIS), had compromised the networks of several U.S. financial institutions. The campaign used legitimate remote administration tools to establish persistent access, then moved laterally toward SWIFT infrastructure and correspondent banking relationship data. For European entities regulated under DORA, the cascade risk is direct: SWIFT connections, correspondent banking relationships, shared platforms and API integrations create propagation paths. DORA obligations apply: updating the threat model (Art. 5-6), proactive IOC searches (Art. 17), reporting upon detection (Art. 19), review of connections with U.S. correspondents (Art. 28), and intelligence sharing (Art. 45). The state-sponsored dimension implies persistence of months to years, legitimate tools that evade standard detection, and strategic targeting of interbank infrastructure.