
Seedworm APT in US Bank Networks: Iranian Cyber Warfare Meets Financial Infrastructure
In March 2026, security researchers revealed that Seedworm (MuddyWater), an Iranian state-sponsored APT group, had infiltrated multiple US financial institution networks — raising urgent questions about nation-state threats to banking infrastructure.
Key Metrics
Dwell Time (estimated): months before detection (was: N/A). Long-term persistence prioritized over quick exploitation.
Detection Method: behavioral analytics + threat hunt (was: signature-based). Living-off-the-land evades traditional detection.
Threat Actor Resources: nation-state (MOIS-backed) (was: cybercrime, limited). Unlimited resources + state protection.
Attack Objective: strategic pre-positioning (was: financial gain). Potential for destructive operations.
Sector Coordination: real-time IOC sharing via FS-ISAC (was: post-incident sharing). Hours vs. weeks for threat detection.
The Situation
Inside the Intrusion: Technical Indicators and Banking Impact
The Seedworm campaign against US financial institutions exhibited several characteristics that distinguish nation-state intrusions from commodity cybercrime, each carrying specific implications for operational resilience.
Persistence and Stealth
Unlike ransomware operators who seek rapid monetization, Seedworm prioritized long-term persistence. Security researchers indicated that some intrusions may have been active for months before detection. The group used scheduled tasks, registry modifications, and DLL side-loading to maintain access across system reboots. In banking environments where systems run continuously and change management is tightly controlled, these persistence mechanisms were designed to survive patching cycles and routine security scans.
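One way to hunt for the persistence mechanisms described above in a change-managed estate, as an added example that is not code from the article or the researchers it cites: diff the autoruns a host actually has against the approved baseline. The record layout, the user-writable-path heuristic and every entry are constructed assumptions.

```python
"""Added example, not from the article: diff a host's current autorun inventory
(scheduled tasks, registry Run values) against its change-managed baseline.
The record layout, the path heuristic and every entry below are constructed."""
import ntpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Autorun:
    host: str
    kind: str     # "task" = scheduled task, "run" = registry Run/RunOnce value
    name: str     # task path or registry value name
    command: str  # command line the entry executes

# Assumption: approved autoruns never execute from directories any user can write to,
# so an entry pointing there is a hunt lead however benign its name looks.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

def _key(a):
    return (a.host, a.kind, a.name.lower())

def binary_of(command):
    """Executable path from an exported command line (handles a quoted first token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)].lower()
    return command.split()[0].lower()

def diff_autoruns(approved, observed):
    """(entry, reason) leads: entries missing from the baseline, entries whose command
    changed, entries run from user-writable paths, and approved binary names that now
    resolve to another directory (the staging pattern behind DLL side-loading)."""
    baseline = {_key(a): a for a in approved}
    known_dirs = {}
    for a in approved:
        path = binary_of(a.command)
        known_dirs.setdefault(ntpath.basename(path), set()).add(ntpath.dirname(path))
    leads = []
    for a in observed:
        path, name = binary_of(a.command), ntpath.basename(binary_of(a.command))
        if _key(a) not in baseline:
            leads.append((a, "not in approved baseline"))
        elif baseline[_key(a)].command.lower() != a.command.lower():
            leads.append((a, f"command changed from: {baseline[_key(a)].command}"))
        if any(p in path for p in USER_WRITABLE):
            leads.append((a, "executes from user-writable path"))
        if name in known_dirs and ntpath.dirname(path) not in known_dirs[name]:
            leads.append((a, f"{name} normally runs from {sorted(known_dirs[name])[0]}"))
    return leads

APPROVED = [  # constructed baseline exported from the change-management system
    Autorun("DR-BKP01", "task", "\\Ops\\NightlyBackup",
            '"C:\\Program Files\\BackupSuite\\bkpagent.exe" /full'),
    Autorun("DR-BKP01", "run", "AgentTray", '"C:\\Program Files\\BackupSuite\\tray.exe"'),
]
OBSERVED = APPROVED + [  # constructed: current inventory from the host, one extra entry
    Autorun("DR-BKP01", "task", "\\Maintenance\\SyncHealth", "C:\\ProgramData\\Sync\\tray.exe -s"),
]
```

Every lead is a starting point for the analyst, not a verdict: a change ticket explains most of them, and the ones without a ticket are the hunt's output.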
The stealth tradecraft was particularly concerning for financial institutions. Seedworm's use of PowerShell — a legitimate administration tool present on every Windows system — meant that their command-and-control traffic blended with normal system administration activity. Banks' security operations centers (SOCs) process millions of events daily, and distinguishing malicious PowerShell usage from legitimate administrative scripts requires advanced behavioral analytics that many institutions have not yet fully deployed.
Lateral Movement and Reconnaissance
Once inside the initial compromised system, Seedworm methodically mapped the internal network. The group reportedly conducted Active Directory reconnaissance to identify privileged accounts, payment processing systems, SWIFT messaging infrastructure, and disaster recovery systems. This mapping activity — essentially creating a blueprint of the bank's critical infrastructure — is consistent with pre-positioning for future operations rather than immediate data theft.
The targeting of disaster recovery systems was particularly alarming. In destructive attack scenarios, disabling backup and recovery infrastructure before launching the primary attack maximizes the damage and recovery time. The 2012 Saudi Aramco attack (attributed to Iran) used exactly this playbook — destroying backup systems before wiping 35,000 workstations. The identification of DR systems in bank networks suggests Seedworm was preparing similar operational options.
Implications for the Banking Sector
The discovery of Seedworm in US bank networks had sector-wide implications. The Financial Services Information Sharing and Analysis Center (FS-ISAC) reportedly coordinated threat intelligence sharing across member institutions, enabling banks to search for the specific indicators of compromise (IOCs) identified by researchers. However, the living-off-the-land techniques employed by Seedworm meant that IOC-based detection was insufficient — many of the tools and techniques used were legitimate system utilities that could not simply be blocked.
Several banks reportedly initiated "threat hunts" — proactive searches through their environments for behavioral indicators consistent with Seedworm's tradecraft, rather than relying solely on signature-based detection. These hunts required specialized threat hunting teams with deep understanding of both the attacker's methodology and the bank's own legitimate administrative patterns — a capability that exists at the largest banks but is often absent at mid-tier institutions.
The timing of the disclosure — during active US-Iran military conflict — created an additional operational challenge. Banks had to simultaneously investigate potential intrusions in their own environments, implement protective measures, and plan for the possibility of escalation to destructive attacks, all while maintaining normal banking operations and customer service.
The Challenge
Nation-State Actors in the Banking Network
In early March 2026, reports from cybersecurity firms detailed the discovery of Seedworm — also known as MuddyWater, a threat group attributed to Iran's Ministry of Intelligence and Security (MOIS) — operating inside the networks of multiple US financial institutions. The revelation, reported by Security.com on March 5, 2026, came against the backdrop of escalating US-Iran tensions following military strikes, making the intrusions simultaneously a cybersecurity incident and a geopolitical event.
Seedworm is not a newly discovered threat actor. The group has been tracked by multiple cybersecurity firms since at least 2017, with documented campaigns targeting government, telecommunications, energy, and defense sectors primarily in the Middle East but increasingly expanding to Western targets. What made the March 2026 revelations significant was the explicit targeting of financial institutions and the operational sophistication of the intrusions — suggesting a shift from intelligence gathering to pre-positioning for potential destructive operations.
The technical indicators were alarming. Seedworm's tradecraft had evolved significantly from earlier campaigns. The group reportedly employed living-off-the-land techniques — using legitimate system administration tools already present in bank environments to avoid detection by endpoint security solutions. PowerShell-based command and control, WMI (Windows Management Instrumentation) lateral movement, and abuse of legitimate cloud services for data exfiltration made the intrusions exceptionally difficult to distinguish from normal administrative activity.
For financial institutions operating under DORA or equivalent frameworks, Seedworm's presence raised a critical question: how do you classify and respond to a persistent nation-state intrusion that has not yet caused observable damage? The attackers were inside the network. They had established persistence. They had mapped internal systems. But they had not — as of the disclosure — destroyed data, disrupted operations, or stolen customer records. This is the gray zone between threat intelligence and incident management that most operational resilience frameworks struggle to address.
The geopolitical context made the intrusions qualitatively different from ordinary cybercrime. Seedworm's operations were not financially motivated — they were strategic. The presence of a state-sponsored actor in banking networks during active military hostilities between the US and Iran raised the specter of destructive cyberattacks against financial infrastructure as an act of asymmetric warfare.
The Approach
DORA's Framework Applied to Nation-State Threats
The Seedworm intrusions test DORA's framework against a threat category that is increasingly relevant for European financial institutions: state-sponsored cyber operations targeting banking infrastructure.
Art. 5-6 — ICT Risk Management and Nation-State Threats
DORA Art. 5 requires financial entities to have an ICT risk management framework that is "comprehensive" and addresses all ICT risks. Nation-state threats represent a qualitatively different risk category from cybercrime. The threat actor has potentially unlimited resources, operates under state protection, and pursues strategic rather than financial objectives. The risk assessment for a nation-state threat must account for destructive capability, not just data theft or financial fraud.
Art. 6 specifically requires entities to identify the sources of ICT risk and keep their risk assessment current with the "evolving cyber threat landscape." The Seedworm campaign demonstrates that the geopolitical context can rapidly change the threat landscape for financial institutions. A bank that assessed Iranian cyber threats as "low probability" in January 2026 would have needed to reassess that rating to "high probability" by March 2026 as military conflict escalated. DORA-compliant risk management must be dynamic enough to incorporate geopolitical intelligence into threat assessments.
Art. 7 — ICT Systems, Protocols, and Tools
DORA Art. 7 requires financial entities to use ICT systems, protocols, and tools that are "resilient, reliable, and have sufficient capacity." Seedworm's living-off-the-land approach challenges this requirement because the compromised tools are the legitimate ICT systems themselves. PowerShell, WMI, and other Windows administration tools are part of the bank's ICT infrastructure — they are the protocols and tools that Art. 7 requires to be maintained. The challenge is ensuring that these legitimate tools cannot be weaponized by adversaries who gain access to the network.
This implies that Art. 7 compliance must extend beyond system availability and performance to encompass security configuration — hardening legitimate administration tools against misuse, implementing application whitelisting, and deploying behavioral analytics that can distinguish malicious from legitimate use of system utilities.
Art. 17-19 — Incident Classification for Pre-Positioned Intrusions
The most challenging DORA question raised by Seedworm is incident classification. Art. 17 requires financial entities to classify ICT-related incidents according to criteria including the duration, the geographic spread, the data losses, and the criticality of services affected. But Seedworm's presence — as of the March 2026 disclosure — had not caused any of these observable impacts. The attackers were present but dormant. The data had not been exfiltrated (as far as was known). Services continued operating normally.
Does a discovered but non-activated nation-state intrusion qualify as a "major ICT-related incident" under Art. 19? The case for classification as major is strong: the threat actor has demonstrated capability and intent, the compromised systems include critical infrastructure, and the geopolitical context suggests potential for escalation. The case against is that no actual disruption or data loss has occurred.
The prudent approach — and the one most consistent with DORA's risk-based philosophy — is to classify a discovered nation-state intrusion as a major incident regardless of whether damage has yet occurred. The risk to operational resilience is not determined by what the attacker has done but by what the attacker can do from their established position.
Art. 45-49 — Information Sharing (Pillar V)
The Seedworm campaign provides perhaps the strongest real-world case for DORA Pillar V's information sharing requirements. Art. 45 encourages financial entities to participate in cyber threat intelligence sharing arrangements. The FS-ISAC's coordination of IOC sharing across US banks during the Seedworm campaign demonstrated the operational value of such arrangements — institutions that received early IOC feeds could begin hunting for the threat in their environments before public disclosure.
For EU financial institutions, DORA Art. 45 creates a framework for similar sharing arrangements. The Seedworm case demonstrates that the value of shared threat intelligence is highest during active campaigns when IOCs are fresh and the threat actor's tradecraft has not yet evolved. Delayed sharing — waiting for formal reports or sanitized advisories — significantly reduces the defensive value of the intelligence.
The Results
The Asymmetric Warfare Dimension
The Seedworm campaign against US financial institutions introduced a dimension that traditional operational resilience frameworks were not designed to address: the use of banking infrastructure as a theater of geopolitical conflict.
Financial Infrastructure as a Military Target
The historical precedent is clear and documented. In 2012, Iran launched Operation Ababil, a sustained DDoS campaign against major US banks including Bank of America, JPMorgan Chase, Citigroup, and Wells Fargo. The attacks were explicitly retaliatory — a response to economic sanctions. In the intervening years, Iranian cyber capabilities have grown substantially. The shift from DDoS (disruption) to APT infiltration (pre-positioning for destruction) represents a qualitative escalation in the threat to financial infrastructure.
The Seedworm intrusions of March 2026 occurred during active military hostilities between the US and Iran. In this context, the presence of Iranian state actors inside bank networks was not merely a cybersecurity concern — it was a potential act of preparation for asymmetric warfare. Destructive cyberattacks against banking infrastructure could serve Iranian strategic objectives by disrupting the economic base that supports military operations, creating domestic political pressure through customer impact, and demonstrating reach against critical infrastructure as a deterrent.
Implications for European Financial Institutions
While the Seedworm campaign directly targeted US banks, European financial institutions are not immune. EU banks have extensive correspondent banking relationships with US institutions, share payment infrastructure (SWIFT, CLS), and operate in an interconnected global financial system where disruptions propagate rapidly. A destructive attack against major US banks would have immediate second-order effects on European financial markets and institutions.
DORA Art. 6(8) requires financial entities to consider the "broader macroeconomic and geopolitical context" in their ICT risk assessment. The Seedworm case demonstrates that this requirement is not a theoretical exercise — geopolitical events can rapidly change the threat profile for financial institutions. European banks with operations in or connections to conflict zones must integrate geopolitical risk monitoring into their ICT risk management frameworks.
The Detection Challenge
Seedworm's living-off-the-land techniques expose a fundamental gap in many institutions' detection capabilities. Traditional security monitoring — signature-based intrusion detection, static endpoint protection, log-based SIEM rules — was designed to detect malware and known attack patterns. Seedworm used no malware. Their tools were PowerShell, WMI, and legitimate administrative utilities. Their communication channels were encrypted connections to legitimate cloud services.
Detecting this class of threat requires advanced behavioral analytics — tools that establish baselines of normal administrative activity and alert on deviations. It requires threat hunting teams that proactively search for indicators of tradecraft rather than waiting for automated alerts. And it requires intelligence integration — consuming and operationalizing threat intelligence feeds fast enough to search for newly disclosed IOCs before the attacker changes their infrastructure.
For institutions subject to DORA, this detection capability gap has direct compliance implications. Art. 9 requires financial entities to implement measures to "promptly detect anomalous activities." If an institution cannot detect a nation-state actor using legitimate tools to traverse its network, its detection measures are not sufficient under Art. 9 — regardless of whether they meet the baseline standard for detecting commodity malware.
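The behavioral baselining described above, reduced to its core, as an added example rather than code from the article: learn which parent processes and hours are normal for PowerShell per host and user, then score new process-creation events against that. Event fields are a simplified rendering of Windows process-creation telemetry; the launcher list and every event are constructed assumptions.

```python
"""Added example, not from the article: a minimal behavioral baseline for PowerShell
use. Event fields are a simplified rendering of Windows process-creation telemetry;
every event and the launcher list below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent: str   # image name of the parent process
    image: str    # image name of the launched process
    cmdline: str
    hour: int     # local hour of day, 0-23

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumption: admins here launch PowerShell from a console or explorer; these parents
# instead fit the WMI/script-host lateral movement pattern described in the article.
LOTL_PARENTS = {"wmiprvse.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

def has_encoded_flag(cmdline):
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...)."""
    return any(t.lower().startswith("-e") and "-encodedcommand".startswith(t.lower())
               for t in cmdline.split())

def build_baseline(events):
    # Per (host, user): the parents that launch PowerShell and the hours it is used.
    parents, hours = defaultdict(set), defaultdict(set)
    for e in events:
        if e.image.lower() in POWERSHELL:
            parents[(e.host, e.user)].add(e.parent.lower())
            hours[(e.host, e.user)].add(e.hour)
    return parents, hours

def score_event(e, baseline):
    """Deviations for one event; an empty list means it fits the learned baseline."""
    if e.image.lower() not in POWERSHELL:
        return []
    parents, hours = baseline
    key, parent, reasons = (e.host, e.user), e.parent.lower(), []
    if key not in parents:
        reasons.append("first PowerShell use for this host/user pair")
    elif parent not in parents[key]:
        reasons.append(f"unseen parent process {e.parent}")
    if parent in LOTL_PARENTS:
        reasons.append(f"launched via {e.parent} (WMI/script-host pattern)")
    if has_encoded_flag(e.cmdline):
        reasons.append("encoded command line")
    if key in hours and not min(hours[key]) <= e.hour <= max(hours[key]):
        reasons.append(f"outside usual hours ({e.hour:02d}:00)")
    return reasons

def hunt(baseline_events, new_events):
    # (event, reasons) pairs for new events that deviate from the learned baseline.
    baseline = build_baseline(baseline_events)
    return [(e, r) for e in new_events if (r := score_event(e, baseline))]

BASELINE = [ProcEvent("WS01", "admin.jdoe", "explorer.exe", "powershell.exe",   # constructed
                      "powershell.exe -File C:\\ops\\patch.ps1", h) for h in (9, 11, 14, 16)]
NEW = [ProcEvent("WS01", "admin.jdoe", "explorer.exe", "powershell.exe",        # constructed
                 "powershell.exe -File C:\\ops\\patch.ps1", 10),
       ProcEvent("DR-BKP01", "svc-backup", "wmiprvse.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc QUFBQQ==", 3)]
```

The routine launch on WS01 scores clean, while the backup-server event accumulates three independent reasons; in production the baseline window would be weeks of telemetry and the reasons would feed a SIEM rule rather than a list.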
Building Resilience Against State-Sponsored Threats
The Seedworm campaign reinforces several operational resilience principles that apply beyond the specific US-Iran context:
Assume breach. The question is not whether a sophisticated adversary can get into your network — it is whether you can detect them once they are inside and limit the damage they can do. Resilience planning must assume that perimeter defenses will eventually be bypassed.
Protect recovery infrastructure. Seedworm's targeting of disaster recovery systems is a critical warning. If an attacker can destroy your backups before launching the primary attack, your RTO becomes infinite. Backup systems must be architecturally isolated from the primary network, with offline or immutable copies that cannot be reached through network-based attacks.
Intelligence-driven defense. The FS-ISAC's IOC sharing during the Seedworm campaign demonstrated the defensive value of threat intelligence sharing. Institutions that participate in intelligence sharing arrangements can detect threats days or weeks earlier than those relying solely on vendor advisories.
Geopolitical risk integration. Financial institutions must integrate geopolitical monitoring into their ICT risk management. A change in the geopolitical landscape — military escalation, sanctions, diplomatic breakdown — can change the probability of nation-state cyber operations against financial infrastructure from theoretical to imminent.
Lessons Learned
1. DORA Art. 5-6 ICT risk management frameworks must account for nation-state threats as a distinct risk category with different motivations (strategic vs. financial), capabilities (unlimited resources), and objectives (pre-positioning for destruction vs. immediate monetization).
2. DORA Art. 9 detection requirements are not met by traditional signature-based security when adversaries use living-off-the-land techniques — behavioral analytics and proactive threat hunting are required for nation-state threat detection.
3. DORA Art. 17-19 incident classification should treat discovered nation-state intrusions as major incidents regardless of whether damage has occurred — the risk is determined by the attacker's position and capability, not by observed impact.
4. DORA Art. 45-49 Pillar V information sharing provides the highest defensive value during active campaigns when IOCs are fresh — delayed sharing through formal channels significantly reduces defensive utility.
5. Geopolitical risk monitoring must be integrated into ICT risk management (Art. 6(8)) — military conflicts, sanctions, and diplomatic breakdowns can rapidly transform the probability of state-sponsored cyber operations from theoretical to imminent.
6. Backup and disaster recovery infrastructure must be architecturally isolated from production networks — nation-state actors specifically target recovery systems to maximize the impact of destructive attacks.
Disclaimer: This case study is based on anonymized data from real-world DORA compliance programmes. Names, specific figures, and identifying details have been changed to protect confidentiality. The outcomes described are specific to the institution's context and may not be directly replicable.