Iranian APT Hacked US Airport, Bank, Software Company

The attacks, observed since February, show that Iranian hackers already have a presence in the networks of US organizations.

The Iranian APT MuddyWater has hacked into the networks of several organizations in the US, including an aerospace and defense contractor, Broadcom’s Symantec and Carbon Black threat hunting team reports.

The threat actor has been present in the environments of an airport, a bank, a non-governmental organization operating in the US and Canada, and a software company with a presence in Israel.

According to the Broadcom experts, the APT’s activity has continued “in recent days following US and Israeli military strikes on Iran that have sparked conflict in the region”.

The compromised software firm, an aerospace and defense contractor, also has a presence in Israel, making it a target of interest for MuddyWater hackers.

As part of the campaign, the APT deployed a new backdoor dubbed Dindoor on the networks of the software supplier’s Israeli branch, the US bank, and the Canadian NGO.

The backdoor is signed with a certificate issued for ‘Amy Cherne’. The APT also attempted to exfiltrate data from the software company’s Israeli branch.

Broadcom’s cybersecurity team also discovered a Python backdoor dubbed Fakeset on the networks of a US airport and a non-profit organization. Fakeset was signed with an Amy Cherne certificate as well as with a certificate issued for ‘Donald Gay’, which had also been used in previous MuddyWater attacks.

The observed activity has been disrupted, but other organizations might still be vulnerable to compromise, the Symantec and Carbon Black team says.

“While it’s not known if the operations of Seedworm are disrupted by the current conflict, already having a presence on U.S. and Israeli networks prior to the current hostilities beginning means the threat group is in a potentially dangerous position to launch attacks,” the experts note.

Active since at least 2017 and also known as Mango Sandstorm, Mercury, Seedworm, and Static Kitten, MuddyWater has been officially linked by the US to the Iranian Ministry of Intelligence and Security (MOIS).

The threat actor is known for targeting entities in the Middle East as part of espionage operations, and was seen last year deploying updated Android spyware during the Israel-Iran conflict.

Last year, Amazon detailed the APT’s involvement in cyber-enabled kinetic targeting, hacking into live CCTV streams from Jerusalem in support of a missile attack.

Related: Iranian Strikes on Amazon Data Centers Highlight Industry’s Vulnerability to Physical Disasters

Related: Iran Cyber Front: Hacktivist Activity Rises, but State-Sponsored Attacks Stay Low

Related: US-Israel and Iran Trade Cyberattacks: Pro-West Hacks Cause Disruption as Tehran Retaliates

Related: US Posts $10 Million Bounty for Iranian Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.