Connect with us

Hi, what are you looking for?



Microsoft: Iranian Gov Hackers Caught in Azure Wiper Attacks

Microsoft catches an Iranian government-backed APT launching destructive Azure wiper attacks disguised as ransomware.

Iranian cyberattacks

Iranian advanced persistent threat (APT) actors MuddyWater and DEV-1084 have been observed launching destructive cyberattacks disguised as ransomware, Microsoft warns.

Also tracked as Mercury, Seedworm, and Static Kitten, and known to be launching espionage campaigns against targets in the Middle East since at least 2017, MuddyWater was officially linked by the U.S. government to Iran’s Ministry of Intelligence and Security.

DEV-1084, which claims to be a financially motivated cybercriminal group operating under the DarkBit persona, is connected to MuddyWater, if not a subgroup of the APT, Microsoft says (the tech giant uses the DEV designation for emerging, developing, or unknown clusters of activity).

According to Microsoft, DEV-1084 was seen using an IP address and a VPN provider historically associated with MuddyWater, using tools previously used by the APT, and using a domain believed to be controlled by MuddyWater.

“Microsoft assesses that Mercury gains access to the targets through remote exploitation of an unpatched internet-facing device. Mercury then handed off access to DEV-1084. It is not currently clear if DEV-1084 operates independently of Mercury and works with other Iranian actors or if DEV-1084 is an ‘effects based’ sub-team of Mercury that only surfaces when Mercury operators are instructed to carry out a destructive attack,” the tech giant notes.

Following initial compromise, the adversary deploys web shells, creates administrative user accounts, installs legitimate tools for remote access (including eHorus, Ligolo, and RPort), installs a PowerShell script backdoor, and steals credentials.

After establishing persistence, the threat actor performs reconnaissance and lateral movement, using remote scheduled tasks to launch the backdoor, Windows Management Instrumentation (WMI) to execute commands, and remote services to run PowerShell commands.

Advertisement. Scroll to continue reading.

The attackers were also caught abusing compromised Azure Active Directory (Azure AD) accounts that had ‘global administrator’ privileges to perform destructive actions, “deleting within a few hours server farms, virtual machines, storage accounts, and virtual networks. We assess that the attacker’s goal was to cause data loss and a denial of service (DoS) of the target’s services”, Microsoft said.

The adversary was observed performing new actions weeks or even months after completing one of the steps. In some cases, the hackers were seen deploying tunneling tools such as Ligolo and OpenSSH to hide command-and-control (C&C) communication.

Microsoft also observed the attackers using high-privileged credentials and domain controller access to carry out on-premises destructive operations and prepare for large-scale encryption.

Using Group Policy Objects (GPO), the threat actor deployed the DarkBit ransomware in the Netlogon shares of several domain controllers and registered a scheduled task to launch the payload.

Using the compromised accounts, the adversary obtained credentials for other privileged accounts, which were abused for other malicious activities, including adding certificates to the OAuth application and attempting to dump mailboxes and/or search for sensitive data.

Related: Iranian Hackers Deliver New ‘Fantasy’ Wiper via Supply Chain Attack

Related: US, Allies Link Iranian Government Agency to Ransomware Attacks

Related: Microsoft Dives Into Iranian Ransomware APT Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


The City of Oakland has disclosed a ransomware attack that impacted several non-emergency systems.