Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

U.S. Cyber Command Officially Links MuddyWater Group to Iranian Intelligence

The U.S. Cyber Command (CYBERCOM) on Wednesday officially tied the advanced persistent threat (APT) actor known as MuddyWater to Iranian intelligence.

The U.S. Cyber Command (CYBERCOM) on Wednesday officially tied the advanced persistent threat (APT) actor known as MuddyWater to Iranian intelligence.

Also tracked as MERCURY, Seedworm, and Static Kitten, MuddyWater was initially detailed in 2017. The threat actor is known for conducting espionage campaigns focused on entities in the Middle East, but has targeted entities in Europe and North America as well.

The hacking group, the military agency notes, employs various open-source tools that allow it to maintain access to compromised networks, and administrators should assume they have been compromised if they identify multiple such tools in their environment.

“These actors, known as MuddyWater in industry, are part of groups conducting Iranian intelligence activities, and have been seen using a variety of techniques to maintain access to victim networks,” CYBERCOM says.

U.S. Cyber Command believes MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), which is involved in both domestic surveillance operations and the targeting of anti-regime activists abroad.

To help network defenders better protect their environments against MuddyWater attacks, CYBERCOM has uploaded 17 malware samples associated with the group’s activities to VirusTotal, including PowGoop samples and variants and a Mori backdoor sample.

First observed in 2020, PowGoop is a downloader that contains a DLL loader, along with a PowerShell-based downloader that decrypts and runs it. The malicious tool was used in attacks against a wide range of entities in the education, government, oil and gas, real estate, telecoms, and technology sectors.

Older than PowGoop and observed in numerous MuddyWater intrusions, the Mori backdoor relies on DNS tunneling for communication with the command and control (C&C) server, and is believed to be employed for espionage purposes.

Advertisement. Scroll to continue reading.

Five of the files that CYBERCOM has uploaded to VirusTotal this week aren’t detected as malicious by any of the antivirus engines in the scanning service, while six others have very low detection rates.

Related: Iranian APT Targets Middle East Telecoms Operators in Espionage Campaign

Related: USCYBERCOM Warns of Mass Exploitation of Atlassian Vulnerability Ahead of Holiday Weekend

Related: U.S. Cyber Command Shares More Russian Malware Samples

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...