
Cyberwarfare

US, UK Warn of Iranian Cyberattacks on Government, Commercial Networks

Governmental agencies in the United States and the United Kingdom warn of cyberespionage operations that the Iranian state-sponsored threat actor MuddyWater has been running against both public and private sector organizations worldwide.

Active since at least 2017 and also tracked as Static Kitten, Seedworm, and Mercury, MuddyWater is an advanced persistent threat (APT) actor believed to be a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).

The adversary is supplying the Iranian government with both stolen data and access to compromised networks, the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the US Cyber Command Cyber National Mission Force (CNMF), the National Security Agency (NSA), and the UK’s National Cyber Security Centre (NCSC-UK) said in a joint advisory this week.

[READ: U.S. Cyber Command Officially Links MuddyWater Group to Iranian Intelligence]

MuddyWater has been observed conducting cyberespionage operations against organizations in multiple sectors – including government, defense, telecoms, and oil and natural gas – in Asia, Africa, Europe, and North America.

For initial access to victim environments, the APT uses spear-phishing (serving the victim ZIP archives that contain macro-enabled Excel files or PDF documents), exploits known vulnerabilities, or relies on open-source tools, the joint advisory reads.

Once in, the adversary collects sensitive data and deploys ransomware, while also maintaining persistence on the compromised networks. In some attacks, DLL side-loading is employed to load malware into the processes of legitimate programs.

In recent attacks, the threat actor was observed employing variants of malware families such as Canopy, Mori, PowGoop, PowerStats, and Small Sieve, for backdoor access, payload deployment, data theft, and persistence, the FBI, CISA, CNMF, NCSC-UK, and NSA say.

[READ: Iranian Hackers Using New Backdoor Linked to Memento Ransomware]

In January, the U.S. Cyber Command (CYBERCOM) uploaded to VirusTotal several files associated with the MuddyWater operations, including PowGoop samples and a Mori backdoor sample.

The newly published joint advisory provides technical details on PowGoop, which MuddyWater uses as its main loader, as well as detailed information on the capabilities of other malware families and tools that the APT employs in attacks.

It also details a newly identified PowerShell backdoor associated with the threat actor’s activities. The lightweight script relies on the InvokeScript method to execute adversary-supplied responses, and uses single-byte Exclusive-OR (XOR) to encrypt its communications.

Organizations of all types and sizes are advised to review the information associated with MuddyWater and ensure they deploy necessary mitigations to keep their networks secure from this and similar threats.

Related: Wiper Used in Attack on Iran National Media Network

Related: Iranian APT Targets Middle East Telecoms Operators in Espionage Campaign

Related: Destructive Malware Spotted in Recent Attacks Launched by Iranian Cyberspies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
