Connect with us

Hi, what are you looking for?



US, UK Warn of Iranian Cyberattacks on Government, Commercial Networks

Governmental agencies in the United States and the United Kingdom warn of cyberespionage operations that the Iranian state-sponsored threat actor MuddyWater has been running against both public and private sector organizations worldwide.

Governmental agencies in the United States and the United Kingdom warn of cyberespionage operations that the Iranian state-sponsored threat actor MuddyWater has been running against both public and private sector organizations worldwide.

Active since at least 2017 and also tracked as Static Kitten, Seedworm, and Mercury, MuddyWater is an advanced persistent threat (APT) actor believed to be a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).

The adversary is supplying the Iranian government with both stolen data and access to compromised networks, the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the US Cyber Command Cyber National Mission Force (CNMF), the National Security Agency (NSA), and the UK’s National Cyber Security Centre (NCSC-UK) said in a joint advisory this week.

[READ: U.S. Cyber Command Officially Links MuddyWater Group to Iranian Intelligence]

MuddyWater has been observed conducting cyberespionage operations against organizations in multiple sectors – including government, defense, telecoms, and oil and natural gas – in Asia, Africa, Europe, and North America.

For initial access to victim environments, the APT employs spear-phishing (ZIP archives containing macro-enabled Excel files or PDF documents are served to the victim), it exploits known vulnerabilities, or employs open-source tools, the joint advisory reads.

Once in, the adversary collects sensitive data and deploys ransomware, while also maintaining persistence on the compromised networks. In some attacks, DLL side-loading is employed to load malware into the processes of legitimate programs.

Advertisement. Scroll to continue reading.

In recent attacks, the threat actor was observed employing variants of malware families such as Canopy, Mori, PowGoop, PowerStats, and Small Sieve, for backdoor access, payload deployment, data theft, and persistence, the FBI, CISA, CNMF, NCSC-UK, and NSA say.

[READ: Iranian Hackers Using New Backdoor Linked to Memento Ransomware]

In January, the U.S. Cyber Command (CYBERCOM) uploaded to VirusTotal several files associated with the MuddyWater operations, including PowGoop samples and a Mori backdoor sample.

The newly published joint advisory provides technical details on PowGoop, which MuddyWater uses as its main loader, as well as detailed information on the capabilities of other malware families and tools that the APT employs in attacks.

It also details a newly identified PowerShell backdoor associated with the threat actor’s activities. Featuring lightweight functionality, the script relies on the InvokeScript method for the execution of adversary-supplied responses, and uses single-byte Exclusive-OR (XOR) for communication encryption.

Organizations of all types and sizes are advised to review the information associated with MuddyWater and ensure they deploy necessary mitigations to keep their networks secure from this and similar threats.

Related: Wiper Used in Attack on Iran National Media Network

Related: Iranian APT Targets Middle East Telecoms Operators in Espionage Campaign

Related: Destructive Malware Spotted in Recent Attacks Launched by Iranian Cyberspies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...