Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

US, UK Warn of Iranian Cyberattacks on Government, Commercial Networks

Governmental agencies in the United States and the United Kingdom warn of cyberespionage operations that the Iranian state-sponsored threat actor MuddyWater has been running against both public and private sector organizations worldwide.

Governmental agencies in the United States and the United Kingdom warn of cyberespionage operations that the Iranian state-sponsored threat actor MuddyWater has been running against both public and private sector organizations worldwide.

Active since at least 2017 and also tracked as Static Kitten, Seedworm, and Mercury, MuddyWater is an advanced persistent threat (APT) actor believed to be a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).

The adversary is supplying the Iranian government with both stolen data and access to compromised networks, the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the US Cyber Command Cyber National Mission Force (CNMF), the National Security Agency (NSA), and the UK’s National Cyber Security Centre (NCSC-UK) said in a joint advisory this week.

[READ: U.S. Cyber Command Officially Links MuddyWater Group to Iranian Intelligence]

MuddyWater has been observed conducting cyberespionage operations against organizations in multiple sectors – including government, defense, telecoms, and oil and natural gas – in Asia, Africa, Europe, and North America.

For initial access to victim environments, the APT employs spear-phishing (ZIP archives containing macro-enabled Excel files or PDF documents are served to the victim), it exploits known vulnerabilities, or employs open-source tools, the joint advisory reads.

Once in, the adversary collects sensitive data and deploys ransomware, while also maintaining persistence on the compromised networks. In some attacks, DLL side-loading is employed to load malware into the processes of legitimate programs.

In recent attacks, the threat actor was observed employing variants of malware families such as Canopy, Mori, PowGoop, PowerStats, and Small Sieve, for backdoor access, payload deployment, data theft, and persistence, the FBI, CISA, CNMF, NCSC-UK, and NSA say.

[READ: Iranian Hackers Using New Backdoor Linked to Memento Ransomware]

In January, the U.S. Cyber Command (CYBERCOM) uploaded to VirusTotal several files associated with the MuddyWater operations, including PowGoop samples and a Mori backdoor sample.

The newly published joint advisory provides technical details on PowGoop, which MuddyWater uses as its main loader, as well as detailed information on the capabilities of other malware families and tools that the APT employs in attacks.

It also details a newly identified PowerShell backdoor associated with the threat actor’s activities. Featuring lightweight functionality, the script relies on the InvokeScript method for the execution of adversary-supplied responses, and uses single-byte Exclusive-OR (XOR) for communication encryption.

Organizations of all types and sizes are advised to review the information associated with MuddyWater and ensure they deploy necessary mitigations to keep their networks secure from this and similar threats.

Related: Wiper Used in Attack on Iran National Media Network

Related: Iranian APT Targets Middle East Telecoms Operators in Espionage Campaign

Related: Destructive Malware Spotted in Recent Attacks Launched by Iranian Cyberspies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cyberwarfare

Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.