US Cyber Command (USCYBERCOM) has officially linked the Iran-linked MuddyWater APT group to Iran’s Ministry of Intelligence and Security (MOIS).
The experts called the campaign ‘MuddyWater’ due to the confusion in attributing a wave of attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date. The group evolved over the years by adding new attack techniques to its arsenal. Across the years the APT group also has also targeted European and North American nations.
The group’s victims are mainly in the telecommunications, government (IT services), and oil sectors
MOIS is the primary intelligence agency of the Islamic Republic of Iran and a member of the Iran Intelligence Community. It is also known as VAJA and previously as VEVAK (Vezarat-e Ettela’at va Amniyat-e Keshvar) or alternatively MOIS.
“These actors, known as MuddyWater in industry, are part of groups conducting Iranian intelligence activities, and have been seen using a variety of techniques to maintain access to victim networks,” USCYBERCOM said.”
“MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS). According to the Congressional Research Service, the MOIS “conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies.”
Collaboration between the #FBI and @CNMF_CyberAlert through the National Cyber Investigative Joint Task Force (NCIJTF) is key to detecting network compromises, mitigating computer intrusions, and preventing malicious Iranian cyber activities. #CyberIsATeamSport https://t.co/Y7QsTgHHZb
— FBI (@FBI) January 12, 2022
“If you see a combination of these tools, Iranian MOIS actor MuddyWater may be in your network. MuddyWater has been seen using a variety of techniques to maintain access to victim networks. These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions. https://twitter.com/CNMF_CyberAlert #MOIS_MuddyWater” states the CYBERCOM Malware Alert.
Iranian MOIS hacker group #MuddyWater is using a suite of malware to conduct espionage and malicious activity. If you see two or more of these malware on your network, you may have MuddyWater on it: https://t.co/xTI6xuQOg3. Attributed through @NCIJTF @FBI
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) January 12, 2022
Researchers from SentinelOne analyzed some tools in the arsenal of the group that were also shared by the US USCYBERCOM.
The researchers discovered an interesting subset of activity targeting Exchange servers of high-profile organizations. The subset of Exchange exploitation activity is interesting because it is difficult to attribute it to MuddyWater due to the use of publicly available offensive security tools.
The attackers attempt to exploit Exchange servers using two different tools:
- A publicly available script for exploiting CVE-2020-0688 (T1190)
- Ruler – an open source Exchange exploitation framework
“Analysis of MuddyWater activity suggests the group continues to evolve and adapt their techniques. While still relying on publicly available offensive security tools, the group has been refining its custom toolset and utilizing new techniques to avoid detection.” reads the analysis published by SentinelOne. “This is observed through the three distinct activities observed and analyzed in this report: The evolution of the PowGoop malware family, the usage of tunneling tools, and the targeting of Exchange servers in high-profile organizations.”
Cyber Defense Magazine