The Iranian nation-state group MuddyWater has been observed carrying out destructive operations against hybrid environments under the cover of a ransomware campaign. The finding comes from recent research by the Microsoft Threat Intelligence team, which tracks the group as Mercury and reports that it targeted both on-premises and cloud infrastructure while working with a newly emerging activity cluster tracked as DEV-1084.
“While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation,” revealed the tech giant.
The U.S. government has publicly linked MuddyWater to Iran’s Ministry of Intelligence and Security (MOIS). The group is believed to have been active since at least 2017. The cybersecurity industry also tracks it under the names Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mercury, Seedworm, Static Kitten, TEMP.Zagros, and Yellow Nix.
In its profile of Cobalt Ulster, cybersecurity company Secureworks notes that the operators frequently “inject false flags into code associated with their operations” as a diversion to muddle attribution. The group has primarily targeted Middle Eastern countries, including intrusions into Israeli organizations over the past year that exploited the Log4Shell vulnerability. According to the latest findings from Microsoft, the threat actor most likely worked together with DEV-1084 to carry out the attack, with DEV-1084 responsible for the destructive actions once MuddyWater had gained a foothold in the target environment.
In the activity Microsoft observed, DEV-1084 used compromised highly privileged credentials to encrypt on-premises devices and to delete cloud resources at scale, including server farms, storage accounts, virtual machines, and virtual networks. The threat actors also used Exchange Web Services to obtain full access to email inboxes, performing “thousands of search actions” and sending messages to internal and external recipients while impersonating an undisclosed high-ranking employee.
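The two behaviours described above, a burst of control-plane deletions by one identity and thousands of mailbox searches by the same identity, share a simple detection shape: count an actor's sensitive operations inside a sliding time window and alert when the count is implausible for routine administration. The following Python is an added example and is not code from Microsoft's report or from any tooling it describes. The log records are constructed; the field names (eventTimestamp, caller, operationName) are a simplified schema loosely modelled on Azure Activity Log fields, the mailbox operation string is a placeholder rather than a real audit-log value, and the identities, window sizes and thresholds are assumptions chosen for illustration.

```python
"""Burst detection for destructive and mass-access activity by a single identity.

Added example, not from Microsoft's report. All records below are constructed;
the schema (eventTimestamp, caller, operationName) is a simplification loosely
modelled on Azure Activity Log field names, and "MailboxSearch" is a placeholder
operation name. Windows and thresholds are illustrative; tune them per tenant.
"""
from collections import deque
from datetime import datetime, timedelta


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_bursts(events, predicate, window=timedelta(minutes=30), threshold=5):
    """Per-caller sliding window over events matching `predicate`.

    Returns {caller: {"first", "last", "count", "distinct_ops"}} for each caller
    whose matching events inside some interval of length `window` reach
    `threshold`; the largest such interval is reported. Input may be unordered.
    """
    windows, hits = {}, {}
    for ev in sorted(events, key=lambda e: parse_ts(e["eventTimestamp"])):
        if not predicate(ev):
            continue
        ts = parse_ts(ev["eventTimestamp"])
        q = windows.setdefault(ev["caller"], deque())
        q.append((ts, ev["operationName"]))
        while ts - q[0][0] > window:  # evict events older than the window
            q.popleft()
        if len(q) >= threshold:
            prev = hits.get(ev["caller"])
            if prev is None or len(q) > prev["count"]:
                hits[ev["caller"]] = {
                    "first": q[0][0], "last": ts, "count": len(q),
                    "distinct_ops": len({op for _, op in q}),
                }
    return hits


def is_delete(ev):
    """Resource-manager delete operations are the destructive signal here."""
    return ev["operationName"].lower().endswith("/delete")


def _ev(minute, caller, op, base="2023-03-01T00:38:00Z", second=0):
    ts = parse_ts(base) + timedelta(minutes=minute, seconds=second)
    return {"eventTimestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "caller": caller, "operationName": op}


ATTACKER = "svc-admin@contoso.example"  # constructed identity
ROUTINE = "ops@contoso.example"         # constructed identity

# Constructed: one principal deletes eight resources of four kinds within 20
# minutes (plus one harmless write); another deletes three resources over six
# hours, which looks like ordinary change activity.
ACTIVITY_LOG = [
    _ev(0, ATTACKER, "Microsoft.Network/virtualNetworks/delete"),
    _ev(2, ATTACKER, "Microsoft.Storage/storageAccounts/delete"),
    _ev(3, ATTACKER, "Microsoft.Compute/virtualMachines/write"),
    _ev(5, ATTACKER, "Microsoft.Compute/virtualMachines/delete"),
    _ev(6, ATTACKER, "Microsoft.Compute/virtualMachines/delete"),
    _ev(9, ATTACKER, "Microsoft.Web/serverfarms/delete"),
    _ev(12, ATTACKER, "Microsoft.Storage/storageAccounts/delete"),
    _ev(15, ATTACKER, "Microsoft.Compute/virtualMachines/delete"),
    _ev(20, ATTACKER, "Microsoft.Web/serverfarms/delete"),
    _ev(0, ROUTINE, "Microsoft.Compute/virtualMachines/delete"),
    _ev(180, ROUTINE, "Microsoft.Compute/virtualMachines/delete"),
    _ev(360, ROUTINE, "Microsoft.Storage/storageAccounts/delete"),
]

# Constructed: the same identity issuing 60 mailbox searches ten seconds apart.
MAILBOX_AUDIT = [_ev(0, ATTACKER, "MailboxSearch", second=10 * i) for i in range(60)]


def detect_cloud_destruction(events=ACTIVITY_LOG):
    return find_bursts(events, is_delete, window=timedelta(minutes=30), threshold=5)


def detect_mass_mailbox_search(events=MAILBOX_AUDIT):
    return find_bursts(events, lambda e: e["operationName"] == "MailboxSearch",
                       window=timedelta(minutes=15), threshold=50)


if __name__ == "__main__":
    for name, hits in (("cloud deletes", detect_cloud_destruction()),
                       ("mailbox searches", detect_mass_mailbox_search())):
        for caller, h in hits.items():
            print(f"{name}: {caller} {h['count']} ops ({h['distinct_ops']} kinds) "
                  f"between {h['first']:%H:%M:%S} and {h['last']:%H:%M:%S}")
```

The same window-and-threshold helper serves both signals, which is the point: the routine administrator's spaced-out deletions never accumulate inside a 30-minute window, while the compromised account's deletions across four resource types, and its search burst against mailboxes, both trip the detector well before the attacker's three-hour run is over. In production the predicate would also weight operations on backup vaults, key vaults and role assignments, since losing those is what makes the destruction unrecoverable.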
The events above are believed to have unfolded over roughly three hours, beginning at 12:38 a.m., when the attacker used compromised credentials to access the Microsoft Azure environment, and ending at 3:21 a.m., when the attacker sent emails to other parties following the successful cloud disruption. Notably, DEV-1084 is believed to be the same threat actor that in February targeted Technion, a leading research university in Israel, with a ransomware and extortion campaign under the “DarkBit” persona. Last month, the Israel National Cyber Directorate attributed that attack to MuddyWater.
“DEV-1084 […] presented itself as a criminal actor interested in extortion, likely as an attempt to obfuscate Iran’s link to and strategic motivation for the attack,” Microsoft added.
The links between Mercury and DEV-1084 rest on overlaps in infrastructure, IP addresses, and tooling; DEV-1084 was observed using the reverse tunneling tool Ligolo, a staple of MuddyWater’s toolkit. There is not yet enough evidence to say whether DEV-1084 is a sub-team called upon only when a destructive attack is required or whether it operates independently of MuddyWater and works with other Iranian actors as well. Early last year, Cisco Talos characterized MuddyWater as a “conglomerate” of multiple smaller clusters rather than a single, cohesive organization, and the emergence of DEV-1084 at least points in that direction.
“While these teams seem to operate independently, they are all motivated by the same factors that align with Iranian national security objectives, including espionage, intellectual theft, and destructive or disruptive operations based on the victims they target,” Talos noted.