According to the US Cyber Command, the hacking gang known as MuddyWater is tied to Iranian intelligence.
“MuddyWater is an Iranian threat group; previously, the industry has reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations,” Cyber Command stated in a notice. “MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).”
Cyber Command on Twitter revealed that MuddyWater was employing a suite of malware for espionage and criminal behavior, with attribution given by the FBI National Cyber Investigative Joint Task Force.
“MOIS hacker group MuddyWater is using open-source code for malware,” it stated. “MuddyWater and other Iranian MOIS APTs are using DNS tunneling to communicate to its C2 infrastructure; if you see this on your network, look for suspicious outbound traffic.”
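The DNS-tunneling indicator in the notice above, as an added example that is not part of the original article or of any MuddyWater tooling: a heuristic scorer over a constructed DNS query log that flags domains whose subdomain labels look like encoded payload (many unique, long, high-entropy labels, often TXT queries). The domain names, log format, thresholds and the two-label registered-domain split are assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed DNS query log: (client_ip, query_type, query_name). Not real telemetry.
BENIGN = [("10.0.0.5", "A", "www.example.com"), ("10.0.0.5", "A", "cdn.example.com"),
          ("10.0.0.7", "A", "mail.example.com"), ("10.0.0.7", "TXT", "_dmarc.example.com")] * 3
# Hypothetical tunnel: each query smuggles a chunk of encoded data as a long random-looking label.
TUNNEL = [("10.0.0.9", "TXT", hashlib.sha256(str(i).encode()).hexdigest()[:40] + ".tunnel-example.net")
          for i in range(40)]
SAMPLE_QUERIES = BENIGN + TUNNEL

def shannon_entropy(s):
    """Bits per character: encoded payload labels score high, ordinary hostnames low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname):
    """(subdomain, registered domain) from the last two labels; a real detector would use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_domains(queries, min_queries=10):
    """Per registered domain, aggregate the features DNS tunneling tends to inflate."""
    per_domain = defaultdict(list)
    for _, qtype, qname in queries:
        sub, dom = split_name(qname)
        per_domain[dom].append((qtype, sub))
    scores = {}
    for dom, rows in per_domain.items():
        if len(rows) < min_queries:
            continue  # not enough queries to judge
        subs = [s for _, s in rows]
        scores[dom] = {
            "unique_ratio": len(set(subs)) / len(rows),  # tunnels rarely repeat a label
            "avg_sub_len": sum(map(len, subs)) / len(rows),  # payload chunks are long
            "avg_entropy": sum(map(shannon_entropy, subs)) / len(rows),
            "txt_ratio": sum(t == "TXT" for t, _ in rows) / len(rows),  # TXT carries larger replies
        }
    return scores

def flag_tunneling(queries, min_indicators=2):
    """Domains where at least min_indicators heuristics fire (thresholds are illustrative)."""
    flagged = []
    for dom, s in score_domains(queries).items():
        hits = sum([s["unique_ratio"] > 0.8, s["avg_sub_len"] > 30,
                    s["avg_entropy"] > 3.2, s["txt_ratio"] > 0.5])
        if hits >= min_indicators:
            flagged.append(dom)
    return flagged
```

Run over the constructed log, only the tunnel domain is flagged; on real resolver logs, tune the thresholds against a baseline of known-good traffic first, since CDNs and some security products also produce long unique labels.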
MuddyWater malware samples, including the PowGoop DLL sideloader and the Mori backdoor that leverages DNS tunneling, were released to VirusTotal alongside the alert. In November, cyber authorities in the United States, the United Kingdom, and Australia linked attacks on Fortinet and Microsoft Exchange systems to Iranian-backed attackers.
According to a joint release from the FBI and CISA, this Iranian government-sponsored APT group has been exploiting Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in preparation for follow-on operations, which include deploying ransomware. The ACSC is also aware that this APT group has used the same Microsoft Exchange vulnerability in Australia.
Rather than targeting a specific industry, the authorities said, the attackers simply exploited weaknesses wherever they could and then tried to convert that initial access into data exfiltration, a ransomware attack, or extortion. The same month, Microsoft said that attacks by state-sponsored Iranian hackers on IT services organizations were non-existent in 2020 but topped 1,500 possible attacks in 2021.