US links MuddyWater hacking group to Iranian intelligence agency

US links MuddyWater hacking group to Iranian intelligence agency

US Cyber Command (USCYBERCOM) has officially linked the Iranian-backed MuddyWatter hacking group to Iran’s Ministry of Intelligence and Security (MOIS).

MOIS is the Iran government’s leading intelligence agency, tasked with coordinating the country’s intelligence and counterintelligence, as well as covert actions supporting the Islamic regime’s goals beyond Iran’s borders.

“These actors, known as MuddyWater in industry, are part of groups conducting Iranian intelligence activities, and have been seen using a variety of techniques to maintain access to victim networks,” USCYBERCOM said today.

“MuddyWater is an Iranian threat group; previously, industry has reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).”

The cyber-espionage group (aka SeedWorm and TEMP.Zagros) was first spotted in 2017 and is known for mainly targeting Middle Eastern entities and continuously upgrading its arsenal.

Although relatively new, the Iranian-sponsored APT group is highly active, and it targets the telecommunications, government (IT services), and oil industry sectors.

MuddyWater was also observed expanding their attacks to government and defense entities in Central and Southwest Asia, and numerous privately-held and public orgs from North America, Europe, and Asia [123].

In collaboration with the FBI, USCYBERCOM’s Cyber National Mission Force (CNMF) has also shared multiple malware samples used by the Iranian hacking group’s operators in espionage and malicious activity.

The samples include multiple variants of PowGoop, a DLL loader designed to decrypt and run a PowerShell-based malware downloader.

JavaScript samples deployed on devices compromised using the PowGoop loader and a Mori backdoor sample featuring DNS tunneling communication capabilities and used in espionage campaigns were also shared today on VirusTotal.

“If you see a combination of these tools, Iranian MOIS actor MuddyWater may be in your network. MuddyWater has been seen using a variety of techniques to maintain access to victim networks,” the US military command added.

“These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.”