US Cyber Command (USCYBERCOM) has officially linked the Iranian-backed MuddyWatter hacking group to Iran’s Ministry of Intelligence and Security (MOIS).
MOIS is the Iran government’s leading intelligence agency, tasked with coordinating the country’s intelligence and counterintelligence, as well as covert actions supporting the Islamic regime’s goals beyond Iran’s borders.
“These actors, known as MuddyWater in industry, are part of groups conducting Iranian intelligence activities, and have been seen using a variety of techniques to maintain access to victim networks,” USCYBERCOM said today.
“MuddyWater is an Iranian threat group; previously, industry has reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).”
Although relatively new, the Iranian-sponsored APT group is highly active, and it targets the telecommunications, government (IT services), and oil industry sectors.
MuddyWater was also observed expanding their attacks to government and defense entities in Central and Southwest Asia, and numerous privately-held and public orgs from North America, Europe, and Asia [1, 2, 3].
Collaboration between the #FBI and @CNMF_CyberAlert through the National Cyber Investigative Joint Task Force (NCIJTF) is key to detecting network compromises, mitigating computer intrusions, and preventing malicious Iranian cyber activities. #CyberIsATeamSport https://t.co/Y7QsTgHHZb
— FBI (@FBI) January 12, 2022
In collaboration with the FBI, USCYBERCOM’s Cyber National Mission Force (CNMF) has also shared multiple malware samples used by the Iranian hacking group’s operators in espionage and malicious activity.
The samples include multiple variants of PowGoop, a DLL loader designed to decrypt and run a PowerShell-based malware downloader.
“If you see a combination of these tools, Iranian MOIS actor MuddyWater may be in your network. MuddyWater has been seen using a variety of techniques to maintain access to victim networks,” the US military command added.
“These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.”