The US authorities have, for the first time, explicitly identified the prolific MuddyWater hacking group as an Iranian state-sponsored entity, revealing several open-source tools used by the group to target victims.
US Cyber Command’s Cyber National Mission Force said in a post yesterday that the actors associated with MuddyWater are “a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).”
According to the Congressional Research Service (CRS), the MOIS “conducts domestic surveillance to identify regime opponents.” It also “surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies,” the CRS said.
Among the tools attributed to the Iranian APT group were variants of the PowGoop DLL side-loader. These are used “to trick legitimate programs into running malware and obfuscate PowerShell scripts to hide command and control functions,” the post noted.
US Cyber Command also pointed to various JavaScript samples used to establish connections to malicious infrastructure and a Mori backdoor used for DNS tunneling to communicate with command and control servers.
“Should a network operator identify multiple of the tools on the same network, it may indicate the presence of Iranian malicious cyber actors,” it warned.
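The Mori backdoor's DNS tunnelling is one of the tools a network operator can look for in their own telemetry. The script below is an added example, not code from the original article or from US Cyber Command, and it is not modelled on Mori's actual wire protocol (which the article does not describe). It applies the generic DNS-tunnelling indicators a defender would check for in resolver logs: many unique, long, high-entropy subdomains under one parent domain, and a high share of record types such as TXT or NULL that carry arbitrary payloads. The log format, client addresses and the reserved `.example` parent domain are all constructed for the example, and the thresholds are illustrative starting points rather than tuned values.

```python
"""Heuristic DNS-tunnelling detector over resolver query logs.

Added example only: generic indicators, not a signature for any specific
backdoor. The log lines below are constructed for the example.
"""
import math
from collections import defaultdict

# Constructed sample, not real telemetry: "<epoch> <client> <qtype> <qname>".
# "c2-tunnel.example" uses the reserved .example TLD and is not a real indicator.
SAMPLE_LOG = """\
1645600001 10.0.0.5 A www.example.com
1645600002 10.0.0.5 A cdn.example.com
1645600003 10.0.0.7 TXT 3f9a1c7e02b4d6a8e1f3.c2-tunnel.example
1645600004 10.0.0.7 TXT 8d2e4b7a1c9f0e3d5a6b.c2-tunnel.example
1645600005 10.0.0.5 A www.example.com
1645600006 10.0.0.7 TXT 19ab3c5d7e9f02468ace.c2-tunnel.example
1645600007 10.0.0.7 TXT b7c1d3e5f7a9024681ce.c2-tunnel.example
1645600008 10.0.0.5 A mail.example.com
1645600009 10.0.0.7 TXT 0a2c4e6f8b1d3f5a7c9e.c2-tunnel.example
1645600010 10.0.0.7 TXT 5e7f9a1b3d5c7e9f0a2b.c2-tunnel.example
1645600011 10.0.0.5 A www.example.com
1645600012 10.0.0.5 A api.example.com
1645600013 10.0.0.9 A login.example.org
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: about 4.0 for random hex, 0.0 for a repeated char."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse one constructed log line; returns None for malformed input."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qtype, qname = parts
    return {"client": client, "qtype": qtype.upper(), "qname": qname.rstrip(".").lower()}


def split_name(qname: str):
    """Split a query name into (subdomain, parent) using the last two labels.

    This is deliberately naive: it is wrong for names under suffixes such as
    co.uk. A real deployment should use the Public Suffix List instead.
    """
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_domains(log_text: str, min_queries: int = 5, min_entropy: float = 3.0,
                  min_label_len: int = 16, min_unique_ratio: float = 0.8,
                  min_indicators: int = 2) -> dict:
    """Aggregate per parent domain and flag those with >= min_indicators hits."""
    per_parent = defaultdict(lambda: {"queries": 0, "subs": set(), "ent": [],
                                      "lens": [], "txt": 0, "clients": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sub, parent = split_name(rec["qname"])
        st = per_parent[parent]
        st["queries"] += 1
        st["clients"].add(rec["client"])
        if sub:
            st["subs"].add(sub)
            st["ent"].append(shannon_entropy(sub.replace(".", "")))
            st["lens"].append(max(len(label) for label in sub.split(".")))
        if rec["qtype"] in ("TXT", "NULL"):
            st["txt"] += 1

    findings = {}
    for parent, st in per_parent.items():
        if st["queries"] < min_queries:      # too little data to judge
            continue
        avg_ent = sum(st["ent"]) / len(st["ent"]) if st["ent"] else 0.0
        avg_len = sum(st["lens"]) / len(st["lens"]) if st["lens"] else 0.0
        unique_ratio = len(st["subs"]) / st["queries"]
        txt_ratio = st["txt"] / st["queries"]
        indicators = []
        if avg_ent >= min_entropy:
            indicators.append(f"high-entropy subdomains ({avg_ent:.2f} bits/char)")
        if avg_len >= min_label_len:
            indicators.append(f"long labels (avg {avg_len:.1f} chars)")
        if unique_ratio >= min_unique_ratio:
            indicators.append(f"high subdomain cardinality ({unique_ratio:.2f} unique/query)")
        if txt_ratio >= 0.5:
            indicators.append(f"payload-bearing record types ({txt_ratio:.2f} TXT/NULL)")
        if len(indicators) >= min_indicators:
            findings[parent] = {"queries": st["queries"], "clients": sorted(st["clients"]),
                                "avg_entropy": avg_ent, "indicators": indicators}
    return findings


if __name__ == "__main__":
    for parent, f in score_domains(SAMPLE_LOG).items():
        print(f"{parent}: {f['queries']} queries from {f['clients']}")
        for reason in f["indicators"]:
            print(f"  - {reason}")
```

Run against the constructed log, only `c2-tunnel.example` is flagged, on all four indicators; `example.com` is not, because `www`, `cdn`, `mail` and `api` are short, low-entropy and repeat across queries. Two points for real use: a legitimate CDN or anti-spam service can also produce long hashed subdomains, so a finding is a lead to corroborate (for instance against the other tools the post lists) rather than a verdict, and the naive parent-domain split in `split_name` should be replaced with a Public Suffix List lookup before the numbers are trusted.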
Threat intelligence vendor Mandiant said it had been tracking MuddyWater (also tracked by other vendors as “Seedworm”) since at least May 2017.
“Iran fields multiple teams that conduct cyber espionage, cyberattack, and information operations,” explained Sarah Jones, Mandiant senior principal analyst, threat intelligence. “The security services that sponsor these actors, the MOIS and the IRGC, are using them to get a leg up on Iran’s adversaries and competitors all over the world.”
MuddyWater is best known for attacks on targets in the Middle East, including the telecommunications, government and oil sectors. However, it has previously been detected attacking victims in Europe and North America.