US and UK warn of attacks from Iranian 'MuddyWater' hacking group

source link: https://siliconangle.com/2022/02/24/us-uk-warn-attacks-iranian-muddywater-hacking-group/

The U.S. and U.K. governments today issued a joint cybersecurity advisory warning that an Iranian advanced persistent threat group is conducting cyber espionage and other malicious cyber operations.

The group, known as “MuddyWater” and part of Iran’s Ministry of Intelligence and Security, has been targeting a range of government and private sector organizations in Asia, Africa, Europe and North America. Organizations targeted include those in telecommunications, defense, local government and oil and natural gas.

MuddyWater is also known as Earth Vetala, MERCURY, Static Kitten, Seedworm and TEMP.Zagros. The advanced persistent threat or APT group dates back to 2018 and undertakes broad cyber campaigns supporting Iranian government objectives.

The group exploits publicly reported vulnerabilities and uses open-source tools and techniques to gain access to sensitive data on targeted systems and to deploy ransomware.

Having exploited vulnerabilities, MuddyWater primarily deploys new variants of PowGoop malware as its main loader in malicious operations. PowGoop consists of a dynamic link library (DLL) loader and a PowerShell-based downloader, and it impersonates a legitimate executable signed as a Google Update file.
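One defensive check that the description above suggests, written here as an added example rather than code from the article or the advisory: a PowerShell hunt for binaries that present themselves as Google Update (by file name or version metadata) but are unsigned, carry an invalid signature, or are signed by someone other than Google. The search roots and the accepted signer subject fragment are assumptions to adjust for your environment.

```powershell
# Added example, not from the article or the advisory.
# Assumptions: the search roots and the expected signer fragment are placeholders.
$SearchRoots    = @("$env:ProgramData", "$env:LOCALAPPDATA", "$env:TEMP", "$env:PUBLIC")
$ExpectedSigner = 'O=Google LLC'   # subject fragment we accept for a genuine Google Update binary

function Test-GoogleUpdateImpersonation {
    param([string[]]$Roots)

    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file    = $_
            $desc    = $file.VersionInfo.FileDescription
            $company = $file.VersionInfo.CompanyName

            # Only files that claim to be Google Update are of interest here.
            $claimsGoogle = ($file.Name -match 'GoogleUpdate|goopdate') -or
                            ($desc    -match 'Google Update') -or
                            ($company -match 'Google')
            if (-not $claimsGoogle) { return }   # 'return' inside ForEach-Object skips this item

            # Verify the Authenticode signature and who actually signed the file.
            $sig     = Get-AuthenticodeSignature -FilePath $file.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

            $suspicious = ($sig.Status -ne 'Valid') -or
                          ($subject -notmatch [regex]::Escape($ExpectedSigner))
            if ($suspicious) {
                [pscustomobject]@{
                    Path            = $file.FullName
                    Company         = $company
                    Description     = $desc
                    SignatureStatus = $sig.Status
                    Signer          = $subject
                }
            }
        }
    }
}

# Usage: list every Google-Update-lookalike whose signature does not check out.
Test-GoogleUpdateImpersonation -Roots $SearchRoots | Format-Table -AutoSize
```

A hit is a triage lead, not a verdict: confirm with the file hash, parent process and network activity before acting on it.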

The joint advisory was issued by the U.S. Federal Bureau of Investigation, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the U.S. Cyber Command Cyber National Mission Force and the U.K. National Cyber Security Centre.

“Iranian government-sponsored actors are consistently targeting government and commercial networks through multiple means, including exploiting known vulnerabilities and spear phishing,” a CISA spokesperson said. “We are committed to identifying nation-state threats to our critical infrastructure and helping organizations reduce their cyber risk.”

Iranian state-sponsored hacking campaigns were last in the news in January, when another group, known as APT35, Phosphorus and Charming Kitten, was found to be actively exploiting vulnerabilities in Apache Log4j.

“While MuddyWater has been around for a while, the new tactics, techniques and procedures uncovered in this CISA Alert are interesting and in line with other actors we’ve seen from Iran,” Drew Schmitt, principal threat intelligence analyst at cybersecurity consulting company GuidePoint Security LLC, told SiliconANGLE. “The severity of this isn’t probably that high, but timing is interesting with the Ukraine cyberattacks and conflict playing out in parallel.”

Schmitt said Iran could be stepping up operations, though he said the rationale is uncertain. “Interestingly, the CISA alert does not seem to say whether this is a trend seen over a period of time or something quite new,” he added.

Photo: Get Archive
