In a joint US-UK operation, US security and law enforcement agencies issued a warning of Iranian-affiliated hacking operations targeting a range of government and private organizations in multiple sectors around the world.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and other British and US agencies were quoted by Reuters as saying that they had observed Iranian entities, known as MuddyWater, carrying out cyber-espionage targeting the defense, local government, oil and natural gas and telecommunications sectors across the globe.
An alert issued by the US Cyber Security Agency stated that it had revealed, in cooperation with the FBI, the US National Cyber Command Force, and the National Cyber Security Center in the United Kingdom, the presence of “a group of Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater, conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors…”
The US Cyber Security Agency said that MuddyWater was a “subordinate element within the Iranian Ministry of Intelligence and Security” and had “conducted broad cyber campaigns in support of MOIS objectives since approximately 2018.”
“MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors,” according to the agency.
The alert read: “MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware. These actors also maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs)—to trick legitimate programs into running malware…”
The US warning comes less than two weeks after the Cyber Security Agency had cautioned against a “new storm” of cyber-attacks targeting individuals and facilities.
A report by the FBI and the Cyber Security Agency of the Department of Homeland Security on Feb. 10 disclosed major plans that some hackers might carry out to target civilian facilities and individuals with the aim to cause wider damage.
However, the latest warning pointed specifically to Iran’s MuddyWater which mainly targeted Middle Eastern, European and North American countries. The group’s victims are mainly in the telecommunications and government sectors, as well as oil.
The group was previously associated with the FIN7, but MuddyWater may have been motivated by espionage.
FIN7 has been working on active financially motivated threats since 2013 and primarily targeting the retail, restaurant and hospitality sectors in the United States, often using point-of-sale malware.