Thu | Jan 13, 2022 | 12:11 PM PST

United States Cyber Command recently announced it has successfully identified and disclosed multiple open source tools that Iranian threat actors have been using in networks all around the world.

These threat actors belong to a group collectively known as MuddyWater—also known by names such as MERCURY, Seedworm, and Static Kitten.

The group's main goal is to conduct Iranian intelligence activities, according to a Cyber Command news release, and it is known to use a wide variety of techniques to maintain access to victim networks.

MuddyWater has mostly targeted Middle Eastern nations, but attacks against European and North American countries have also been documented.

Here is how U.S. Cyber Command describes the group:

"MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS). According to the Congressional Research Service, the MOIS 'conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran's embassies.'"

The FBI also shared the following tweet, highlighting again how important collaboration between government agencies is in situations like these:

U.S. Cyber Command also notes that if you identify multiple MuddyWater tools on your network, it could indicate the presence of Iranian intelligence threat actors.

The release also describes some of the technical means by which these attackers deploy malware in networks:

"These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions. New samples showing the different parts of this suite of tools are posted to Virus Total, along with JavaScript files used to establish connections back to malicious infrastructure."

For more technical information, read the statement from the U.S. Cyber Command on the MuddyWater group.
