Cyber Command ties hacking group to Iranian intelligence
U.S. Cyber Command on Wednesday revealed that a hacking group reputed for its cyberespionage campaigns is actually part of Iran’s intelligence apparatus.
The group, known as MuddyWater, is a subordinate element within the Iranian Ministry of Intelligence and Security, the command’s Cyber National Mission Force announced.
The claim marked the first time the U.S. government has publicly linked the prolific threat actor — whose targets have ranged from academia and the tourism industry to government and telecommunications operators — to Tehran’s regime.
“US CyberCommand has weighed in. MuddyWater attributed to Iranian MOIS (instead or IRGC as some assumed),” J.A. Guerrero-Saade, a principal threat researcher at SentinelOne, tweeted referring to Iran’s Islamic Revolutionary Guard Corps.
Cyber Command, in collaboration with the FBI, also uploaded multiple, open-source malware tools employed Iranian intelligence actors around the globe to the popular malware repository VirusTotal.
“If you see a combination of these tools, Iranian MOIS actor MuddyWater may be in your network,” the militar command warned at the top of the ten entries.
”We persistently release malware to enable defense across our nation. Public disclosure of malicious cyber activity or actors enables defense of U.S. interests and our partners. #CyberIsATeamSport,” tweeted Cyber Command’s verified Twitter account.
In a statement, a command spokesperson declined to say how the organization uncovered the malicious tools, or if the samples were provided by a third party.
“We do not discuss the origins of the malware samples the CNMF team posts. Some of these malware samples are variants of others already in the public domain — what is unique about this disclosure is that it provides a holistic picture of how Iranian malicious cyber actors might be collecting information through use of malware.”
MuddyWater, sometimes referred to as SeedWorm, has conducted espionage efforts since at least 2015.
Last month, Symantec’s Threat Hunter Team issued research that found the group had targeted telecom operators and IT service organizations throughout the Middle East and Asia during the previous six months.
Researchers concluded that the targeting and tactics involved — which saw attackers rely on publicly available malware and remote administration and security assessment tools to pilfer credentials to move throughout networks — were “consistent with Iranian-sponsored actors” but stopped shy of attributing the campaign to Iran’s government.
Among the malware samples highlighted by Cyber Command were a number of variants of PowGoop, a phony Google Update mechanism. The mix included a variant that grants the attacker command and control functions and two others that act as beacons that reach out from compromised networks to contact malicious infrastructure.
Additional reporting by Catalin Cimpanu
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.