Cyber Command ties hacking group to Iranian intelligence

U.S. Cyber Command on Wednesday revealed that a hacking group reputed for its cyberespionage campaigns is actually part of Iran’s intelligence apparatus.

The group, known as MuddyWater, is a subordinate element within the Iranian Ministry of Intelligence and Security, the command’s Cyber National Mission Force announced.

The claim marked the first time the U.S. government has publicly linked the prolific threat actor — whose targets have ranged from academia and the tourism industry to government and telecommunications operators — to Tehran’s regime.

“US CyberCommand has weighed in. MuddyWater attributed to Iranian MOIS (instead of IRGC as some assumed),” J.A. Guerrero-Saade, a principal threat researcher at SentinelOne, tweeted, referring to Iran’s Islamic Revolutionary Guard Corps.

Cyber Command, in collaboration with the FBI, also uploaded multiple open-source malware tools employed by Iranian intelligence actors around the globe to the popular malware repository VirusTotal.

“If you see a combination of these tools, Iranian MOIS actor MuddyWater may be in your network,” the military command warned at the top of the ten entries.

“We persistently release malware to enable defense across our nation. Public disclosure of malicious cyber activity or actors enables defense of U.S. interests and our partners. #CyberIsATeamSport,” tweeted Cyber Command’s verified Twitter account.

In a statement, a command spokesperson declined to say how the organization uncovered the malicious tools, or if the samples were provided by a third party.

“We do not discuss the origins of the malware samples the CNMF team posts. Some of these malware samples are variants of others already in the public domain — what is unique about this disclosure is that it provides a holistic picture of how Iranian malicious cyber actors might be collecting information through use of malware.”

MuddyWater, sometimes referred to as SeedWorm, has conducted espionage efforts since at least 2015.

Last month, Symantec’s Threat Hunter Team issued research that found the group had targeted telecom operators and IT service organizations throughout the Middle East and Asia during the previous six months.

Researchers concluded that the targeting and tactics involved — which saw attackers rely on publicly available malware and remote administration and security assessment tools to pilfer credentials to move throughout networks — were “consistent with Iranian-sponsored actors” but stopped shy of attributing the campaign to Iran’s government.

Among the malware samples highlighted by Cyber Command were a number of variants of PowGoop, a phony Google Update mechanism. The mix included a variant that grants the attacker command and control functions and two others that act as beacons that reach out from compromised networks to contact malicious infrastructure.

Other samples included malicious JavaScript files and a version of the Mori backdoor.

Additional reporting by Catalin Cimpanu

Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.