Iran-linked 'MuddyWater' carrying out digital attacks worldwide, U.S. warns

U.S. and United Kingdom authorities on Thursday warned that a hacking group that has been identified as part of Iran’s primary intelligence agency is carrying out digital espionage and other malicious activities against targets around the globe.

The group, dubbed “MuddyWater,” is targeting a “range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America,” the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the NSA and others agencies warned in a joint advisory.

MuddyWater, sometimes referred to as SeedWorm, has conducted cyber espionage efforts since at least 2015.

In January, U.S. Cyber Command for the first time linked the group to the Iranian Ministry of Intelligence and Security, uploading several samples of open source tools it is utilizing to target organizations around the world.

The revelation came two months after CISA and several other global cybersecurity agencies warned that Iranian-linked hackers had been targeting known vulnerabilities in Microsoft Exchange servers as well as some of Fortinet’s devices.

The new alert comes one day after the U.S. and U.K. issued an advisory that said new malware, named Cyclops Blink, was developed by Sandworm, a unit within Russia’s military intelligence service that has carried out some of the most destructive cyberattacks in recent years.

The latest advisory also comes as senior officials and agencies remain on edge over potential cyberattacks spiraling out of Russia’s invasion of Ukraine.

“Even as we remain laser-focused on Russian malicious cyber activity, we cannot fail to see around the corners,” CISA Director Jen Easterly tweeted.

In the advisory, authorities said that MuddyWater has deployed a new Python backdoor, dubbed Small Sieve, which provides users “basic functionality required to maintain and expand a foothold in victim infrastructure and avoid detection by using custom string and traffic obfuscation schemes together with the Telegram Bot application programming interface (API)." 

The governments also noted that the group utilizes a variety of malware, including PowGoop, to launch second-stage infections onto already compromised networks and systems that allows it to pilfer data and grant it backdoor access.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Martin Matishak

Martin Matishak

is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.