Iran-linked ‘MuddyWater’ carrying out digital attacks worldwide, U.S. warns
Martin Matishak February 24, 2022

Iran-linked ‘MuddyWater’ carrying out digital attacks worldwide, U.S. warns

Martin Matishak

February 24, 2022

Iran-linked ‘MuddyWater’ carrying out digital attacks worldwide, U.S. warns

U.S. and United Kingdom authorities on Thursday warned that a hacking group that has been identified as part of Iran’s primary intelligence agency is carrying out digital espionage and other malicious activities against targets around the globe.

The group, dubbed “MuddyWater,” is targeting a “range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America,” the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the NSA and others agencies warned in a joint advisory.

MuddyWater, sometimes referred to as SeedWorm, has conducted cyber espionage efforts since at least 2015.

In January, U.S. Cyber Command for the first time linked the group to the Iranian Ministry of Intelligence and Security, uploading several samples of open source tools it is utilizing to target organizations around the world.

The revelation came two months after CISA and several other global cybersecurity agencies warned that Iranian-linked hackers had been targeting known vulnerabilities in Microsoft Exchange servers as well as some of Fortinet’s devices.

The new alert comes one day after the U.S. and U.K. issued an advisory that said new malware, named Cyclops Blink, was developed by Sandworm, a unit within Russia’s military intelligence service that has carried out some of the most destructive cyberattacks in recent years.

The latest advisory also comes as senior officials and agencies remain on edge over potential cyberattacks spiraling out of Russia’s invasion of Ukraine.

“Even as we remain laser-focused on Russian malicious cyber activity, we cannot fail to see around the corners,” CISA Director Jen Easterly tweeted.

In the advisory, authorities said that MuddyWater has deployed a new Python backdoor, dubbed Small Sieve, which provides users “basic functionality required to maintain and expand a foothold in victim infrastructure and avoid detection by using custom string and traffic obfuscation schemes together with the Telegram Bot application programming interface (API).” 

The governments also noted that the group utilizes a variety of malware, including PowGoop, to launch second-stage infections onto already compromised networks and systems that allows it to pilfer data and grant it backdoor access.

Martin Matishak is a senior cybersecurity reporter for Recorded Future News. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.