Image: Iran flag (Mostafa Meraji via Unsplash)

‘Multi-stage social engineering’ campaign against Israel tied to Iran-based group

A long-running group connected to the Iranian government targeted at least two Israeli entities with a hacking campaign in the last month, researchers said.

In an ongoing effort detected in late October, the group known as MuddyWater used familiar tactics with slight changes to its previous tools, according to a report by the cybersecurity firm Deep Instinct.

The attacks came amid Israel’s war with the Palestinian militant group Hamas, which has support from Iran. MuddyWater is also tracked as APT34 and OilRig.

The campaign involved a “multi-stage social engineering” process that led recipients to open infected files from links within emails, Deep Instinct said. The report does not identify the targets of the campaign or what information the hackers might have accessed.

“While Deep Instinct could not verify the spreading mechanism of the new campaign, it most likely starts with a spear-phishing email, similar to previous campaigns,” the researchers said. The email content was designed to entice victims into downloading an archive file hosted on a legitimate content hosting service called Storyblok. This file delivered installers for a legitimate remote administration tool called Advanced Monitoring Agent, which MuddyWater had not used before, the researchers said.

After infecting the victims, the MuddyWater operators connected to the infected devices using the administration tool and initiated reconnaissance on the targets, the researchers said.

In the meantime, recipients were served a decoy document: The process included a clean link to an official Israeli Civil Service Commission page containing a memo that “describes what to do in case a government worker expresses opinions against the Israeli state on social networks,” Deep Instinct said.
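The chain described above (an archive pulled from a legitimate content-hosting service, followed minutes later by the install of a legitimate remote-administration tool on the same machine) is hard to catch from either event alone, because each looks benign by itself. The following is an added detection example written for this article, not code from Deep Instinct or from the campaign itself: it correlates the two events per host within a time window. The Storyblok asset hostname, the installer-name markers, the 30-minute window and the telemetry records are all assumptions constructed for the example, not indicators from the report.

```python
"""
Correlate two individually benign telemetry events into one alert:
  1. a host downloads an archive from a legitimate content-hosting domain
  2. the same host later runs a remote-administration-tool (RMM) installer
All domains, file names and events below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption: asset host used by the Storyblok CDN; adjust per environment.
HOSTING_DOMAINS = {"a.storyblok.com"}
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".iso")
# Assumption: substrings that identify the RMM installer in process telemetry.
RMM_INSTALLER_MARKERS = ("advancedmonitoringagent", "advanced monitoring agent")

# Constructed sample telemetry (ISO timestamps, one record per event).
SAMPLE_EVENTS = [
    {"ts": "2023-10-30T09:01:10", "host": "ws-17", "type": "download",
     "url": "https://a.storyblok.com/f/123456/x/abc/Attachments.zip"},
    {"ts": "2023-10-30T09:03:42", "host": "ws-17", "type": "process",
     "image": r"C:\Users\u\Downloads\Attachments\AdvancedMonitoringAgent.exe"},
    # Non-archive download from the same CDN: should not contribute to an alert.
    {"ts": "2023-10-30T11:15:00", "host": "ws-22", "type": "download",
     "url": "https://a.storyblok.com/f/123456/x/def/brochure.pdf"},
    # RMM install with no preceding archive download: legitimate admin use.
    {"ts": "2023-10-30T13:00:00", "host": "ws-31", "type": "process",
     "image": r"C:\Program Files\Vendor\AdvancedMonitoringAgent.exe"},
    # Archive download, then RMM install four hours later: outside a 30-min window.
    {"ts": "2023-10-31T08:00:00", "host": "ws-40", "type": "download",
     "url": "https://a.storyblok.com/f/123456/x/ghi/report.zip"},
    {"ts": "2023-10-31T12:00:00", "host": "ws-40", "type": "process",
     "image": r"C:\Users\u\Downloads\report\AdvancedMonitoringAgent.exe"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def is_archive_from_hosting(event: dict) -> bool:
    """True for a download of an archive file from a watched hosting domain."""
    if event.get("type") != "download":
        return False
    parsed = urlparse(event["url"])
    return (parsed.hostname in HOSTING_DOMAINS
            and parsed.path.lower().endswith(ARCHIVE_EXTENSIONS))


def is_rmm_installer(event: dict) -> bool:
    """True for a process-creation event whose image matches an RMM marker."""
    if event.get("type") != "process":
        return False
    image = event["image"].lower()
    return any(marker in image for marker in RMM_INSTALLER_MARKERS)


def correlate(events: list, window_minutes: int = 30) -> list:
    """Return one alert per (archive download, RMM install) pair on the same host
    where the install follows the download within window_minutes."""
    ordered = sorted(events, key=lambda e: e["ts"])
    downloads = defaultdict(list)
    for e in ordered:
        if is_archive_from_hosting(e):
            downloads[e["host"]].append(e)

    window = timedelta(minutes=window_minutes)
    alerts = []
    for e in ordered:
        if not is_rmm_installer(e):
            continue
        installed_at = _parse(e["ts"])
        for d in downloads[e["host"]]:
            delta = installed_at - _parse(d["ts"])
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "host": e["host"],
                    "download_url": d["url"],
                    "installer": e["image"],
                    "delta_minutes": round(delta.total_seconds() / 60, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

With the default 30-minute window only ws-17 is flagged; widening the window to 300 minutes also surfaces ws-40. The window is the tuning knob: too narrow and a victim who opens the archive later escapes, too wide and routine RMM deployments start to pair with unrelated downloads. In production the download records would come from proxy or browser telemetry and the process records from EDR, keyed on the same host identifier.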

In October, researchers discovered that MuddyWater, tracked by the cybersecurity industry since at least 2017, had spent eight months inside the systems of an unspecified Middle East government, stealing files and emails.

The group's previous targets include Saudi Arabia, the United Arab Emirates, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, the U.S. and Turkey.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.