Telecom organizations in Africa targeted by Iran-linked hackers

A cyber-espionage group linked to Iran’s intelligence service has been targeting telecommunications companies in Egypt, Sudan and Tanzania, researchers have found.

This is likely the first time the group, tracked as MuddyWater, has operated against organizations in Africa, according to Marc Elias, a threat intelligence analyst at Symantec, who analyzed the incident. In previously reported attacks, the hackers were mostly interested in entities in the Middle East.

The incidents involving unnamed telecom companies occurred in November. There is no evidence that the hackers stole information during the attacks, but based on their past campaigns, "it is highly likely" that the goal of this campaign was espionage, according to the report.

"And if we look at past operations of Iranian groups, a disruption attack could also be possible," researchers said. Iran-linked hackers have been named in attacks on Western water utilities, government agencies and more. MuddyWater has been the subject of U.S. government advisories.

The hackers' activity in the African region may be linked to the war between Israel and the Palestinian militant group Hamas, which is reportedly supported by Iran.

“The targeted country that most stood out was Egypt, which has a border with Gaza and Israel and is quite involved in the ongoing war,” Elias said.

MuddyWater has been active over the past few months, mostly aiming at organizations in Israel.

What was different about the campaign analyzed by Symantec is that the hackers used a PowerShell launcher from a new toolset researchers are calling MuddyC2Go. PowerShell is legitimate Microsoft software that hackers use for launching malware.

The new toolset was first discovered in November of this year, but the hackers may have been using it since 2020 to attack countries in the Middle East. With its help, the threat actor can gain remote access to a victim system.

Other tools used by MuddyWater in this campaign include legitimate remote device control and management software called SimpleHelp. Once installed on a victim device, SimpleHelp can run constantly as a system service, enabling attackers to access the user's device at any point in time, even after a reboot. It also allows attackers to execute commands on a device with administrator privileges.

Also part of the toolset is another publicly available piece of software, Venom Proxy, that allows control of devices connected to an organization’s intranet — a private network typically isolated from the public internet.

MuddyWater, which has been active since at least 2017, has long had an interest in telecom organizations, as do many groups engaged in cyber-espionage activities, researchers said.

In October, an Iranian state-backed hacker group was caught spying on the government, military, and telecom sectors in the Middle East. In September, telecommunications providers across the Middle East were targeted with a new malware family that researchers called HTTPSnoop.

“Telecommunication companies have a huge amount of visibility into national and global internet traffic and are of high value, especially for state-sponsored groups,” said researchers at Cisco Talos in their previous report.