US Cyber Command links MuddyWater to Iranian intelligence

Official notice confirms suspicion that the group is state-backed.
Written by Chris Duckett, Contributor

United States Cyber Command said on Wednesday that the hacking group known as MuddyWater is linked to Iranian intelligence.

"MuddyWater is an Iranian threat group; previously, industry has reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations," Cyber Command said in a notice.

"MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS)."

On Twitter, Cyber Command said MuddyWater was using a suite of malware for espionage and malicious activity, with attribution provided by the FBI National Cyber Investigative Joint Task Force.

"MOIS hacker group MuddyWater is using open-source code for malware," it said.

"MuddyWater and other Iranian MOIS APTs are using DNS tunneling to communicate with their C2 infrastructure; if you see this on your network, look for suspicious outbound traffic."
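One way to act on that advice, as an added example that is not part of the Cyber Command notice: a Python script that scores DNS query logs per registered domain for the traits tunneling produces (many unique, long, high-entropy subdomains, often carried in TXT or NULL queries). The log format, the thresholds, and the "last two labels are the registered domain" shortcut are assumptions; the log lines are constructed, not real traffic.

```python
"""Score DNS query logs for tunneling traits (added example; sample data is constructed)."""
import math
from collections import Counter, defaultdict

# Constructed log lines in an assumed "timestamp client qtype qname" format, not real traffic.
SAMPLE_LOG = """\
2022-01-12T10:00:01Z 10.0.0.5 A www.example.com
2022-01-12T10:00:02Z 10.0.0.5 A cdn.example.com
2022-01-12T10:00:03Z 10.0.0.5 AAAA mail.example.com
2022-01-12T10:00:04Z 10.0.0.5 A api.example.com
2022-01-12T10:00:05Z 10.0.0.5 A static-assets-eu-west.example.com
2022-01-12T10:00:06Z 10.0.0.7 TXT kq3wzmvbnr7ahx2pyjt4ud5flc8geso9.s001.c2-tunnel.test
2022-01-12T10:00:07Z 10.0.0.7 TXT x8tl2nvpsr5dwmq9ebyu3fhkcj6zga4o.s002.c2-tunnel.test
2022-01-12T10:00:08Z 10.0.0.7 TXT m4rgpz9tyv2cjh7nwdx3ksqb8lfu5aeo.s003.c2-tunnel.test
2022-01-12T10:00:09Z 10.0.0.7 TXT b7ucjxs2qt9wnpf4hlre6zdkm3gyv8oa.s004.c2-tunnel.test
2022-01-12T10:00:10Z 10.0.0.7 NULL z2fqnl8vwjx5cgyr4pdb7kmhs9eu3tao.s005.c2-tunnel.test
2022-01-12T10:00:11Z 10.0.0.7 A h9swqd3ekba6ztpr2fvyn7ujm4lgxc5o.s006.c2-tunnel.test
"""

# Assumed thresholds; tune them against a baseline of your own resolver logs.
MIN_QUERIES = 5
MIN_MEAN_SUBDOMAIN_LEN = 25
MIN_MEAN_ENTROPY = 3.0
MIN_UNIQUE_RATIO = 0.8
DATA_QTYPES = {"TXT", "NULL", "CNAME", "MX"}  # record types commonly abused to carry tunnel data


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Naive split: the last two labels are the registered domain (assumption; use a
    public-suffix list in production) and everything before them is the subdomain."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return qname.lower(), ""
    return ".".join(labels[-2:]), "".join(labels[:-2])


def analyze(log_text: str) -> dict:
    """Return per-domain statistics plus a 'suspicious' verdict for each domain."""
    per_domain = defaultdict(list)  # domain -> list of (subdomain, qtype)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, _client, qtype, qname = parts
        domain, sub = split_name(qname)
        per_domain[domain].append((sub, qtype.upper()))

    report = {}
    for domain, entries in per_domain.items():
        subs = [s for s, _ in entries]
        n = len(entries)
        stats = {
            "queries": n,
            "unique_ratio": len(set(subs)) / n,
            "mean_len": sum(len(s) for s in subs) / n,
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / n,
            "data_qtype_fraction": sum(1 for _, q in entries if q in DATA_QTYPES) / n,
        }
        stats["suspicious"] = (
            n >= MIN_QUERIES
            and stats["mean_len"] >= MIN_MEAN_SUBDOMAIN_LEN
            and stats["mean_entropy"] >= MIN_MEAN_ENTROPY
            and stats["unique_ratio"] >= MIN_UNIQUE_RATIO
        )
        report[domain] = stats
    return report


if __name__ == "__main__":
    for domain, stats in analyze(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if stats["suspicious"] else "ok"
        print(f"{flag:10} {domain:20} n={stats['queries']} uniq={stats['unique_ratio']:.2f} "
              f"len={stats['mean_len']:.1f} H={stats['mean_entropy']:.2f} "
              f"data_qtypes={stats['data_qtype_fraction']:.2f}")
```

Run against the constructed log, the script flags c2-tunnel.test and leaves example.com alone. The data-qtype fraction is reported but deliberately not part of the verdict: tunnels over A and AAAA queries exist, so the length, entropy and uniqueness of the subdomains carry the decision.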

Alongside its notice, Cyber Command uploaded MuddyWater malware samples to VirusTotal, including the PowGoop DLL sideloader and the Mori backdoor, which uses DNS tunneling.

"Goopdate.dll uses DLL side-loading to run when the non-malicious executable GoogleUpdate.exe is run. goopdate.dll will then de-obfuscate goopdate.dat, which is a PowerShell script used to de-obfuscate and run config.txt," Cyber Command said as it detailed one instance of how PowGoop works.

"Config.txt is a PowerShell script that establishes network communication with the PowGoop C2 server. It uses a modified base64 encoding mechanism to send data to and from the C2 server. The IP of the C2 server is often hardcoded in config.txt."
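The side-loading chain described above, as an added example of a detection (this is not code from Cyber Command or from the malware): a Python hunt over Sysmon-style image-load events and directory listings that flags GoogleUpdate.exe loading goopdate.dll when the process runs from outside the expected Google Update directories, when the DLL is not validly signed by the expected signer, or when goopdate.dat or config.txt sit beside the DLL. The expected directories, the signer name, the assumption that the companion files are co-located with the DLL, and the sample events and listings are all assumptions or constructed data.

```python
"""Hunt for the PowGoop side-loading pattern in Sysmon-style image-load events (added example)."""
from pathlib import PureWindowsPath

# Assumptions, not from the notice: where Google Update legitimately lives and who signs goopdate.dll.
EXPECTED_DIRS = (r"c:\program files (x86)\google\update", r"c:\program files\google\update")
EXPECTED_SIGNER = "google llc"
# Companion artifacts named in the notice; assumed to sit next to the side-loaded DLL.
COMPANION_FILES = {"goopdate.dat", "config.txt"}

# Constructed events shaped like Sysmon Event ID 7 (ImageLoaded); not real telemetry.
EVENTS = [
    {   # legitimate updater loading its own signed DLL from the install tree (assumed layout)
        "Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
        "ImageLoaded": r"C:\Program Files (x86)\Google\Update\1.3.36.152\goopdate.dll",
        "SignatureStatus": "Valid", "Signature": "Google LLC",
    },
    {   # copy of the legitimate updater dropped in a user-writable directory, unsigned DLL beside it
        "Image": r"C:\Users\Public\Libraries\GoogleUpdate.exe",
        "ImageLoaded": r"C:\Users\Public\Libraries\goopdate.dll",
        "SignatureStatus": "Unavailable", "Signature": "",
    },
    {   # unrelated load; ignored by the rule
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "SignatureStatus": "Valid", "Signature": "Microsoft Windows",
    },
]

# Constructed directory listings (lower-case directory -> file names) for the companion check.
LISTINGS = {
    r"c:\program files (x86)\google\update\1.3.36.152": {"goopdate.dll"},
    r"c:\users\public\libraries": {"googleupdate.exe", "goopdate.dll", "goopdate.dat", "config.txt"},
}


def hunt(events, listings):
    """Return findings for GoogleUpdate.exe -> goopdate.dll loads that look like PowGoop."""
    findings = []
    for ev in events:
        proc = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        if proc.name.lower() != "googleupdate.exe" or dll.name.lower() != "goopdate.dll":
            continue
        reasons = []
        if not str(proc.parent).lower().startswith(EXPECTED_DIRS):
            reasons.append(f"GoogleUpdate.exe running from unexpected directory {proc.parent}")
        if ev.get("SignatureStatus") != "Valid" or ev.get("Signature", "").lower() != EXPECTED_SIGNER:
            reasons.append("goopdate.dll is not validly signed by the expected signer")
        companions = COMPANION_FILES & listings.get(str(dll.parent).lower(), set())
        if companions:
            reasons.append("PowGoop companion files beside the DLL: " + ", ".join(sorted(companions)))
        if reasons:
            findings.append({"image": ev["Image"], "dll": ev["ImageLoaded"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS, LISTINGS):
        print(finding["image"], "->", finding["dll"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The three checks are independent on purpose: a signed, unmodified GoogleUpdate.exe is exactly what the sideloader relies on, so the process itself looks clean and only its location, the DLL's signature, or the files next to it give the chain away.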

In November, cyber authorities in the US, UK, and Australia attributed attacks exploiting vulnerabilities in Fortinet devices and Microsoft Exchange to Iranian-backed attackers.

"FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021, and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware," a joint release stated.

"ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia."

Rather than targeting a particular sector of the economy, the authorities said, the attackers focused on exploiting the vulnerabilities wherever they could and, once inside, tried to turn that initial access into data exfiltration, a ransomware attack, or extortion.

The same month, Microsoft said attacks by state-sponsored Iranian hackers on IT services firms were virtually non-existent in 2020 but exceeded 1,500 potential attacks in 2021.
