Iran-Linked Hackers Conducting Operations Against Government Networks, Intel Agencies Warn

Summary:

An advisory issued by the FBI, the NSA, the Cybersecurity and Infrastructure Security Agency and the United Kingdom’s cyber apparatus indicates the Iran-linked hackers known as “MuddyWater” are “conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors.” The advisory indicates the group is targeting telecommunications, defense, local government, and the oil and natural gas industries in North America, Europe, Asia and Africa. MuddWater, the advisory notes, is a “subordinate element within the Iranian Ministry of Intelligence and Security.” The group specializes in exploiting publicly reported vulnerabilities and open-source tools to gain unauthorized access to IT systems and deploy malware. “MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors,” the advisory states. The advisory contains technical mitigations government and private sector can apply to shore up their systems.

Additional Discussion:

FBI, CISA, CNMF, and NCSC-UK have observed the Iranian government-sponsored MuddyWater APT group employing spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks. As part of its spearphishing campaign, MuddyWater attempts to coax their targeted victim into downloading ZIP files, containing either an Excel file with a malicious macro that communicates with the actor’s C2 server or a PDF file that drops a malicious file to the victim’s network. MuddyWater actors also use techniques such as side-loading DLLs to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide C2 functions.

Recommendations:
FBI, CISA, CNMF, NCSC-UK, and the National Security Agency (NSA) recommend organizations apply the mitigations in this advisory and review the following resources for additional information. Note: also see the Additional Resources section.

• Malware Analysis Report – MAR-10369127-1.v1: MuddyWater
• IOCs – AA22-052A.stix and MAR-10369127-1.v1.stix
• CISA's webpage – Iran Cyber Threat Overview and Advisories
• NCSC-UK MAR – Small Sieve
• CNMF's press release – Iranian intel cyber suite of malware uses open source tools

Associated Files:

• AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations