CISA issued a warning on MuddyWater by the Iranian government-sponsored APT

Once again, CISA came forward with cyber intrusion as the UK and US both have been issued warning against MuddyWater. The Cybersecurity and Infrastructure Security Agency (CISA) confirmed the malware is coming from the Iranian side of the map.

Further information revealed MuddyWater malware is directly funded by the Iranian government as a sponsored program. Advanced persistent threat (APT) is quite dangerous and frequently pops up on the radar, but a full-fledged attack coming to the European side is pretty uncommon.

MuddyWater comes from an Iranian threat group, similar to NSO as an Israeli cyber warfare product. History says they are primarily deployed in the Middle Eastern nations, but a newer target includes European and North American countries. Government IT services, telecommunications and oil sectors remain Muddy Water’s primary objective.

The last activity from MuddyWater can be linked to FIN7, but the recent espionage may lead to the current cause. MITRE ATT&CK® Foundation says MuddyWater was founded on 18 April 2018, and the current version of it is 3.0. MuddyWater (ID: G0069) is associated with Earth Vetala, MERCURY, Static Kitten, Seedworm. TEMP.Zagros and similar groups.

Asia, Africa, Europe and North America went through other variations of the threat group. Currently, a high alert is set among the authorities of the UK and US. On Thursday, CISA issued the warning right after we covered a story regarding CISA recommended open-source tools for business.

A document published by Clearsky Cyber Security on “MuddyWater Operations in Lebanon and Oman” says they compromised two Israeli domains and launched a two-stage campaign. Along with CISA, NSA, the FBI, US Cyber Command Cyber National Mission Force, and Cyber Security Mission Force of the UK warned against it. Multiple sectors and industries reported the event, including local government agencies, oil, natural gas, and telecommunications network.

States alerted these actors as they “maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs).” They also poured out crucial information on legitimate programs running malware such as PowerShell script execution. Scripts can hide commands within and control the (C2) functions.

APT actors have always been crucial in cyber-attacks, phishing emails, spamming, and DDoS attacks. Since DDoS is not a high-level attack and doesn’t work for serves that track ping requests, they are for mainstream attackers. APT works by sending payloads with ZIP files. When downloaded, victims open a micro communication script that gives direct control to malicious attackers. After careful monitoring, the actor’s C2 server or PDF file can directly damage victim computers.

As we’ve mentioned in the early section of the article, MuddyWater actors are also spotted using a set of different malware, backdoor access, exfiltration techniques and persistence attacks. PowGoop, Small Sieve, Starwhale/Canopy, POWERSTATS and Mori. Such methods and tools are pretty controversial, typically responded to by cyber teams of service providers. Dedicated teams of IT professionals or packs of cyber security experts are on a constant lookout for these persistent threats. But the intrusion popping up on the UK and US radar is a pretty desperate sign in today’s situation of the Russia-Ukraine conflict.

Iranian government-sponsored thereat actor (AA22-055A) uses MITRE ATTACK® adversarial tactics, techniques and common knowledge (ATT&CK) framework.

You can find the standard adversarial techniques from ATT&CK for Enterprise reference. Also, the official publication by CISA on the Iranian government-sponsored actors conducting cyber operations against global government and commercial networks is published here.

The Iranian Mistry of Intelligence and Security (MOIS) funds the MuddyWater project for several reasons. One can be gathering sensitive information related to the war happening between Russia and Ukraine. Another prediction is they want to come to the radar by overlapping NSO Group’s Pegasus spyware.

The US Cyber Command published an article on “Iranian intel cyber suite of malware uses open-source tools” among all the praises we give and get for them. Open-source tools are a lifesaver but can be a two-way sword if misused. Tactics, techniques, and procedures (TTP) are given by the advisory, which should be followed strictly in a proper manner.