Iranian Hackers Used Slack Workspace in Airline Cyberattack


According to researchers, Iran-based hacking group MuddyWater used Slack, the popular work communication platform, to carry out a cyberattack on an Asian airline. While Slack itself was not breached, the hackers used the platform to communicate with their malware and receive system information.

Researchers at IBM X-Force uncovered how the attack was carried out, stating that MuddyWater leveraged free workspaces on Slack. This allowed the group to cover up operational communications.

They first observed this activity in October 2019 and named the malware Aclip. The cyberattack on the Asian airline took place in March of this year. X-Force researchers did not disclose the name of the airline.

It is also unclear if MuddyWater extracted information from its victims. However, X-Force’s research suggests that the group “may have accessed reservation data.”

How Does Aclip Work?

The researchers claim that Aclip uses the Slack API to carry out its C2 (Command and Control) communications. An API is an interface that defines the rules and functions through which external programs interact with an application. Slack allows users to develop apps and other services that integrate with the platform, so a program that speaks the Slack API looks, at the network level, like any other Slack integration.

“In this instance, the threat actor created an actor-controlled Slack workspace and channels where they could receive system information, including requested files and screenshots; post commands to the backdoor; and receive commands in return,” IBM X-Force stated.

“Using Legitimate Messaging Platforms for Backroom Communications is Not New”

IBM X-Force claims that this type of activity, where the threat actor uses a legitimate messaging platform for operational communications, is not new. For many years, Internet Relay Chat (IRC) was a popular choice for issuing botnet commands. Platforms such as Slack allow actors to “blend in malware traffic in a way that may go unnoticed by security analysts.”
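Because the traffic rides a legitimate SaaS API, the defensive question raised by the two paragraphs above is how an analyst would notice it. The script below is an added illustration for this article, not code from IBM X-Force, Slack, or the Aclip sample: it walks a constructed proxy log, keeps only connections to Slack API hostnames, flags those made by a process or user agent that is not an ordinary Slack client, and checks whether the flagged calls recur at a regular interval, the beaconing pattern a backdoor polling a channel for commands tends to produce. The log format, the process and user-agent allow-lists, and the host and process names in the sample lines are assumptions to be tuned per environment.

```python
"""Flag Slack Web API traffic that does not come from an ordinary Slack client.

Added example for the article on Aclip; not X-Force's or Slack's code.
Log format, allow-lists and the sample lines are constructed assumptions.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Slack hostnames that carry Web API and file traffic (real Slack hostnames).
SLACK_API_HOSTS = {"api.slack.com", "files.slack.com"}

# Processes expected to reach Slack on a managed workstation (assumption).
EXPECTED_PROCESSES = {"slack.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# User-agent fragments the legitimate desktop app and browsers present (assumption).
EXPECTED_UA_TOKENS = ("Slack", "Mozilla/5.0")

# Constructed proxy log: timestamp,src_host,process,user_agent,dest_host,path
SAMPLE_LOG = """\
timestamp,src_host,process,user_agent,dest_host,path
2021-03-02T09:00:01,WS-114,slack.exe,Slack/4.12 Electron,api.slack.com,/api/conversations.history
2021-03-02T09:00:07,WS-114,chrome.exe,Mozilla/5.0 (Windows NT 10.0) Chrome/89,files.slack.com,/files-pri/T01/F02/report.pdf
2021-03-02T09:05:00,WS-201,updater.exe,,api.slack.com,/api/conversations.history
2021-03-02T09:10:00,WS-201,updater.exe,,api.slack.com,/api/chat.postMessage
2021-03-02T09:15:00,WS-201,updater.exe,,api.slack.com,/api/files.upload
2021-03-02T09:20:00,WS-201,updater.exe,,api.slack.com,/api/conversations.history
2021-03-02T09:21:13,WS-114,slack.exe,Slack/4.12 Electron,api.slack.com,/api/chat.postMessage
"""


def parse_log(text):
    """Parse the CSV proxy log into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def is_expected_client(row):
    """True when both the process and the user agent look like a normal Slack client.
    An empty user agent (as in the constructed updater.exe rows) never matches."""
    ua = row["user_agent"]
    return row["process"].lower() in EXPECTED_PROCESSES and any(t in ua for t in EXPECTED_UA_TOKENS)


def suspicious_slack_events(rows):
    """Rows that reach a Slack API host from something other than an expected client."""
    return [r for r in rows if r["dest_host"] in SLACK_API_HOSTS and not is_expected_client(r)]


def beacon_intervals(rows):
    """Seconds between consecutive calls, keyed by (source host, process)."""
    by_key = defaultdict(list)
    for r in rows:
        by_key[(r["src_host"], r["process"])].append(datetime.fromisoformat(r["timestamp"]))
    return {
        key: [int((b - a).total_seconds()) for a, b in zip(sorted(ts), sorted(ts)[1:])]
        for key, ts in by_key.items()
    }


def is_regular(intervals, tolerance=0.1, min_calls=3):
    """True when at least min_calls calls are spaced within +/- tolerance of their mean."""
    if len(intervals) < min_calls - 1:
        return False
    mean = sum(intervals) / len(intervals)
    return all(abs(i - mean) <= tolerance * mean for i in intervals)


def summarize(log_text):
    """Per flagged (host, process): call count, distinct API paths, beaconing verdict."""
    events = suspicious_slack_events(parse_log(log_text))
    summary = {}
    for (host, proc), iv in beacon_intervals(events).items():
        paths = sorted({r["path"] for r in events if r["src_host"] == host and r["process"] == proc})
        summary[(host, proc)] = {"calls": len(iv) + 1, "paths": paths, "beaconing": is_regular(iv)}
    return summary


if __name__ == "__main__":
    for (host, proc), info in summarize(SAMPLE_LOG).items():
        print(f"{host} {proc}: {info['calls']} Slack API calls, beaconing={info['beaconing']}")
        for p in info["paths"]:
            print(f"    {p}")
```

In the constructed log the Slack desktop app and a browser on WS-114 pass the client check and are ignored, while the unknown process on WS-201 is flagged with four API calls exactly five minutes apart. The process and user-agent check is the cheap first filter; the interval check is what separates a one-off integration script from something polling a channel on a timer, and an organization that does not use Slack at all can simply treat any hit on these hostnames as worth a look.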

In fact, Aclip is not the first backdoor to use Slack. X-Force also pointed to earlier examples, such as SlackShell, SlackC2bot, and SLUB Backdoor.

Statement From Slack

Slack stated that it learned about MuddyWater’s activities on its workspaces from X-Force’s investigation. “We investigated and immediately shut down the reported Slack Workspaces as a violation of our terms of service. We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk.”

The company also urged people to remain vigilant and follow basic security measures, including using two-factor authentication and keeping their operating system and antivirus software up to date.

“We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service,” it added.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.