US Military: MuddyWater Hackers Work for Iranian Intelligence

Close up of Iranian National Flag

The US Cyber Command has linked the prominent cyber threat group MuddyWater to Iran’s Ministry of Intelligence and Security (MOIS). It has also provided details on the various open-source cyber tools that MOIS uses to infiltrate networks around the world.

The press release aims to “enable better defence among malicious cyber actors.” The Cyber Command’s Cyber National Mission Force (CNMF) has provided malware samples attributed to MuddyWater.

Information on MuddyWater’s Recent Activity

MuddyWater is a “subordinate element” within the MOIS. According to the Cyber Command press release, the MOIS “conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies.”

A Command spokesperson said this is the first time the US government has explicitly connected the Iranian Intelligence Ministry with a high-profile espionage actor. Recently, MuddyWater has conducted cyber-espionage on telecom companies and other organizations across the Middle East.

The group has also been active against targets in Europe and North American nations. Last month, researchers at IBM X-Force said MuddyWater utilized the popular workplace platform Slack to carry out a cyberattack against an Asian airline.

How Iranian Threat Actors Leverage Malware in Networks

CNMF also said that “MuddyWater has been seen using a variety of techniques to maintain access to victim networks. These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.” Finding “multiple of the tools in the same network” may indicate the presence of Iranian threat actors.

Cybersecurity experts have provided more information based on their experience with Iranian hacking groups, and MuddyWater in particular. Sarah Jones, senior principal analyst at Mandiant, said, “Iran fields multiple teams that conduct cyber espionage, cyberattack and information operations.”

“The security services that sponsor these actors, the MOIS and the IRGC, are using them to get a leg up on Iran’s adversaries and competitors all over the world,” Jones added.

Amitai Ben Shushan Ehrlich, researcher at SentinelOne, said MuddyWater seems to refine its techniques to stay under the radar. “Analysis of MuddyWater activity suggests the group continues to evolve and adapt their techniques,” Ehrlich stated. “While still relying on publicly available offensive security tools, the group has been refining its custom toolset and utilizing new techniques to avoid detection.”

If you found this article interesting, we recommend you take a look at our detailed resource on spyware. You could also check out our recommendations for the best antivirus software to help secure your digital surroundings.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.