Threat Actor Update: Iranian State Sponsored APT Conducts Cyber Espionage and Ransomware Activities
EclecticIQ researchers assess that MuddyWater is a well-funded, state-supported, and skilled adversary group, based on the variety of tactics, tools, and targets it uses, and that it can cause significant damage to both governments and enterprises through data theft and ransomware.
MuddyWater is the first APT group attributed as a subordinate element of the Iranian Ministry of Intelligence and Security (MOIS) by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK). MuddyWater has been observed conducting cyber espionage and other cyber activities targeting the telecommunications, defense, government, and oil and natural gas sectors in Asia, Europe, and North America since approximately 2018 [1].
The attribution of MuddyWater to MOIS likely signals the growth of Iranian cyber capabilities. According to a report by the US Federal Research Division, MOIS is the most powerful and well-supported of all Iranian ministries and ranks as “one of the largest and most dynamic intelligence agencies in the Middle East.” [2]
EclecticIQ researchers assess it is likely that MuddyWater will target strategic government agencies, organizations, and individuals that have contrasting interests or have dissented from the leadership of Iran. In 2017, MOIS’s powers and responsibilities were formally expanded [3]. The increase in activities abroad has included extensive monitoring and targeting of dissidents and defectors, according to the Washington Institute for Near East Policy.
The actor is known to use spearphishing, exploit publicly known vulnerabilities, and use open-source tools to gain access to sensitive data and deploy ransomware. Spearphishing campaigns have lured victims into downloading ZIP files containing a macro-enabled Excel document or a PDF file that drops a malicious file to initiate command and control (C2) communications [1].
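As an added defender-side illustration of the lure chain described above (ZIP attachment wrapping a macro-enabled Office document), the following Python snippet inspects a ZIP attachment and flags any embedded OOXML document that carries a VBA project; it is example code written for this note, not tooling from EclecticIQ or the joint advisory, and the sample archive it scans is constructed in-line.

```python
"""Flag ZIP attachments that wrap a macro-enabled Office document (added example)."""
import io
import zipfile

# OOXML containers (.xlsm/.docm/.pptm) store VBA macros under one of these member paths.
VBA_MEMBERS = {"xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin"}
OFFICE_EXT = (".xlsm", ".xlsx", ".docm", ".docx", ".pptm", ".pptx")


def office_has_macros(blob: bytes) -> bool:
    """True if an OOXML document embeds a VBA project, i.e. it is macro-enabled."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as doc:
            return any(name in VBA_MEMBERS for name in doc.namelist())
    except zipfile.BadZipFile:
        return False  # not an OOXML container; legacy binary formats are out of scope here


def find_macro_docs_in_zip(blob: bytes) -> list[str]:
    """Return the names of Office members inside a ZIP attachment that carry VBA macros."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as outer:
        for info in outer.infolist():
            if info.filename.lower().endswith(OFFICE_EXT) and office_has_macros(outer.read(info)):
                hits.append(info.filename)
    return hits


def build_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-like container for testing (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            z.writestr("xl/vbaProject.bin", b"\x00constructed-vba-stub")
    return buf.getvalue()


def build_lure_zip() -> bytes:
    """Constructed ZIP attachment: one macro-enabled workbook plus benign members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.xlsm", build_ooxml(with_vba=True))
        z.writestr("summary.xlsx", build_ooxml(with_vba=False))
        z.writestr("readme.txt", "constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_macro_docs_in_zip(build_lure_zip()))  # ['invoice.xlsm']
```

The check keys on the presence of a VBA project rather than on the file extension alone, so a macro document renamed to `.xlsx` is still flagged.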
Once initial access is established, MuddyWater uses a variety of malware to accomplish its objectives. The malware suite includes [1]:
- PowGoop
- Small Sieve
- Canopy
- Mori
- POWERSTATS
- Survey Scripts
- Custom PowerShell Backdoor
MuddyWater may also be known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros by various vendors.
Policy and Governance: Joint Advisory Shows Increased Globalized Threat of Ransomware
A joint advisory released by the United States, UK and Australian cyber security authorities reports an increase in 2021 of “sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally.” [4] According to the report, ransomware tactics continued to evolve in 2021 which demonstrated the continued technical growth of threat actors and an increased threat to organizations globally.
EclecticIQ researchers also assess that the ransomware threat will continue to grow in 2022. The increasing professionalism of threat groups (including improved victim assistance and negotiation services), together with evolving tactics such as targeting cloud infrastructure and supply chains and the use of triple extortion (threatening to publicly release sensitive information, disrupting the victim’s internet access, and informing the victim’s partners, shareholders, and suppliers of the incident), all show that the RaaS ecosystem is growing. This growth is likely to mean more organizations targeted and greater damage caused across the globe.
Appendix:
- [1] https://www.cisa.gov/uscert/ncas/alerts/aa22-055a
- [2] https://irp.fas.org/world/iran/mois-loc.pdf
- [3] https://www.washingtoninstitute.org/policy-analysis/irans-intelligence-organizations-and-transnational-suppression
- [4] https://www.ncsc.gov.uk/files/2021%20Trends%20show%20increased%20globalised%20threat%20of%20ransomware.pdf
Structured Data
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.
TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery
You may also download the content as eiq_json, stix1_2, stix2_1.
Please refer to our support page for guidance on how to access the feeds.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.