U.S. Cyber Command’s Cyber National Mission Force on Wednesday identified and disclosed multiple open-source tools that an Iranian threat group has used to target networks in the Middle East, Europe and North America.
The “MuddyWater” threat group was described by Cyber Command as a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS). The Congressional Research Service last summer reported that MOIS “conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies.”
Juan Andres Guerrero-Saade, principal threat researcher at SentinelOne, said that threat researchers tracking nation-state sponsored groups don’t often get a glimpse of the organizations behind these operations. Guerrero-Saade said U.S. Cyber Command provided such insight by attributing the group to MOIS rather than to the Islamic Revolutionary Guard Corps (IRGC), which many security experts had previously assumed.
Guerrero-Saade said MuddyWater has been actively tracked since as early as 2017. In a recent blog post, SentinelOne reported that it continues to see the group innovating: improving its custom malware, abusing tunneling tools, and adopting open-source exploits and frameworks to target Microsoft Exchange servers.
“Like many other Iranian threat actors, the group displays less sophistication and technological complexity compared to other state-sponsored APT groups,” Guerrero-Saade said. “Even so, it appears MuddyWater’s persistency is a key to its success, and their lack of sophistication does not appear to prevent them from achieving their goals.”
John Bambenek, principal threat hunter at Netenrich, considers the U.S. government’s identification of Iranian state-backed activity the first step toward doing something about it. Bambenek said organizations should check their networks for the reported indicators and behavior and, if they find any, report it to the government.
“Remember that Iran is just as able to read CyberCom’s blog and will change tactics,” Bambenek said. “Only strong disruptive activity will be able to minimize the ability of this group to achieve its objectives, which will combine public tactics (like naming and shaming) and private tactics that will not be visible to the broader public. Make no mistake, this blog won’t stop Iran in and of itself.”