The flag of Iran is seen in front of the building of the International Atomic Energy Agency (IAEA) Headquarters on May 24, 2021, in Vienna. (Photo by Michael Gruber/Getty Images)

U.S. Cyber Command’s Cyber National Mission Force on Wednesday identified and disclosed multiple open-source tools that an Iranian threat group has used to target networks in the Middle East, Europe and North America.

The “MuddyWater” threat group was described by Cyber Command as a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS). The Congressional Research Service last summer reported that MOIS “conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies."

Cyber Command said that should a network operator identify multiple tools used by MOIS on the same network, it may indicate the presence of Iranian malicious cyber actors. According to Cyber Command, the techniques MOIS uses include side-loading DLLs to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control (C2) functions. New samples showing the different parts of this suite of tools were posted by Cyber Command to VirusTotal, along with JavaScript files used to establish connections back to malicious infrastructure.

Juan Andres Guerrero-Saade, principal threat researcher at SentinelOne, said that as threat researchers tracking nation-state sponsored groups, his team doesn’t often get a glimpse at the organizations behind these operations. Guerrero-Saade said U.S. Cyber Command provided such insight by pointing the finger at MOIS rather than the Iranian Revolutionary Guard Corps (IRGC), which many security experts had previously assumed to be responsible.

Guerrero-Saade said MuddyWater has been actively tracked since as early as 2017. In a recent blog post, SentinelOne reported that it continues to see the group innovating: improving its custom malware, abusing tunneling tools, and adopting open-source exploits and frameworks to target Microsoft Exchange servers.

“Like many other Iranian threat actors, the group displays less sophistication and technological complexity compared to other state-sponsored APT groups,” Guerrero-Saade said. “Even so, it appears MuddyWater’s persistency is a key to its success, and their lack of sophistication does not appear to prevent them from achieving their goals.”

John Bambenek, principal threat hunter at Netenrich, considers the U.S. government identifying Iranian state-backed activity the first step toward doing something about it. Bambenek said organizations should check their networks for the reported indicators and behavior and, if found, let the government know.

“Remember that Iran is just as able to read CyberCom’s blog and will change tactics,” Bambenek said. “Only strong disruptive activity will be able to minimize the ability of this group to achieve its objectives, which will combine public tactics (like naming and shaming) and private tactics which will not be visible to the broader public. Make no mistake, this blog won’t stop Iran in and of itself.”