U.S. and U.K. government agencies called out Iranian government-affiliated hackers Thursday, accusing them of being behind cyber-espionage targeting the defense, local government, oil and natural gas and telecommunications sectors across the globe.
The joint alert points a finger at MuddyWater, which the U.S. government for the first time last month attributed directly to Tehran. In the latest warning, the government agencies said that they have observed MuddyWater on the move in Africa, Asia, Europe and North America since 2018.
“MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors,” reads the alert.
The bulletin is the joint work of the the FBI, Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the U.S. Cyber Command Cyber National Mission Force and the U.K.’s National Cyber Security Centre.
MuddyWater has a long history of allegedly spying on primarily Middle East targets, but the two U.S. alerts — one of which, Thursday’s, arrived as Russia’s invasion of Ukraine is preoccupying government officials — indicate an increased focus from the government, given the group’s potential wider reach.
“Iranian government-sponsored actors are consistently targeting government and commercial networks through multiple means, including exploiting known vulnerabilities and spearphishing,” a CISA spokesperson said. “We are committed to identifying nation-state threats to our critical infrastructure and helping organizations reduce their cyber risk.”
Thursday’s warning came the same day that cybersecurity firm Mandiant released research about how a group it said was likely associated with MuddyWater had used Telegram malware to target Middle Eastern technology and government organizations.
While MuddyWater has been active since at least 2017, “We have observed a particularly high tempo over the last year or so,” Emiel Haeghebaert, analyst at Mandiant, told CyberScoop via email.
“In addition to the higher cadence of their operations, a notable development is that the group has increasingly incorporated legitimate tools and resources into their toolkit,” he said. “The use of legitimate remote access software and the network communication capabilities of common workplace applications like Slack and even Telegram indicates these threat actors are trying to evade detection.”
What will be interesting to watch, Haeghebaert said, is how MuddyWater — which Mandiant also calls TEMP.Zagros — reacts to the government callout.
“A particularly interesting characteristic of this group is their awareness of and responsiveness to public disclosures,” he said. “For example, when security researchers pointed out that their malware included a typo in the word ‘sory’ [sic] on Twitter, a new iteration of the malware seen just days later had this typo corrected to ‘SoRRy’ [sic]. This awareness then begs the question of how TEMP.Zagros will respond to this public disclosure, including whether they will re-build their arsenal from scratch or continue unabated.”