A hacking group commonly linked to the Iranian government threatened to kill security researchers who came across their cyber espionage operation, according to a new report.
Researchers with multinational cybersecurity company Trend Micro were probing a server that appeared connected to a possible data breach in the Middle East when they received a message that read: “Stop!!! I Kill You Researcher.”
The server, used by a group known as “MuddyWaters,” later proved to be the attacker’s command and control (C&C) infrastructure.
The infrastructure had been used to launch several attacks against multiple Middle Eastern and Central Asian government institutions, research shows.
“It seems that the attackers are actively monitoring the incoming connections to the C&C,” a blog by Trend Micro reads. “In one of our attempts, we sent an improper request to the C&C server, which replied with the following message: ‘Stop!!! I Kill You Researcher.’ This level of personalized messaging implies that the attackers are monitoring what data is going to and from their C&C server.”
Trend Micro discovered the attack server by investigating a targeted phishing email, which carried distinctive malware hidden in a document. Experts say MuddyWaters is an advanced persistent threat (APT) likely tied to Iranian government interests. In the past, the group has been known to target political and civil society organizations in neighboring countries as well as large telecommunications firms.
Cybersecurity companies say the group has been active since at least 2015; having attempted to breach targets located in Georgia, India, Iraq, Israel, Pakistan, Saudi Arabia, Turkey, the United Arab Emirates and U.S. The latest activity, spotted by Trend Micro, was largely focused on Turkey, Pakistan and Tajikistan.
Associated phishing emails contained references to “government organizations such as the Ministry of Internal Affairs of the Republic of Tajikistan,” according to Trend Micro.
What’s comparably unique about MuddyWaters is the lengths to which the group will attempt to obfuscate their attacks through the use of so-called “false flag” techniques. These false flags include writing malware tools with snippets of borrowed computer code, which would be more closely associated with a Chinese hacking operation, for example. In another known case, MuddyWaters designed phishing emails that appeared like they were related to a legitimate Russian cybersecurity company, Kaspersky Lab, which has alleged ties to the Russian intelligence community according to the U.S. government.
Recent reporting by The Washington Post suggested that a Russian APT similarly used false flag techniques to frame North Korea for hacking into the 2017 Pyongyang Winter Olympics. These types of tactics can make it more difficult for researchers to attribute incidents to specific entities or countries, experts say.