U.S. Cyber Command linked the hacking group MuddyWater with Iranian intelligence

According to The Record, U.S. Cyber Command revealed on Wednesday that a hacking group known for its cyber espionage activities is in fact part of Iran's intelligence apparatus. The Cyber National Mission Force (CNMF) under U.S. Cyber Command announced that the group, dubbed MuddyWater, is a subordinate element of Iran's Ministry of Intelligence and Security (MOIS).

The claim marks the first time the U.S. government has publicly linked this prolific threat actor — whose targets range from academia and tourism to governments and telecommunications operators — with Iranian intelligence agencies.

"U.S. Cyber Command has stepped in," J.A. Guerrero-Saade, chief threat researcher at SentinelOne, wrote on Twitter, referring to Iran's Islamic Revolutionary Guard Corps (IRGC). "MuddyWater belongs to Iran's MOIS (not what some believe to be the IRGC)."

U.S. Cyber Command, in partnership with the FBI, has also uploaded multiple open-source malware tools used by Iranian intelligence personnel around the globe to the popular malware repository VirusTotal.

"If you see a combination of these tools, Iranian MOIS actor MuddyWater could be in your network," U.S. Cyber Command warned in the note accompanying the ten entries.

"We relentlessly release malware to keep our entire country safe. Public disclosure of malicious online activity or actors protects U.S. interests and our partners. #CyberIsATeamSport," tweeted the official Twitter account of U.S. Cyber Command.

In a statement, a spokesman for U.S. Cyber Command declined to say how the group discovered the malicious tools or whether the samples were provided by a third party.

"We do not discuss the origin of the malware samples released by the CNMF team. Some of these malware samples are variants of other malware already in the public domain — and what makes this disclosure unique is that it provides a whole picture of what malicious network actors in Iran might be able to gather through the use of malware."

MuddyWater, sometimes referred to as SeedWorm, has been spying since at least 2015.

Last month, Symantec's threat hunter team released a study which found that the group had targeted telecom operators and IT services organizations across the Middle East and Asia over the past 6 months.

The researchers concluded that the targets and tactics involved (the attackers relied on publicly available malware together with remote management and security assessment tools to steal credentials and move laterally across the network) were "consistent with Iranian-sponsored actors", but they did not attribute the activity to the Iranian government.

Among the malware samples highlighted by U.S. Cyber Command are several variants of PowGoop, a loader disguised as a Google update mechanism. These include a variant that gives attackers command and control, and two other variants that act as beacons, calling out from the compromised network to the attackers' malicious infrastructure. Other samples include malicious JavaScript files and a version of the Mori backdoor.