The U.S. and U.K. governments have issued a joint cybersecurity advisory warning that an Iranian advanced persistent threat group is conducting cyber espionage and other malicious cyber operations.

The group, known as “MuddyWater” and part of Iran’s Ministry of Intelligence and Security, has been targeting a range of government and private sector organizations in Asia, Africa, Europe and North America. Targeted sectors include telecommunications, defense, local government, and oil and natural gas.

MuddyWater is also known as Earth Vetala, MERCURY, Static Kitten, Seedworm and TEMP.Zagros. The APT group dates back to 2018 and undertakes broad cyber campaigns supporting Iranian government objectives.

The group exploits publicly reported vulnerabilities and uses open-source tools and strategies to gain access to sensitive data on targeted systems and to deploy ransomware.

Having exploited vulnerabilities, MuddyWater primarily deploys new variants of PowGoop malware as its main loader in malicious operations. PowGoop consists of a DLL loader and a PowerShell-based downloader, and it impersonates a legitimate file that is signed as a Google Update executable.

The joint advisory was issued by the U.S. Federal Bureau of Investigation, the Department of Homeland Security’s Cybersecurity and Infrastructure Agency, the U.S. Cyber Command Cyber National Mission Force and the U.K. National Cyber Security Centre.

“Iranian government-sponsored actors are consistently targeting government and commercial networks through multiple means, including exploiting known vulnerabilities and spearphishing,” a CISA spokesperson said. “We are committed to identifying nation-state threats to our critical infrastructure and helping organizations reduce their cyber risk.”

Iranian state-sponsored hacking campaigns were last in the news in January when another group, known as APT 35, Phosphorus and Charming Kitten, was found to be actively exploiting vulnerabilities in Apache Log4j.

“While MuddyWater has been around for a while, the new tactics, techniques and procedures uncovered in this CISA Alert are interesting and in line with other actors we’ve seen from Iran,” Drew Schmitt, principal threat intelligence analyst at cybersecurity consulting company GuidePoint Security LLC, told SiliconANGLE. “The severity of this isn’t probably that high, but timing is interesting with the Ukraine cyberattacks and conflict playing out in parallel.”

“This could be Iran stepping up operations based on a distracted worldview or some other reason,” Schmitt added. “It really is hard to speculate on the rationale. Interestingly, the CISA alert does not seem to say whether this is a trend seen over a period of time or something quite new.”
