MuddyWater hacking group is Iranian

US Cyber Command’s Cyber National Mission Force (CNMF) has attributed the MuddyWater hacking group to the government of Iran, assessing it to be an operation run under the Iranian Ministry of Intelligence and Security (MOIS).

The U.S. government has said MOIS conducts internal surveillance to identify opponents of the regime, in addition to monitoring the activity of foreign actors. In its report, US Cyber Command notes that the group is characterized by its use of the PowGoop DLL side-loader. DLL side-loading works by dropping a malicious library next to a legitimate, usually signed, executable that loads a DLL of that name: the trusted program itself ends up executing the malware, and the loader’s command-and-control (C2) traffic is dressed up to blend in with the legitimate application’s own network activity. A practical check on a suspect host is to look for a DLL in an application directory that carries the name of a library the executable imports but is unsigned, or signed by a publisher other than the one that signed the executable.

The report also notes that multiple JavaScript samples were identified that support deployment of the Mori backdoor, which tunnels its C2 communications over DNS: “The identification of these indicators of compromise demonstrates an attack deployed by Iranian hackers,” the report adds.
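A DNS tunnel like the one Mori is described as using leaves a characteristic footprint in resolver logs: many queries to one registered domain, each with a new, long, high-entropy subdomain, often using record types (TXT, NULL, CNAME, MX) that can carry more data than an A record. The following heuristic detector, added here as an example and not taken from the article or from US Cyber Command’s report, profiles each registered domain in a query log and reports the indicators it trips. The log format, the sample lines, the domains (under the reserved .example TLD) and the thresholds are all constructed for this example; Mori’s real encoding is not reproduced.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, one query per line:
# "<timestamp> <client-ip> <qtype> <qname>". corp.example is ordinary traffic,
# updates.example plays the role of a tunnelling C2 domain, and cdn.example
# shows two long, hash-like names that are too few to judge.
SAMPLE_LOG = """\
2022-01-12T10:00:01Z 10.0.0.5 A www.corp.example
2022-01-12T10:00:02Z 10.0.0.5 A cdn.corp.example
2022-01-12T10:00:03Z 10.0.0.7 A mail.corp.example
2022-01-12T10:00:04Z 10.0.0.5 A www.corp.example
2022-01-12T10:00:05Z 10.0.0.9 A api.corp.example
2022-01-12T10:00:06Z 10.0.0.5 A www.corp.example
2022-01-12T10:00:07Z 10.0.0.9 TXT 0f1e2d3c4b5a69788a3f0c5e1b7d2946.updates.example
2022-01-12T10:00:08Z 10.0.0.9 TXT c47b9e1d3a06f5822e6a0d8c5f193b74.updates.example
2022-01-12T10:00:09Z 10.0.0.9 TXT b19c4f7e2d0a86355d3e8b0f6c1a9724.updates.example
2022-01-12T10:00:10Z 10.0.0.9 TXT 8a3f0c5e1b7d2946c47b9e1d3a06f582.updates.example
2022-01-12T10:00:11Z 10.0.0.9 TXT 2e6a0d8c5f193b74b19c4f7e2d0a8635.updates.example
2022-01-12T10:00:12Z 10.0.0.9 TXT 5d3e8b0f6c1a97240f1e2d3c4b5a6978.updates.example
2022-01-12T10:00:13Z 10.0.0.5 A d41d8cd98f00b204e9800998ecf8427e.assets.cdn.example
2022-01-12T10:00:14Z 10.0.0.5 A 9e107d9d372bb6826bd81d3542a419d6.assets.cdn.example
"""

# Tuning thresholds; these are assumptions for the example, not published values.
LONG_SUBDOMAIN = 30      # average subdomain length in characters
HIGH_ENTROPY = 3.5       # average Shannon entropy in bits per character
UNIQUE_RATIO = 0.9       # share of queries that use a never-seen subdomain
BULK_RATIO = 0.5         # share of queries using data-carrying record types
BULK_TYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score near log2(alphabet)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Split a query name into (last two labels, everything before them).

    Two labels is a simplification: for real traffic use the Public Suffix List
    so that names under co.uk and similar suffixes are grouped correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    """Parse the constructed log format into (ts, client, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or line.lstrip().startswith("#"):
            continue  # skip blanks, comments and malformed lines
        ts, client, qtype, qname = parts
        records.append((ts, client, qtype.upper(), qname))
    return records


def profile_domains(records):
    """Aggregate per-registered-domain statistics used by the scoring step."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "len_sum": 0, "entropy_sum": 0.0, "bulk": 0})
    for _, _, qtype, qname in records:
        domain, sub = registered_domain(qname)
        s = stats[domain]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["len_sum"] += len(sub)
        s["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        if qtype in BULK_TYPES:
            s["bulk"] += 1
    return stats


def score_domain(s):
    """Return the list of tunnelling indicators a domain's profile trips."""
    q = s["queries"]
    avg_len = s["len_sum"] / q
    avg_ent = s["entropy_sum"] / q
    uniq_ratio = len(s["subdomains"]) / q
    bulk_ratio = s["bulk"] / q
    reasons = []
    if avg_len >= LONG_SUBDOMAIN:
        reasons.append(f"long subdomains (avg {avg_len:.0f} chars)")
    if avg_ent >= HIGH_ENTROPY:
        reasons.append(f"high-entropy labels (avg {avg_ent:.2f} bits/char)")
    if uniq_ratio >= UNIQUE_RATIO:
        reasons.append(f"{len(s['subdomains'])} distinct subdomains in {q} queries")
    if bulk_ratio >= BULK_RATIO:
        reasons.append(f"{bulk_ratio:.0%} of queries use TXT/NULL/CNAME/MX")
    return reasons


def find_tunnels(text, min_queries=5, min_reasons=2):
    """Map each suspicious registered domain to the indicators it tripped.

    Domains below min_queries are ignored: a couple of long hashed hostnames
    (CDN assets, certificate transparency probes) are normal, a stream of them
    to one domain is not.
    """
    alerts = {}
    for domain, s in profile_domains(parse_log(text)).items():
        if s["queries"] < min_queries:
            continue
        reasons = score_domain(s)
        if len(reasons) >= min_reasons:
            alerts[domain] = reasons
    return alerts


if __name__ == "__main__":
    for domain, reasons in find_tunnels(SAMPLE_LOG).items():
        print(f"{domain}: " + "; ".join(reasons))
```

Run against the sample, the detector flags only updates.example (all four indicators trip), ignores corp.example despite its volume, and never scores cdn.example because two queries are too few to judge. Each indicator on its own produces false positives (CDNs use long hashed hostnames, mail providers generate many unique subdomains), which is why an alert requires at least two of them and a minimum query count; in production, feed the per-domain profiles into a baseline over several days rather than scoring a single window.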

This group was first identified in 2017 by researchers at security firm Mandiant: “Iran controls various cyber espionage operations, cyberattacks and theft of sensitive information. The security services that sponsor these groups (IRGC and MOIS) use them to gain a strategic advantage against their local opponents and in other countries,” the experts’ report said.

In its early attacks, MuddyWater focused on the Middle East, hitting government agencies, telecommunications companies and oil companies. Its more recent campaigns have targeted private companies in Europe and North America.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.