US Military Ties Prolific MuddyWater Cyberespionage APT to Iran

U.S. Cyber Command has confirmed that MuddyWater – an advanced persistent threat (APT) cyberespionage actor, also known as Mercury, Static Kitten, TEMP.Zagros or Seedworm, that has historically targeted government victims in the Middle East – is an Iranian intelligence outfit. The link had long been suspected; now it is government-stamped.

On Wednesday, USCYBERCOM not only confirmed the tie; it also disclosed the plethora of open-source tools and strategies MuddyWater uses to break into target systems, and released malware samples.

“MuddyWater has been seen using a variety of techniques to maintain access to victim networks,” according to USCYBERCOM’s National Mission Force (CNMF). “These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.”

USCYBERCOM has uploaded multiple MuddyWater-attributed malware samples to VirusTotal.

Iranian MOIS hacker group #MuddyWater is using a suite of malware to conduct espionage and malicious activity. If you see two or more of these malware on your network, you may have MuddyWater on it: Attributed through @NCIJTF @FBI
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) January 12, 2022

USCYBERCOM’s press release described MuddyWater as being “a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).” The Congressional Research Service describes MOIS as conducting “domestic surveillance to identify…