Iran-Linked MuddyWater Group’s 8-Month Espionage Campaign Targeting Middle Eastern Government

In a relentless eight-month campaign spanning February to September 2023, the Iranian state-sponsored threat actor known as MuddyWater (also identified as APT34, Crambus, Helix Kitten, and OilRig) targeted an undisclosed Middle Eastern government. The group successfully exfiltrated sensitive government data using a range of never-before-seen custom malware tools. The operation, monitored by cybersecurity firm Symantec, sheds light on MuddyWater’s persistent activity in the region.

The campaign, closely tracked by Symantec under the name “Crambus,” involved stealing files and passwords and deploying a PowerShell backdoor called PowerExchange. This backdoor allowed the threat actors to monitor for and execute commands sent via email, maintaining stealth while compromising a significant number of computers. The group also employed a combination of backdoors, keyloggers, and several custom malware tools, including Backdoor.Tokel, Trojan.Dirps, and Infostealer.Clipog.

The campaign began with the execution of an unknown PowerShell script, which served as the adversaries’ initial access method. MuddyWater’s flexibility and covert tactics allowed the group to remain undetected while operating across multiple systems within the compromised network.

One distinctive aspect of this campaign was the use of the PowerExchange backdoor, which was documented in a Fortinet report in May 2023 and attributed to APT34. This implant accessed Microsoft Exchange Servers using hardcoded credentials, enabling the threat actors to execute commands and to steal and write files, with the traffic concealed in emails whose subject line contained “@@.”
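The subject-line marker described above is something a defender can hunt for in mail telemetry. The following is an added example, not code from the page or from any of the cited reports: it parses a constructed CSV export shaped like an Exchange message-tracking log (the column names are assumptions) and flags every message whose subject carries the “@@” marker, then counts hits per sender/recipient pair so an analyst can see which mailbox is receiving the tasking.

```python
import csv
import io
from collections import Counter

# Constructed sample data, shaped like an Exchange message-tracking log export.
# Column names and addresses are assumptions for this example, not values from
# the report; the fourth row has a single "@" and must not be flagged.
SAMPLE_LOG = """Timestamp,EventId,Sender,Recipients,MessageSubject
2023-03-01T08:12:44Z,RECEIVE,svc-mail@example.test,admin@example.test,Quarterly report
2023-03-01T08:15:02Z,RECEIVE,external@mail.test,admin@example.test,@@ whoami
2023-03-01T08:15:31Z,SEND,admin@example.test,external@mail.test,RE: @@ whoami
2023-03-01T09:02:10Z,RECEIVE,hr@example.test,admin@example.test,Invitation @ 3pm
"""

MARKER = "@@"  # subject-line marker reported for the PowerExchange backdoor


def find_marker_messages(log_text, marker=MARKER):
    """Return every log row (as a dict) whose subject contains the marker.

    A plain substring match is used on purpose: the marker itself is the
    reported indicator, and the surrounding command text is unknown.
    """
    reader = csv.DictReader(io.StringIO(log_text))
    return [row for row in reader if marker in row["MessageSubject"]]


def summarize_by_mailbox(hits):
    """Count flagged messages per (sender, recipients) pair.

    Both directions appear separately, so a mailbox that receives tasking and
    then replies shows up as two pairs pointing at the same external address.
    """
    return Counter((row["Sender"], row["Recipients"]) for row in hits)


if __name__ == "__main__":
    flagged = find_marker_messages(SAMPLE_LOG)
    for row in flagged:
        print(row["Timestamp"], row["EventId"], row["Sender"], "->",
              row["Recipients"], "|", row["MessageSubject"])
    for (sender, rcpt), n in summarize_by_mailbox(flagged).items():
        print(f"{n} message(s): {sender} -> {rcpt}")
```

Against a real export, point `find_marker_messages` at the file contents and review every flagged pair; a mailbox exchanging “@@” subjects with an external address is worth a closer look at that account’s credentials and inbox rules.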

Symantec’s threat hunter team also noted the deployment of popular open-source hacking tools, including Mimikatz for credential dumping and Plink for remote shell capabilities. The attackers further modified firewall rules, allowing remote access while maintaining a low profile.

The campaign’s long duration and its ability to stay under the radar can be attributed to the group’s choice of tools. By introducing new tools alongside legitimate ones, the attackers avoided immediate detection, leaving analysts to rely on alerts of potentially malicious activity.

MuddyWater, which has been active since at least 2014, was presumed to have diminished after a leak exposed its activities. However, recent campaigns demonstrate its resurgence, with an expansive reach across the Middle East affecting sectors such as finance, energy, telecommunications, chemicals, government, and critical infrastructure.

Despite previous exposure, MuddyWater’s sophisticated tactics, persistent campaigns, and evolving toolkit make it a continued and significant threat to organizations in the Middle East and beyond.


In summary, MuddyWater’s recent espionage campaign showcases its adaptability, determination, and the use of novel tools, underlining the persistent and evolving nature of state-sponsored cyber threats emanating from Iran.

The resurgence of the MuddyWater cyber espionage group is evident. Its extensive history of espionage campaigns has affected a wide range of countries in and beyond the Middle East, including Saudi Arabia, Israel, Turkey, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, the United Arab Emirates, and even the United States. These campaigns have infiltrated key sectors such as finance, energy, telecommunications, chemicals, government, and critical infrastructure. Notably, MuddyWater has faced sanctions from the United States because of its persistent cyber espionage efforts. Recent activity has included cyberattacks in Saudi Arabia featuring a new malware strain called Menorah and a supply chain attack on the United Arab Emirates, reaffirming the group’s active and evolving presence in the cyber threat landscape.

It is very important to keep our systems updated at all times and to stay informed about current threats. Awareness is just as crucial, because neglecting these aspects can cause significant damage.

Sources:

https://www.darkreading.com/dr-global/iran-linked-muddywater-spies-middle-east-govt-eight-months

https://thehackernews.com/2023/10/iran-linked-oilrig-targets-middle-east.html

https://www.securityweek.com/iranian-hackers-lurked-for-8-months-in-government-network/

https://www.bleepingcomputer.com/news/security/iranian-hackers-lurked-in-middle-eastern-govt-network-for-8-months/

Akos Sipos, UPS Student
