Iran-Based Hackers Caught Carrying Out Destructive Attacks Under the Guise of Ransomware



The Iranian nation-state group known as MuddyWater has been observed carrying out destructive attacks on hybrid environments under the guise of ransomware operations.

That’s according to new findings from Microsoft’s Threat Intelligence team, which uncovered the threat actor targeting both on-premises and cloud infrastructure in partnership with a newly tracked activity cluster dubbed DEV-1084.

“While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation,” the tech giant revealed Friday.

MuddyWater is the name given to an actor based in Iran that the US government has publicly associated with the country’s Ministry of Intelligence and Security (MOIS). It has been known to be active since at least 2017.

It is also being tracked by the cybersecurity community under various names, including Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mercury, Seedworm, Static Kitten, TEMP.Zagros, and Yellow Nix.

Cybersecurity company Secureworks, in its Cobalt Ulster profile, notes that it is not uncommon for the threat actor to “inject fake flags into code related to their operations” as a distraction in an attempt to muddy attribution efforts.

The attacks carried out by the group have primarily targeted Middle Eastern countries, with intrusions observed over the past year exploiting the Log4Shell vulnerability to breach Israeli entities.

Microsoft’s latest findings reveal that the threat actor may be working with DEV-1084 to carry out the attacks, with the latter conducting the destructive actions after MuddyWater has gained a foothold in the target environment.

“Mercury likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage,” Microsoft said.

In the activity detected by Redmond, DEV-1084 then abused highly privileged compromised credentials to encrypt on-premises devices and carry out a large-scale deletion of cloud resources, including server farms, virtual machines, storage accounts, and virtual networks.

In addition, the threat actors gained full access to email inboxes through Exchange Web Services, using that access to perform “thousands of search activities” and to impersonate an unnamed high-ranking employee in order to send messages to both internal and external recipients.

The actions described above are said to have occurred over a period of roughly three hours, starting at 12:38 AM (when the attacker logged into the Microsoft Azure environment using the compromised credentials) and ending at 3:21 AM (when the attacker sent email to other parties after the cloud tampering had succeeded).
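The cloud-wipe phase described above has a detectable shape: one identity deleting many resources of several different kinds inside a window of a few hours. The following is an added example written for this page, not Microsoft's detection logic and not code from the report. It runs over constructed, simplified Azure Activity Log records (the field names caller, operationName, resourceId, eventTimestamp and status mirror the real export, but the date, the account names, the subscription and the resource IDs are invented) and flags any caller whose successful delete operations within a sliding window exceed a count and resource-type threshold. The thresholds are assumptions to be tuned against a tenant's own baseline.

```python
"""Flag mass deletion of cloud resources by a single identity.

Added example (not from the article or Microsoft). Input records are a
constructed, simplified rendering of Azure Activity Log fields; real exports
carry many more fields.
"""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Times follow the article's window (12:38 AM to
# 3:21 AM), but the date, callers, subscription and resource IDs are invented.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2023-01-01T00:38:10Z", "caller": "svc-backup@contoso.example",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": "/subscriptions/s1/providers/Microsoft.Authorization/roleAssignments/ra1",
     "status": "Succeeded"},
    {"eventTimestamp": "2023-01-01T00:45:00Z", "caller": "ops@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/delete",
     "resourceId": "/subscriptions/s1/resourceGroups/rg-test/providers/Microsoft.Compute/virtualMachines/vm-test",
     "status": "Succeeded"},
    {"eventTimestamp": "2023-01-01T00:52:00Z", "caller": "svc-backup@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/delete",
     "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm-01",
     "status": "Succeeded"},
    {"eventTimestamp": "2023-01-01T00:55:30Z", "caller": "svc-backup@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/delete",
     "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm-02",
     "status": "Succeeded"},
    {"eventTimestamp": "2023-01-01T01:10:00Z", "caller": "svc-backup@contoso.example",
     "operationName": "Microsoft.Compute/disks/delete",
     "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/disks/disk-01",
     "status": "Succeeded"},
    {"eventTimestamp": "2023-01-01T01:40:00Z", "caller": "svc-backup@contoso.example",
     "operationName": "Microsoft.Storage/storageAccounts/delete",
     "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/stacct01",
     "status": "Succeeded"},
    {"eventTimestamp": "2023-01-01T02:15:00Z", "caller": "svc-backup@contoso.example",
     "operationName": "Microsoft.Web/serverfarms/delete",
     "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Web/serverfarms/plan-01",
     "status": "Succeeded"},
    {"eventTimestamp": "2023-01-01T03:05:00Z", "caller": "svc-backup@contoso.example",
     "operationName": "Microsoft.Network/virtualNetworks/delete",
     "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet-01",
     "status": "Succeeded"},
    {"eventTimestamp": "2023-01-01T03:15:00Z", "caller": "svc-backup@contoso.example",
     "operationName": "Microsoft.Network/virtualNetworks/delete",
     "resourceId": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet-02",
     "status": "Failed"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_destructive(operation_name):
    """Azure control-plane deletes end in '/delete' (e.g. Microsoft.Compute/virtualMachines/delete)."""
    return operation_name.lower().endswith("/delete")


def resource_type(operation_name):
    """Strip the action: 'Microsoft.Compute/virtualMachines/delete' -> 'Microsoft.Compute/virtualMachines'."""
    return "/".join(operation_name.split("/")[:-1])


def detect_mass_deletion(events, window=timedelta(hours=3), min_deletes=5, min_types=3):
    """Return one finding per caller whose successful deletes, within any
    `window`, reach `min_deletes` and span at least `min_types` resource types.
    For each caller the largest qualifying window is reported."""
    by_caller = defaultdict(list)
    for ev in events:
        if ev["status"] != "Succeeded" or not is_destructive(ev["operationName"]):
            continue  # ignore non-deletes and failed attempts (tune if failures matter to you)
        by_caller[ev["caller"]].append(
            (parse_ts(ev["eventTimestamp"]), resource_type(ev["operationName"]), ev["resourceId"]))

    findings = []
    for caller, items in by_caller.items():
        items.sort()
        best, start = None, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide the window forward
                start += 1
            span = items[start:end + 1]
            types = {t for _, t, _ in span}
            if len(span) >= min_deletes and len(types) >= min_types and \
                    (best is None or len(span) > best["deletes"]):
                best = {"caller": caller, "first": span[0][0], "last": span[-1][0],
                        "deletes": len(span), "types": sorted(types),
                        "resources": [r for _, _, r in span]}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_mass_deletion(SAMPLE_EVENTS):
        print(f"{f['caller']}: {f['deletes']} deletes across {len(f['types'])} resource types "
              f"between {f['first']} and {f['last']}")
```

The same logic maps onto a scheduled query over the AzureActivity table in a SIEM; what matters is the combination of volume, breadth of resource types and a single principal, which separates the wipe described here from routine cleanup of one kind of resource. A finding like this should also be joined with the sign-in that started the window (the 12:38 AM login above) and with any role-assignment writes by the same caller.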

It’s worth noting that DEV-1084 is the same threat actor that assumed the “DarkBit” persona as part of a ransomware and extortion attack aimed at Technion, Israel’s leading research university, in February. Israel’s National Cyber Directorate attributed that attack to MuddyWater last month.



“DEV-1084 (…) presents itself as a criminal actor interested in blackmail, possibly as an attempt to cloud Iranian relations and the strategic motivation for the attack,” Microsoft added.

The link between Mercury and DEV-1084 stems from overlaps in infrastructure, IP addresses, and tooling, with the latter observed using a reverse tunneling utility called Neck, a staple MuddyWater artifact.

That said, there is not enough evidence to determine whether DEV-1084 operates independently of MuddyWater and collaborates with other Iranian actors, or whether it is a sub-team that is only called in when a destructive attack is required.

Cisco Talos earlier this year described MuddyWater as a “conglomerate” made up of several smaller groups rather than one cohesive group. The appearance of DEV-1084 points in this direction.

“While these teams appear to be operating independently, they are all motivated by the same factors that are in line with Iran’s national security goals, including espionage, intellectual theft, and destructive or disruptive operations based on the victims they are targeting,” Talos said in March 2022.


