Iranian hackers caught executing malicious attacks posing as ransomware
Under the cover of a ransomware operation, MuddyWater, a nation-state organization from Iran, has been seen conducting devastating operations against hybrid environments.
This is supported by recent information from the Microsoft Threat Intelligence team, which identified the threat actor as one that targets both on-premises and cloud infrastructures in conjunction with another newly-emerging activity cluster known as DEV-1084.
Although the threat actors tried to pass off their acts as a typical ransomware campaign, the unrecoverable actions suggest that the operation’s main objectives were disruption and devastation, the tech giant said in a statement on Friday.
MuddyWater is also tracked in the cybersecurity community as Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mercury, Seedworm, Static Kitten, TEMP.Zagros, and Yellow Nix.
The gang has targeted Middle Eastern countries primarily in its attacks, and during the past year, Israeli entities have been breached using the Log4Shell bug.
The threat actor likely collaborated with DEV-1084 to carry out the assault, according to the most recent information from Microsoft. DEV-1084 carried out the harmful operations after MuddyWater successfully entered the target environment.
According to Microsoft, Mercury “likely exploited known vulnerabilities in unpatched applications to gain initial access before handing access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, frequently waiting weeks or even months before moving to the next stage.”
All of these events are thought to have taken place over the course of around three hours, beginning at 12:38 a.m. (when the attacker used compromised credentials to access the Microsoft Azure environment) and finishing at 3:21 a.m. (when the attacker sent emails to other parties after the successful cloud disruption).
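The timeline above (a credential-based sign-in to the cloud tenant followed, within about three hours, by destructive operations) is the kind of pattern a defender can correlate in activity logs. The following is an added illustration, not code from the article, Microsoft, or any vendor tooling: it flags a sign-in from a source IP not previously seen for that principal when at least a threshold number of destructive operations follow it within a time window. The pipe-delimited log format, the list of "destructive" operations, the baseline of known IPs, and the sample events are all constructed assumptions for this example and are not the real Azure log schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Operations treated as destructive (constructed list for this example).
DESTRUCTIVE_OPS = {"delete_vm", "delete_storage_account", "delete_resource_group", "purge_backup"}


@dataclass
class Event:
    ts: datetime
    principal: str
    op: str
    src_ip: str


def parse_log(text: str) -> list:
    """Parse the constructed line format 'timestamp|principal|operation|source_ip'."""
    events = []
    for line in text.strip().splitlines():
        ts, principal, op, ip = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), principal, op, ip))
    return sorted(events, key=lambda e: e.ts)


def find_destructive_sessions(events, known_ips, window=timedelta(hours=3), threshold=3):
    """Flag sign-ins from an IP not in the principal's known set that are followed
    by at least `threshold` destructive operations within `window`.
    Returns (principal, sign-in timestamp ISO string, destructive-op count) tuples."""
    findings = []
    for i, e in enumerate(events):
        if e.op != "sign_in" or e.src_ip in known_ips.get(e.principal, set()):
            continue
        deadline = e.ts + window
        count = sum(
            1 for f in events[i + 1:]
            if f.principal == e.principal and f.op in DESTRUCTIVE_OPS and f.ts <= deadline
        )
        if count >= threshold:
            findings.append((e.principal, e.ts.isoformat(), count))
    return findings


# Constructed sample log. The date is a placeholder; the clock times mirror the
# 12:38 a.m. to 3:21 a.m. window described in the article.
SAMPLE_LOG = """
2023-01-01T00:10:00|alice|sign_in|10.0.0.5
2023-01-01T00:15:00|alice|list_vms|10.0.0.5
2023-01-01T00:38:00|svc-admin|sign_in|198.51.100.23
2023-01-01T00:52:00|svc-admin|list_resource_groups|198.51.100.23
2023-01-01T01:40:00|svc-admin|delete_vm|198.51.100.23
2023-01-01T02:05:00|svc-admin|delete_storage_account|198.51.100.23
2023-01-01T02:47:00|svc-admin|purge_backup|198.51.100.23
2023-01-01T03:10:00|svc-admin|delete_resource_group|198.51.100.23
2023-01-01T03:21:00|svc-admin|send_mail|198.51.100.23
"""

# Constructed baseline of source IPs previously seen per principal.
KNOWN_IPS = {"alice": {"10.0.0.5"}, "svc-admin": {"10.0.0.9"}}

if __name__ == "__main__":
    for principal, when, n in find_destructive_sessions(parse_log(SAMPLE_LOG), KNOWN_IPS):
        print(f"ALERT: {principal} signed in from a new IP at {when}; {n} destructive ops within window")
```

The window and threshold are tunable; the point is that a single unfamiliar sign-in is weak evidence on its own, but a sign-in followed by a cluster of irreversible operations in a short span is a strong signal worth paging on, and it is cheap to compute from logs most tenants already retain.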
It’s important to note that DEV-1084 relates to the same threat actor who used the alias “DarkBit” in a ransomware and extortion attempt against Israel’s Technion, a top research university, in February. The hack was traced to MuddyWater by the Israel National Cyber Directorate last month.
In an effort to conceal Iran’s involvement in the attack and its strategic goal, DEV-1084, according to Microsoft, “presented itself as a criminal actor engaged in extortion.”
However, there is not enough information to say whether DEV-1084 is a separate entity from MuddyWater that works in concert with other Iranian actors or if it is a sub-team that is only activated when a destructive strike is necessary.
Early last year, Cisco Talos referred to MuddyWater as a “conglomerate,” rather than a single, cohesive organization, because it consists of multiple smaller clusters. DEV-1084’s appearance indicates a move in this direction.
Although these teams appear to operate separately, Talos stated in March 2022 that they are all driven by the same motivations in support of Iranian national security goals: depending on the intended victims, disruptive or destructive operations, intellectual property theft, and espionage.
Author: Sanghamitra Sethy