Iran-Based Hackers Caught Carrying Out Destructive Attacks Under Ransomware Guise
The Iranian nation-state group known as MuddyWater has been observed carrying out destructive attacks on hybrid environments under the guise of a ransomware operation.
That’s according to new findings from the Microsoft Threat Intelligence team, which discovered the threat actor targeting both on-premises and cloud infrastructures in partnership with another emerging activity cluster dubbed DEV-1084.
“While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation,” the tech giant revealed Friday.
MuddyWater is the name assigned to an Iran-based actor that the U.S. government has publicly connected to the country’s Ministry of Intelligence and Security (MOIS). It’s been known to be active since at least 2017.
It’s also tracked by the cybersecurity community under various names, including Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mercury, Seedworm, Static Kitten, TEMP.Zagros, and Yellow Nix.
Attacks mounted by the group have primarily singled out Middle Eastern nations, with intrusions observed over the past year leveraging the Log4Shell flaw to breach Israeli entities.
The latest findings from Microsoft reveal the threat actor probably worked together with DEV-1084 to pull off the attack, the latter of which conducted the destructive actions after MuddyWater successfully gained a foothold onto the target environment.
“Mercury likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage,” Microsoft said.
In the activity detected by Redmond, DEV-1084 subsequently abused highly privileged compromised credentials to perform encryption of on-premise devices and large-scale deletion of cloud resources, including server farms, virtual machines, storage accounts, and virtual networks.
Furthermore, the threat actors gained full access to email inboxes through Exchange Web Services, using it to perform “thousands of search activities” and impersonate an unnamed high-ranking employee to send messages to both internal and external recipients.
All these actions are actions are estimated to have transpired over a roughly three-hour timeframe starting at 12:38 a.m. (when the attacker logged into the Microsoft Azure environment via compromised credentials) and ending at 3:21 a.m. (when the attacker sent emails to other parties after the successful cloud disruption).
It’s worth noting here that DEV-1084 refers to the same threat actor that assumed the “DarkBit” persona as part of a ransomware and extortion attack aimed at Technion, a leading research university in Israel, in February. The Israel National Cyber Directorate, last month, attributed the attack to MuddyWater.
“DEV-1084 […] presented itself as a criminal actor interested in extortion, likely as an attempt to obfuscate Iran’s link to and strategic motivation for the attack,” Microsoft added.
The links between Mercury and DEV-1084 originate from infrastructure, IP address, and tooling overlaps, with the latter observed using a reverse tunneling utility called Ligolo, a staple MuddyWater artifact.
That said, there is not ample evidence to determine if DEV-1084 operates independently of MuddyWater and collaborates with other Iranian actors, or if it’s a sub-team that’s only summoned when there is a need to conduct a destructive attack.
Cisco Talos, early last year, described MuddyWater as a “conglomerate” comprising several smaller clusters rather than a single, cohesive group. The emergence of DEV-1084 suggests a nod in this direction.
“While these teams seem to operate independently, they are all motivated by the same factors that align with Iranian national security objectives, including espionage, intellectual theft, and destructive or disruptive operations based on the victims they target,” Talos noted in March 2022.