The Israel National Cyber Directorate (INCD) issued a special report on the APT group MuddyWater, which is associated with the Iranian Intelligence Agency (MOIS). The reason for this report is that, as of Q4 2022, the INCD has observed an increasing interest in Israeli targets by the group.
MuddyWater has been active since at least 2017. It is also known as Static Kitten, Mercury, Earth Vetala, Seedworm and others. It exploits vulnerabilities such as log4j, deploys malware such as PowerShower and the MuddyWater proxy, and employs social engineering tactics such as spear-phishing.
The INCD noted that the activity was detected thanks to in-depth knowledge of the attack array's infrastructure, TTPs typical of the group's activity, and its focus on a variety of sectors, especially academia. The attack on Israel's Technion in February, for example, is attributed to MuddyWater.
At first, the attack was attributed to an unknown group called Darkbit. In reality, though, this was part of MuddyWater’s social engineering campaign. A few days before the attack, MuddyWater opened a Telegram account under the Darkbit name. This
As part of its social engineering during the Technion attack, MuddyWater opened a Telegram account under the unknown group name “Darkbit” – to which this attack was first attributed. Researchers at first believed that this was a new (or previously undiscovered) threat group, and only later made the connection to MuddyWater.
It is believed that MuddyWater's purpose in creating "Darkbit" was to establish a seemingly non-governmental channel that would criticize Israel and spread fake news – speaking as activists, rather than as a state-sponsored entity. The ransom demanded was also very steep – 80 bitcoin.