MuddyWater’s Resurgence: Iran’s Ever-Evolving Cyber Threat
A new INCD report reveals how the Iranian cyber group has intensified its attacks on Israel following the Swords of Iron war. The group has adopted advanced tactics, developed custom tools, and expanded its targeting of key sectors, posing a growing strategic threat
Iranian cyberattack group MuddyWater has undergone significant evolution since its inception. A new report by the Israel National Cyber Directorate (INCD) provides an in-depth analysis of the group’s activities within the Israeli cyber domain in 2024, focusing on its tactics, techniques, and procedures (TTPs), tools, and primary attack targets.
Discovered in 2017, MuddyWater, which operates under the Iranian Ministry of Intelligence and Security (MOIS), primarily focuses on countries in the Middle East, but has also operated in the US and in Africa. Following the outbreak of the Swords of Iron War, a marked increase in cyber activity attributed to the MuddyWater group was observed within Israel.
The INCD report notes that this resurgence follows a period of relative inactivity, which may have been influenced by the public exposure of the group's members at the CyberTech Tel Aviv conference in 2023. The exposure, which was incorporated into a speech delivered by the Head of the INCD, Gabi Portnoy, heightened awareness of the group’s operations and their potential implications.
Analysis of the group’s operations reveals a strategic emphasis on establishing sustained access within targeted organizations to gather long-term, strategic intelligence. Its primary focus is on sectors vital to the functionality of both the state and the economy, such as local authorities, civil aviation, tourism, healthcare, telecommunications, information technology, and small and medium-sized enterprises (SMEs).
MuddyWater employs various tactics such as phishing, which includes impersonating recognizable entities and distributing emails from compromised organizations, as well as tailored messages and exploiting internal organizational infrastructure.
“In the most recent broad campaign identified, the INCD detected over 10,000 email accounts, including several Israeli accounts, that received an email impersonating a legitimate software update from Microsoft. In actuality, the email contained a link designed to download and install a remote management tool (RMM),” the researchers note.
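The lure described above combines two signals a mail-filtering rule can check mechanically: the message claims to be a vendor update, yet its sender domain and download link do not belong to that vendor, and the link delivers an installer. The following triage script is an added example written for this article; it is not from the INCD report or from any MuddyWater sample. The brand-to-domain table, the installer extensions, and both sample emails are constructed assumptions.

```python
"""
Heuristic triage for update-themed brand-impersonation phishing.

Flags a message that presents itself as a Microsoft update when the sender
domain or the embedded links fall outside Microsoft-controlled domains, and
escalates when such a link points at an installer file.

Added illustrative example. LEGIT_DOMAINS, INSTALLER_EXT and the sample
messages below are constructed assumptions, not data from the INCD report.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brands we expect update notices from, mapped to the registrable
# domains they legitimately send from and link to.
LEGIT_DOMAINS = {"microsoft": {"microsoft.com", "windows.com", "office.com"}}
# Assumption: file extensions that indicate a direct installer download.
INSTALLER_EXT = (".exe", ".msi", ".zip")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def registrable(host):
    """Crude eTLD+1: keep the last two labels (adequate for .com-style hosts)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def claimed_brand(msg):
    """Which known brand does the From/Subject text claim to be?"""
    header_text = f"{msg.get('From', '')} {msg.get('Subject', '')}".lower()
    return next((b for b in LEGIT_DOMAINS if b in header_text), None)


def extract_links(msg):
    """Collect http(s) URLs from the text/plain body (single- or multipart)."""
    if msg.is_multipart():
        body = "".join(p.get_payload() for p in msg.walk()
                       if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    return URL_RE.findall(body)


def triage(raw):
    """Return brand claim, individual findings and an overall verdict."""
    msg = message_from_string(raw)
    brand = claimed_brand(msg)
    findings = []
    if brand is None:
        return {"brand": None, "findings": findings, "suspicious": False}

    legit = LEGIT_DOMAINS[brand]
    sender_addr = parseaddr(msg.get("From", ""))[1]
    sender_domain = registrable(sender_addr.rpartition("@")[2])
    sender_mismatch = sender_domain not in legit
    if sender_mismatch:
        findings.append(f"sender domain {sender_domain} is not a {brand} domain")

    installer_link = False
    for url in extract_links(msg):
        parsed = urlparse(url)
        host = registrable(parsed.hostname or "")
        off_brand = host not in legit
        installer = parsed.path.lower().endswith(INSTALLER_EXT)
        if off_brand and installer:
            installer_link = True
            findings.append(f"off-brand link delivers installer: {url}")
        elif off_brand:
            findings.append(f"off-brand link: {url}")

    # Escalate on an off-brand installer link, or on a spoofed sender that also
    # steers the reader to an off-brand site.
    suspicious = installer_link or (sender_mismatch and len(findings) > 1)
    return {"brand": brand, "findings": findings, "suspicious": suspicious}


# Constructed sample: an update-themed lure pointing at an installer.
PHISH = """\
From: Microsoft Update Center <updates@example-updates.net>
To: staff@example.org
Subject: Action required: Microsoft security update
Content-Type: text/plain

A critical update is available for your workstation.
Download and run it now: https://update-portal.example.net/MicrosoftUpdate.msi
"""

# Constructed sample: a benign notice whose sender and link stay on-brand.
BENIGN = """\
From: Microsoft <noreply@microsoft.com>
To: staff@example.org
Subject: Your Microsoft 365 update summary
Content-Type: text/plain

Read the release notes: https://support.microsoft.com/releasenotes
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, triage(raw))
```

The domain check is deliberately the weak point of this heuristic: a real filter should resolve registrable domains with a public-suffix list and pair the link check with authentication results (SPF, DKIM, DMARC) on the sending domain, since the report notes the group also sends from genuinely compromised organizations, where the sender domain itself will look legitimate.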
The threat group has significantly enhanced its capabilities over the past year, according to the report. In addition, it has developed its own offensive toolkit in-house and has improved both its persistence and its use of legitimate websites. The group invests substantial resources in developing new methods to evade detection systems, enhancing its efficiency and complicating efforts to identify its activities.