Iranian nation-state group MuddyWater has been found executing destructive attacks on hybrid environments while pretending to be a ransomware operation. Microsoft Threat Intelligence found the group targeting on-premises and cloud infrastructures, working with the emerging cluster, DEV-1084.
A deceptive collaboration
MuddyWater, linked to Iran’s Ministry of Intelligence and Security (MOIS), has been active since at least 2017. The group is known by various names within the cybersecurity community, such as Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mercury, Seedworm, Static Kitten, TEMP.Zagros, and Yellow Nix. MuddyWater is known for focusing on Middle Eastern nations and has exploited the Log4Shell vulnerability in recent attacks on Israeli entities.
According to Microsoft‘s latest findings, MuddyWater likely joined forces with DEV-1084 to carry out espionage attacks. After MuddyWater successfully infiltrated the target environment, DEV-1084 executed the destructive actions. The collaboration between the two groups involved MuddyWater exploiting known vulnerabilities in unpatched applications for initial access. Afterward, they handed off access to DEV-1084, which conducted extensive reconnaissance, established persistence, and moved laterally throughout the network.
DEV-1084’s destructive actions
DEV-1084 utilized highly privileged compromised credentials to encrypt on-premise devices and delete extensive cloud resources, including server farms, virtual machines, storage accounts, and virtual networks. The threat actors gained full access to email inboxes through Exchange Web Services, carrying out thousands of search activities and impersonating a high-ranking employee to send messages to both internal and external recipients.
The activities took place in a roughly three-hour window. First, the attacker logged into Microsoft Azure using compromised credentials. Later, after successfully disrupting the cloud environment, the attacker sent emails to other parties.
Relationship between MuddyWater and DEV-1084
The connections between MuddyWater and DEV-1084 involve infrastructure, IP address, and tooling overlaps. However, there is not enough evidence to determine their exact relationship. It is unclear if DEV-1084 operates independently, collaborates with other Iranian actors, or acts as a MuddyWater sub-team for destructive attacks. Cisco Talos previously suggested that MuddyWater is a “conglomerate” of smaller clusters, rather than a single cohesive group. The emergence of DEV-1084 supports this idea.
{{user}} {{datetime}}
{{text}}