The USG just shared some information regarding the Iranian MOIS hacker group MuddyWater. Mandiant calls this group TEMP.Zagros, which they’ve been tracking since 2017.
- We have directly observed TEMP.Zagros conduct operations against dozens of organizations spanning the government, media, energy, technology, utilities, transportation, academia, financial services, telecommunications, and construction and engineering sectors in North America, Europe, Northern Africa, the Caucasus, South Asia, West Asia, and Southeast Asia.
- While Mandiant is unable to independently confirm the attribution of TEMP.Zagros to the Iranian Ministry of Intelligence, known and suspected targets indicate that TEMP.Zagros is likely tasked to conduct reconnaissance and collect strategic information, including geopolitical, diplomatic, defense, and possibly energy-related materials that could support Iranian nation-state interests and decision making. Furthermore, the targeting of telecommunications entities may signal TEMP.Zagros’ use of third parties to enable access to primary targets and facilitate other intrusion activities.
- The group consistently updates it tactics, techniques, and procedures to ensure its cyber espionage operations are successful.
- We have observed the group sending spear-phishing emails from compromised inboxes of legitimate accounts, also known as man-in-the-mailbox behavior, containing publicly available and legitimate remote access software to perform initial compromise of a victim. The group also frequently relies on decoy content to socially engineer users to download or open a malicious attachment, such as Microsoft Office files, that contain malware.
- In recent months, TEMP.Zagros has displayed a particular focus on blending in with legitimate user behavior, for example by using the COVID-19 pandemic as a lure theme, using legitimate remote access software to gain access to a victim’s host, and even relying on Telegram channels for command-and-control communications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.