Last Updated on 28/02/2022 by Nidhi Khandelwal
In November 2021, an Iranian geopolitical-nexus threat actor was caught deploying two new pieces of targeted malware with "basic" backdoor functions as part of an intrusion against an unidentified Middle Eastern government agency.
Mandiant, a cybersecurity firm, ascribed the attack to an unnamed cluster it’s investigating under the codename UNC3313, which it believes is linked to the MuddyWater state-sponsored group with “moderate confidence.”
Researchers Ryan Tomcik, Emiel Haeghebaert, and Tufail Ahmed claimed UNC3313 conducts surveillance and collects strategic information to support Iranian goals and decision-making. “Targeting patterns and accompanying lures show a strong focus on geopolitical nexus targets.”
MuddyWater (also known as Static Kitten, Seedworm, TEMP.Zagros, or Mercury) is a subordinate element of the Iranian Ministry of Intelligence and Security (MOIS) that has been active since at least 2018 and is known to use a wide range of tools and techniques in its operations, according to US intelligence agencies.
The attacks are reported to have started with spear-phishing emails to acquire initial access, after which the actor used publicly available offensive security tools and remote access software to move laterally and maintain access to the environment.
The phishing emails duped multiple victims into clicking a URL that downloaded a RAR archive hosted on OneHub, which paved the way for the installation of ScreenConnect, a legitimate remote access tool, to gain a foothold.
“Within an hour of first intrusion, UNC3313 moved quickly to establish remote access by utilizing ScreenConnect to infiltrate systems,” the researchers said, adding that the security breach was promptly controlled and remediated.