A state-sponsored Iranian hacking group has pivoted to attacks against high-profile targets in Turkey.
This week, cybersecurity researchers from Cisco Talos said that MuddyWater, an advanced persistent threat (APT) group with ties to Iran’s Ministry of Intelligence and Security (MOIS), has been linked to campaigns against private organizations in Turkey alongside the country’s government.
Active since at least 2017, MuddyWater, also known as Mercury or Static Kitten, has been tied to attacks against organizations in the US, Israel, Europe, and the Middle East in the past.
Earlier this year, US Cyber Command linked the APT to the Iranian government, saying that MuddyWater is one of many groups “conducting Iranian intelligence activities.”
“MuddyWater is a subordinate element within the MOIS,” US Cyber Command says. “According to the Congressional Research Service, the MOIS ‘conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies.’”
According to Talos researchers Asheer Malhotra and Vitor Ventura, the latest MuddyWater campaign, dating back to November 2021, uses malicious PDFs and Microsoft Office documents as an initial attack vector.
Phishing emails containing these malicious attachments are spoofed to appear to be from the Turkish Health and Interior Ministries. Targets included the Scientific and Technological Research Council of Turkey (Tubitak).
The malicious documents contained embedded VBA macros designed to trigger a PowerShell script, leading to the execution of a downloader for executing arbitrary code, the creation of a registry key for persistence, and the use of Living Off the Land Binaries (LOLBins) to hijack the machine.
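For defenders, the chain described above (Office macro, then PowerShell, then a persistence registry key) can be hunted for by correlating process-creation and registry events. The following is an added example, not code from Talos or from this article: the event fields, rule names and sample events are constructed, and because the article does not name the registry key, the use of a `CurrentVersion\Run` key is an assumption.

```python
# Correlate process-creation and registry events to flag an Office-rooted chain:
# Office app -> (any intermediate process) -> PowerShell -> Run-key write.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
RUN_KEY = r"\currentversion\run"  # assumption: article does not name the key

# Constructed, Sysmon-like sample events (hypothetical field names and values).
EVENTS = [
    {"type": "proc", "pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "proc", "pid": 4100, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "proc", "pid": 4150, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "proc", "pid": 4200, "ppid": 4150,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "reg", "pid": 4200,
     "key": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # Benign: an admin opens PowerShell from the desktop and an app sets a Run key.
    {"type": "proc", "pid": 5000, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "reg", "pid": 5000,
     "key": r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\Sync"},
]

def base(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()

def office_in_chain(pid, procs):
    """True if pid or any known ancestor is an Office application."""
    seen = set()
    while pid in procs and pid not in seen:  # 'seen' guards against PID reuse loops
        seen.add(pid)
        if base(procs[pid]["image"]) in OFFICE:
            return True
        pid = procs[pid]["ppid"]
    return False

def detect(events):
    """Return (rule, pid) findings, processing events in arrival order."""
    procs, findings = {}, []
    for ev in events:
        if ev["type"] == "proc":
            procs[ev["pid"]] = ev
            if base(ev["image"]) in POWERSHELL and office_in_chain(ev["ppid"], procs):
                findings.append(("office-spawned-powershell", ev["pid"]))
        elif ev["type"] == "reg" and RUN_KEY in ev["key"].lower():
            if office_in_chain(ev["pid"], procs):
                findings.append(("office-rooted-run-key", ev["pid"]))
    return findings
```

Walking the full ancestor chain, rather than checking only the direct parent, keeps the rule effective when an intermediate process such as `cmd.exe` sits between the document and PowerShell.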
Once inside a target system, MuddyWater tends to focus on three aims: conducting cyberespionage for state interests; stealing intellectual property with a high economic value; and deploying ransomware to deliberately disrupt a victim organization’s operations or to “destroy evidence of their intrusions,” according to Talos.
However, the researchers were not able to secure the final payload in this campaign due to verification checks on the operator’s command-and-control (C2) server.
The APT has also adopted canary tokens to keep track of their intrusions. Canary tokens are digital “canaries” that warn that a file has been opened – and while often used by defenders to detect and monitor potential breaches, cyberattackers can also use them to track successful infections.
“Tracking tokens may also be used as another means of anti-analysis: timing checks,” Talos says. “A reasonable timing check on the duration between the token requests and the request to download a payload can indicate automated analysis. […] Tracking tokens can also be a method to detect the blocking of the payload server. If they keep receiving requests to the token but not to the payload server, that is an indication of their payload server being blocked, and by whom.”
An advisory issued by Trakya and the Turkey National Cyber Incident Response Center (USOM) warning of an APT-level attack listed IPs and an email address that were also uncovered in the Talos analysis of this campaign.