The Iranian nation-state group known as MuddyWater has been observed carrying out destructive attacks on hybrid environments under the guise of a ransomware operation. That’s according to new findings from the Microsoft Threat Intelligence team, which discovered the threat actor targeting both on-premises and cloud infrastructure in partnership with another emerging activity cluster dubbed DEV-1084.

MuddyWater is the name assigned to an Iran-based actor that the U.S. government has publicly connected to the country’s Ministry of Intelligence and Security (MOIS). It has been known to be active since at least 2017.

The latest findings from Microsoft reveal that the threat actor probably worked together with DEV-1084 to pull off the espionage attacks, with DEV-1084 conducting the destructive actions after MuddyWater had successfully gained a foothold in the target environment. In the activity detected by Redmond, DEV-1084 then abused highly privileged compromised credentials to encrypt on-premises devices and carry out large-scale deletion of cloud resources, including server farms, virtual machines, storage accounts, and virtual networks.

Furthermore, the threat actors gained full access to email inboxes through Exchange Web Services, using it to perform “thousands of search activities” and to impersonate an unnamed high-ranking employee to send messages to both internal and external recipients. The actions are estimated to have transpired over a roughly three-hour time frame starting at 12:38 a.m. (when the attacker logged into the Microsoft Azure environment via compromised credentials) and ending at 3:21 a.m. (when the attacker sent emails to other parties after the successful cloud disruption).

It’s worth noting here that DEV-1084 refers to the same threat actor that assumed the “DarkBit” persona as part of a ransomware and extortion attack aimed at Technion, a leading research university in Israel, in February.
The Israel National Cyber Directorate, last month, attributed the attack to MuddyWater. The links between Mercury (Microsoft’s name for MuddyWater) and DEV-1084 originate from infrastructure, IP address, and tooling overlaps, with the latter observed using a reverse tunneling utility called Ligolo, a staple MuddyWater artifact. That said, there is not enough evidence to determine whether DEV-1084 operates independently of MuddyWater and collaborates with other Iranian actors, or whether it’s a sub-team that’s only summoned when there is a need to conduct a destructive attack.
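The behaviour described above, a single highly privileged identity deleting many cloud resources of several kinds within a short window, is something defenders can hunt for in cloud audit logs. The following Python is an added example written for this article, not code from Microsoft’s report or from the threat actor; the log records are constructed, the caller names and timestamps are invented, and the thresholds (five deletions across three resource types within one hour) are assumptions to tune for your own environment. The record shape loosely follows Azure Activity Log fields, but any audit source that yields caller, operation, resource type and time would do.

```python
"""Hunt for a burst of cloud-resource deletions by one identity.

Added example for this article. SAMPLE_LOG is CONSTRUCTED data shaped
loosely like Azure Activity Log entries; nothing here is from a real tenant.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: one service principal deletes six resources of five
# types in under an hour, while an operator deletes two VMs hours apart.
SAMPLE_LOG = """
{"time": "2023-02-12T00:38:10Z", "caller": "svc-admin@contoso.example", "operationName": "Microsoft.Authorization/roleAssignments/write", "resourceType": "Microsoft.Authorization/roleAssignments"}
{"time": "2023-02-12T01:02:01Z", "caller": "svc-admin@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/delete", "resourceType": "Microsoft.Compute/virtualMachines"}
{"time": "2023-02-12T01:04:45Z", "caller": "svc-admin@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/delete", "resourceType": "Microsoft.Compute/virtualMachines"}
{"time": "2023-02-12T01:09:30Z", "caller": "svc-admin@contoso.example", "operationName": "Microsoft.Storage/storageAccounts/delete", "resourceType": "Microsoft.Storage/storageAccounts"}
{"time": "2023-02-12T01:15:12Z", "caller": "svc-admin@contoso.example", "operationName": "Microsoft.Network/virtualNetworks/delete", "resourceType": "Microsoft.Network/virtualNetworks"}
{"time": "2023-02-12T01:22:40Z", "caller": "svc-admin@contoso.example", "operationName": "Microsoft.Web/serverfarms/delete", "resourceType": "Microsoft.Web/serverfarms"}
{"time": "2023-02-12T01:40:05Z", "caller": "svc-admin@contoso.example", "operationName": "Microsoft.Compute/disks/delete", "resourceType": "Microsoft.Compute/disks"}
{"time": "2023-02-11T14:00:00Z", "caller": "ops@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/delete", "resourceType": "Microsoft.Compute/virtualMachines"}
{"time": "2023-02-11T15:30:00Z", "caller": "ops@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/delete", "resourceType": "Microsoft.Compute/virtualMachines"}
"""


def parse_records(text):
    """Parse newline-delimited JSON records and convert the timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_deletion_bursts(records, window=timedelta(hours=1),
                         min_deletes=5, min_types=3):
    """Return {caller: (count, resource_types, first_time, last_time)} for
    every caller whose delete operations, within some sliding window of
    length `window`, reach both thresholds. Thresholds are assumptions."""
    by_caller = defaultdict(list)
    for rec in records:
        if rec["operationName"].lower().endswith("/delete"):
            by_caller[rec["caller"]].append(rec)

    hits = {}
    for caller, events in by_caller.items():
        events.sort(key=lambda r: r["time"])
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end]["time"] - events[start]["time"] > window:
                start += 1
            span = events[start:end + 1]
            types = {r["resourceType"] for r in span}
            if len(span) >= min_deletes and len(types) >= min_types:
                if best is None or len(span) > best[0]:
                    best = (len(span), frozenset(types),
                            span[0]["time"], span[-1]["time"])
        if best is not None:
            hits[caller] = best
    return hits


if __name__ == "__main__":
    for caller, (count, types, first, last) in find_deletion_bursts(
            parse_records(SAMPLE_LOG)).items():
        print(f"ALERT {caller}: {count} deletions over {len(types)} resource "
              f"types between {first:%H:%M} and {last:%H:%M}")
```

In the constructed data only `svc-admin@contoso.example` trips the rule; the operator’s two deletions are too few and too far apart. The same sliding-window shape applies to the mailbox side of the intrusion described above: count Exchange Web Services search operations per identity per hour and alert on a volume no human reviewer would produce.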
This is not the first time state-sponsored threat actors have leveraged criminal threat actors to carry out attacks; it is a common practice used by Russia in its war against Ukraine. Although these sophisticated attacks are driven by political motivations, organizations should protect themselves as if it were any other ransomware attack. Organizations that fall victim to ransomware attacks should seek professional help from incident response and data recovery service providers and consider reporting the incident to law enforcement. Organizations should also take proactive measures to ensure they are protected from ransomware.