The United States military identified Iranian intelligence as being behind a group of hackers widely known as MuddyWater on Wednesday, confirming previous reports by private cybersecurity groups.
MuddyWater has reportedly attacked both government and private enterprise networks in the Middle East, but has also targeted organizations in the United States.
The group, also believed to be known as Seedworm, Static Kitten, TEMP.Zagros and MERCURY, has reportedly targeted government, telecom and NGO organizations in Israel, Saudi Arabia, Turkey, Jordan, Iraq, the United Arab Emirates, Pakistan and Georgia as far back as 2017.
In September 2020, MuddyWater launched a broad ransomware campaign known as Operation Quick Sand targeting prominent Israeli organizations. The attack was identified by the Israeli firm Clear Sky Cyber Security and was carried out in part via emailed PDF and Excel files.
“MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security,” Cyber Command said in a statement today.
The US agency also publicly identified a number of open-source tools used by Iranian intelligence, to help network operators identify possible Iranian attacks.
Iran has been engaged in a quiet cyberwar with its adversaries, particularly Israel and the United States. The conflict has heated up since the Donald Trump administration ramped up pressure on Tehran and walked out of the 2015 nuclear agreement in 2018.
In November, the US Department of Homeland Security, along with the UK and Australian governments, warned of widespread cyberattacks by the Iranian government. Some of the attacks targeted transportation networks and hospitals in the US, the DHS’s Cybersecurity and Infrastructure Security Agency said.
Washington’s top general, Chairman of the Joint Chiefs of Staff Gen. Mark Milley, said that month that the Pentagon’s systems are regularly hit with an “astronomical” number of attacks, though the overall success of Iranian cyberattacks on US targets remains unclear.
US Cyber Command adopted a new doctrine in 2018 known as “defend forward,” or preemptively disrupting cyberattacks on networks as far from the US homeland as possible.
“We’re in competition every day,” the head of the US National Security Agency, Gen. Paul Nakasone, said at the Aspen Security Forum in November.
“We had a new strategy that said, Hey, we’re going to operate outside the United States, and we’re going to look for adversaries that might be trying to do us harm. We’re not going to just watch anymore.”