U.S. Confirms Iranian Intel Behind Hacker Group That Hit Israel, Saudi Arabia

MuddyWater, said to be working for Iran’s Revolutionary Guard, has been linked to attacks and cyberespionage operations across the world, including an attempted airline hack

An Iranian flag is seen on a screen as Israel's Naftali Bennett speaks at a cyber conference in Tel Aviv, last year. Credit: Moti Milrod

Omer Benjakob

The U.S. has directly linked a group of hackers that has targeted Israel, Saudi Arabia and Iranian dissidents to Iran’s military intelligence.

The U.S. Cyber Command issued a warning on Wednesday against MuddyWater, identifying the group as belonging to Iran’s Intelligence and Security Ministry. “These actors ... are part of groups conducting Iranian intelligence activities,” the statement said.

Though Israeli cyber researchers and others have long said the group is affiliated with the Iranian Revolutionary Guard Corps, this is the first time the U.S. has officially identified it as such.

MuddyWater, the Cyber Command said, is “subordinate” to the Iranian ministry, which, according to the Congressional Research Service, “conducts domestic surveillance to identify regime opponents.

“It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies,” the U.S. statement noted.

The group has been active since at least 2015, using different names, and has targeted victims from Israel, Saudi Arabia, Jordan, the UAE as well as others in Asia.

The group’s hacking efforts run the gamut of cyberespionage, offensive attacks, influence operations and even cybercrime, the last of which was used to conceal its true intentions.

Two years ago, the group launched what researchers called “Operation Quicksand,” which targeted “prominent Israeli organizations.”

The attack, which was discovered by the Israeli cyber firms Profero and ClearSky, indicated a “new phase” in Iranian attacks against Israel: tools previously reserved for criminal operations were used in place of the destructive offensive cyberattacks usually deployed by state actors like Iran. The incident marked the beginning of a trend in which offensive attacks against Israel were masked using criminal tactics.

At the time, Israeli authorities refused to confirm the identity of the hackers, though the researchers linked it to an attack on Israel’s water authority and a massive attack against Saudi Arabia.

Earlier last year, the Saudi government’s National Cyber Security Center announced that the kingdom, too, had been hit by a hacking campaign bearing the group’s technical hallmarks. Palo Alto Networks, an Israeli-American cyber firm, had a few weeks earlier linked the group to attacks that targeted organizations in Saudi Arabia, Iraq, the UAE, Turkey and Israel, as well as entities outside the Middle East in Georgia, India, Pakistan and the U.S.

The Saudi security agency said in its own statement that the attacks sought to steal data from computers using email phishing techniques targeting the credentials of specific users.

Last year the group was also linked to a social media campaign revealed by Facebook that had sought to target American military officials using fake accounts. 

Just last month, researchers from IBM said the group was using Slack, popular communication software, to target an Asian airline. It was the first use of Slack for this purpose.

The group has also previously been called Static Kitten and has been known to focus almost exclusively on espionage and state-level attacks.

In the world of cyber security, attacks are attributed to specific groups through similarity in the tools and techniques they use. Thus, for example, in the months leading up to Operation Quicksand, an attempted attack on a number of Middle Eastern and North African countries was reported using a very similar technique, as was the attack on Israel’s water authority.

The report by the Israeli cyber security firms noted at the time that some key technological aspects of the hack were identical to those used during the Shamoon cyberattack against Saudi Arabia’s Aramco in August 2012. That attack, attributed to Iran, was described at the time as the biggest hack in history.
