The U.S. has directly linked a group of hackers that has targeted Israel, Saudi Arabia and Iranian dissidents to Iran’s military intelligence.
The U.S. Cyber Command issued a warning on Wednesday against MuddyWater, identifying the group as belonging to Iran’s Intelligence and Security Ministry. “These actors ... are part of groups conducting Iranian intelligence activities,” the statement said.
Though Israeli cyber researchers and others have long said the group is affiliated with the Iranian Revolutionary Guard Corps, this is the first time the U.S. has officially identified them as such.
MuddyWater, the Cyber Command said, is “subordinate” to the Iranian ministry, which, according to the Congressional Research Service, “conducts domestic surveillance to identify regime opponents.
“It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies,” the U.S. statement noted.
The group has been active since at least 2015, using different names, and has targeted victims from Israel, Saudi Arabia, Jordan, the UAE as well as others in Asia.
Their hacking efforts run the gamut of cyberespionage, offensive attacks, influence operations and even cybercrime, the last of which was used to conceal their true intentions.
Two years ago, the group launched what researchers called “Operation Quicksand,” which targeted “prominent Israeli organizations.”
The attack, which was discovered by the Israeli cyber firms Profero and ClearSky, indicated a “new phase” in Iranian attacks against Israel: tools previously reserved for criminal operations were used, rather than the destructive offensive cyberattacks usually deployed by state actors like Iran. The incident marked the beginning of a trend in which offensive attacks against Israel were masked using criminal tactics.
At the time, Israeli authorities refused to confirm the identity of the hackers, though the researchers linked it to an attack on Israel’s water authority and a massive attack against Saudi Arabia.
Earlier last year, the Saudi government’s National Cyber Security Center announced the kingdom too had been hit by a hacking campaign bearing the group’s technical hallmarks. Palo Alto Networks, an Israeli-American cyber firm, had a few weeks prior linked them to attacks that had targeted organizations in Saudi Arabia, Iraq, the UAE, Turkey and Israel, as well as entities outside the Middle East in Georgia, India, Pakistan and the U.S.
The Saudi security agency said in its own statement that the attacks sought to steal data from computers using email phishing techniques targeting the credentials of specific users.
Last year the group was also linked to a social media campaign revealed by Facebook that had sought to target American military officials using fake accounts.
Just last month, researchers from IBM said the group was using Slack, a popular communication platform, to target an Asian airline. It was the first use of Slack for this purpose.
The group has also previously been called Static Kitten and has been known to focus almost exclusively on espionage and state-level attacks.
In the world of cyber security, attacks are attributed to specific groups through similarity in the tools and techniques they use. For example, in the months leading up to Operation Quicksand, an attempted attack on a number of Middle Eastern and North African countries was reported using a very similar technique, as was the attack on Israel’s water authority.
The report by the Israeli cyber security firms noted at the time that some key technological aspects of the hack were identical to those used during the Shamoon cyberattack against Saudi Arabia’s Aramco in August 2012. That attack, attributed to Iran, was described at the time as the biggest hack in history.