Iranian Hackers Spying on Israeli Organizations
Espionage Group Uses Legitimate Tools, Lures Victims During Israel-Hamas War
Security researchers say an Iranian state hacking group is likely using spear-phishing and a legitimate content hosting service in a cyberespionage campaign targeting Israel.
Researchers at New York-based cybersecurity company Deep Instinct said the Iranian hacker group, tracked as MuddyWater, likely mounted a new campaign after the onset of fighting instigated by an Oct. 7 incursion by Hamas from the Gaza Strip into Israel.
MuddyWater - also known as Earth Vetala, Mercury, Static Kitten, Seedworm and TEMP.Zagros - used a content management system called Storyblok to host a multistage infection vector, including a .lnk file and an executable file called Diagnostic.exe that executes a legitimate remote administration tool, N-able Advanced Monitoring Agent.
"MuddyWater continues to attack Israeli targets in various ongoing campaigns," the researchers said. U.S. Cyber Command in 2022 identified MuddyWater as a "subordinate element within the Iranian Ministry of Intelligence and Security."
The multistage infection displays a decoy document to trick users into believing the malicious email came from the Israeli government. The decoy document is a copy of an Israeli government memo publicly available on the website of the Israeli Civil Service Commission and contains advice for citizens on what to do if a government worker expresses an opinion against the Israeli state on social networks.
The Israeli government in March said MuddyWater has launched a series of cyberattacks against Israeli organizations in the finance, academic and public sectors starting in late 2022. The Israeli National Cyber Directorate said the group had targeted Haifa-based Technion University in February to disseminate "disinformation with Anti-Israeli content."
The Israeli agency says the group exploits n-day vulnerabilities and uses social engineering and malicious tools such as PowerShower, PowerStallion and a MuddyWater proxy for espionage purposes.
U.S. and British government officials in 2022 said MuddyWater had conducted cyberespionage activities against telecommunications, defense, local government, and oil and natural gas sectors in Asia, Africa, Europe and North America.
"After the victim has been infected, the MuddyWater operator will connect to the infected host using the legitimate remote administration tool and will start doing reconnaissance on the target," Deep Instinct researchers said. "After the reconnaissance phase, the operator will likely execute PowerShell code which will cause the infected host to beacon to a custom C2 server."
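The infection chain described above (a dropper executable launched from a user's download location that starts a legitimate remote administration agent, followed by PowerShell beaconing from that agent) is the kind of process tree that endpoint telemetry can surface. The following is an added detection example written for this article, not code from Deep Instinct or from the threat actor: it runs a process-tree heuristic over constructed process-creation events. The agent binary name `monitoringagent.exe`, the event format, and the sample paths and process IDs are all assumptions made for the example; substitute the binary name and log schema of the RMM product deployed in your own environment.

```python
"""Process-tree heuristic for legitimate-RMM abuse (added example).

Flags a remote monitoring agent that (a) runs from a user-writable path,
(b) was launched by a parent living in a user-writable path, or
(c) spawns PowerShell. A service-installed agent under Program Files,
started by services.exe, produces no finding.
"""
from collections import defaultdict

# ASSUMPTION: placeholder agent binary name; use your RMM product's real name.
RMM_AGENT_NAMES = {"monitoringagent.exe"}
SHELL_NAMES = {"powershell.exe", "pwsh.exe"}
# Path fragments that indicate a location an ordinary user can write to.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\")

# Constructed sample events (pid, parent pid, image path, optional cmdline).
SAMPLE_EVENTS = [
    # Benign: agent started as a service from Program Files.
    {"pid": 400, "ppid": 4, "image": r"C:\Windows\System32\services.exe"},
    {"pid": 900, "ppid": 400, "image": r"C:\Program Files\RMM\monitoringagent.exe"},
    # Suspicious: explorer -> dropper in Downloads -> agent in Temp -> PowerShell.
    {"pid": 1200, "ppid": 800, "image": r"C:\Windows\explorer.exe"},
    {"pid": 3100, "ppid": 1200, "image": r"C:\Users\alice\Downloads\Diagnostic.exe"},
    {"pid": 3200, "ppid": 3100,
     "image": r"C:\Users\alice\AppData\Local\Temp\monitoringagent.exe"},
    {"pid": 3300, "ppid": 3200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64 omitted>"},
]


def _basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_user_writable(path):
    lowered = path.lower()
    return any(hint in lowered for hint in USER_WRITABLE_HINTS)


def find_rmm_abuse(events):
    """Return one finding per RMM agent process that shows abuse indicators."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if _basename(e["image"]) not in RMM_AGENT_NAMES:
            continue
        parent = by_pid.get(e["ppid"])
        reasons = []
        if _in_user_writable(e["image"]):
            reasons.append("agent binary in user-writable path")
        if parent and _in_user_writable(parent["image"]):
            reasons.append(
                "agent launched by %s from user-writable path"
                % _basename(parent["image"]))
        shells = [c for c in children[e["pid"]]
                  if _basename(c["image"]) in SHELL_NAMES]
        if shells:
            # PowerShell under an RMM agent is normal on its own; it is the
            # combination with an unusual launch path that raises severity.
            reasons.append("agent spawned PowerShell: " + shells[0].get("cmdline", ""))
        if reasons:
            findings.append({
                "agent_pid": e["pid"],
                "parent_image": parent["image"] if parent else None,
                "severity": "high" if len(reasons) >= 2 else "low",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_rmm_abuse(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the service-installed agent produces no finding, while the agent dropped under the user's Temp directory is reported once with all three indicators and severity "high". The launch-path checks are the load-bearing signal: RMM agents legitimately run PowerShell all the time, so the PowerShell child alone is only a low-severity triage hint.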