At a glance.
- US Cyber Command attributes MuddyWater to Iranian intelligence services.
- FCC considers more extensive incident reporting requirements.
MuddyWater officially attributed to Iranian intelligence.
US Cyber Command has publicly confirmed that MuddyWater, a threat group responsible for recent cyberespionage operations, is connected to Iranian intelligence. “MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS),” Cyber National Mission Force Public Affairs stated in a press release. “According to the Congressional Research Service, the MOIS ‘conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies.’” The briefing goes on to disclose details about the open-source tools being used by the threat group and lists a number of the techniques the group has used to infiltrate victim networks. ZDNet notes that, alongside the press release, MuddyWater malware samples were uploaded to the malware repository VirusTotal.
A Cyber Command spokesperson declined to explain how they obtained the tools, stating, “Some of these malware samples are variants of others already in the public domain — what is unique about this disclosure is that it provides a holistic picture of how Iranian malicious cyber actors might be collecting information through use of malware.” The Record by Recorded Future recounts that MuddyWater, also known as SeedWorm, has been active since at least 2015, and recently released research from Symantec’s Threat Hunter Team showed the group had targeted telecom operators and IT service organizations throughout the Middle East and Asia over the past six months. UPI reports that the Iranian government has not yet publicly responded to the accusations.
Morgan Wright, SentinelOne’s chief security advisor (and previously a senior advisor on the US State Department Antiterrorism Assistance Program) commented on the significance of the formal attribution:
“The recent reports by the US Cyber Command identifying Iran (a state sponsor of terrorism) as the country behind the MuddyWater threat group is significant for two reasons.
“First, the Ministry of Intelligence and Security (MOIS) is a surveillance and intelligence gathering unit and MuddyWater had been identified as a sub-unit. For US Cyber Command to specifically identify Iran, the MOIS and MuddyWater means there is ‘high confidence’ in order to assign attribution. In intelligence parlance, high confidence means the intelligence community generally thinks a judgment is based on high-quality information or that the issue is one that allows for a solid judgment. In simpler terms, US Cyber Command knows who did this because they are probably inside the MOIS networks.
“The second reason this is significant is that the two-year anniversary of the targeted killing of Qasem Soleimani, an Iranian Major General in charge of the Quds Force, was January 3, 2022. The Quds Force is one of the five branches of the Islamic Revolutionary Guard Corps (IRGC). All are on the US Treasury’s Specially Designated Nationals list. Iran has vowed revenge against Trump administration officials by adding 51 persons to their ‘sanctions list’, which is widely known to be a euphemism for targeted killings. It’s very conceivable that MuddyWater may be conducting operations in support of this ‘sanctions list’, and seeking to target US officials for attack.
“This is why the specific naming of MuddyWater as an element of the MOIS is a key point in understanding Iran’s motivations, and that they go beyond attacks against networks and critical infrastructure.”
FCC pushes for expanded incident reporting requirements.
US Federal Communications Commission (FCC) Chairperson Jessica Rosenworcel has proposed an expansion of security incident reporting requirements for internet service providers, Nextgov.com reports. In a press release, Rosenworcel expressed that current customer protection laws have not kept up with the ever-evolving cyberthreat landscape. “Customers deserve to be protected against the increase in frequency, sophistication, and scale of these data leaks, and the consequences that can last years after an exposure of personal information,” she stated. Rosenworcel’s statement comes on the heels of Congress’s recent struggles to pass comprehensive incident reporting rules, even as government leaders like Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly have warned that such requirements are imperative in preventing and reducing the impact of cyberthreats. As CyberScoop explains, Rosenworcel is proposing the elimination of the seven-business-day waiting period before customer notification of a breach, as well as a requirement instructing businesses to report breaches not just to the Federal Bureau of Investigation and Secret Service, but to the FCC as well.