CISA Alert AA22-055A – Iranian government-sponsored actors conduct cyber operations against global government and commercial networks.

This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack Zero Five Five Alpha.

​​Original release date: February Twenty Fourth, twenty twenty two.

The FBI, CISA, US Cyber Command, and the United Kingdom’s National Cyber Security Centre have observed an Iranian government-sponsored APT known as MuddyWater conducting cyber espionage and other malicious operations against a range of organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America. 

MuddyWater, also known as Earth Vetala, Mercury, Static Kitten, and Seedworm, is an element of the Iranian Ministry of Intelligence and Security. This APT group has conducted broad cyber campaigns in support of Iranian government objectives since approximately 2018. MuddyWater actors are positioned to provide stolen data and network accesses to the Iranian government and to share these with other malicious cyber actors.

MuddyWater actors are known to exploit public vulnerabilities and use open-source tools to gain access to sensitive data and deploy ransomware. These actors maintain persistence on victim networks via tactics such as side-loading dynamic link libraries to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions. MuddyWater actors have recently used variants of PowGoop, Small Sieve, Canopy (also known as Starwhale), Mori, and POWERSTATS malware along with open-source tools as part of their malicious activity. 

The alert documentation linked in the show notes provides specific mitigation actions, malware data, and indicators of compromise associated with this Iranian government-sponsored malicious cyber activity. The documentation also includes a full MITRE ATT&CK framework mapping of the threat actor TTPs.

FBI, CISA, Cyber Command, NCSC UK, and NSA recommend organizations apply the alert mitigations and review the additional resources listed in the advisory. Links can be found in the show notes.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.