U.S. Cyber Command shares new samples of suspected Iranian hacking software

Written by

U.S. Cyber Command posted more than a dozen malware samples to a public repository Wednesday, saying that if network administrators see two or more of these samples on their systems, they may have been targeted by Iranian military hackers.

The samples, posted to VirusTotal early Wednesday afternoon, represent various “open-source tools Iranian intelligence actors are using in networks around the world,” the military agency said in a statement. It’s Cyber Command’s first VirusTotal upload in nine months, according the the agency’s page on the site.

Referring to the actors as “MuddyWater” — the moniker applied to some suspected Iranian government hacking activities dating back to at least 2015 — Cyber Command’s Cyber National Mission Force shared the samples “to better enable defense” against the attackers.

Wednesday’s statement refers to MuddyWater as “a subordinate element” within the Iranian Ministry of Intelligence and Security (MOIS), an arm of the security apparatus focused on both domestic surveillance of regime opponents and anti-regime activists abroad, according to the Congressional Research Service.

It’s the first time the U.S. government has publicly attributed the group to the Iranian government. “There is no specific significance tied to the date of the release,” a Cyber Command spokesperson said.

“Iranian MOIS hacker group #MuddyWater is using a suite of malware to conduct espionage and malicious activity,” U.S. Cyber Command tweeted shortly after issuing its statement.

MuddyWater is a prolific hacking effort that has targeted multiple countries around the world, typically in the Middle East. It has also targeted European and North American countries, as well as countries in Asia. Hackers associated with the group have reportedly threatened to kill researchers who’ve come across their assets in the past.

“Iran fields multiple teams that conduct cyber espionage, cyberattack, and information operations,” Sarah Jones, senior principal analyst for threat intelligence at Mandiant, said in a statement. “The security services that sponsor these actors, the MOIS and the IRGC, are using them to get a leg up on Iran’s adversaries and competitors all over the world.”

The statement noted that MuddyWater, also known as Seedworm, has targeted dozens of organizations spanning government, media, energy, technology, utilities, transportation, academia, financial services, telecommunications and other sectors over the years, typically as part of information gathering or espionage efforts.

Cyber Command typically uses VirusTotal not only to warn potential victims, but also to call out specific U.S. cyberspace adversaries. In 2019, the agency posted 11 samples related to North Korean government hacking activity. Earlier that year it posted samples associated with APT28, the Russian government hacking operation suspected of breaching the Democratic National Committee during the 2016 U.S. election cycle.