Full Report
New research from Broadcom's Symantec and Carbon Black Threat Hunter Team has discovered evidence of an Iranian hacking group embedding itself in several U.S. companies' networks, including banks, airports, a non-profit, and the Israeli arm of a software company. The activity has been attributed to a state-sponsored hacking group called MuddyWater (aka Seedworm). It's affiliated with the Iranian
Analysis Summary
# Threat Actor: MuddyWater
## Attribution & Identity
* **Primary Name:** MuddyWater
* **Known Aliases:** Seedworm, Static Tick, Mango Sandstorm (formerly Mercury), TA450, ITG17.
* **Affiliation:** Linked to Iran's Ministry of Intelligence and Security (MOIS).
* **Actor Type:** State-sponsored/Advanced Persistent Threat (APT).
## Activity Summary
According to recent research from Broadcom's Symantec and the Carbon Black Threat Hunter Team, MuddyWater has successfully embedded itself within various U.S.-based organizational networks. This activity demonstrates a persistent presence where the group maintains long-term access to critical infrastructure and corporate systems.
## Tactics, Techniques & Procedures
* **Initial Access:** Delivery of spear-phishing emails containing malicious attachments or links to legitimate cloud storage services.
* **Persistence:** Use of legitimate Remote Monitoring and Management (RMM) tools to maintain a foothold and bypass detection.
* **Lateral Movement:** Exploitation of known vulnerabilities and credential harvesting.
* **Command and Control (C2):** Utilization of customized scripts and legitimate web services to obfuscate traffic.
* **Credential Access:** Dumping credentials from memory or localized databases.
## Targeting
* **Sectors:** Financial Services (Banks), Transportation (Airports), Non-profit Organizations, and Software Development.
* **Geography:** Primarily United States and Israel.
* **Victims:** Several unnamed U.S. companies, including those in the banking and aviation sectors, and the Israeli branch of an international software firm.
## Tools & Infrastructure
* **Abused Legitimate Tools:** Atera, ScreenConnect (ConnectWise), and RemoteUtilities (legitimate RMM tools used maliciously).
* **Custom Tooling:** MuddyC3, PowGoop, and various PowerShell-based backdoors.
* **Infrastructure:**
  * **C2:** High reliance on compromised servers and legitimate cloud environments (e.g., Dropbox, OneDrive).
  * **Defanged Examples:** hxxps[://]legit-cloud-storage[.]com/share/malicious_payload.zip
## Implications
The presence of MuddyWater in U.S. critical infrastructure (specifically banks and airports) suggests a strategic shift toward long-term espionage and potential preparation for disruptive operations. By targeting non-profits and the regional arms of software companies, the group also seeks to gain insight into geopolitical policy and supply chain vulnerabilities. The actor's ability to remain "embedded" indicates a high level of operational security and a shift toward "living off the land" techniques.
## Mitigations
* **RMM Monitoring:** Implement strict application whitelisting and monitoring for unauthorized use of Remote Monitoring and Management tools (Atera, ScreenConnect, etc.).
* **Phishing Defense:** Enhance email filtering protocols and conduct user awareness training focused on social engineering and malicious cloud storage links.
* **Multi-Factor Authentication (MFA):** Enforce robust MFA across all external-facing services to mitigate the impact of credential harvesting.
* **Endpoint Detection and Response (EDR):** Deploy and tune EDR solutions to alert on suspicious PowerShell execution and unauthorized credential dumping activities.
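As an added example (not code from the report or from the vendors named above), the RMM allowlisting mitigation applied to constructed Sysmon-style process-creation events: any of the RMM tools named in this profile running on a host where that tool is not sanctioned is flagged. The process image names, host naming pattern and log field names are assumptions for illustration; confirm them against telemetry from your own approved installs before deploying.

```python
import fnmatch
import json
from pathlib import PureWindowsPath

# Image names for the RMM tools named in the report (assumed; verify locally).
RMM_IMAGES = {
    "ateraagent.exe": "Atera",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "rutserv.exe": "RemoteUtilities",
    "rfusclient.exe": "RemoteUtilities",
}

# Allowlist: which tool is sanctioned on which hosts (glob on hostname).
# Hypothetical policy: only the helpdesk fleet may run ScreenConnect.
APPROVED = {"ScreenConnect": ["helpdesk-*"]}


def classify(event):
    """Return (tool, 'approved'|'unauthorized') for one process-creation
    event, or None when the image is not a known RMM binary."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    tool = RMM_IMAGES.get(image)
    if tool is None:
        return None
    host = event.get("Computer", "").lower()
    if any(fnmatch.fnmatch(host, p.lower()) for p in APPROVED.get(tool, [])):
        return tool, "approved"
    return tool, "unauthorized"


def find_unauthorized_rmm(lines):
    """Parse JSON event lines, skip malformed ones, return alert records."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        verdict = classify(ev)
        if verdict and verdict[1] == "unauthorized":
            alerts.append({"host": ev.get("Computer"), "tool": verdict[0],
                           "image": ev.get("Image"), "parent": ev.get("ParentImage")})
    return alerts


# Constructed sample events (trimmed Sysmon EventID 1 fields), not real telemetry.
SAMPLE_LOG = [
    '{"EventID":1,"Computer":"helpdesk-01","Image":"C:\\\\Program Files (x86)\\\\ScreenConnect Client\\\\ScreenConnect.ClientService.exe","ParentImage":"C:\\\\Windows\\\\System32\\\\services.exe"}',
    '{"EventID":1,"Computer":"fin-ws-112","Image":"C:\\\\Users\\\\j.doe\\\\AppData\\\\Local\\\\Temp\\\\AteraAgent.exe","ParentImage":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"}',
    '{"EventID":1,"Computer":"fin-ws-112","Image":"C:\\\\Windows\\\\System32\\\\notepad.exe","ParentImage":"C:\\\\Windows\\\\explorer.exe"}',
    "not json",
]

if __name__ == "__main__":
    for alert in find_unauthorized_rmm(SAMPLE_LOG):
        print(alert)
```

The same check can be pointed at a SIEM export of process-creation events; the parent image is carried in the alert because an RMM agent launched from a user temp directory by PowerShell deserves a different triage path than one started by the service control manager.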