US Links MuddyWater Hackers to Iranian Intelligence as Cyberwar Heats Up: The US military’s Cyber Command on Wednesday linked the hacking group “MuddyWater” to Iran’s Ministry of Intelligence and Security. Cyber Command also published details of the open-source tools the hackers use to gain access to networks around the globe, so that defenders can stop further attacks.
It is the first time that the U.S. government has openly connected Iran’s intelligence ministry with MuddyWater, which in recent years has tried to hack into the data of telecom firms and other organizations across Europe and the Middle East. In a post on its website, Cyber Command accused Iran of sponsoring MuddyWater.
MuddyWater is an Iranian threat group; previously, industry has reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations.
MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS). According to the Congressional Research Service, the MOIS “conducts domestic surveillance to identify regime opponents. It also surveils anti-regime activists abroad through its network of agents placed in Iran’s embassies.”
MuddyWater is a key part of Iran’s cyber-espionage organization, according to analysts. Beginning in 2019, the hacking group spent months attempting to gain access to government data networks in Turkey, Jordan, and Iraq, and it continued in earnest after the U.S. assassinated MG Qassem Soleimani, commander of Iran’s Quds Forces, in January 2020. The aim was to improve Iran’s early warning of U.S. and Israeli operations against Iranian individuals and Iranian infrastructure in Lebanon, Syria, Iraq, and Yemen, as well as in Iran itself.
Earlier in 2021, the Quds Forces set up a new cyberwarfare unit in Lebanon for Hezbollah that will be responsible for cyberattacks and collection of intelligence to attack cell phones, intercept Wi-Fi signals, collect information from social networks, and penetrate networks of Lebanese government agencies.
And with the amount of hacking going on between Iran, Israel, and the United States, there are fears of a full-blown cyberwar breaking out.
Hacking has been ongoing between the enemies for several years, most notably the alleged Israeli hack of one of the Iranian nuclear facilities at Natanz, which caused an explosion in the centrifuge assembly area. Earlier, in 2010, the U.S. attacked Iran’s nuclear facilities with a cyberwarfare virus called Stuxnet, which set back their nuclear arms research by several years.
But recently both sides have been attacking not high-level military or political targets but low-level civilian infrastructure. In December, an attack attributed to Israel hit the University of Tehran, halting online classes and web conferencing after the software running those systems was attacked. Faculty and student records were likewise unavailable.
In November, Iran’s Mahan Airlines, the country’s second-largest air carrier, had its website made inaccessible by a cyber attack. And a large-scale hack in October disabled pumps at 4,300 gas stations across the country.
The Iranians have been busy as well: an Iranian hacking group called “Charming Kitten” hit a cyber-security firm in Tel Aviv, as well as IT services firms in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, and Pakistan.
In mid-December, it was reported that a hack attributed to MuddyWater had been conducted against an unnamed Asian airline from October 2019 until December 2021. IBM’s Security X-Force cyber research professionals found that MuddyWater hackers had discovered a back door in the app Slack and were trying to access data.
MuddyWater is also known as APT35, which was linked to attacks in 2020 targeting the Trump re-election campaign, current and former U.S. government officials, journalists covering global politics, and prominent Iranians living outside Iran.
Cyber attacks against the U.S. are much more effective since we live in a very open society and have vast areas of business and infrastructure that can be targeted.
Another area Iran has moved into is “doxing” foes online. It recently posted the name, address, phone number, birth date, email address, social media handles, and a photograph of the apartment building of an Israeli cyber-security expert who reports on Iranian cyber attacks and has worked for the Israeli government.
Steve Balestrieri is a 1945 National Security Columnist. He served as a US Special Forces NCO and Warrant Officer before injuries forced his early separation. In addition to writing for 1945, he covers the NFL for PatsFans.com, and his work was regularly featured in the Millbury-Sutton Chronicle and Grafton News newspapers in Massachusetts.