A Microsoft report has uncovered a new government-backed Iranian hacking campaign. Two hacker groups, Muddy Water and DEV-1084, are believed to be deploying the cyberattacks.
- Microsoft linked the two threat actors by spotting several similarities, including two key ones:
  - DEV-1084 operators sent threatening emails from 146[.]70[.]106[.]89, an IP address previously linked to Muddy Water.
  - DEV-1084 used Mullvad VPN, a VPN also used by Muddy Water.
- According to Microsoft's report, Muddy Water made the initial deployment by taking advantage of an unpatched security flaw that has yet to be tracked by its victims.
- The group is believed to hand over the responsibility of espionage and persistence to DEV-1084.
- The latter was found to have breached server farms, virtual machines, storage accounts, and virtual networks as part of its six-step infection chain:
  - Access breach,
  - Persistence,
  - Lateral Movement,
  - Execution,
  - Impact,
  - Communications.
- Muddy Water, also known as Mercury, has been actively launching cyberattacks since at least 2017.
- Last month, the Israel National Cyber Directorate claimed that a February cyberattack against Technion University was conducted by MuddyWater.
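The report publishes the sender address in defanged form (146[.]70[.]106[.]89) so it cannot be clicked or resolved by accident. The snippet below is an added example, not part of the report or Microsoft's tooling: it refangs such an indicator and scans mail-server log lines for it, so a defender can check whether that address ever appeared in inbound mail. The log lines are constructed for the example, and the `Received:` header layout is an assumption about what a typical MTA log looks like.

```python
import re

# Indicator exactly as published in the report, in defanged form.
DEFANGED_IOC = "146[.]70[.]106[.]89"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a string that matches real log data.

    Handles the common "[.]", "(.)", "[dot]" dot substitutions and the
    "hxxp://" scheme substitution used in published threat intel.
    """
    s = indicator.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    if s.lower().startswith("hxxp"):
        s = "http" + s[4:]
    return s


def defang(indicator: str) -> str:
    """Inverse of refang() for the dot case, so hits can be reported safely."""
    return indicator.replace(".", "[.]")


# Dotted-quad matcher; the lookarounds stop "1146.70.106.89" from matching
# the shorter indicator embedded inside it.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def find_ioc_hits(log_lines, iocs):
    """Return (line_no, defanged_ip, line) for every log line that contains a listed IOC."""
    watch = {refang(i) for i in iocs}
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip in IP_RE.findall(line):
            if ip in watch:
                hits.append((n, defang(ip), line))
    return hits


# Constructed sample MTA log lines (assumed format, not from the report).
SAMPLE_LOG = [
    "Received: from mail.example.net (mail.example.net [203.0.113.7]) by mx.corp.example",
    "Received: from unknown (HELO smtp-out) [146.70.106.89] by mx.corp.example",
    "Received: from relay.example.org [198.51.100.42] by mx.corp.example",
    "Received: from bogus [1146.70.106.89] by mx.corp.example",  # must not match
]

if __name__ == "__main__":
    for line_no, ip, line in find_ioc_hits(SAMPLE_LOG, [DEFANGED_IOC]):
        print(f"line {line_no}: sender {ip} matches published IOC")
```

Reporting the hit in defanged form keeps the indicator inert when the output is pasted into a ticket or chat. In practice the watch list would be loaded from a feed rather than hard-coded, and the same matcher can be pointed at proxy or firewall logs, since the report also ties the group to a commercial VPN exit that may surface in those sources.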