
Iran-Based Hackers Caught Carrying Out Destructive Attacks Under Ransomware Guise

Cyber War/Cyber Threat:

The Iranian nation-state group known as MuddyWater has been observed carrying out destructive attacks on hybrid environments under the guise of a ransomware operation. Microsoft's Threat Intelligence team found the actor targeting both on-premises and cloud infrastructure in partnership with an emerging activity cluster that Microsoft tracks as DEV-1084. Although the actors tried to pass the activity off as a standard ransomware campaign, the unrecoverable nature of their actions shows that destruction and disruption, not extortion, were the operation's real goals.

MuddyWater has been active since at least 2017 and is tracked by the cybersecurity community under various names. Attacks mounted by the group have primarily targeted Middle Eastern nations, including intrusions over the past year that exploited the Log4Shell flaw to breach Israeli entities. Microsoft assesses that MuddyWater probably worked together with DEV-1084, which carried out the destructive actions after MuddyWater had gained a foothold in the target environment.

DEV-1084 abused highly privileged compromised credentials to encrypt on-premises devices, delete cloud resources at scale, and gain full access to email inboxes through Exchange Web Services. The actors impersonated an unnamed high-ranking employee to send messages to both internal and external recipients. All of these actions took place within roughly three hours.
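The behaviour described above, many resource deletions by one privileged identity inside a short window, is something a defender can look for in cloud control-plane logs. The following is an added example written for this page; it is not code from the original article or from Microsoft's report. It runs a sliding-window detector over a handful of constructed log lines. The record fields (time, caller, operation, resource, status) and the threshold and window values are assumptions chosen for illustration, loosely modelled on Azure Activity Log entries rather than any real schema.

```python
"""Burst-deletion detector for cloud control-plane logs (added example).

Flags a single caller that performs many successful delete operations within a
short window, the pattern attributed above to compromised privileged
credentials. Field names and thresholds are assumptions for illustration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). One caller deletes six
# resources of several types within about four minutes; a second caller
# performs routine operations, including a single isolated delete.
SAMPLE_LOG = """\
{"time": "2023-04-07T10:02:11Z", "caller": "svc-admin@contoso.example", "operation": "Microsoft.Compute/virtualMachines/delete", "resource": "/sub/rg-prod/vm-app01", "status": "Succeeded"}
{"time": "2023-04-07T10:02:40Z", "caller": "svc-admin@contoso.example", "operation": "Microsoft.Compute/virtualMachines/delete", "resource": "/sub/rg-prod/vm-app02", "status": "Succeeded"}
{"time": "2023-04-07T10:03:05Z", "caller": "ops@contoso.example", "operation": "Microsoft.Compute/virtualMachines/restart", "resource": "/sub/rg-dev/vm-test", "status": "Succeeded"}
{"time": "2023-04-07T10:03:30Z", "caller": "svc-admin@contoso.example", "operation": "Microsoft.Storage/storageAccounts/delete", "resource": "/sub/rg-prod/stprodlogs", "status": "Succeeded"}
{"time": "2023-04-07T10:04:12Z", "caller": "svc-admin@contoso.example", "operation": "Microsoft.Network/virtualNetworks/delete", "resource": "/sub/rg-prod/vnet-prod", "status": "Succeeded"}
{"time": "2023-04-07T10:05:01Z", "caller": "svc-admin@contoso.example", "operation": "Microsoft.Compute/virtualMachines/delete", "resource": "/sub/rg-prod/vm-db01", "status": "Succeeded"}
{"time": "2023-04-07T10:06:20Z", "caller": "svc-admin@contoso.example", "operation": "Microsoft.Web/serverfarms/delete", "resource": "/sub/rg-prod/asp-prod", "status": "Succeeded"}
{"time": "2023-04-07T11:30:00Z", "caller": "ops@contoso.example", "operation": "Microsoft.Compute/virtualMachines/delete", "resource": "/sub/rg-dev/vm-old", "status": "Succeeded"}
"""


def parse_records(text):
    """Parse newline-delimited JSON records and sort them by timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # ISO-8601 with a trailing Z; normalise to an aware UTC datetime.
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def detect_burst_deletions(records, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per caller whose successful deletes reach `threshold`
    within `window`. Each alert records the count, the distinct resource types
    touched (a spread across types is a stronger signal than one type), and
    the time span of the burst."""
    recent = defaultdict(deque)   # caller -> recent delete records in window
    alerted = set()
    alerts = []
    for rec in records:
        if not rec["operation"].endswith("/delete") or rec["status"] != "Succeeded":
            continue
        q = recent[rec["caller"]]
        q.append(rec)
        # Drop deletes that have aged out of the sliding window.
        while q and rec["time"] - q[0]["time"] > window:
            q.popleft()
        if len(q) >= threshold and rec["caller"] not in alerted:
            alerted.add(rec["caller"])
            types = {r["operation"].rsplit("/", 1)[0] for r in q}
            alerts.append({
                "caller": rec["caller"],
                "count": len(q),
                "resource_types": sorted(types),
                "first": q[0]["time"],
                "last": rec["time"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_burst_deletions(parse_records(SAMPLE_LOG)):
        span = (alert["last"] - alert["first"]).total_seconds() / 60
        print(f"{alert['caller']}: {alert['count']} deletes across "
              f"{len(alert['resource_types'])} resource types in {span:.1f} min")
```

The single isolated delete by the second caller does not fire, and the restart is ignored because only successful delete operations are counted. In a real deployment the threshold and window would be tuned against the organisation's normal change cadence, and the alert would be enriched with whether the caller's privileges were recently elevated.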

The Israel National Cyber Directorate attributed the attack to MuddyWater. Microsoft added that DEV-1084 presented itself as a criminal actor interested in extortion, likely to obscure Iran's link to, and strategic motivation for, the attack. Cisco Talos has described MuddyWater as a “conglomerate” of several smaller clusters rather than a single, cohesive group, and the emergence of DEV-1084 as a distinct cluster is consistent with that assessment.

In conclusion, MuddyWater has been observed carrying out destructive attacks on hybrid environments under the guise of a ransomware operation. The ransomware framing was a cover: destruction and disruption were the ultimate goals. Microsoft assesses that MuddyWater probably worked together with DEV-1084, which carried out the destructive actions once MuddyWater had gained a foothold in the target environment. The appearance of DEV-1084 as a separate cluster also fits Cisco Talos's description of MuddyWater as a “conglomerate” of smaller clusters.

Key Points:
• MuddyWater has been observed carrying out destructive attacks on hybrid environments under the guise of a ransomware operation.
• Microsoft's Threat Intelligence team found the actor targeting both on-premises and cloud infrastructure in partnership with an emerging activity cluster, DEV-1084.
• The actors tried to pass the activity off as a standard ransomware campaign, but destruction and disruption were the ultimate goals of the operation.
• DEV-1084 abused highly privileged compromised credentials to encrypt on-premises devices and delete cloud resources at scale.
• Cisco Talos has described MuddyWater as a “conglomerate” of several smaller clusters rather than a single, cohesive group; the emergence of DEV-1084 as a distinct cluster is consistent with that assessment.
