London, 16 Mar – Cyber security researchers have warned that Iranian-based cyber warfare group TEMP.Zagros, aka MuddyWater, is conducting the massive phishing campaign currently attacking both Asia and the Middle East.
This group have also significantly improved their technique, notably by using new backdoor entry tools, making them an even greater danger.
In a blog on Tuesday, FireEye researchers Sudeep Singh, Dileep Kumar Jallepalli, Yogesh Londhe and Ben Read wrote: “We observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East. In this campaign, the threat actor’s tactics, techniques and procedures shifted after about a month, as did their targets.”
Those targeted in the latest campaign, through the use of targeting scope, malicious macros, similarly-themed decoy materials, and malware, include Turkey, Pakistan, Tajikistan, and India.
This builds on other research into the group by Unit 42 and Trend Micro. On Monday, Trend Micro said that there appeared to be links between MuddyWater’s previous campaigns, documented by Unit 42 in November, and the current attacks, which trick targets into downloading infected documents that compromise their computer networks through bogus emails purporting to be from the National Assembly of Pakistan or the Institute for Development and Research in Banking Technology.
This indicates that these attacks are not isolated and will continue, which also indicates the involvement of the Iranian Regime in directing them. This current campaign has been running since January.
Sarah Hawley, the principal analyst at FireEye, said: “Given the type of entities targeted, we believe this activity is strategic in nature, primarily conducting reconnaissance and collection operations for geopolitical, defence, and economic data that could support nation-state interests and decision making… These factors, as well as the operation’s focus on geopolitical entities and targeting scope led us to assess with moderate confidence that this activity has a nexus to Iran.”
Cyber warfare is a key part of the Iranian Regime overall malign military plan. The Regime knows that it has neither the military nor economic power to take on other countries, especially the US and Saudi Arabia who have been frequent victims of Iran’s attacks in the past, and so it uses cyber warfare to gain information on their enemies capabilities, by targeting defence systems, or hamper their access to relevant data about Iran.
Much like the proxy militias that Iran has all over the Middle East, this malign military campaign allows Iran to attack other countries, while also being able to shift the blame onto someone else if they are caught.