An attack disguised as a nostalgic game: this is how the Iranian espionage operation worked

The Iranian MuddyWater group, operating on behalf of the Iranian Ministry of Intelligence, is considered one of the most active espionage groups in the Middle East. The campaign mainly targeted infrastructure organizations in Israel and another target in Egypt. According to the findings, the victims in Israel included technology companies, engineering bodies, manufacturing plants, local authorities and academic institutions, which indicates a broad effort to damage vital systems and organizations with system-wide influence capabilities.



As part of the investigation, new, previously undocumented tools were identified, designed to improve the attackers’ ability to evade detection, gather information and control the compromised systems. Among the tools was a new backdoor called MuddyViper. A backdoor is a malicious software component that attackers install after they manage to penetrate a system. Its purpose is to give them quiet, continuous access even after the initial breach has been discovered or blocked.

A number of advanced password stealers were also found, along with a malicious file built to pose as a simple computer game in order to delay its discovery. These findings indicate a growing ability on the part of the attackers to operate inside an organization over time and to carry out significant data collection without arousing suspicion.

The exposed attack method relied on targeted emails that looked completely innocent. The messages included PDF files containing a link to download remote control software, purportedly for technical support or update purposes. In practice, malicious tools were downloaded from free storage sites and installed by the victims, who did not realize this was part of a wide attack chain.
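For mail-gateway or triage use, the link-in-PDF lure described above can be checked before an attachment reaches a user. The following is an added example, not taken from the investigation: it extracts link targets from a PDF, including those inside compressed streams, and flags links to file-hosting sites or installer files. The domain list, extension list and sample PDF bytes are constructed assumptions.

```python
import re
import zlib
from urllib.parse import urlparse

# Assumption: defender-maintained list of free file-hosting domains (placeholders).
FILE_HOSTS = {"files.example", "share.example"}
# Assumption: file types treated as installer or archive downloads.
INSTALLER_EXT = (".msi", ".exe", ".zip")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)

def _decode(lit: bytes, hexs: bytes) -> str:
    if not hexs:  # literal string: strip escape backslashes (octal escapes not decoded)
        return re.sub(rb"\\(.)", rb"\1", lit).decode("latin-1")
    h = b"".join(hexs.split())  # hex string: an odd final digit is padded with 0
    return bytes.fromhex((h + b"0" * (len(h) % 2)).decode()).decode("latin-1")

def pdf_uris(data: bytes) -> list[str]:
    """Return all /URI action targets, including those in Flate-compressed streams."""
    buffers = [data]
    for m in STREAM_RE.finditer(data):
        try:  # decompressobj tolerates the end-of-line bytes left after the data
            buffers.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (image, font, encrypted content)
    return [_decode(*g) for buf in buffers for g in URI_RE.findall(buf) if any(g)]

def suspicious_links(data: bytes) -> list[str]:
    """Flag links to listed file hosts or directly to installer/archive files."""
    hits = []
    for uri in pdf_uris(data):
        try:
            u = urlparse(uri)
        except ValueError:
            continue  # malformed URL
        host = (u.hostname or "").lower()
        on_host = any(host == d or host.endswith("." + d) for d in FILE_HOSTS)
        if on_host or u.path.lower().endswith(INSTALLER_EXT):
            hits.append(uri)
    return hits

# Constructed sample: a plain link annotation plus one hidden in a Flate stream.
SAMPLE = (
    b"1 0 obj << /Subtype /Link /A << /S /URI "
    b"/URI (https://vendor.example/help\\(faq\\).html) >> >> endobj\n"
    b"2 0 obj << /Filter /FlateDecode >> stream\n"
    + zlib.compress(b"<< /S /URI /URI (https://files.example/support/update_tool.msi) >>")
    + b"\nendstream endobj\n"
)
```

`suspicious_links(SAMPLE)` returns only the installer link from the compressed stream. Encrypted PDFs and links built by JavaScript are outside what this check sees.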



As mentioned, the exposed backdoor allows the attackers to collect general information about the system, run commands, download and upload files and steal login information from the users’ browsers. These capabilities provide attackers with a stable foothold within the organization over time.

The findings of the investigation revealed that in some cases MuddyWater operated simultaneously with another Iranian group, which indicates coordination between several attack elements and the expansion of activity in several arenas at the same time. This phenomenon strengthens the assessment that this is a state-level attack operation.

The National Cyber Network recommends taking the following actions to prevent attacks: “Make sure to update the software, applications and operating systems, so that they include the latest updates. Avoid opening suspicious emails: make sure you know the sender or that he is indeed reliable and not fake as far as you know. Avoid opening attachments from an unknown party, as well as clicking on links in an email that may point to an impersonating or malicious website.”



“Do not give out your information easily, certainly not bank account and credit card details. Use strong passwords, and make sure that each service has a dedicated password for it. Avoid clicking on advertisements that look suspicious, such as a desirable product at a surprising price or winning a cash prize. The ad can be used as a platform for phishing and by clicking on the ad, for example, you will be led to an impostor website designed to steal account login details. Do not click on links sent to you on WhatsApp or Facebook. Even if they were sent by friends, you can verify with them that they actually sent the link.”

“Use two-step verification (password combined with a code sent in an SMS message) that will strengthen the protection of email or social networks.”

By Editor
