Iranian state-backed spies pose as ransomware slingers in false flag attacks

MuddyWater is muddying the waters of incident response with a ruse to cover data exfiltration and cyber-sabotage, according to a new report.


An Iranian state-sponsored espionage group is pretending to be a regular ransomware gang in a new wave of ransomware attacks targeting enterprises.

APT group MuddyWater (aka Seedworm) is masquerading as the Chaos ransomware-as-a-service group to confuse incident response and mask its spying and cyber-sabotage, according to research by security vendor Rapid7.

The attacks — geared toward stealing data rather than encrypting it — typically involve social engineering through messaging platforms such as Microsoft Teams. More specifically, the attackers utilized interactive screensharing to harvest credentials and manipulate multifactor authentication (MFA).

The attackers gained long-term persistence through remote management tools such as DWAgent. Attacks were followed with extortion messaging and leak site publication but focused on data exfiltration rather than encryption.

Organizations with strategic intelligence value, particularly in the United States, Western countries, APAC, and the Middle East, are being targeted through the ongoing campaign.

Technical artefacts, including a specific code-signing certificate and command-and-control (C2) infrastructure, allowed researchers at Rapid7 to link an incident under investigation to MuddyWater with “moderate confidence.” MuddyWater is a cyber-espionage group affiliated with Iran’s Ministry of Intelligence and Security (MOIS).

Adopting criminal tactics enables these state-aligned actors to introduce ambiguity and delay defensive response, according to Rapid7, which today published a technical blog post detailing the attack.

“If defenders see a ransom note, leak-site pressure, or a known ransomware brand, the initial response often focuses on business disruption, data theft, and negotiation,” said Christiaan Beek, VP of Cyber Intelligence at Rapid7. “That can distract from the deeper question of what access did the actor establish, what persistence remains, and what intelligence value did they gain.”

The incident highlights the increasing convergence between state-sponsored intrusion activity and cybercriminal tradecraft, according to Rapid7.

ChamelGang, a China-nexus espionage group, has been reported using ransomware to disguise espionage activity. North Korean state-linked groups have also used ransomware and cybercrime tactics, although often for revenue generation rather than pure deception.
