Security Policy Alert: Cybersecurity Advisory on Malicious Iranian Government-Sponsored Cyber Operations

February 24, 2022

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom's National Cyber Security Centre (NCSC-UK) published a joint Cybersecurity Advisory on a group of Iranian government-sponsored advanced persistent threat (APT) actors known as MuddyWater. The government has asked AAAE to share this information broadly so that airports can take specific actions to detect potential compromise, reduce the risk of becoming a victim of this malicious cyber activity, and protect their organizations from future attacks.
 
According to CISA, MuddyWater is a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). The actors are conducting cyber espionage and other malicious cyber operations against a range of government and private-sector organizations across sectors (including telecommunications, defense, local government, and oil and natural gas) in Asia, Africa, Europe, and North America.
 
MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims' systems and deploy ransomware. These actors also maintain persistence on victim networks.  
 
FBI, CISA, CNMF, and NCSC-UK have observed the Iranian government-sponsored MuddyWater APT group employing spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks. Additionally, the group uses multiple malware sets for loading malware, backdoor access, persistence, and exfiltration. 
 
A few specific actions to protect against this malicious activity are:
Search for indicators of compromise (the advisory's IOC section lists the file hashes, IP addresses, and domains to look for).
Use antivirus software and keep its signatures up to date.
Patch all systems.
Prioritize patching known exploited vulnerabilities (see CISA's Known Exploited Vulnerabilities catalog).
Train users to recognize and report phishing attempts.
Use multi-factor authentication where possible, particularly for remote access and accounts that reach critical systems.
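The first action above, searching for indicators of compromise, is the one airports are least likely to have tooling for. The following is an added example of a small IOC sweep, written for this page; it is not code from the advisory, from CISA, or from AAAE. Every indicator and log line in it is a constructed placeholder (RFC 5737 test addresses, a ".test" domain, the hash of a made-up string), so nothing here should be mistaken for a real MuddyWater indicator. In practice the IOC sets would be loaded from the advisory's IOC section and the log lines would come from DNS, proxy, and EDR exports. The sweep handles two details that naive grep misses: a DNS query for a subdomain of a listed domain (with or without a trailing dot) is a hit, and an IP inside a listed CIDR range is a hit.

```python
"""Sweep log lines for constructed indicators of compromise.

Added example, not from the CISA/FBI/CNMF/NCSC-UK advisory. All IOCs and
log lines below are made up for illustration.
"""
import hashlib
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed placeholder indicators (assumed for the example; NOT indicators
# from the advisory). Replace with the advisory's IOC section in real use.
IOC_DOMAINS = {"example-c2.test"}
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "198.51.100.0/24")]
IOC_SHA256 = {hashlib.sha256(b"constructed malicious sample").hexdigest()}

# Extractors for the three indicator types we can match in free-form log text.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\.?", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def normalize_domain(name: str) -> str:
    """Lowercase and drop the trailing dot DNS resolvers often log."""
    return name.strip().rstrip(".").lower()


def domain_hit(name: str) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None."""
    labels = normalize_domain(name).split(".")
    for i in range(len(labels) - 1):          # walk from host up to the registrable parent
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def ip_hit(addr: str) -> Optional[str]:
    """Return the IOC network containing `addr` (single hosts are /32), else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in IOC_NETWORKS:
        if ip in net:
            return str(net)
    return None


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_type, matched_ioc) for every IOC seen."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, 1):
        for h in SHA256_RE.findall(line):
            if h.lower() in IOC_SHA256:
                hits.append((lineno, "sha256", h.lower()))
        for addr in IPV4_RE.findall(line):
            match = ip_hit(addr)
            if match:
                hits.append((lineno, "ip", match))
        for dom in DOMAIN_RE.findall(line):
            match = domain_hit(dom)
            if match:
                hits.append((lineno, "domain", match))
    return hits


# Constructed sample log lines (DNS, proxy, and EDR style); not real data.
LOG_LINES = [
    "2022-02-24T10:01:02Z dns query=www.example-c2.test. client=10.0.0.5",
    "2022-02-24T10:01:05Z proxy dst=198.51.100.77:443 user=alice",
    "2022-02-24T10:02:00Z dns query=intranet.airport.local client=10.0.0.7",
    "2022-02-24T10:03:11Z edr file=C:\\Users\\bob\\Downloads\\invoice.exe sha256="
    + hashlib.sha256(b"constructed malicious sample").hexdigest(),
]

if __name__ == "__main__":
    for lineno, kind, ioc in scan_lines(LOG_LINES):
        print(f"line {lineno}: {kind} indicator {ioc}")
```

Run against the constructed lines, the sweep reports three hits (a subdomain of the listed domain on line 1, an address inside the listed /24 on line 2, and the listed hash on line 4) and correctly ignores the internal DNS query on line 3. The same structure scales to real exports by replacing the three IOC sets and reading `LOG_LINES` from files.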
 
For more information on Iranian-sponsored activity, see CISA's Iran Cyber Threat Overview and Advisories.