Iran’s regime has been known for its state-sponsored cyber-threat groups for several years. These groups have been responsible for various malicious cyber activities, including espionage, theft, and destruction. Over the past years, these groups have continuously upgraded their tools and techniques to launch more sophisticated attacks on targets in the Middle East, Europe, the US, India, and Turkey.

Recently, Microsoft’s Threat Intelligence team reported that the Iranian regime nation-state group known as MuddyWater, an Iran-based actor connected to the country’s Ministry of Intelligence and Security (MOIS), has been carrying out destructive attacks on hybrid environments disguised as ransomware operations.

The attacks were carried out in collaboration with DEV-1084, an emerging activity cluster, and aimed at destruction and disruption. MuddyWater, which primarily targets Middle Eastern nations, has been active since at least 2017 under various names, including Cobalt Ulster, ITG17, Seedworm, and Yellow Nix.

In these recent attacks, DEV-1084 used highly privileged compromised credentials to encrypt on-premises devices and delete cloud resources on a large scale, including server farms, virtual machines, storage accounts, and virtual networks.

The attackers also gained full access to email inboxes through Exchange Web Services and impersonated a high-ranking employee to send messages to both internal and external recipients. The attack lasted for three hours, with DEV-1084 disguising itself as a criminal actor interested in extortion.

Additionally, researchers at Bitdefender discovered a new malware strain called “BellaCiao,” used by Charming Kitten advanced persistent threat (APT) group, another Iranian state-sponsored group, to target organizations in the US, Europe, Turkey, and India.

The malware is a dropper that Charming Kitten uses to gain initial access to target systems. Each sample collected was custom-built for each victim, making it difficult to detect. The malware’s unique approach to receiving command-and-control (C2) commands involves passive communication through DNS name resolution, further evading detection.

Charming Kitten, operational since at least 2014, collects information on people and entities of interest to the Iranian government. After a transition of power in 2021, the group adopted a more aggressive and confrontational approach, demonstrating a willingness to use force to achieve its objectives.

Iranian regime state-sponsored groups and financially motivated threat groups often weaponize newly disclosed exploits and proof-of-concept code, with ransomware attacks being a common method for monetary gain and causing disruptions. However, Bitdefender observed a pattern of sustained involvement by Iranian groups in some campaigns, suggesting long-term objectives.

Iranian regime state-sponsored cyber-threat groups have been operating for several years and have continually upgraded their tools and techniques to launch more sophisticated attacks on their targets.

The recent findings by Microsoft and Bitdefender highlight the need for organizations to remain vigilant and take proactive measures to protect themselves against potential cyber threats from Iranian groups.