Joint Cybersecurity Advisory on Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
Critical Infrastructure Industry Partners and SLTT Partners,
Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) published a joint Cybersecurity Advisory on an observed group of Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater.
As part of Iran’s Ministry of Intelligence and Security (MOIS), the actors are conducting cyber espionage and other malicious cyber operations targeting a range of government and private sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America.
MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware. These actors also maintain persistence on victim networks.
FBI, CISA, CNMF, and NCSC-UK have observed the Iranian government-sponsored MuddyWater APT group employing spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks. Additionally, the group uses multiple malware sets for loading malware, backdoor access, persistence, and exfiltration.
A few specific actions that organizational executives and leaders can take today to protect against malicious activity are:
- Search for indicators of compromise.
- Use antivirus software.
- Patch all systems.
- Prioritize patching known exploited vulnerabilities.
- Train users to recognize and report phishing attempts.
- Use multi-factor authentication
We are urging all businesses, governments, and critical infrastructure organizations to use this joint advisory to detect potential compromise, reduce risk of being a victim of this APT malicious cyber activity, and protect their organization from future attacks.
We encourage you to share this information widely.
Protective Security Advisor, Region 5, Illinois
Cybersecurity and Infrastructure Security Agency
U.S. Department of Homeland Security
Cell: 217-299-3954 | firstname.lastname@example.org