Kaspersky Lab has revealed how the cyberweapons used by the Middle Eastern cyberespionage group MuddyWater contain multiple ‘false flag’ attempts to point the finger of attribution at Chinese, Russian, Turkish and KSA threat actors and to confuse security researchers and the authorities.
MuddyWater is an advanced threat actor that first surfaced in 2017. In October 2018, Kaspersky Lab reported on a major operation by MuddyWater targeting governmental and telecom entities in the Kingdom of Saudi Arabia (KSA), Iraq, Jordan, Lebanon and Turkey, as well as neighbouring countries such as Azerbaijan, Afghanistan and Pakistan.
The malicious tools and infrastructure uncovered during this investigation show how the threat actor tried to confuse and distract investigators and the security industry – and also reveal a string of operational security failures that ultimately meant this approach failed.
In the first publicly available report on what happens to MuddyWater victims after initial infection, Kaspersky Lab researchers outline the various deception techniques implemented by the attackers.
These include Chinese and Russian word strings in the malware code, the use of the filename ‘Turk’, as well as attempts to impersonate the RXR Saudi Arabia hacking group.
The attackers appear to have been fairly well equipped to achieve their intended goals. Most of the malicious tools discovered were relatively simple and expendable Python and PowerShell-based tools, developed mainly in-house by the group. These tools appear to have given the attackers the flexibility to adapt and customise the toolset for each victim.
“MuddyWater’s ability to continuously adjust and enhance its attacks to adapt to changes in the Middle Eastern geopolitical scene has made this group a solid adversary that keeps growing,” said Mohamad Amin Hasbini, Head of Global Research and Analysis team for META at Kaspersky Lab.
“We expect it to keep developing and to acquire additional tools, maybe even zero-days. Nevertheless, its multiple operational mistakes betray an element of weakness and provide investigators with trails that lead to important information,” he added.
Kaspersky Lab will continue to monitor the group’s activities. Details of the latest threat actor activity are available to subscribers of Kaspersky Lab’s private threat intelligence reports, which also include Indicators of Compromise (IOC) data and YARA rules to assist in forensics and malware hunting.