Not Simon 🐐

Country: Islamic Republic of Iran Organization: Ministry of Intelligence and Security (MOIS) Objective: Espionage (Page last updated November 09, 2024)

Aliases:

• MuddyWater (CERTFA, Check Point, Cisco Talos Intelligence, Clearsky, Deep Instinct, ESET Research, Group-IB, MITRE, Kaspersky, Trellix, Unit 42)
• Seedworm (Symantec)
• TEMP.Zagros (FireEye)
• Static Kitten (CrowdStrike)
• MERCURY (formerly used by Microsoft)
• Mango Sandstorm (Microsoft)
• Boggy Serpens (Unit 42)
• ENT-11 (NTT Security)
• TA450 (Proofpoint)
• Cobalt Ulster (SecureWorks)
• ATK 51 (Thales)
• T-APT-14 (Tencent)
• ITG17 (IBM)
• Yellow Nix (PWC)
• Earth Vetala (Trend Micro)

Vulnerabilities Exploited

• CVE-2023-27350 (CVSSv3: 9.8 critical) PaperCut MF/NG Improper Access Control Vulnerability. Source: Microsoft
• CVE-2021-45046 (CVSSv3: 9.0 critical) Apache Log4j2 Remote Code Execution Vulnerability (also related to Log4Shell). Source: Microsoft
• CVE-2021-44228 (CVSSv3: 10.0 critical) Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell). Source: Microsoft
• CVE-2020-0688 (CVSSv3: 8.8 high) Microsoft Exchange Validation Key Remote Code Execution Vulnerability. Source: CISA, SentinelOne
• CVE-2020-1472 (CVSSv3: 10.0 critical) Netlogon Elevation of Privilege Vulnerability (aka ZeroLogon). Source: Clearsky, CISA
• CVE-2020-0688 (CVSSv3: 8.8 high) Microsoft Exchange Validation Key Remote Code Execution Vulnerability. Source: Clearsky
• CVE-2017-0199 (CVSSv3: 7.8 high) Microsoft Office/WordPad Remote Code Execution Vulnerability. Source: Clearsky, CISA

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2024

• October 30, 2024 – Cisco Talos: Writing a BugSleep C2 server and detecting its traffic with Snort (malware analysis)
• October 22, 2024 – k3yp0d: Something phishy is happening in Armenia (independent researcher)
• July 15, 2024 – Sekoia: MuddyWater replaces Atera by custom MuddyRot implant in a recent campaign
• July 15, 2024 – Check Point Research: New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns
• May 14, 2024 – ESET Research: ESET APT Activity Report Q4 2023–Q1 2024
• April 24, 2024 – Broadcom: Seedworm exploits Atera Agent in a spear-phishing Campaign
• 22 April 2024 – HarfangLab: Increased activity from Iran sponsored APT MuddyWater, targeting Middle East, African & European organisations.
• April 08, 2024: Unit 42: Boggy Serpens (MuddyWater) Use of AutodialDLL
• April 07, 2024 – Broadcom: Seedworm distributing remote administration management software agents
• March 29, 2024 – Malwation: New MuddyWater Campaigns After Operation Swords of Iron
• March 21, 2024 – Proofpoint: Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign
• March 07, 2024 – Israel National Cyber Directorate: An active phishing campaign in Israeli territory – the Iranian attack group MuddyWater (Hebrew language)

2023

• December 19, 2023 – Symantec: Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa
• November 08, 2023 – Deep Instinct: MuddyC2Go – Latest C2 Framework Used by Iranian APT MuddyWater Spotted in Israel
• November 01, 2023 – Deep Instinct: MuddyWater eN-Able spear-phishing with new TTPs
• June 29, 2023 – Deep Instinct: PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater
• May 5, 2023 – Microsoft: Twitter: “Microsoft has now observed Iranian state-sponsored threat actors Mint Sandstorm (PHOSPHORUS) & Mango Sandstorm (MERCURY) exploiting CVE-2023-27350.”
• May 02 2023 – ESET Research: APT groups muddying the waters for MSPs
• April 18, 2023 – Group-IB: SimpleHarm: Tracking MuddyWater’s infrastructure
• April 07, 2023 – Microsoft: MERCURY and DEV-1084: Destructive attack on hybrid environment

2022

• December 08, 2022 – Deep Instinct: New MuddyWater Threat: Old Kitten; New Tricks
• September 09, 2022 – U.S. Treasury: Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities
• August 25, 2022 – Microsoft: MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations
• June 21, 2022 – Lab52: MuddyWater’s “light” first-stager targeting Middle East
• May 11, 2022 – NTT Security: Analysis of an Iranian APTs “E400” PowGoop variant reveals dozens of control servers dating back to 2020
• March 14, 2022 – EclecticIQ: MuddyWater APT attributed to Iranian Ministry of Intelligence and Security, and the Increasing Global Ransomware Threat
• March 10, 2022 – Cisco Talos: Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups
• February 24, 2022 – CISA: Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
  • February 24, 2022 – NCSC-UK: Malware Analysis Report: Small Sieve (PDF)
• January 31, 2022 – Cisco Talos: Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables
• January 13, 2022 – Picus: TTPs and IOCs Used by MuddyWater APT Group in Latest Attack Campaign
• January 12, 2022 – USCYBERCOM: Iranian intel cyber suite of malware uses open source tools (ATTRIBUTION)
• January 12, 2022 – SentinelOne: Wading Through Muddy Waters | Recent Activity of an Iranian State-Sponsored Threat Actor

2021

• December 14, 2021 – Symantec: Espionage Campaign Targets Telecoms Organizations across Middle East and Asia
• March 05, 2021 – Trend Micro: Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East
• February 10, 2021 – Anomali: Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies

2020

• October 21, 2020 – Symantec: Seedworm: Iran-Linked Group Continues to Target Organizations in the Middle East
• October 15, 2020 – Clearsky: Operation Quicksand
• February 26, 2020 – Secureworks: Business as Usual for Iranian Operations Despite Increased Tensions

2019

• June 09, 2019 – Trend Micro: New MuddyWater Activities Uncovered (PDF)
• June 06, 2019 – Clearsky: Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal
• May 29, 2019 – Group-IB: Catching fish in muddy waters
• May 20, 109 – Cisco Talos: Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques
• April 29, 2019 – Kaspersky: I know what you did last summer, MuddyWater blending in the crowd
• April 15, 2019 – Clearsky: Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey
• April 10, 2019 – Check Point: The Muddy Waters of APT Attacks
• March 07, 2019 – NSHC: SectorD02 PowerShell Backdoor Analysis

2018

• December 10, 2018 – Symantec: Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms
• November 30, 2018 – Trend Micro: New PowerShell-based Backdoor, MuddyWater Similarities
• November 28, 2018 – Clearsky: MuddyWater Operations in Lebanon and Oman
• October 10, 2018 – Kaspersky: MuddyWater expands operations
• June 14, 2018 – Trend Micro: Potential MuddyWater Campaign uses PRB-Backdoor
• March 13, 2018 – FireEye: Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign
• March 12, 2018 – Trend Micro: Potential MuddyWater Campaign Seen in the Middle East
• March 10, 2018 – Security 0wnage: A Quick Dip into MuddyWater's Recent Activity
• February 01, 2018 – Security 0wnage: Burping on MuddyWater

2017

• November 14, 2017 – Unit 42: Muddying the Water: Targeted Attacks in the Middle East
• October 04, 2017 – Security 0wnage: Continued Activity targeting the Middle East

Country: People's Republic of China (PRC) Organization: Hubei State Security Department (HSSD), of the Ministry of State Security (MSS) Objective: Espionage

Aliases:

• BRONZE VINEWOOD (Secureworks)
• Judgment Panda (CrowdStrike)
• Red keres (PwC)
• TA412 (Proofpoint)
• Violet Typhoon (Microsoft)
• ZIRCONIUM (formerly used by Microsoft, MITRE)
• RedBravo (Recorded Future)

Front Company

• Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ, 武汉晓睿智科技有限责任公司)

Identified Members

• Ni Gaobin (倪高彬)
• Weng Ming (翁明)
• Cheng Feng (程锋)
• Peng Yaowen (彭耀文)
• Sun Xiaohui (孙小辉)
• Xiong Wang (熊旺)
• Zhao Guangzong (赵光宗)

Links

• U.S. Department of Justice: Seven Hackers Associated with Chinese Government Charged with Computer Intrusions Targeting Perceived Critics of China and U.S. Businesses and Politicians (March 25, 2024)
• U.S. State Department: U.S. Takes Action to Further Disrupt PRC Cyber Activities (March 25, 2024)
• Rewards for Justice: APT31/Wuhan Xiaoruizhi Science &Technology Company, Ltd. (March 25, 2024)
• U.S. Treasury: Treasury Sanctions China-Linked Hackers for Targeting U.S. Critical Infrastructure (March 25, 2024)
• United Kingdom: UK holds China state-affiliated organisations and individuals responsible for malicious cyber activity (March 25, 2024)
• NCSC-UK: UK calls out China state-affiliated actors for malicious cyber targeting of UK democratic institutions and parliamentarians (March 25, 2024)

Country: Russia Organization: Military Unit 74455, of the Main Center for Special Technologies (GTsST), of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), formerly known as the Main Intelligence Directorate Objective: Espionage, Attack, Influence Operations

Aliases:

• UAC-0133 (CERT-UA)
• Sandworm Team (Trend Micro, MITRE)
• Sandworm (ESET, Rapid7)
• Iron Viking (SecureWorks)
• CTG-7263 (SecureWorks)
• APT44 (Google Cloud, Mandiant)
• FROZENBARENTS (Google Threat Analysis Group)
• IRIDIUM (formerly used by Microsoft)
• Seashell Blizzard (Microsoft)
• Voodoo Bear (CrowdStrike)
• ELECTRUM (Dragos)
• Quedagh
• Black Energy (Group)
• TEMP.Noble

Personas Used

• Cyber Army of Russia Reborn

Identified Members

• Yuriy Sergeyevich Andrienko:
  • Rewards for Justice
  • FBI Most Wanted
• Sergey Vladimirovich Detistov:
  • Rewards for Justice
  • FBI Most Wanted
• Pavel Valeryevich Frolov:
  • Rewards for Justice
  • FBI Most Wanted
• Anatoliy Sergeyevich Kovalev:
  • Rewards for Justice
  • FBI Most Wanted
• Artem Valeryevich Ochichenko:
  • Rewards for Justice
  • FBI Most Wanted
• Petr Nikolayevich Pliskin:
  • Rewards for Justice
  • FBI Most Wanted

Links

• U.S. Department of Defense: New Sandworm malware Cyclops Blink replaces VPNFilter (PDF, February 23, 2022)
• U.S. Department of Justice:
  • Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace (October 19, 2020)
  • Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU) (April 6, 2022)
• CISA: Infamous Chisel Malware Analysis Report (August 31, 2023)
• NSA: Government Agencies Report New Russian Malware Targets Ukrainian Military (August 31, 2023)
• NCSC-UK: New Sandworm malware Cyclops Blink replaces VPNFilter (February 23, 2022)

Country: Russian Federation Organization: Federal Security Service (FSB) Center 18 Motivation: Espionage (Page last updated October 02, 2024)

Aliases

• SEABORGIUM (formerly used by Microsoft)
• Star Blizzard (Microsoft)
• TA446 (Proofpoint)
• COLDRIVER (Google Threat Analysis Group)
• TAG-53 (formerly used by Recorded Future)
• BlueCharlie (Recorded Future)
• Iron Frontier (Secureworks)
• Blue Callisto (PwC)
• Calisto (Sekoia)
• The Callisto Group (F-Secure, now called WithSecure)
• UNC4057 (Mandiant)
• Gossamer Bear (CrowdStrike)

Identified Members

• Ruslan Aleksandrovich Peretyatko
  • Rewards for Justice
  • FBI Most Wanted
• Andrey Stanislavovich Korinets
  • Rewards for Justice
  • FBI Most Wanted

References (Sorted by Chronological Order)

2024

• October 01, 2024 – Zimperium: Zimperium Coverage on COLDRIVER Phishing Campaign
• September 07, 2024 – Free Russia Foundation: Free Russia Foundation Response to Data Breach
• April 25, 2024 – Mandiant: Poll Vaulting: Cyber Threats to Global Elections

2023

• December 13, 2023 – Sekoia: CALISTO doxxing: Sekoia.io findings concurs to Reuters’ investigation on FSB-related Andrey Korinets
• December 8, 2023:
  • NCSC-NZ: Joint Advisory: Russian state cyber actors’ global spear-phishing campaigns
  • ACSC ASD: Russian FSB cyber actor Star Blizzard continues worldwide spear-phishing campaigns
• December 7, 2023: (ATTRIBUTION)
  • NCSC-UK: Russian FSB cyber actor Star Blizzard continues worldwide spear-phishing campaigns
  • United Kingdom: UK exposes attempted Russian cyber interference in politics and democratic processes
  • CISA: Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns
  • FBI: Russian FSB cyber actor Star Blizzard continues worldwide spear-phishing campaigns. (PDF)
  • U.S. Cyber Command: US, Allies Highlight Russian-State Cyber Actor “Star Blizzard” Spear-phishing Campaigns
  • U.S. Department of Justice: Two Russian Nationals Working with Russia’s Federal Security Service Charged with Global Computer Intrusion Campaign
  • U.S. Treasury: United States and the United Kingdom Sanction Members of Russian State Intelligence-Sponsored Advanced Persistent Threat Group
  • U.S. State Department: U.S. Takes Action to Further Disrupt Russian Cyber Activities
  • Microsoft: Star Blizzard increases sophistication and evasion in ongoing attacks
• August 02, 2023 – Recorded Future: BlueCharlie, Previously Tracked as TAG-53, Continues to Deploy New Infrastructure in 2023
• February 15, 2023 – Mandiant/Google TAG: Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape (PDF)
• January 26, 2023 – NCSC-UK: SEABORGIUM and TA453 continue their respective spear-phishing campaigns against targets of interest
• January 06, 2023 – Reuters: Exclusive: Russian hackers targeted U.S. nuclear scientists (News article)

2022

• December 05, 2022:
  • Sekoia: Calisto show interests into entities involved in Ukraine war support
  • Recorded Future: Exposing TAG-53’s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations
• December 02, 2022 – PwC: Blue Callisto orbits around US Laboratories in 2022
• August 15, 2022 – Microsoft: Disrupting SEABORGIUM’s ongoing phishing operations
• June 22, 2022 – Sekoia: CALISTO continues its credential harvesting campaign
• May 03, 2022 – Google Threat Analysis Group: Update on cyber activity in Eastern Europe
• March 30, 2022 – Google Threat Analysis Group: Tracking cyber activity in Eastern Europe

2017

• April 13, 2017 – F-Secure: The Callisto Group (PDF)