top of page

New Microsoft findings reveal Iranian nation-state group MuddyWater's destructive ransomware attacks

MuddyWater, an Iran-based nation-state group, has been observed carrying out destructive attacks on hybrid environments under the guise of a ransomware operation, according to new findings from the Microsoft Threat Intelligence team. The team discovered the threat actor targeting both on-premises and cloud infrastructures in partnership with another emerging activity cluster dubbed DEV-1084. "While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation," the tech giant revealed Friday. MuddyWater is the name assigned to an Iran-based actor that the U.S. government has publicly connected to the country's Ministry of Intelligence and Security (MOIS). It's been known to be active since at least 2017. It's also tracked by the cybersecurity community under various names, including Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mercury, Seedworm, Static Kitten, TEMP.Zagros, and Yellow Nix. Cybersecurity firm Secureworks, in its profile of Cobalt Ulster, notes that it's not entirely uncommon in the realm of the threat actor to "inject false flags into code associated with their operations" as a distraction in an attempt to muddy attribution efforts. Attacks mounted by the group have primarily singled out Middle Eastern nations, with intrusions observed over the past year leveraging the Log4Shell flaw to breach Israeli entities.


bottom of page