Dubai : technology.

The cyber-weapons used by Middle Eastern cyberespionage group, MuddyWater, reveal multiple ‘false flag’ attempts to point the finger of attribution at Chinese, Russian, Turkish and Saudi Arabian threat actors and confuse security researchers and the authorities, according to an in-depth analysis of the cyber-arsenal by Kaspersky Lab.

MuddyWater is an advanced threat actor that first surfaced in 2017. In October 2018, Kaspersky Lab reported on a major operation by MuddyWater, targeting governmental and telecom targets entities in Saudi Arabia, Iraq, Jordan, Lebanon and Turkey as well as neighboring countries like Azerbaijan, Afghanistan and Pakistan. The malicious tools and infrastructure uncovered during this investigation show how the threat actor tried to confuse and distract investigators and the security industry – and also reveal a string of operational security failures that ultimately meant this approach failed.

In the first publicly available report on what happens to MuddyWater victims after initial infection, Kaspersky Lab researchers outline the various deception techniques implemented by the attackers.  These include Chinese and Russian word strings in the malware code, the use of the filename ‘Turk’, as well as attempts to impersonate the RXR Saudi Arabia hacking group.

The attackers appear to have been fairly well equipped to achieve their intended goals. Most of the malicious tools discovered were relatively simple and expendable, Python and PowerShell-based tools, and were mainly developed in-house by the group. They seemed to have allowed the attackers flexibility to adapt and customize the toolset for victims.

“MuddyWater’s ability to continuously adjust and enhance its attacks to adapt to changes in the Middle Eastern geopolitical scene, have made this group a solid adversary that keeps growing,” said Mohamad Amin Hasbini, Head of Global Research & Analysis team for META at Kaspersky Lab. “We expect it to keep developing and to acquire additional tools, maybe even zero-days. Nevertheless, its multiple operational mistakes betray an element of weakness, and provide investigators with trails that lead to important information,” he added.

Kaspersky Lab will continue to monitor the group’s activities. Details of the latest threat actor activity is available to subscribers of Kaspersky Lab’s private threat intelligence reports, which also include Indicators of Compromise (IOC) data and YARA rules to assist in forensics and malware-hunting. For more information, please contact: intelreports@kaspersky.com

More information on MuddyWater’s arsenal of malicious tools is available in the public blogpost on Securelist.