Research from Broadcom's Symantec and Carbon Black Threat Hunter Team reveals that the Iranian hacking group MuddyWater has infiltrated various U.S. companies, including banks and airports, as well as a software firm with ties to Israel. Allegedly connected to the Iranian Ministry of Intelligence and Security, this group’s activities have been linked to cyber operations that began in early February, coinciding with military actions involving the U.S. and Israel against Iran.
The security analysis indicates that the targeted software company, which serves the defense and aerospace sectors, appears to be the primary focus of these attacks. A new backdoor, referred to as Dindoor, is built on the Deno JavaScript runtime and was identified alongside attempts to exfiltrate sensitive data to a Wasabi cloud storage bucket. Meanwhile, another backdoor, named Fakeset, was discovered within the networks of a U.S. airport and a non-profit organization, with the malware traced back to downloads from Backblaze servers.
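A defender-side hunt for the pattern described above (a scripting runtime such as Deno uploading to commodity cloud storage like Wasabi or Backblaze), added here as an example and not taken from the Symantec report: the telemetry is constructed, and the storage host patterns, the parent-process allowlist and the volume threshold are assumptions to tune per environment.

```python
import re

# Constructed endpoint telemetry (not from the report): one network event per row.
SAMPLE_EVENTS = [
    {"host": "ws-101", "process": "deno.exe", "parent": "explorer.exe",
     "dest": "s3.us-east-1.wasabisys.com", "bytes_out": 48_000_000},
    {"host": "ws-102", "process": "chrome.exe", "parent": "explorer.exe",
     "dest": "s3.us-east-1.wasabisys.com", "bytes_out": 2_000},
    {"host": "ws-103", "process": "deno.exe", "parent": "winword.exe",
     "dest": "api.backblazeb2.com", "bytes_out": 900_000},
    {"host": "ws-104", "process": "deno.exe", "parent": "code.exe",
     "dest": "deno.land", "bytes_out": 10_000},
]

# Assumed endpoint patterns for Wasabi S3 and Backblaze B2 (match the registrable domain).
STORAGE_HOST_RE = re.compile(r"(^|\.)(wasabisys\.com|backblazeb2\.com)$")
# The runtime named in the report; extend with other script hosts if relevant.
SCRIPT_RUNTIMES = {"deno", "deno.exe"}
# Assumed allowlist of parents from which developers legitimately launch deno.
EXPECTED_PARENTS = {"code.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "bash"}
# Assumed threshold above which an upload from a script runtime is worth a look.
LARGE_UPLOAD_BYTES = 10_000_000


def score_event(ev):
    """Return the list of reasons an event is suspicious (empty if benign)."""
    reasons = []
    proc = ev["process"].lower()
    if proc in SCRIPT_RUNTIMES and STORAGE_HOST_RE.search(ev["dest"].lower()):
        reasons.append("script runtime contacting cloud object storage")
        if ev["parent"].lower() not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent process {ev['parent']}")
        if ev["bytes_out"] >= LARGE_UPLOAD_BYTES:
            reasons.append("large outbound volume")
    return reasons


def hunt(events):
    """Return (host, reasons) for every event that triggers at least one reason."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["host"], reasons))
    return hits


if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_EVENTS):
        print(host, "->", "; ".join(reasons))
```

The browser upload on ws-102 and the developer's deno session on ws-104 produce no hit; only the two runtime-to-storage uploads with unexpected parents are surfaced for triage.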
Notably, the digital certificate used to sign Fakeset has also been linked to other malware, including Stagecomp and Darkcomp, suggesting a consistent operational signature for MuddyWater. Experts note that Iranian cyber capabilities are increasingly sophisticated, with advanced social engineering and spear-phishing techniques, amid a growing wave of cyber activity stemming from the ongoing military tensions in the region.