The Iranian APT MuddyWater has broken into the networks of several US organisations, among them an aerospace and defence contractor, Broadcom’s Symantec and Carbon Black threat hunting team reports, with activity observed since February. The threat actor has also been present in the environments of an airport, a bank, a US/Canada NGO, and a software company with a presence in Israel.
As part of the campaign, the APT deployed a new backdoor dubbed Dindoor on the software supplier’s Israeli branch, the US bank, and the Canadian NGO; the backdoor was signed with a code-signing certificate issued to ‘Amy Cherne’. Broadcom’s team also found a Python backdoor dubbed Fakeset on the networks of a US airport and a non-profit organisation, again signed with the ‘Amy Cherne’ certificate and also with a certificate issued to ‘Donald Gay’. Both signer names are worth hunting for in signed binaries, since a valid signature from an unfamiliar individual is a weak signal of legitimacy on its own.
The observed activity has been disrupted, but other organisations might still be vulnerable to compromise, the Symantec and Carbon Black team says. MuddyWater, active since at least 2017 and also tracked as Mango Sandstorm, Mercury, Seedworm, and Static Kitten, has been officially attributed by the US to Iran’s Ministry of Intelligence and Security (MOIS).