According to researchers Ryan Tomcik, Emiel Haeghebaert and Tufail Ahmed, “UNC3313 conducts surveillance and collects strategic information to support Iranian interests and decision-making. Targeting patterns and related lures show a strong focus on geopolitical targets.”
In November 2021, an Iranian geopolitical nexus threat actor was discovered deploying two new targeted malware with “simple” backdoor functionalities as part of an intrusion against an unnamed Middle East government entity.
Mandiant, a cybersecurity firm, attributed the attack to an uncategorized cluster it’s tracking under the moniker UNC3313, which it believes is associated with the MuddyWater state-sponsored group with “moderate confidence.”
MuddyWater was identified by US intelligence agencies in mid-January 2022 as a subordinate element of the Iranian Ministry of Intelligence and Security (MOIS) that has been active since at least 2018 and is known to use a wide range of tools and techniques in its operations.
The attacks are said to have begun with spear-phishing messages to gain initial access, followed by the use of publicly available offensive security tools and remote access software for lateral movement and access to the environment. The phishing emails were designed to entice victims to click a URL to download a RAR archive file hosted on OneHub, opening the way for the installation of ScreenConnect, a legitimate remote access software for gaining a foothold.
A previously unknown backdoor known as STARWHALE, a Windows Script File (.WSF) that executes commands received through HTTP from a hardcoded command-and-control (C2) server, was also discovered.
GRAMDOOR is another implant delivered during the attack, so named because it uses the Telegram API for network communications with the attacker-controlled server in order to avoid detection, emphasising the use of communication tools to facilitate data exfiltration.
The findings also coincide with a new joint advisory from cybersecurity agencies in the United Kingdom and the United States accusing the MuddyWater group of conducting global espionage attacks against the defence, local government, oil and natural gas, and telecommunications sectors.
Finally the researchers concluded that ,” UNC3313 moved quickly to establish remote access by infiltrating systems using ScreenConnect within an hour of initial compromise, adding that the security incident was quickly contained and resolved.
Indicators of Compromise