Written by Shannon Vavra

Iran-linked hackers have been running spearphishing email campaigns against governmental organizations in Turkey, Jordan and Iraq in recent months in a likely effort to gather intelligence, according to research published Wednesday by Dell Secureworks.

Most of the targeting, which Secureworks assesses to be focused on espionage, began before the U.S. military killed Qassem Soleimani, the leader of the Iran’s Quds Force, in Baghdad early January. But Alex Tilley, a senior researcher for Secureworks, told CyberScoop the spearphishing activity has increased since the killing.

The research appears to align with information the FBI shared with industry in January, when it warned of an increase in Iranian “cyber reconnaissance activity.” The alert highlighted that Iranian hackers could be zeroing in on the defense industrial base, government agencies, academia and nongovernmental organizations.

The campaign Secureworks’ Counter Threat Unit (CTU) has observed, with activity from mid-2019 to mid-January of 2020, has also targeted intergovernmental organizations and unknown entities in Georgia and Azerbaijan, according to the CTU, which declined to share how many entities, and which ones, have been targeted.

It’s not clear if the activity increase in these apparent espionage operations is in a response to the Soleimani killing or if it is just a natural progression of the campaigns, Tilley told CyberScoop in an interview Tuesday on the sidelines of the RSA Conference in San Francisco.

And while lures from this group in the past have been related to intelligence themes, this espionage campaign is more “generic,” according to Secureworks.

Based on the victims and code similarities, Secureworks assesses the activity to be the work of MuddyWater, an Iranian hacking group that has been known to target Middle Eastern, European, and North American nations.

A new RAT

To execute its attack, MuddyWater has been sending targets malicious Microsoft Excel Spreadsheet files through .zip archives in their spearphishing messages, CTU assesses. In one version of the campaign, the Excel file delivers a remote access trojan (RAT) that has not previously been observed, according to Secureworks. The RAT, which CTU is dubbing “ForeLord,” uses DNS tunneling so that requests are directed to legitimate DNS servers but then rerouted to malicious servers controlled by the attackers.

The tools MuddyWater appears to be deploying after initial intrusion — such as a variant of the Mimikatz malware — appear to show Iran may be interested in gaining credentials from its targets.

“After gaining initial access to a host, the threat actors dropped several tools to collect credentials, test those credentials on the network, and create a reverse SSL tunnel to provide an additional access channel to the network,” the researchers write.

Prepositioning

Tilley says right now MuddyWater may be just biding its time and gathering intel.

“They are definitely looking for data [but] I haven’t seen mass exfiltration of data using these tools. It’s more of an access and recon tool,” Tilley told CyberScoop. “When you get to the next stages that’s where you start to get noisy. A lot of this activity could be seen as prepositioning activity.”

The Department of Homeland Security warned the private sector to be mindful about the risks of Iranian data-wiping attacks in January following the Soleimani killing.

“Although Iran has not launched a cyber retaliation for Soleimani’s death as of this publication, CTU researchers acknowledge that planning and coordinating for a response takes time,” Secureworks’ researchers write. “Iran has destructive and disruptive capabilities that it has historically employed for retaliatory purposes against organizations. In some cases, these responses materialized several months after provocations toward Iran occurred.”

“The kicker here is, is this prepositioning for some sort of retaliatory activity? [Iranian hackers] have shown previously they’ll wait their time, get themselves set up, and get the right activity to kick back,” Tilley said.