Destructive Iranian Attacks Masquerade as Ransomware Operations


April 10, 2023


The Iranian nation-state group known as MuddyWater has been busy conducting destructive attacks disguised as ransomware operations.

"While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation," the Hacker News reports.

“MuddyWater is the name assigned to an Iran-based actor that the U.S. government has publicly connected to the country's Ministry of Intelligence and Security (MOIS). It's been known to be active since at least 2017.”

Takeaway: This latest string of attacks from Iranian threat actor MuddyWater highlights the continued blurring of the lines between nation-state and cybercriminal ransomware operations. Criminal ransomware operations are getting more complex with stealthier attacks designed to penetrate as much of the targeted network as possible before the ransomware payload is delivered, exfiltrating sensitive data along the way. Nation-states are using the "fog of ransomware attacks" to further geopolitical efforts while enjoying a level of plausible deniability by making their espionage and destructive attacks appear to be criminally operated.

There are generally three models that exemplify this crossover. The most prolific is the Russian model, where ransomware gangs attack Western targets with impunity. These operators not only share intelligence with the Russian government; some of their targeting, and the overlap in attack infrastructure between operations, suggests they also appear to be under the direct control of the state at times. For example, Russian criminal ransomware activity dipped noticeably at the start of the war in Ukraine, strong circumstantial evidence that many Russian ransomware operators answer to the Russian government and were likely conscripted to support the war effort.

Then there is the DPRK model, where state-run operators conduct ransomware attacks that are most likely designed both to cause disruption for the targeted nations and to raise funds that the cash-strapped DPRK can divert to other purposes.

Last is the Iranian model, where ransomware or destructive wipers are deployed as a diversionary tactic alongside other attacks, or simply to cause disruption by damaging critical systems. In most cases no ransom demand is made, no serious effort is made to collect a payment, or there is no working mechanism for the victim to pay at all; the extortion is part of a grand deception.
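One practical consequence for incident responders is that "is there a viable way to pay?" is itself a triage signal: a note with no contact channel, no payment address and no victim identifier cannot lead to a decryptor even if the victim wanted one, which points to a destructive masquerade rather than a conventional extortion. The following is an added illustrative example, not code from the original post or from Halcyon; the regexes, the three verdict labels and the sample notes are constructed assumptions for the demo, not signatures for any named actor.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical heuristics (assumption for this example): the artefacts a real
# extortion operation needs in order to get paid and to map a payment back to
# a victim. Absence of all of them is a strong hint that payment was never the goal.
PATTERNS = {
    "contact_email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "onion_url": re.compile(r"https?://[a-z2-7]{16,56}\.onion\b", re.I),
    "btc_address": re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "xmr_address": re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"),
    "victim_id": re.compile(r"\b(?:id|key|personal id)\s*[:=]\s*[A-Za-z0-9]{8,}", re.I),
    "amount": re.compile(r"\b\d+(?:\.\d+)?\s*(?:btc|xmr|usd|\$)", re.I),
}


@dataclass
class Triage:
    found: Dict[str, str] = field(default_factory=dict)
    verdict: str = ""
    reasons: List[str] = field(default_factory=list)


def triage_note(text: str) -> Triage:
    """Classify a ransom note by whether the victim could actually pay and be
    identified. Verdicts are example labels, not an industry taxonomy."""
    t = Triage()
    for name, pat in PATTERNS.items():
        m = pat.search(text)
        if m:
            t.found[name] = m.group(0)
    has_contact = any(k in t.found for k in ("contact_email", "onion_url"))
    has_payment = any(k in t.found for k in ("btc_address", "xmr_address"))
    has_id = "victim_id" in t.found
    if not has_contact and not has_payment:
        t.verdict = "likely_destructive"
        t.reasons.append("no contact channel and no payment address: "
                         "victim cannot pay even if willing")
    elif not has_id:
        t.verdict = "suspicious"
        t.reasons.append("no victim/key identifier: operator cannot map a "
                         "payment to a specific decryptor")
    else:
        t.verdict = "conventional_extortion"
    return t


# Constructed sample notes (not real ransom notes). The bc1 address is the
# well-known bech32 example address, used here as a placeholder.
NOTE_A = """ALL YOUR FILES ARE ENCRYPTED!
Your network has been locked. Pay 2 BTC to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq
Contact us at support@example.test with your ID: 7F3A9C2E11
"""

NOTE_B = """Your files have been encrypted.
Do not try to recover them. We will contact you.
"""

NOTE_C = """Files encrypted. Send 1.5 BTC to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq
then email support@example.test
"""

if __name__ == "__main__":
    for label, note in (("A", NOTE_A), ("B", NOTE_B), ("C", NOTE_C)):
        r = triage_note(note)
        print(label, r.verdict, sorted(r.found), r.reasons)
```

The verdict is only a prioritisation hint. The decisive check in an incident is whether the encryption is reversible at all: whether a key was generated and sent anywhere, whether files were encrypted in place or overwritten with random data, and whether backups and volume shadow copies were destroyed. A note that looks conventional can still accompany an unrecoverable wipe.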

These models show that criminal elements have acquired capabilities that, until recently, were seen only in APT-level operations. But this also means there are potentially weeks of detectable activity on the targeted network before the ransomware payload is delivered. With the right controls in place, attacks like these can be interrupted much earlier in the kill chain. Halcyon is the industry's first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines with AI models focused specifically on stopping ransomware. Talk to a Halcyon expert today to find out more.
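To make the "weeks of detectable activity" point concrete, here is an added illustrative example, not code from the original post or from Halcyon: a small correlator over constructed endpoint telemetry that alerts once a host has shown several distinct pre-encryption stages (credential access, discovery, lateral movement, exfiltration, defense evasion), and reports how far ahead of the first encryption-like event that alert would have fired. The stage rules, field names, event types and sample events are assumptions for the demo, not a vendor detection set.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical stage rules (assumption for this example). Each maps one
# telemetry event to a pre-encryption stage of the intrusion.
STAGE_RULES = [
    ("credential_access", lambda e: e.get("event") == "process_start"
                                    and "lsass" in e.get("target", "")),
    ("discovery",         lambda e: e.get("event") == "process_start"
                                    and e.get("image") in ("net.exe", "nltest.exe", "adfind.exe")),
    ("lateral_movement",  lambda e: e.get("event") == "network_connect"
                                    and e.get("dst_port") in (445, 3389, 5985)),
    ("exfiltration",      lambda e: e.get("event") == "network_connect"
                                    and e.get("bytes_out", 0) > 500_000_000),
    ("defense_evasion",   lambda e: e.get("event") == "process_start"
                                    and e.get("image") in ("vssadmin.exe", "wbadmin.exe", "bcdedit.exe")),
]

# Constructed sample telemetry (not real logs): ISO-8601 timestamps, one event per dict.
# ws-14 walks through the whole intrusion; ws-07 shows a single benign-looking discovery command.
SAMPLE_EVENTS = [
    {"ts": "2023-03-01T09:12:00", "host": "ws-14", "event": "process_start",
     "image": "procdump.exe", "target": "lsass.exe"},
    {"ts": "2023-03-03T14:05:00", "host": "ws-14", "event": "process_start", "image": "adfind.exe"},
    {"ts": "2023-03-06T22:40:00", "host": "ws-14", "event": "network_connect",
     "dst_port": 445, "bytes_out": 20_480},
    {"ts": "2023-03-10T03:15:00", "host": "ws-14", "event": "network_connect",
     "dst_port": 443, "bytes_out": 2_300_000_000},
    {"ts": "2023-03-13T01:02:00", "host": "ws-14", "event": "process_start", "image": "vssadmin.exe"},
    {"ts": "2023-03-14T02:30:00", "host": "ws-14", "event": "mass_rename", "count": 18_500},
    {"ts": "2023-03-05T10:00:00", "host": "ws-07", "event": "process_start", "image": "net.exe"},
]


def classify(event):
    """Return the precursor stage an event belongs to, or None if it matches no rule."""
    for stage, rule in STAGE_RULES:
        if rule(event):
            return stage
    return None


def correlate(events, min_stages=3):
    """Group events by host and alert when a host has shown at least
    min_stages distinct precursor stages. For each alert, also compute the
    lead time (in whole days) to the host's first encryption-like event
    ("mass_rename" here), i.e. how early the intrusion could have been cut off."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        by_host[e["host"]].append(e)

    alerts = {}
    for host, evs in by_host.items():
        seen = {}          # stage -> timestamp of first sighting
        alert_at = None
        for e in evs:
            stage = classify(e)
            if stage and stage not in seen:
                seen[stage] = e["ts"]
                if alert_at is None and len(seen) >= min_stages:
                    alert_at = e["ts"]
        if alert_at is None:
            continue
        encryption_at = next((e["ts"] for e in evs if e["event"] == "mass_rename"), None)
        lead_days = None
        if encryption_at:
            lead_days = (datetime.fromisoformat(encryption_at)
                         - datetime.fromisoformat(alert_at)).days
        alerts[host] = {"stages": seen, "alert_at": alert_at, "lead_days": lead_days}
    return alerts


if __name__ == "__main__":
    for host, a in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: alert at {a['alert_at']}, {a['lead_days']} days before encryption; "
              f"stages={list(a['stages'])}")
```

Two design choices matter here. Alerting on the count of distinct stages rather than on any single rule keeps one `net.exe` on ws-07 from paging anyone, while still firing on ws-14 a week before the mass rename, well before exfiltration and shadow-copy deletion. And recording the first sighting per stage gives the responder a ready timeline of where to start looking once the alert does fire.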