{
"type": "bundle",
"id": "bundle--744d8b7f-30a9-4ad9-a744-10689a9240dd",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-03-22T04:59:16.032Z",
"name": "MuddyWater",
"description": "[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)",
"aliases": [
"MuddyWater",
"Earth Vetala",
"MERCURY",
"Static Kitten",
"Seedworm",
"TEMP.Zagros"
],
"x_mitre_deprecated": false,
"x_mitre_version": "4.1",
"x_mitre_contributors": [
"Ozer Sarilar, @ozersarilar, STM",
"Daniyal Naeem, BT Security"
],
"type": "intrusion-set",
"id": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
"created": "2018-04-18T17:59:24.739Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/groups/G0069",
"external_id": "G0069"
},
{
"source_name": "MERCURY",
"description": "(Citation: Anomali Static Kitten February 2021)"
},
{
"source_name": "Static Kitten",
"description": "(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)"
},
{
"source_name": "TEMP.Zagros",
"description": "(Citation: FireEye MuddyWater Mar 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)"
},
{
"source_name": "Seedworm",
"description": "(Citation: Symantec MuddyWater Dec 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)"
},
{
"source_name": "Earth Vetala",
"description": "(Citation: Trend Micro Muddy Water March 2021)"
},
{
"source_name": "MuddyWater",
"description": "(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)"
},
{
"source_name": "ClearSky MuddyWater Nov 2018",
"description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.",
"url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf"
},
{
"source_name": "ClearSky MuddyWater June 2019",
"description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020.",
"url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf"
},
{
"source_name": "CYBERCOM Iranian Intel Cyber January 2022",
"description": "Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.",
"url": "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/"
},
{
"source_name": "DHS CISA AA22-055A MuddyWater February 2022",
"description": "FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.",
"url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a"
},
{
"source_name": "Unit 42 MuddyWater Nov 2017",
"description": "Lancaster, T. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"
},
{
"source_name": "Talos MuddyWater Jan 2022",
"description": "Malhotra, A. and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.",
"url": "https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html"
},
{
"source_name": "Anomali Static Kitten February 2021",
"description": "Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.",
"url": "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies"
},
{
"source_name": "Trend Micro Muddy Water March 2021",
"description": "Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.",
"url": "https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
},
{
"source_name": "Reaqta MuddyWater November 2017",
"description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.",
"url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/"
},
{
"source_name": "FireEye MuddyWater Mar 2018",
"description": "Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.",
"url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html"
},
{
"source_name": "Symantec MuddyWater Dec 2018",
"description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.",
"url": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_domains": [
"enterprise-attack"
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
}
]
}