{ "type": "bundle", "id": "bundle--744d8b7f-30a9-4ad9-a744-10689a9240dd", "spec_version": "2.0", "objects": [ { "modified": "2023-03-22T04:59:16.032Z", "name": "MuddyWater", "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)", "aliases": [ "MuddyWater", "Earth Vetala", "MERCURY", "Static Kitten", "Seedworm", "TEMP.Zagros" ], "x_mitre_deprecated": false, "x_mitre_version": "4.1", "x_mitre_contributors": [ "Ozer Sarilar, @ozersarilar, STM", "Daniyal Naeem, BT Security" ], "type": "intrusion-set", "id": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0069", "external_id": "G0069" }, { "source_name": "MERCURY", "description": "(Citation: Anomali Static Kitten February 2021)" }, { "source_name": "Static Kitten", "description": "(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)" }, { "source_name": "TEMP.Zagros", "description": "(Citation: FireEye MuddyWater Mar 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)" }, { "source_name": "Seedworm", "description": "(Citation: Symantec MuddyWater Dec 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)" }, { "source_name": "Earth Vetala", "description": "(Citation: Trend Micro Muddy Water March 2021)" }, { "source_name": "MuddyWater", "description": "(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)" }, { "source_name": "ClearSky MuddyWater Nov 2018", "description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.", "url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" }, { "source_name": "ClearSky MuddyWater June 2019", "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020.", "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" }, { "source_name": "CYBERCOM Iranian Intel Cyber January 2022", "description": "Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.", "url": "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/" }, { "source_name": "DHS CISA AA22-055A MuddyWater February 2022", "description": "FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.", "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" }, { "source_name": "Unit 42 MuddyWater Nov 2017", "description": "Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" }, { "source_name": "Talos MuddyWater Jan 2022", "description": "Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.", "url": "https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" }, { "source_name": "Anomali Static Kitten February 2021", "description": "Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.", "url": "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" }, { "source_name": "Trend Micro Muddy Water March 2021", "description": "Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.", "url": "https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" }, { "source_name": "Reaqta MuddyWater November 2017", "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.", "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" }, { "source_name": "FireEye MuddyWater Mar 2018", "description": "Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" }, { "source_name": "Symantec MuddyWater Dec 2018", "description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.", "url": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] }