Harmonia

Mahir YUKSEL
Jan 20, 2021

MuddyWater is a threat actor that has been observed in various espionage activities and operations since it was first encountered in 2014. The “Cyber Threat Status Report” published by the STM Cyber Fusion Center and the “MuddyWater APT Analysis Report” published by the ADEO DFIR team provide detailed information on the MuddyWater actor profile and its malicious activities.

Today, cyber espionage stands before us as a field in which many countries are actively investing and operating. According to an APT (Advanced Persistent Threat) report from a security company, the average number of days before an APT attack was noticed within an institution was 260 days in 2018.

In other words, the size of the security investment made by a company, institution or organization subjected to an APT attack makes little difference. Firewall and antivirus products are often helpless in this matter because this malware uses obfuscation techniques and has the ability to bypass security products.

In 2015, John McAfee, founder of McAfee, said: “Antivirus is dead.”

What is this MuddyWater?

MuddyWater is an Iranian threat actor with a high technical profile that has been operating extensively since its first sighting in 2014. This group, also known as TEMP.Zagros and SeedWorm, conducts espionage against Middle Eastern and South Asian countries, mainly targeting governmental agencies, telecommunications, the oil sector and critical infrastructure.

Tension Between the U.S. and Iran

In recent weeks, according to two former intelligence officials, U.S. CyberCom announced that it had launched a cyber-attack against an Iranian spy group that supported limpet mine attacks on American merchant ships in the Gulf of Oman.

Sadly, our country also has a very unfortunate incident involving a limpet mine in its past. The voyage of the freighter Refah, which Turkey had ordered from England to sail to the Mediterranean Sea while World War II was raging in all its violence, became one of the most severe disasters in the history of the Turkish Navy. On June 23, 1941, the Refah, carrying the sailors assigned to bring home four Reis class submarines, sailed from Mersin without protection or escort. Refah had 199 people aboard, among them 31 crew members as well as submariners and aviators. Just 5 hours after leaving the port of Mersin, the ship sank in the waters of the Mediterranean Sea after a very powerful explosion below the hull. It was previously thought that a Vichy French submarine had sunk the ship with a torpedo it ‘accidentally’ fired, but in later years it was suggested that it could actually have been the work of the Italian submarine Ondina. Retired Naval Colonel Osman Öndeş said that the most tragic event in the history of Turkish submarines was carried out by Italian spies.

On June 21, 2019, before the events in the Strait of Hormuz erupted, U.S. CyberCom reported that an operation was being carried out against a cyber espionage organization of Iranian origin.

In fact, there are a few clues that the group U.S. CyberCom confronted is the Iranian group APT33 (also known as Elfin). In March 2019, John Lambert, director of the Microsoft Threat Intelligence Center, said in a statement that “Iranian-linked hackers are specifically targeting oil and gas, heavy industry machinery manufacturers and international major holding companies in Saudi Arabia, Germany, the UK, India and the United States.”

In addition to the links between the Nasr Institute and the Kavosh Security Group in Iran, there is also a belief that the three separate Iranian groups APT33, APT35 and MUDDYWATER are related to each other, based on the overlap between the technical and personnel analyses made by several security research groups.

One very strong example is a finding from FireEye’s 2017 report. They found that the username “xman_1365_x”, present in the PDB path inside a backdoor called TURNEDUP developed by the APT33 group, belonged to someone from the Nasr Institute. The same username was later found in the malware “NewsBeef” and “StoneDrill” as well. In March 2017, investigators linked StoneDrill to Operation Shamoon 2 and the APT35 threat actor. From this point of view, the appearance of a username from APT33 malware in other malware used by the APT35 group in its attacks reveals the relation between the two groups.

As the father of dialectics, Heraclitus of Ephesus (c. 535–475 BC), said: everything is in a state of change, but change takes place according to an unchanging law. This law requires an interaction between opposites, but this interaction takes place in such a way that it creates harmony when observed as a whole.

The war of the opposites is the only condition of existence. If it were not for this war, nothing would exist. The cosmos is the harmony arising from this war between opposites, a “harmonia”.

In conclusion, the world’s two opposite poles will ensure the continuity of this harmonia.

#muddywater #cybersecurity #harmonia #apt33