Who’s Behind Iranian Cyber Threat Actor Group MuddyWater?
On January 12, US Cyber Command attributed the Iranian cyber threat group “MuddyWater” to Iran’s Ministry of Intelligence and Security (MOIS)—one of Iran’s premier intelligence organizations accountable only to Ayatollah Khamenei, Iran’s supreme leader. Though the threat actor group has been conducting cyber espionage operations since 2017, this is the first time that the U.S. government has publicly acknowledged its ties to the MOIS. MuddyWater’s commonly targets the Middle East, as well as Europe and North America in some instances.
Why the MuddyWater-MOIS connection matters
In recent years, Iran has invested heavily in educating a new generation of cyber actors, schooling them in the technical skill sets necessary to carry out offensive and defensive cyber operations on behalf of the state; MuddyWater’s alleged former leader has played a crucial role in this process.
Having an understanding of what cyber threat actors in Iran are being taught from a technical standpoint can assist security teams better prepare for what types of attacks to expect in the future. In this article, Flashpoint analysts examine evidence that points to MuddyWater’s alleged former leader, and the impact this cyber threat actor is having on a new generation of Iranian cyber threat actors.
Green Leakers names a leader
In March, 2019, the whistleblower group “Green Leakers” alleged on Telegram that the leader of MuddyWater’s cyber operations is an Iranian individual named Farzin Karimi Marzeghan Chai (AKA Farzin Karimi). Green Leakers appears to have also created a LinkedIn profile intended to dox Farzin Karimi by reporting that he is a cyber threat actor from the Islamic Revolutionary Guard Corps (IRGC).
Flashpoint assesses that the Green Leakers’ doxxing of Karimi as a MuddyWater threat actor is credible because the Green Leakers had previously revealed command and control (C2) panels for MuddyWater malware that displayed its actual victims. The Green Leaker’s access to MuddyWater C2 panels indicated that they had successfully infiltrated MuddyWater C2 servers. Having provided proof of this type of access to MuddyWater, it is likely that the group would have also had the level of sophistication required to gather additional intelligence on the group including MuddyWater operators.
Related reading: A Second Iranian State-Sponsored Ransomware Operation ‘Project Signal’ Emerges
Although Green Leakers alleged Karimi was tied to MuddyWater—and the IRGC and US Cyber Command has since attributed MuddyWater to the MOIS—it should be noted that individual cyber threat actors working on behalf of Iran’s intelligence services are not necessarily tied to one intelligence service permanently.
For example, Iranian cyber threat actor Mehdi Farhadi was doxxed by Iranian whistleblower “Roshanegaran-Asr” in 2016 for allegedly working on behalf of the IRGC. Later, in 2019, Farhadi was doxxed by Lab Dookhtegan for being a purported APT34 actor allegedly on behalf of the MOIS. Farhadi was later indicted by the US Department of Justice for carrying out extensive state-sponsored malicious cyber activity on behalf of Iran. Based on the Farhadi’s alleged ties to both the IRGC and the MOIS at separate times, its plausible that Farhadi could have worked on behalf of both groups.
Educating a new generation of Iranian cyber threat actors
In January 2020, MuddyWater’s alleged former leader Karimi co-founded the Iranian cybersecurity research and education company Ravin Academy, along with Saeed Mojtaba Mostafavi. Mostafavi was doxxed by Lab Dookhtegan in September 2019 as an alleged APT34 cyber threat actor, just six months after the Green Leakers doxxed Karimi as a MuddyWater cyber threat actor. Due to Karimi’s recent public involvement with Ravin Academy and his doxxing in 2019, he is assumed to be the former leader of MuddyWater but could continue to be involved in MuddyWater.
According to its website and social media profiles, Ravin Academy is currently active and continues to provide offensive and defensive cyber education courses in Iran. Additionally, Ravin Academy also offers threat research and cybersecurity consulting services. Based on the history of Karimi and Mostafavi, it’s likely their work at Ravin Academy benefits both students with a desire to enter either Iran’s commercial cybersecurity industry or operate in the cyber realm on behalf of the state.
Regardless of the career path chosen by Ravin Academy students, the education provided certainly advances the regime’s objective to become a major international cyber power.
Learn More About Flashpoint Ransomware Readiness Response
Sign up for a free trial or request a demo and see firsthand how Flashpoint’s Threat Readiness and Response offerings ensure your entire team is prepared to respond to a ransomware attack and stay ahead of the ever-evolving threat actor landscape.