In a notable development, the cyber-espionage group MuddyWater, linked to Iran’s intelligence service, has extended its operations to Africa, specifically targeting telecommunications companies in Egypt, Sudan, and Tanzania. Symantec’s threat intelligence analyst, Marc Elias, indicates that this marks the first documented instance of MuddyWater’s activities on the African continent, diverging from its prior focus on the Middle East.
Read also: African Telecom CEOs urge policy changes for digital growth
Espionage and Potential Geopolitical Connections
While the recent attacks in November did not exhibit evidence of data theft, analysts, including Elias, suggest that the primary objective was likely espionage. Notably, MuddyWater has been associated with cyber-espionage activities, with previous campaigns involving entities in the Middle East. The move to African telecom companies may be indicative of the group’s adaptability in aligning its cyber operations with evolving geopolitical events.
One notable observation is the potential link between MuddyWater’s activities in Africa and the ongoing conflict between Israel and the Palestinian group Hamas, reportedly supported by Iran. Elias pointed out, “The targeted country that most stood out was Egypt, which has a border with Gaza and Israel and is quite involved in the ongoing war.” This suggests that MuddyWater may be adjusting its tactics based on broader regional conflicts.
Unveiling New Tactics: MuddyC2Go and Targeted Tools
The recent campaign revealed new tactics employed by MuddyWater, introducing a toolset known as MuddyC2Go. One distinctive feature is the use of a PowerShell launcher—a legitimate Microsoft software often misused by hackers for deploying malware. Elias emphasized, “And if we look at past operations of Iranian groups, a disruption attack could also be possible.” Discovered in November, this toolset may have been in use since 2020 for attacks in the Middle East, allowing the threat actor to gain remote access to victim systems.
In addition to the new toolset, MuddyWater utilized other tools such as SimpleHelp, a legitimate remote device control and management software. This tool can run constantly as a system service, providing attackers with persistent access to compromised devices, even after a reboot. The toolset also included Venom Proxy, a publicly available software enabling control of devices within an organization’s intranet.
Telecom Sector: A High-Value Target for Cyber-Espionage
The choice to target telecommunications companies aligns with broader trends observed in cyber-espionage activities. Researchers at Cisco Talos highlighted, “Telecommunication companies have a huge amount of visibility into national and global internet traffic and are of high value, especially for state-sponsored groups.” MuddyWater, active since at least 2017, has consistently demonstrated an interest in telecom organizations. This underscores the strategic importance of the sector in gathering intelligence.
The targeting of African telecom companies by MuddyWater signifies a strategic expansion of its scope, raising concerns about the increasing sophistication and adaptability of cyber threat actors. As these activities unfold, it underscores the critical importance for organizations in the region to bolster their cybersecurity measures to mitigate potential risks and safeguard sensitive information.
