An Iranian state-sponsored hacking group has expanded its cyberwar operations into U.S. and Israeli networks amid rising regional tensions.
MuddyWater, also known as Seedworm and Mercury, has compromised networks in the U.S., Israel, and Canada, targeting an aerospace/defense contractor, a bank, and NGOs.
The group has deployed two backdoors—Dindoor and Fakeset—signed with certificates attributed to 'Amy Cherne' and 'Donald Gay.' These signatures suggest a deliberate effort to mimic legitimate software, a tactic consistent with the group’s historical use of certificate spoofing to evade detection.
It is not known whether Seedworm's operations have been disrupted by the current conflict, but because the group already had a foothold on U.S. and Israeli networks before hostilities began, it is in a potentially dangerous position to launch attacks.
Officially linked to Iran’s Ministry of Intelligence and Security (MOIS), MuddyWater has been active since 2017.
The APT previously deployed Android spyware during the Israel-Iran conflict and hacked live CCTV feeds for a missile attack in 2023.
The surge in its activity aligns with recent U.S.-Israel-Iran military strikes, suggesting a strategic escalation in cyber operations as part of broader geopolitical maneuvering.
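Because the report's most actionable detail is that the two backdoors carry code-signing certificates issued to the names above, a defender's first check is whether any binary on a host is signed under those subjects. The following PowerShell hunt is an added example, not code from the article or from either cited source; the scan roots and the watchlist are assumptions of this example (the names come from the report, but no certificate thumbprints or file hashes are published there, so none are used), and it requires a Windows host with PowerShell 5.1 or later.

```powershell
# Added example (not from the article): hunt for executables whose Authenticode
# signer subject matches the certificate names the report associates with the
# Dindoor and Fakeset backdoors. Scan roots and the watchlist are assumptions.
$ScanRoots = @("$env:ProgramData", "$env:TEMP", "$env:USERPROFILE\Downloads")
$SignerWatchlist = @('Amy Cherne', 'Donald Gay')   # names as reported in the article

$hits = foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # Unsigned files have no SignerCertificate; skip them here (a separate
        # unsigned-binary hunt is a different question).
        if ($sig.SignerCertificate) {
            $subject = $sig.SignerCertificate.Subject
            foreach ($name in $SignerWatchlist) {
                if ($subject -like "*CN=$name*") {
                    [pscustomobject]@{
                        Path       = $_.FullName
                        Subject    = $subject
                        # Thumbprint is the value to pivot on: a name can be reused
                        # on many certificates, a thumbprint identifies one.
                        Thumbprint = $sig.SignerCertificate.Thumbprint
                        # Valid means the chain verified; it says nothing about
                        # whether the signed code is benign.
                        Status     = $sig.Status
                        SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    }
                }
            }
        }
    }
}

$hits | Format-Table -AutoSize
```

Two caveats when reading the output: a signer name is a weak indicator on its own, so treat any match as a lead to be confirmed by thumbprint and file hash rather than as a verdict, and a `Status` of `Valid` only means Windows could build a trust chain, which is exactly the property a spoofed or fraudulently obtained certificate is meant to achieve.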
Source: Thehackernews | Securityweek