The Microsoft Threat Intelligence team has identified the MuddyWater APT group (also known as MERCURY) as responsible for a series of destructive attacks on hybrid environments. The attacks were disguised as a ransomware operation but were designed to cause damage to both on-premises and cloud environments.
Microsoft suggests that MERCURY likely partnered with another actor, tracked as DEV-1084, to carry out the attacks. MERCURY is linked to Iran’s Ministry of Intelligence and Security (MOIS), according to USCYBERCOM.
The attackers likely gained initial access by exploiting known vulnerabilities in unpatched applications before handing off access to DEV-1084, which conducted extensive reconnaissance and established persistence. DEV-1084 was then observed using highly privileged compromised credentials to cause damage to server farms, virtual machines, storage accounts, and virtual networks.
Microsoft suggests that the hackers used highly privileged credentials and access to domain controllers to bypass security defenses and deploy the ransomware payload in NETLOGON shares on several domain controllers.
The group maintained persistence by registering a scheduled task using Group Policy Objects (GPO) and employed Exchange Web Services to gain full access to email inboxes. The attackers performed “thousands of search activities” and impersonated a high-ranking employee to send emails both internally and externally.
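The two on-premises behaviours described above, a payload staged in domain controllers' NETLOGON shares and a scheduled task pushed through Group Policy, leave traces in ordinary Windows telemetry. The following triage script is an added example, not part of Microsoft's report or of the original article: it runs three defender-side checks over constructed Security and Sysmon events (writes to a NETLOGON share, creation of a Group Policy Preferences ScheduledTasks.xml under SYSVOL, and scheduled tasks whose command points at a domain controller share). The event IDs are the real Windows ones (4698, 5145, Sysmon 11); the field names, hostnames and file names are assumptions made for the sample.

```python
"""Added example: flag NETLOGON staging and GPO-delivered scheduled tasks.

Event IDs are real Windows values; the dict field names mirror the common
Security/Sysmon fields but are simplified, and every sample value below is
constructed for illustration.
"""
import re

# Windows Security log: 4698 = a scheduled task was created,
# 5145 = a network share object was checked for the requested access.
TASK_CREATED = 4698
SHARE_OBJECT_ACCESS = 5145
# Sysmon log: 11 = FileCreate.
SYSMON_FILE_CREATE = 11

# 5145 reports the share as \\*\NETLOGON; allow any server component.
NETLOGON_SHARE = re.compile(r"^\\\\[^\\]+\\NETLOGON\\?$", re.IGNORECASE)
# A UNC path into a domain controller share, as seen inside task XML.
DC_SHARE_PATH = re.compile(r"\\\\[^\\]+\\(NETLOGON|SYSVOL)\\", re.IGNORECASE)
# Group Policy Preferences store scheduled tasks at
# SYSVOL\...\Policies\{GUID}\(Machine|User)\Preferences\ScheduledTasks\ScheduledTasks.xml
GPO_TASK_XML = re.compile(
    r"\\SYSVOL\\.*\\Policies\\\{[0-9A-Fa-f-]+\}\\.*\\Preferences\\ScheduledTasks\\ScheduledTasks\.xml$",
    re.IGNORECASE,
)
# Access rights in 5145 that mean the share content was changed, not just read.
WRITE_ACCESSES = {"WriteData", "AddFile", "AppendData", "AddSubdirectory", "DELETE"}


def triage(events):
    """Return (rule, host, detail) tuples for every event matching a rule."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        if eid == SHARE_OBJECT_ACCESS:
            share = ev.get("ShareName", "")
            accesses = set(ev.get("AccessList", []))
            # NETLOGON is normally only written during deliberate admin changes.
            if NETLOGON_SHARE.match(share) and accesses & WRITE_ACCESSES:
                findings.append(("netlogon-write", host,
                                 f"{ev.get('SubjectUserName')} wrote {ev.get('RelativeTargetName')}"))
        elif eid == SYSMON_FILE_CREATE:
            # A new GPP scheduled-task definition on a DC is how a GPO task is registered.
            if GPO_TASK_XML.search(ev.get("TargetFilename", "")):
                findings.append(("gpo-scheduled-task-xml", host,
                                 f"{ev.get('Image')} created {ev.get('TargetFilename')}"))
        elif eid == TASK_CREATED:
            # Task definitions whose command lives on a DC share are worth a look.
            if DC_SHARE_PATH.search(ev.get("TaskContent", "")):
                findings.append(("task-runs-from-dc-share", host,
                                 f"{ev.get('TaskName')} executes a binary from a DC share"))
    return findings


# Constructed sample telemetry (not real events): two benign, three suspicious.
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": "DC01.corp.example", "SubjectUserName": "svc_backup",
     "ShareName": r"\\*\NETLOGON", "RelativeTargetName": "update.exe",
     "AccessList": ["WriteData", "AddFile"]},
    {"EventID": 5145, "Computer": "DC01.corp.example", "SubjectUserName": "jdoe",
     "ShareName": r"\\*\NETLOGON", "RelativeTargetName": "logon.bat",
     "AccessList": ["ReadData"]},
    {"EventID": 11, "Computer": "DC01.corp.example", "Image": r"C:\Windows\System32\mmc.exe",
     "TargetFilename": r"C:\Windows\SYSVOL\sysvol\corp.example\Policies"
                       r"\{00000000-0000-0000-0000-000000000000}\Machine"
                       r"\Preferences\ScheduledTasks\ScheduledTasks.xml"},
    {"EventID": 4698, "Computer": "WS17.corp.example", "SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\Maintenance\Update",
     "TaskContent": r"<Exec><Command>\\corp.example\NETLOGON\update.exe</Command></Exec>"},
    {"EventID": 4698, "Computer": "WS17.corp.example", "SubjectUserName": "SYSTEM",
     "TaskName": r"\Adobe Acrobat Update Task",
     "TaskContent": r"<Exec><Command>C:\Program Files\Adobe\update.exe</Command></Exec>"},
]


def sample_findings():
    """Run the rules over the constructed sample; returns three findings."""
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, host, detail in sample_findings():
        print(f"[{rule}] {host}: {detail}")
```

Each rule on its own produces noise in a busy domain (administrators do edit logon scripts and GPO tasks), so in practice the value comes from correlating them within a short window and against the account involved; a 4698 on many workstations within minutes of a new ScheduledTasks.xml on a domain controller is the pattern this article describes.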
DEV-1084 presented itself as a cybercrime group, likely as an attempt to hide its true motivation as a nation-state actor. The link between DEV-1084 and MERCURY was established based on several pieces of evidence, including the use of the same IP address and VPN, as well as the use of a similar version of Ligolo in previous attacks.
Microsoft has provided mitigations for destructive attacks to secure both on-premises and Azure AD environments. These include keeping systems up to date, enforcing multi-factor authentication, and implementing security best practices.
Organizations are advised to assume that they will be targeted by nation-state actors and to take appropriate measures to defend against such attacks.