Turbid waters: how hackers from MuddyWater attacked a Turkish manufacturer of military electronics



    Iranian pro-government hackers are having big problems. Throughout the spring, unidentified people have been publishing “secret leaks” on Telegram: information about APT groups associated with the Iranian government, OilRig and MuddyWater, their tools, victims and connections. But not about everyone. In April, Group-IB specialists discovered a leak of email addresses of the Turkish corporation ASELSAN A.Ş, which produces tactical military radio stations and electronic defense systems for the Turkish armed forces. Anastasia Tikhonova, head of the Group-IB advanced threat research team, and Nikita Rostovtsev, a junior analyst at Group-IB, describe the course of the attack on ASELSAN A.Ş and a possible MuddyWater participant they identified.

    Telegram exposure


    The leaking of Iranian APT groups began when a certain Lab Dookhtegan published the source code of six APT34 (aka OilRig and HelixKitten) tools, disclosed the IP addresses and domains involved in its operations, as well as data on 66 of the hackers' victims, among them Etihad Airways and Emirates National Oil. Lab Dookhtegan also leaked data on the group’s past operations and information on employees of the Iranian Ministry of Information and National Security who are allegedly associated with the group’s operations. OilRig is an Iran-linked APT group that has been active since 2014 and targets government, financial and military organizations, as well as energy and telecommunications companies in the Middle East and China.

    After the exposure of OilRig, the leaks continued: on the darknet and on Telegram, information appeared on the activities of another pro-government group from Iran, MuddyWater. However, unlike the first leak, this time it was not source code that was published but dumps, including screenshots of source code and of control servers, as well as the IP addresses of the hackers' past victims. This time a group calling itself Green Leakers claimed responsibility for the MuddyWater leak. They own several Telegram channels and darknet sites where they advertise and sell data related to MuddyWater operations.

    Cyber spies from the Middle East


    MuddyWater is a group that has been operating since 2017 in Middle Eastern countries. For example, as Group-IB experts note, between February and April 2019 the hackers conducted a series of phishing mailings aimed at government and educational organizations and at financial, telecommunications and defense companies in Turkey, Iran, Afghanistan, Iraq and Azerbaijan.

    The group uses its own PowerShell-based backdoor, called POWERSTATS. It can:

    • collect data about local and domain accounts, accessible file servers, internal and external IP addresses, OS name and architecture;
    • perform remote code execution;
    • download and upload files through the C&C;
    • detect the presence of debugging programs used in the analysis of malicious files;
    • shut down the system if malware analysis programs are found;
    • delete files from local drives;
    • take screenshots;
    • disable protective measures in Microsoft Office products.

    At some point the attackers made a mistake, and researchers from ReaQta managed to obtain the final IP address, which was located in Tehran. Considering the targets attacked by the group, as well as its cyber-espionage tasks, experts suggested that the group represents the interests of the Iranian government.

    Attack indicators
    C&C:

    • gladiyator [.] tk
    • 94.23.148 [.] 194
    • 192.95.21 [.] 28
    • 46.105.84 [.] 146
    • 185.162.235 [.] 182

    Files:


    Turkey at gunpoint


    On April 10, 2019, Group-IB specialists discovered a leak of the email addresses of the Turkish company ASELSAN A.Ş, the largest military electronics company in Turkey. Its products include radars and electronic equipment, electro-optics, avionics, unmanned systems, land, naval and weapon systems, as well as air defense systems.

    Studying one of the new samples of the POWERSTATS malware, Group-IB experts found that the MuddyWater attackers used as a decoy document a licensing agreement between Koç Savunma, a company producing information and defense technology solutions, and Tubitak Bilgem, an information security and advanced technology research center. Koç Savunma's contact person was Tahir Taner Tımış, who served as Programs Manager at Koç Bilgi ve Savunma Teknolojileri A.Ş. from September 2013 to December 2018. He later moved to ASELSAN A.Ş.

    Sample bait document

    After the user enables the malicious macros, the POWERSTATS backdoor is downloaded to the victim’s computer.

    Thanks to the metadata of this bait document (MD5: 0638adf8fb4095d60fbef190a759aa9e), researchers were able to find three more samples with identical values, including the creation date and time, the username and the list of contained macros:

    • ListOfHackedEmails.doc (eed599981c097944fa143e7d7f7e17b1)
    • asd.doc (21aebece73549b3c4355a6060df410e9)
    • F35-Specifications.doc (5c6148619abb10bb3789dcfb32f759a6)

    Screenshot of identical metadata of various bait documents
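    As an added illustration of the metadata pivot described above (example code, not part of the original article or of Group-IB's tooling), the Python below groups documents whose core properties share the same author and creation timestamp. It uses the OOXML container (docProps/core.xml) because the standard library can read it; the real samples are legacy .doc files, whose OLE metadata would need a library such as olefile. The file name license-agreement.doc, the file unrelated-invoice.doc and every metadata value are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict
# Namespaces used in docProps/core.xml of an OOXML document.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

def core_properties(doc_bytes):
    """Return (creator, created) from docProps/core.xml; empty strings if absent."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    creator = root.findtext("dc:creator", default="", namespaces=NS)
    created = root.findtext("dcterms:created", default="", namespaces=NS)
    return creator, created

def cluster_by_metadata(samples):
    """Group {name: bytes} by identical (creator, created); keep clusters of 2+ files."""
    groups = defaultdict(list)
    for name, data in samples.items():
        groups[core_properties(data)].append(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}

def make_doc(creator, created):
    """Build a minimal OOXML-style zip holding only core.xml (constructed test data)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f'<dc:creator>{creator}</dc:creator>'
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()

# Constructed corpus: the three file names from the article plus two hypothetical ones;
# every metadata value is a placeholder, not the real documents' metadata.
SAMPLES = {
    "license-agreement.doc": make_doc("user-A", "2019-03-01T10:00:00Z"),
    "ListOfHackedEmails.doc": make_doc("user-A", "2019-03-01T10:00:00Z"),
    "asd.doc": make_doc("user-A", "2019-03-01T10:00:00Z"),
    "F35-Specifications.doc": make_doc("user-A", "2019-03-01T10:00:00Z"),
    "unrelated-invoice.doc": make_doc("user-B", "2018-11-20T08:30:00Z"),
}
```

    Calling cluster_by_metadata(SAMPLES) returns a single cluster of four files under ('user-A', '2019-03-01T10:00:00Z'); the unrelated file is left out because nothing shares its metadata.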


    One of the documents found, ListOfHackedEmails.doc, contains a list of 34 email addresses in the @aselsan.com.tr domain.

    Group-IB specialists checked these email addresses against publicly available leaks and found that 28 of them had been compromised in previously discovered leaks. Checking the set of available leaks revealed about 400 unique logins associated with this domain, together with their passwords. The attackers may have used this publicly accessible data to attack ASELSAN A.Ş.

    Screenshot of ListOfHackedEmails.doc


    Screenshot of a list of more than 450 detected login-password pairs in public leaks

    Among the samples found was also a document called F35-Specifications.doc, referring to the F-35 fighter. The bait document is a specification of the F-35 multirole fighter-bomber, listing the aircraft's characteristics and price. The theme of this bait is directly related to the US refusal to supply the F-35 after Turkey’s purchase of S-400 systems and the threat that information about the F-35 Lightning II would be transferred to Russia.

    All the data obtained indicated that the main targets of MuddyWater's cyber attacks were organizations located in Turkey.

    Who are Gladiyator_CRK and Nima Nikjoo?


    Earlier, in March 2019, malicious documents were discovered that had been created by a Windows user with the nickname Gladiyator_CRK. These documents also distributed the POWERSTATS backdoor and connected to a C&C server with the similar name gladiyator[.]tk.

    Perhaps this was done after Nima Nikjoo posted on Twitter on March 14, 2019, attempting to decode obfuscated code associated with MuddyWater. In the comments on this tweet the researcher said that he could not share indicators of compromise for this malware, since the information was confidential. Unfortunately, the post has since been deleted, but traces of it remain online:



    Nima Nikjoo is the owner of the Gladiyator_CRK profile on the Iranian video hosting sites dideo.ir and videoi.ir. There he demonstrates PoC exploits for disabling anti-virus tools of various vendors and bypassing sandboxes. Nima Nikjoo describes himself as a network security specialist, as well as a reverse engineer and malware analyst working for MTN Irancell, an Iranian telecommunications company.

    Screenshot of saved videos in Google search results:



    Later, on March 19, 2019, Twitter user Nima Nikjoo changed his nickname to Malware Fighter and deleted related posts and comments. The Gladiyator_CRK profile on the video hosting site dideo.ir was also deleted, as was the one on YouTube, and the profile itself was renamed N Tabrizi. However, after almost a month (April 16, 2019), the Twitter account reverted to the name Nima Nikjoo.

    In the course of the study, Group-IB experts found that Nima Nikjoo had already been mentioned in connection with cybercrime. In August 2014, the Iran Khabarestan blog published information on individuals affiliated with the Iranian cybercriminal group Nasr Institute. A FireEye study stated that the Nasr Institute was a contractor for APT33 and also took part in DDoS attacks on US banks between 2011 and 2013 as part of a campaign called Operation Ababil.

    The same blog mentioned Nima Nikju-Nikjoo, who was involved in developing malware to spy on Iranians, and his email address: gladiyator_cracker@yahoo[.]com.

    Screenshot of data on cybercriminals from the Iranian Nasr Institute:


    Translation of the screenshot: Nima Nikio - spyware developer - Email: .

    As this information shows, the email address is linked to the address used in the attacks and to the Gladiyator_CRK and Nima Nikjoo accounts.

    In addition, an article dated June 15, 2017 stated that Nikjoo had been somewhat careless in posting links to the Kavosh Security Center in his resume. The Kavosh Security Center is believed to be backed by the Iranian state to fund pro-government hackers.

    Information about the company Nima Nikjoo worked for:


    On his LinkedIn profile, Twitter user Nima Nikjoo listed the Kavosh Security Center as his first job, where he worked from 2006 to 2014. There he studied various malicious programs and also did reverse engineering and obfuscation-related work.

    Information about the company Nima Nikjoo worked for on LinkedIn:


    MuddyWater and high self-esteem


    It is curious that the MuddyWater group carefully monitors all reports by information security experts published about them, and has even deliberately planted false flags to throw researchers off the trail. For example, their first attacks misled experts, who found the use of DNS Messenger, usually associated with the FIN7 group. In other attacks they inserted strings in Chinese into the code.

    In addition, the group is very fond of leaving messages for researchers. For example, they did not like the fact that Kaspersky Lab placed MuddyWater third in its ranking of threats for the year. At that very moment someone, presumably the MuddyWater group, uploaded to YouTube an exploit that disabled the Kaspersky Lab antivirus, and left a comment under the article.

    Screenshots of the video on disabling the Kaspersky Lab antivirus and the comment below it:



    It is still difficult to draw an unambiguous conclusion about Nima Nikjoo's involvement. Group-IB experts are considering two versions. Nima Nikjoo may indeed be a hacker from the MuddyWater group who exposed himself through carelessness and increased online activity. The second option is that he was deliberately “spotlighted” by other members of the group in order to deflect suspicion. In any case, Group-IB continues its research and will certainly report on the results.

    As for the Iranian APTs, after a series of leaks they are likely to face a serious “debriefing”: the hackers will be forced to seriously change their tools, clean up their tracks and look for possible moles in their ranks. Experts did not rule out that they would even take a timeout, but after a short break the attacks by Iranian APTs resumed.
