Hackers affiliated with Iran's cyber-espionage group, MuddyWater, have extended their focus to target telecommunications companies in Egypt, Sudan, and Tanzania.
As revealed by cybersecurity researchers, including Marc Elias from Symantec, this marks a departure from MuddyWater's previous emphasis on entities in the Middle East, marking their first known operation against African organizations.
The cyber-attacks, conducted in November against unspecified telecom companies, have not shown evidence of successful information theft. However, analysts suggest that the primary objective of the campaign is likely espionage, based on MuddyWater's historical patterns. There is also speculation about the potential for disruption attacks, drawing on the tactics of Iranian hacking groups in the past.
The hackers' activities in Africa may be influenced by the ongoing Israel-Hamas conflict, with Egypt a prime target due to its proximity to Gaza and Israel.
MuddyWater's recent campaign, analyzed by Symantec, stands out for its use of a PowerShell launcher from a newly identified toolset called MuddyC2Go. Discovered in November, the toolset may have been operational since 2020, granting threat actors remote access to victim systems.
In addition to the PowerShell launcher, MuddyWater deployed other tools, including the legitimate remote device control and management software SimpleHelp. The software, once installed, operates as a system service, providing attackers continuous access and the ability to execute commands with administrator privileges.
Active since at least 2017, MuddyWater has consistently demonstrated an interest in targeting telecom organizations, aligning with broader trends observed among cyber-espionage groups.