Episode #6
October 28, 2025
23 min 41 sec

MuddyWater & OilRig: The Cyber Espionage Playbook

As digital infrastructure becomes the backbone of global economies, cyber espionage has quietly evolved into one of the most powerful tools in modern statecraft.

Behind the scenes, nation-backed threat groups like MuddyWater and OilRig operate sophisticated campaigns that blend malware, phishing, and social engineering to infiltrate governments, defence contractors, and critical industries. But these Advanced Persistent Threat groups aren’t motivated by fame or by fortune. They’re after insights on matters of national security, looking for long-term access to strategic intelligence, and preparing tactical disruption of their adversaries.

In this episode, Group-IB’s Gary Ruddell and Nick Palmer speak with Mansour Alhmoud, a cyber threat intelligence analyst at Group-IB responsible for tracking APT groups, to unearth how these groups operate and what organizations and governments should be doing to protect themselves against state-sponsored threats.

By understanding who these actors are and how they operate, you can better anticipate threats and protect yourself in an increasingly hostile digital world.

Hosts
Nick Palmer
Head of Business Development & Sales Department
Gary Ruddell
Director, Community & Evangelism
Guests
Mansour Alhmoud
Cyber threat intelligence analyst, Group-IB

Full transcript


Gary Ruddell: 

Advanced persistent threats. That’s the name given to sophisticated long-term cyber attacks. They’re often state-sponsored, and unlike the flashier cyber attacks designed to crash systems and extort ransoms, APTs usually intend to remain undetected. For cyber espionage groups, the desired outcome isn’t coins, it’s information. They’re after insights on matters of national security, looking for long-term access to strategic intelligence and preparing tactical disruption of their adversaries. In an increasingly unstable geopolitical atmosphere, the digital battlefield is more relevant than ever. Cyber espionage campaigns are being waged behind the scenes, and the state-sponsored groups behind them are becoming more advanced year on year. Two such cyber espionage groups appear on this year’s Top 10 Masked Actors Most Wanted list, and their codenames are MuddyWater and OilRig. Today, Nick and I are joined by Mansour Alhmoud, one of our own cyber threat intelligence analysts, and he’s responsible for researching APT groups, including MuddyWater and OilRig. Mansour, welcome to the podcast. Give the listeners some background on your experience.

Mansour Alhmoud: 

Thanks for having me on today. I have been with Group-IB for the past one and a half years as an APT researcher. I work within the META region team and I have been investigating the APTs that are targeting this region, which includes MuddyWater and OilRig as the biggest players here. I have been tracking these groups and their operations closely, learned a lot about them and uncovered many of their campaigns. So hopefully I will be able to give you an insight about them.

Gary Ruddell: 

Awesome. Thanks for all your hard work. Let’s just start with some of the basics. What do we know about MuddyWater and OilRig?

Mansour Alhmoud: 

So both groups are believed to operate under the direction of the Ministry of Intelligence in Iran. OilRig was first reported in 2014, while MuddyWater appeared more recently in 2017. Both groups are currently active and pose a significant threat, not just in the META region but worldwide. And just recently we have detected an operation by MuddyWater. It was a phishing campaign targeting more than 100 governments and multiple international organizations. This was an espionage campaign. Their goal was to gather geopolitical intelligence related to the tensions in the META region. Our observations show a clear difference between MuddyWater and OilRig, despite them being affiliated with the same party. MuddyWater has a broader spectrum of operations and often conducts opportunistic phishing attacks, while OilRig tends to be more specific; they are kind of more specialized and change their TTPs more often.

Nick Palmer: 

Awesome. Thanks a lot, Mansour, and happy that you guys have a good read and tracking capability on these two groups. So tell me, who exactly are they targeting?

Mansour Alhmoud: 

Okay, so without going too deep into the political aspect, the objectives of state-sponsored threat actors in general are set according to the political goals of their state, and therefore reflect them. Our observations show that both groups focus on high-value intelligence sources like government entities and critical infrastructure like energy and telecom. They also target various companies and organizations in other sectors if these organizations or companies are deemed interesting to them. So, for example, they can infiltrate these companies and then jump from them to other targets. Our observations also show that the primary focus of both these groups is in the META region, as it aligns with Iranian geopolitical interests. But their operations are not limited just to this region. We have also observed campaigns that were broader and targeted countries from distant geographies. MuddyWater specifically was observed expanding their operations to Europe in 2025.

Nick Palmer: 

You mentioned specifically their interest, if it interests them. So, what exactly is their intention in targeting these organizations? Can you explain to the listeners what they hope to gain in their campaigns?

Mansour Alhmoud: 

So ultimately it’s about providing a strategic advantage to the state they are serving. That’s what state-sponsored actors actually do. For MuddyWater and OilRig, the primary objective is espionage, as it seems, and gathering intelligence. But they also have conducted several disruptive operations: they have caused damage, wiped servers and deployed ransomware without being able to decrypt the data. State-sponsored threat actors usually do this during times of political tensions. So in the disruptive operations, they don’t just hack and disrupt the systems; they maintain the access for as long as possible, gathering intelligence, expanding their access, and when the right time hits, they would perform disruptive operations, as history showed.

Nick Palmer: 

Understood, understood. So, Mansour, you mentioned disruption, you mentioned espionage, right? If I’m a normal company, if I’m a private company, do I have to be concerned about these threat actors in terms of my priority intelligence requirements, their tactics, their techniques, or, you know, should I just not care because I’m not critical infrastructure?

Mansour Alhmoud: 

Well, actually, everyone should be concerned about APTs. While their goal is espionage and high-value targets, it’s often hard to reach these targets directly. So they exploit other companies, especially the companies that provide services to governments, for example. So this is kind of a supply chain attack, and we have seen many examples previously, not just with these two groups, but with other APT groups as well.

Gary Ruddell: 

APTs, from what I know about them, they build their own malware to get past security measures. Is that right with MuddyWater and OilRig too?

Mansour Alhmoud: 

Yes, of course, Gary. They build their own malware, exploits, scripts, etc. And they also use open source tools such as common pen testing and administrative tools. They also use legitimate programs such as remote monitoring tools. MuddyWater specifically has been using RMM tools since 2022. They followed the same playbook for their attacks for a long time. They were actively conducting operations using the same playbook, where they send a phishing email with a link to a legitimate file sharing service from which the victim downloads a legitimate remote management tool. This tool allows MuddyWater to take control of the victim machine, execute commands, and upload and download files. And the thing with this kind of tool is that it is signed by the companies that distribute and own it, so it is not usually marked as malware by antivirus software. So it really bypasses some detections and gives threat actors an advantage compared to custom malware.

Gary Ruddell: 

You mentioned earlier that MuddyWater had carried out a large-scale, ultimately, phishing campaign against governments. It’s surprising to me that that tactic still works against, you know, governments and critical infrastructure. You’d think they’d be more vigilant.

Mansour Alhmoud: 

Yes, of course, Gary, and it’s very successful. It’s the fact that the human link is the weakest link in the cybersecurity chain. It’s easier to exploit human trust or oblivion than to exploit a system. For example, OilRig has been noted to use emails disguised as personalized job applications or business documents. Here at Group-IB we have seen MuddyWater using documents impersonating governments and seemingly legitimate communications. Also, they often use compromised accounts, which also adds to the legitimacy of their phishing emails. Like the phishing campaign that was conducted recently: they used a compromised mailbox from a government organization to send phishing emails to other governments. So this adds legitimacy to this communication and increases the success of such operations. Overall, phishing is here to stay, especially with the enhanced AI technologies which allow threat actors to craft high-quality phishing messages and scale up their operations. Because before, it was easy to spot phishing emails because of imperfections in their writing, there were grammatical errors, but these days AI helps threat actors to craft better phishing content. It’s also worth noting that phishing techniques continuously evolve. For example, the ClickFix technique that came in late 2024, I think. It’s a simple yet effective technique. Cybercriminals and infostealer operators were the first to use it, but it was adopted shortly after by APT groups such as MuddyWater and even other groups from other countries.

Nick Palmer: 

Yeah, super interesting, Mansour, that the novel techniques of trying to exploit a human are more effective than exploiting a system at the end of the day. And I think this remains true not only for MuddyWater, but many of the APT groups. If you take a look at our Hi-Tech Crime Trends report or a heat map of the MITRE ATT&CK framework and the different tactics or techniques that APT groups use, there’s an overwhelming focus on three different things. Phishing, as you rightly mentioned, exploiting publicly facing applications, and the other one involving humans is exploiting legitimate credentials, right? That they could gather from, you know, phishing or malware attacks where they lure a victim into compromising their credentials. So, interesting that whatever is not broken, don’t fix it. Yeah. And these threat actors continue to leverage the tried and true techniques.

Gary Ruddell: 

You mentioned the espionage campaign earlier, Mansour. Can you give us a little bit more juice on exactly what that is?

Mansour Alhmoud: 

We have recently detected an operation that began on the 19th August 2025. It was focused on gathering intelligence around the Middle Eastern region and the recent developments that happened during that time. Almost 80% of MuddyWater targets in this campaign were embassies, diplomatic missions, and ministries of foreign affairs. This attack started by compromising one of the Ministry of Foreign Affairs email accounts, and this email account was used to send out a massive phishing campaign to over 100 governmental entities and even international organizations.

Gary Ruddell: 

And, you know, how is Group-IB able to attribute that to MuddyWater, without giving away any secrets?

Mansour Alhmoud: 

Okay, this attribution was made based on multiple indicators. There are some indicators that come from the general characteristics of this campaign: the targeting, the intent, etc. And there was also factual evidence that points directly to MuddyWater. Such evidence includes the malware that was used, the final payload and the kill chain. It was the fourth version of the Phoenix Backdoor. It was publicly attributed to MuddyWater, but version 4 was first seen in this campaign. Previously we have seen the other versions of Phoenix Backdoor, and all these campaigns were specifically attributed to MuddyWater. There was also some evidence based on their infrastructure. We found an open directory on the C2 server that was linked to the backdoor that was identified. And in this open directory we found multiple malware samples that were also previously used by MuddyWater, and we also found remote management tools that are also used by MuddyWater. So all evidence is pointing towards them. That’s why we attributed this attack with high confidence to them.

Gary Ruddell: 

Thanks, Mansour. Um, Nick, we’ve talked a lot about MuddyWater and OilRig and how they’re you know disrupting digital systems as a planet as we you know embrace more and more digital transformation. You know, how do you see that playing out from an impact perspective?

Nick Palmer: 

I think it’s gonna be an interesting few years in the very near future and certainly beyond. You know, I think if you look at APT groups, they’re interested in really three different things, right? Espionage or intelligence gathering, disruption, or financial gain, right? If you look at some of the criminal groups like Lazarus, you know, they’ve been shut off from the global financial system and they need money to fund themselves, right? So their modus operandi for some of their attacks is financial gain. So they’ve taken a liking to targeting specifically cryptocurrency companies as, you know, money is easy to flow, right? So these digital currencies become more attractive for nation state actors that maybe don’t have access to the global financial system and need financial gain. I think what’s really interesting for me is, as you know, you look at more and more of our life becoming automated, right? You can go in Austin, Texas, or California and jump into a car that has no drivers. As that proliferates, you know, does that become a target in terms of disruption? Does, you know, our ability to conduct our banking on our mobile phones become disrupted? You know, I think a lot of the critical infrastructure from a disruption standpoint, as we become more and more digital than ever before, becomes an attractive target, especially from a disruption standpoint. And, you know, definitely information collection will always reign supreme for APT groups; knowledge is power. So, you know, that will continue. But I think disruption for me is one of the most interesting targets for nation-state groups in the up and coming decades.

Gary Ruddell: 

Yeah, and I guess like digital transformation is a journey, isn’t it? It’s not like this perfect place. It’s always evolving, and there’s always, you know, high-end products that are really well managed and also open source or low-end products that aren’t well managed. You know, the richer countries would probably have the, you know, the better digital transformation. But for all those countries in like the middle and the low end, does that make them more vulnerable?

Nick Palmer: 

I think you have to look at the state itself and the ability to perform those three different categories, right? Information collection or espionage, disruption, or being targeted for financial gain. You know, every country to some degree has digital transformation, some more, some less. It’s not to say those countries that haven’t, you know, driverless cars on the road, that they won’t be a target for disruption. There’s, you know, I’m sure a lot of digital transformation in logistics for these countries, whether it be train systems or shipping and logistics, that can be a target of disruption from different nation-state groups. So, you know, I think it’s as always: look at yourself either as a country or a business, understand what your threat landscape looks like, who potentially may target that, what tactics and techniques they would use, and then what defensive measures you have in place in order to prevent those things from happening.

Gary Ruddell: 

Thanks, Nick. What kind of changes should organizations in government and critical infrastructure be making, Mansour, to strengthen defenses against groups like MuddyWater and OilRig?

Mansour Alhmoud: 

So when dealing with state-sponsored APTs, a strong defense is essential, one that combines active and proactive measures to maintain constant protection. It’s important to maintain cyber hygiene, constantly patching the systems, because vulnerabilities appear every now and then. It’s also very important to share the intelligence when some attack happens. Sharing this intelligence, or sharing this kind of incident, informs similar targets about such a threat and allows them to be prepared before the attack reaches them. The second part is of course about user awareness. It’s really important for users and employees, especially in governments and, let’s say, high-value organizations, to be aware and not fall victim to phishing attacks. So these two points are essential for protecting against APT groups such as these.

Nick Palmer: 

Yeah, absolutely, Mansour. And, you know, I always like to think: who is this adversary on the outside of my network trying to get in, right? What are the tools and the techniques and the procedures that they may use to target their business? Are there any indicators of compromise from previous infrastructure that they’ve utilized or malware that they’ve utilized that we can feed our internal systems to detect them? You know, I think earlier on you said phishing was a major entry point for this particular group. And as I mentioned, many APT groups within the threat landscape also use phishing. So, you know, enhancing your email and phishing defenses, having regular simulations to understand: are my defensive capabilities able to defend against the latest tactics and techniques that these groups use in their phishing campaigns, and that others may use who are interested in targeting my business? Maybe looking outside of what MuddyWater does for initial access to a corporate network, you know, analyzing my external perimeter, understanding if I have any corporate services running and exposed to the public internet. Can they be brute-forced? Can someone log into these different corporate services? And do I have good IAM controls in place to understand if it’s actually my user logging in or not? And finally, you know, what are you going to do, or how are you going to know, if this bad guy is actually in your network? Right. So understanding your network infrastructure and monitoring inbound and outbound traffic: do you have any endpoints actually communicating to infrastructure from any of these groups, with previous indicators of compromise from their campaigns or ongoing tracking? And finally, what happens when, you know, it hits the fan, right? Is your incident response team ready to respond? Do I have threat hunters in place looking for them in my network on a regular basis?
You know, is my IR team ready to respond to such an incident? These are, you know, other things that come to mind that would be really great to get in place to be prepared for that masked actor or adversary that comes knocking.

Gary Ruddell: 

Thanks, Nick. Thanks, Mansour. Well, Mansour, it’s been awesome having you on today telling us all the things about these groups. I’ll definitely keep my eyes peeled for more articles from you on the Group-IB blog. Thanks again for joining us. And that’s all we have time for.

Mansour Alhmoud: 

Thanks, Mansour. Thank you. Thank you very much, guys.

Gary Ruddell: 

Your data is valuable and it’s under attack. Cyber espionage groups, financially motivated threat actors, ransomware attackers, and other criminal enterprises are on the rise. Working in secrecy to dismantle security perimeters, they spread like a virus through the web, stoking geopolitical tensions, holding businesses to ransom, and flooding criminal marketplaces with sensitive information. These groups thrive in secrecy now more than ever. Knowing who your adversaries are is critical. So join us as we ask who’s behind the world’s most prolific cyber criminal groups. What are their tactics, their motivations, and their impact? Who are the world’s masked actors? Masked Actors is an independent podcast from Group-IB, a leading voice in the fight against cybercrime. The threat landscape evolves quickly, but all information was correct at the time of recording and based on Group-IB’s Hi-Tech Crime Trends report 2025. Join in the conversation online using the hashtag Masked Actors. And don’t forget to subscribe so you don’t miss an episode. Thanks for listening. See you next time as we uncover more of the world’s top masked actors.