
Iranian Hackers Embedded in US Networks, Targeting Israel & More

A sophisticated Iranian cyber operation, believed to be linked to the Iranian Ministry of Intelligence and Security (MOIS), has infiltrated networks belonging to a US bank, an airport, a software firm, and other organizations in the US and Canada, security researchers have revealed. The activity, detected beginning in early February and escalating after recent military actions, raises concerns about potential intelligence gathering and the possibility of future disruptive attacks.

The intrusion was uncovered by the Symantec and Carbon Black Threat Hunter Team after receiving indicators of compromise tied to a threat actor known as MuddyWater (also tracked as Seedworm and Static Kitten). According to researchers, the group has been active since at least 2017, primarily targeting entities in the Middle East, and is widely assessed to be affiliated with Iran’s intelligence apparatus. The FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and the UK National Cyber Security Centre (NCSC) have all publicly attributed MuddyWater to the MOIS, noting its cyber campaigns have been ongoing since approximately 2018.

Brigid O’Gorman, a senior intelligence analyst with the Symantec and Carbon Black Threat Hunter Team, explained that the initial indicators “led to this cluster of attacks and allowed us to discover additional malware.” The compromised software company is particularly concerning, as it provides technology to the defense and aerospace industries, including entities in Israel, making it a prime target for espionage.

Fresh Backdoors Discovered

Researchers identified two previously unknown backdoors used in the campaign: Dindoor and Fakeset. Dindoor, discovered on networks in Israel, at the US bank, and at a Canadian nonprofit, runs on Deno, a secure runtime for JavaScript and TypeScript. It was signed with a certificate issued to “Amy Cherne.” Fakeset, found on the airport’s and a US nonprofit’s networks, was signed with certificates issued to both “Amy Cherne” and “Donald Gay”; the latter has previously been linked to malware – Stagecomp and Darkcomp – associated with MuddyWater, strengthening the attribution to the Iranian group. The reuse of these certificates is a key indicator of the group’s involvement, according to the analysts.

The attackers attempted to exfiltrate data from the software company using Rclone to a Wasabi cloud storage bucket, though it remains unclear whether the attempt was successful. While the initial access vector remains unknown, the team notes that MuddyWater typically employs phishing emails or exploits vulnerabilities in publicly accessible applications.
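The two indicator types described above (binaries signed with the reused certificate subjects, and Rclone transfers to a cloud bucket) are both cheap to hunt for in process-creation telemetry. The following is an added detection example, not code from the article or from the Symantec and Carbon Black team; it assumes Sysmon-style event fields (`image`, `cmdline`, `signer`) and runs over constructed sample events. Only the signer names and the Wasabi reference come from the article; the other endpoint hints and the sample data are assumptions.

```python
"""Hunt process-creation events for two indicator types named in the article:
reused code-signing subjects and Rclone transfers to a named remote."""
import re
from dataclasses import dataclass

# Signer subjects the article names as reused across MuddyWater tooling.
WATCHLISTED_SIGNERS = {"amy cherne", "donald gay"}

# Rclone's transfer sub-commands followed later on the line by a "remote:" target.
# Remotes must be two or more characters so Windows drive letters ("C:") don't match.
RCLONE_XFER = re.compile(
    r"\b(copy|sync|move|copyto|moveto)\b.*\s([A-Za-z0-9_-]{2,}):", re.IGNORECASE)

# Substrings suggesting a public object-storage endpoint. "wasabi" is from the
# article; the other entries are assumptions about common endpoints.
CLOUD_HINTS = ("wasabi", "amazonaws.com", "blob.core.windows.net",
               "storage.googleapis.com")


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    detail: str


def check_signer(ev):
    """Flag any binary whose Authenticode subject matches a watchlisted signer."""
    signer = (ev.get("signer") or "").strip().lower()
    if signer in WATCHLISTED_SIGNERS:
        return Finding(ev["id"], "reused-signer",
                       f"{ev['image']} signed by '{ev['signer']}'")
    return None


def check_rclone(ev):
    """Flag rclone-style transfers to a remote, even if the binary was renamed."""
    cmd = ev.get("cmdline", "")
    exe = ev.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    m = RCLONE_XFER.search(cmd)
    if not m:
        return None
    named_rclone = exe.startswith("rclone") or "rclone" in cmd.lower()
    cloud = any(h in cmd.lower() for h in CLOUD_HINTS)
    if named_rclone or cloud:
        rule = "rclone-exfil"           # high confidence: rclone by name or cloud target
    else:
        rule = "rclone-syntax"          # lower confidence: transfer syntax, unknown binary
    return Finding(ev["id"], rule,
                   f"{exe} {m.group(1).lower()} -> remote '{m.group(2)}'")


def scan(events):
    """Run every check over every event and collect the findings in order."""
    findings = []
    for ev in events:
        for check in (check_signer, check_rclone):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


# Constructed sample telemetry (not from the article): one benign service, one
# binary carrying a watchlisted signer, one plain rclone push to a Wasabi remote,
# one renamed binary using rclone syntax, and a benign robocopy job.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "signer": "Microsoft Windows"},
    {"id": 2, "image": r"C:\ProgramData\update\update.exe",
     "cmdline": "update.exe --quiet", "signer": "Amy Cherne"},
    {"id": 3, "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Users\eng\Projects wasabi:backup-01 "
                r"--config C:\Users\Public\r.conf", "signer": None},
    {"id": 4, "image": r"C:\Windows\Temp\svc.exe",
     "cmdline": r"svc.exe sync D:\Share\Designs dst01:archive -q", "signer": None},
    {"id": 5, "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy.exe C:\Data D:\Backup /E", "signer": "Microsoft Windows"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.rule}: {f.detail}")
```

The signer check is exact-match on the subject name because that is the indicator the analysts relied on; in production you would key on certificate thumbprints as well, since a subject string can be re-issued. The Rclone rule deliberately does not depend on the binary being called `rclone.exe`: the sub-command plus `remote:` destination syntax is what gives it away when the tool is renamed, which is why a renamed hit is reported at lower confidence rather than dropped.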

Motives Remain Unclear, Potential for Escalation

Determining the precise intent behind these intrusions is challenging. O’Gorman noted that “Iranian cyber operations span a range of motives.” “In some cases there’s intelligence gathering involved. In others, it’s disruption.” The group’s history includes a 2025 incident in which it compromised CCTV streams in Jerusalem, potentially for surveillance purposes, ahead of a bombing of the city. Israeli authorities reported that compromised security cameras were exploited to gather real-time intelligence and refine missile targeting on June 23rd of that year.

Researchers are concerned that even if the initial motive was solely intelligence gathering, the group could pivot to disruptive attacks given their established presence within these networks. “Already having a presence on US and Israeli networks prior to the current hostilities beginning places the threat group in a potentially dangerous position to launch attacks,” O’Gorman warned.

Recent activity indicates a broader trend of increased cyber activity in the region. Check Point researchers reported hundreds of exploitation attempts targeting internet-connected surveillance cameras across Israel and other Middle Eastern countries since February 28th. Other analysts have observed an uptick in spying expeditions, digital probes, and distributed denial-of-service (DDoS) attacks, though no major disruptive attacks have been reported as of yet.

The ongoing situation underscores the critical need for heightened vigilance and robust cybersecurity measures, particularly for organizations with ties to critical infrastructure and national security. As tensions remain high, the potential for escalation in the cyber domain remains a significant concern.

What comes next will likely depend on the evolving geopolitical landscape. Security professionals should remain alert for further indicators of compromise and proactively strengthen their defenses against potential attacks from Iranian state-sponsored actors.
