Type: Incident
Actors:
Pub. date: April 7, 2023
Initial access: Unknown
Impact: Data destruction, RansomOp
References:
Status: Finalized
Last edited: Jun 2, 2024 8:02 AM
Microsoft identified a destructive operation executed by MuddyWater (also known as MERCURY or Mango Sandstorm), a threat actor attributed to the Iranian government, in partnership with “DarkBit” (who gained notoriety for attacking the Technion, an Israeli university, in February 2023). The attacks targeted both on-premises and cloud environments, with destruction and disruption as the ultimate goals. The actors likely exploited known vulnerabilities in unpatched applications for initial access and moved laterally throughout the network, using Azure AD Connect to pivot from the on-premises environment to the Azure AD environment. The attackers then leveraged highly privileged compromised credentials to perform mass destruction of resources.