Type
Incident
Actors
MuddyWaterDarkBit
Pub. date
April 7, 2023
Initial access
Unknown
Impact
Data destructionRansomOp
References
https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/https://blogs.blackberry.com/en/2023/02/darkbit-ransomware-targets-israel
Status
Finalized
Last edited
Jun 2, 2024 8:02 AM
Microsoft identified a destructive operation executed by MuddyWater (also known as MERCURY or Mango Sandstorm), a threat actor attributed to the Iranian government, in partnership with “DarkBit” (who gained notoriety for attacking the Technion, an Israeli university, in February 2023). The attacks targeted both on-premises and cloud environments, with destruction and disruption as the ultimate goals. The actors likely exploited known vulnerabilities in unpatched applications for initial access and moved laterally throughout the network, using Azure AD Connect to pivot from the on-premises environment to the Azure AD environment. The attackers then leveraged highly privileged compromised credentials to perform mass destruction of resources.