Kathy Gibson is with Kaspersky Lab in Cape Town – Kaspersky Lab has uncovered a new cybercrime group operating in the Middle East, Turkey and Africa (META) region.

The company has been tracking the organisation for some time and published its first publication in 2017, explains Amin Hasbini, head of Global Research and Analysis Team at Kaspersky Lab.

After publication, the group started communicating with Kaspersky, complaining that their code was better than reported and leaving messages for researchers. “Our response was to detect more,” Hasbini says.

MuddyWater has targeted a number of government, telecommunications and educational organisations.

Maher Yamout, senior security researcher: Global Research and Analysis Team at Kaspersky Lab, explains that the main vector for attack is phishing, with interesting lures like official documents used.

The toolset includes an arsenal of Python tools and Powershell scripts.

They are mostly developed in-house, designed to infect victims, collect data and upload it. They also include tools to infect other systems, with lateral code execution, as well as other scripts and tools.

The techniques used by the attackers to hide themselves make it difficult to determine where they are. “They planted false flags to mask who they are,” Hasbini says.

Code analysis usually gives clues to attacker nationality, but MuddyWater included strings in Chinese, Russian and Arabic.

“These were implanted by the attackers to misdirect researchers.”

One of the victims was a telecommunication organisation in the Middle East, which only knew it had been attacked when Kaspersky Lab notified them. “They had attackers running around the system and didn’t know about it,” Hasbini says.

The estimated loss was about $300 000.00 on incident response; $100 000.00 on recovery, containing the incident and new implementing new technology; $150 000 to investigate what data had been stolen and sold; $180 000.00 on brand reputation damage and hundreds of thousands more to prevent the attackers coming back for more; and up to $1,5-million in government fines and legal costs.

The total damage cost well over $2,5-million. “And this is just one victim of MuddyWater,” Hasbini says.

A twist in the tale is that another group has now hacked MuddyWater, and is selling its information.