IBM researchers claim an Iranian-linked crew called MuddyWater has been trying to avoid detection by using Slack to control their malware. It’s believed to be the first time a suspected state-backed hacking outfit has been seen using such a technique.
Back in March, hackers believed to be Iranian cyberspies found a novel use for the workplace messaging app Slack. They’d broken into an Asian airline and installed a backdoor. To hide their communications with that malware, they hooked into the Slack application and sent commands over the tool. Why? So that IT security systems would think it is legitimate traffic and it wouldn’t be detected or blocked.
That’s according to IBM, which is releasing research this Wednesday on that hacking crew, dubbed MuddyWater. The tech giant’s X-Force cybersecurity research division said it looked at MuddyWater’s backdoor, dubbed Aclip, finding it was using Slack application programming interfaces for comms. Such APIs define how other applications can interact with Slack, for instance feeding a social channel’s posts into a Slack group. The MuddyWater group created a Slack workspace and channels through which they could receive system information, such as requested files and screenshots, that they were trying to syphon off the network. They could also use the Slack channels to post commands to the backdoor.
As for what they were trying to do, IBM found evidence the airline’s passenger data was targeted, finding one of the attackers’ servers containing files with names including “reservation management.” The use of Slack was part of a patient operation, in which the hackers were on the airline’s network for over a year and a half, according to IBM.
Slack hadn’t responded to a Forbes request for comment but had told IBM: “We investigated and immediately shut down the reported Slack Workspaces as a violation of our terms of service. We confirmed that Slack was not compromised in any way as part of this incident, and no Slack customer data was exposed or at risk. We are committed to preventing the misuse of our platform and we take action against anyone who violates our terms of service.”
While this appears to be the first nation state-affiliated use of Slack for such espionage operations, it is not the first time the app has been used for backdoor communications. In 2018, one dubbed SlackShell was discovered and the next year two more appeared.
Nick Rossmann, global threat intelligence lead at IBM X-Force, said that Slack wasn’t in any way compromised, it simply aided the digital spies “in prolonging the stealth of their operation.”
“While the technique is not new, X-Force does not frequently see threat actors leveraging Slack for [command and control] communication,” Rossmann told Forbes.
“For organizations that heavily use Slack, it may be difficult for them to distinguish legitimate Slack network traffic from network traffic generated by this backdoor, which is why we wanted to raise awareness of this tool.
“We aren’t aware of other nation states using it, but it’s possible. Many groups have used the ‘technique’ of leveraging legitimate platforms, like GitHub, Twitter, cloud storage services like OneDrive, or cloud infrastructure.”
Rossmann said the incident was a good reminder that organizations needed to more thoroughly scrutinize their use of tools like Slack for any possible malicious traffic. “The industry is past trying to stop adversaries from getting in, it’s about how quickly you stop them from getting to your data and how quickly you get them out,” he added.
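The scrutiny Rossmann is calling for can be partly automated. The following is an added example, not code from IBM, Slack or the article: a small hunt script run over constructed web-proxy log lines that looks for the pattern described above, a non-Slack client on a workstation repeatedly polling a channel (conversations.history) at a fixed interval and pushing files back in (files.upload). The log layout, the host names and the list of "sanctioned" user-agent prefixes are assumptions for this organisation; the API method names are real Slack Web API methods.

```python
"""
Hunt for backdoor-style use of the Slack Web API in web-proxy logs.

Heuristics follow the behaviour the article describes: a backdoor that polls
a Slack channel for commands and uploads files/screenshots to the workspace.
Sample logs below are constructed for this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Assumed proxy log layout (constructed, not a real product's format):
#   <ISO8601 ts> <src_host> "<user_agent>" <HTTP method> <url>
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')

# User-agent prefixes this (hypothetical) organisation treats as sanctioned
# Slack clients: the desktop app and browsers. Anything else calling the
# Slack Web API from a workstation deserves a look.
SANCTIONED_UA_PREFIXES = ("Slack/", "Mozilla/")

# Real Slack Web API methods relevant to the pattern: polling a channel for
# commands and pushing collected files back into the workspace.
POLL_METHOD = "conversations.history"
UPLOAD_METHOD = "files.upload"

# Constructed sample: ws-finance-12 is a normal desktop-client user,
# ws-hr-03 uploads a file from a browser, ws-dev-21 tests a token with curl,
# ws-ops-07 behaves like the backdoor described in the article.
SAMPLE_LOG = """\
2021-03-04T09:00:01Z ws-finance-12 "Slack/4.12.0 (Windows)" POST https://slack.com/api/conversations.history?channel=C01A
2021-03-04T09:00:09Z ws-finance-12 "Slack/4.12.0 (Windows)" POST https://slack.com/api/chat.postMessage
2021-03-04T09:03:40Z ws-finance-12 "Slack/4.12.0 (Windows)" POST https://slack.com/api/conversations.history?channel=C01A
2021-03-04T09:05:00Z ws-finance-12 "Mozilla/5.0 (Windows NT 10.0) Chrome/89.0" GET https://example.com/
2021-03-04T09:10:00Z ws-ops-07 "python-requests/2.25.1" POST https://slack.com/api/conversations.history?channel=C0C2
2021-03-04T09:11:00Z ws-ops-07 "python-requests/2.25.1" POST https://slack.com/api/conversations.history?channel=C0C2
2021-03-04T09:12:00Z ws-ops-07 "python-requests/2.25.1" POST https://slack.com/api/conversations.history?channel=C0C2
2021-03-04T09:12:30Z ws-hr-03 "Mozilla/5.0 (Windows NT 10.0) Chrome/89.0" POST https://slack.com/api/files.upload
2021-03-04T09:13:00Z ws-ops-07 "python-requests/2.25.1" POST https://slack.com/api/conversations.history?channel=C0C2
2021-03-04T09:14:00Z ws-ops-07 "python-requests/2.25.1" POST https://slack.com/api/conversations.history?channel=C0C2
2021-03-04T09:15:00Z ws-ops-07 "python-requests/2.25.1" POST https://slack.com/api/conversations.history?channel=C0C2
2021-03-04T09:16:00Z ws-ops-07 "python-requests/2.25.1" POST https://slack.com/api/conversations.history?channel=C0C2
2021-03-04T09:16:05Z ws-ops-07 "python-requests/2.25.1" POST https://slack.com/api/files.upload
2021-03-04T09:16:06Z ws-ops-07 "python-requests/2.25.1" POST https://slack.com/api/chat.postMessage
2021-03-04T09:20:00Z ws-dev-21 "curl/7.68.0" POST https://slack.com/api/auth.test
"""


def parse_line(line):
    """Return a record for a Slack Web API call, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, ua, http_method, url = m.groups()
    if "slack.com/api/" not in url:
        return None
    api_method = url.rsplit("/", 1)[-1].split("?", 1)[0]
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "host": host, "ua": ua, "http": http_method, "api": api_method,
    }


def analyse(log_text, poll_threshold=6, jitter_tolerance_s=2.0):
    """Map host -> list of reasons for hosts showing C2-like Slack usage."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_host[rec["host"]].append(rec)

    findings = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        unsanctioned = sorted({r["ua"] for r in recs
                               if not r["ua"].startswith(SANCTIONED_UA_PREFIXES)})
        if unsanctioned:
            reasons.append("unsanctioned_client:" + ",".join(unsanctioned))
        polls = [r["ts"] for r in recs if r["api"] == POLL_METHOD]
        if len(polls) >= poll_threshold:
            reasons.append(f"polling:{len(polls)}")
            # Near-constant spacing between polls is a classic beacon signature.
            gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
            if gaps and max(gaps) - min(gaps) <= jitter_tolerance_s:
                reasons.append(f"fixed_interval:{statistics.median(gaps):.0f}s")
        uploads = sum(1 for r in recs if r["api"] == UPLOAD_METHOD
                      and not r["ua"].startswith(SANCTIONED_UA_PREFIXES))
        if uploads:
            reasons.append(f"upload_from_unsanctioned_client:{uploads}")
        # Escalate only when an unsanctioned client also shows C2-like
        # behaviour; heavy Slack use from the real client is normal.
        if unsanctioned and len(reasons) > 1:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in analyse(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

Run on the sample, only ws-ops-07 is reported: the finance workstation polls just as often but from the real client, the HR upload comes from a browser, and the lone curl call is not enough on its own. In production the user-agent allowlist would come from the endpoint inventory and the thresholds from a baseline of normal Slack traffic, and a more robust version would key on the process that opened the connection (from EDR telemetry) rather than on a user-agent string, which a backdoor can forge.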
It was also a sign of Iran’s growing sophistication in cyber espionage, he said. “Iran’s a savvy cyber operator, and though its cyber operations are often compared to capabilities from Russia and China, it would be a mistake to underestimate Iranian-sponsored adversaries’ growth.”
MuddyWater, for instance, has previously been linked to ransomware attacks, and in recent years Iran has shown a penchant for using social networks like Facebook and LinkedIn to try to develop relationships with U.S. government targets, to gather data from them and to try to infect their employers’ networks. Iranian hackers have also been accused of trying to infiltrate water supply networks in Israel, and in November two were charged with a disinformation and hacking operation trying to influence the 2020 election.
And on Tuesday, cybersecurity company Mandiant claimed that Iranian hackers, alongside Chinese espionage actors, have been launching attacks via a widespread vulnerability in logging tool Log4j, which has affected many of the world’s biggest tech vendors, from Amazon to Cisco.