Cyber Threat Actor: MuddyWater
| Actor Type | Location | Known Incidents |
Nation State
|
Iran
|
2 incidents |
|---|
Profile
MuddyWater, also tracked underthe aliases TEMP.Zagros and Seedworm, is an Iranian threat actor that has been identified in public reporting. The group is publicly associated with the Rana Institute, a contractor that provides services to the Iranian Ministry of Intelligence. This relationship establishes a direct state‑nexus link between MuddyWater and the Iranian government’s intelligence apparatus. Open‑source assessments locate the group’s operational base within the territory of Iran.
MuddyWater’s intrusion activity has been noted chiefly against airlines and online travel‑booking platforms, where it attempts to collect passenger manifests, reservation records and payment‑card information. The stolen data are consistent with an espionage focus rather than a financially motivated scheme, as the information pertains to movement patterns and personal identifiers. Beyond commercial targets, the leaked internal material shows that the group also conducts surveillance of Iranian citizens residing both inside the country and in foreign jurisdictions. These collection efforts align with a strategic objective of gathering intelligence on individuals and entities of interest to the Iranian state.
The 2019 leak of internal documents exposed MuddyWater’s command‑and‑control infrastructure, including specific server configurations that the group used to manage compromised hosts. Victim IP addresses were disclosed without redaction, revealing the addresses of systems that had been accessed during earlier operations. The leaked files also contained operational planning notes, employee rosters and details of the tools and procedures employed in the campaigns against airlines and travel sites. Collectively, these technical and organizational details, together with the confirmed state affiliation, constitute the publicly verified profile of MuddyWater’s tradecraft and targeting patterns. The information disclosed in the leak has been used by security researchers to validate the group’s operational timeline, which extends back to at least 2015.
