Cyber-Politics: Iran’s ‘static kitten’ strikes govt agencies of UAE and Kuwait

Cyber Warfare Asia
3 min readFeb 22, 2021


Since its origin in 2017, MuddyWater, a cyber-espionage group reportedly based in Iran, has been tied to a number of attacks primarily against Middle Eastern nations. It exploits Zerologon vulnerability in real-world attack campaigns to strike prominent Israeli organizations with malicious payloads.

The government agencies of the United Arab Emirates (UAE) and Kuwait are targets of a new cyber espionage campaign potentially carried out by Iranian threat actors, according to a new research conducted by Anomali, a US-based cyber security company.

Static Kitten Campaign Infection Chain

Attributing the operation to be the work of Static Kitten (aka MERCURY or MuddyWater), Anomali said the “objective of this activity is to install a remote management tool called ScreenConnect (acquired by ConnectWise 2015) with unique launch parameters that have custom properties,” with malware samples and URLs masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait and the UAE National Council.

The state-sponsored hacking group is believed to be working at the behest of Iran’s Islamic Republic Guard Corps (IRGC), the country’s primary intelligence and military service.

Anomali said it spotted two separate lure ZIP files hosted on Onehub that claimed to contain a report on relations between Arab countries and Israel or a file relating to scholarships.

According to Anomali, “We assess that Iran-nexus cyberespionage group Static Kitten, due to Israeli geopolitical-themed lures, Ministry of Foreign Affairs (MOFA) references, and the use of file-storage service Onehub that was attributed to their previous campaign known as Operation Quicksand”.

Static Kitten Lure Document .docx

In mid-2020, the UAE and Israel began the process of normalizing relations. Since then, tensions have further escalated in the region, as reported by numerous sources. The targeting of Kuwait could be tied to multiple factors, including Kuwait’s MOFA making a public statement that they were willing to lead mediation between Iran and Saudi Arabia.

Furthermore, in October 2020, trade numbers for a peace deal between Israel and UAE included an estimate for the creation of 15,000 jobs and $2 billion in revenue on each side. In that same month, Static Kitten reportedly conducted Operation Quicksand, which targeted prominent Israeli organizations and included the use of file-storage service OneHub.

The ultimate goal of the attackers, it appears, is to use the software to connect to endpoints on client networks, enabling them to conduct further lateral movements and execute arbitrary commands in target environments in a bid to facilitate data theft.

Iran is one of the most sanctioned countries in the world, which is proving to be counter-productive. Sanctions have hardened the Islamic nation, which is finding self-reliance as an answer to the various sanctions. It has strengthened its cyber skills and become a huge challenge for the countries on the opposite bloc.

While most countries take outside help to perform cyber operations, Iran has built that ability more or less on its own. For instance, UAE and Saudi Arabia took help from Israeli NSO Group and Germany’s Gamma International, while Qatar took help from US firm, GRA, and Turkey.



Cyber Warfare Asia

Providing news related to state sponsored cyber warfare in Asia