Iranian APT group launches destructive attacks in hybrid Azure AD environments

Recent destructive attacks against organizations that masquerade as a ransomware operation called DarkBit are likely performed by an advanced persistent threat (APT) group that’s affiliated with the Iranian government. During some of these operations the attackers didn’t limit themselves to on-premises systems but jumped into victims’ Azure AD environments where they deleted assets including entire server farms and storage accounts.
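The destructive step described above, deleting Azure resources such as server farms and storage accounts, shows up in the Azure Activity Log as a burst of `delete` operations by one caller. As an added illustration (not part of the original article and not Microsoft's detection logic), the script below scans a few constructed Activity Log records and flags any caller that issues several destructive operations inside a short window. The record field names follow the Activity Log schema; the caller names, subscription id, resource names and threshold values are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Azure Activity Log records (one JSON object per line).
# These are not real telemetry; principal and resource names are made up.
SAMPLE_LOG_LINES = """
{"eventTimestamp": "2023-02-10T07:20:00Z", "caller": "svc-deploy@contoso.example", "operationName": {"value": "Microsoft.Storage/storageAccounts/delete"}, "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-old/providers/Microsoft.Storage/storageAccounts/saold"}
{"eventTimestamp": "2023-02-10T08:00:00Z", "caller": "svc-deploy@contoso.example", "operationName": {"value": "Microsoft.Storage/storageAccounts/delete"}, "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/sabackup01"}
{"eventTimestamp": "2023-02-10T08:01:30Z", "caller": "svc-deploy@contoso.example", "operationName": {"value": "Microsoft.Web/serverfarms/delete"}, "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Web/serverfarms/asp-prod-eastus"}
{"eventTimestamp": "2023-02-10T08:02:10Z", "caller": "svc-deploy@contoso.example", "operationName": {"value": "Microsoft.Storage/storageAccounts/delete"}, "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/salogs02"}
{"eventTimestamp": "2023-02-10T08:03:45Z", "caller": "svc-deploy@contoso.example", "operationName": {"value": "Microsoft.Compute/virtualMachines/delete"}, "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-dc01"}
{"eventTimestamp": "2023-02-10T08:05:00Z", "caller": "ops-admin@contoso.example", "operationName": {"value": "Microsoft.Storage/storageAccounts/write"}, "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/sanew03"}
{"eventTimestamp": "2023-02-10T10:30:00Z", "caller": "ops-admin@contoso.example", "operationName": {"value": "Microsoft.Storage/storageAccounts/delete"}, "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/satempscratch"}
"""

# Resource-provider operations whose bulk use indicates destruction rather than routine change.
DESTRUCTIVE_OPS = {
    "Microsoft.Storage/storageAccounts/delete",
    "Microsoft.Web/serverfarms/delete",
    "Microsoft.Compute/virtualMachines/delete",
}


def parse_events(raw_lines):
    """Parse newline-delimited Activity Log JSON into flat dicts with a datetime."""
    events = []
    for line in raw_lines.strip().splitlines():
        rec = json.loads(line)
        events.append({
            "time": datetime.strptime(rec["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "caller": rec["caller"],
            "op": rec["operationName"]["value"],
            "resource": rec["resourceId"],
        })
    return events


def find_mass_deletions(events, threshold=3, window=timedelta(minutes=10)):
    """Flag callers that perform >= threshold destructive operations within `window`.

    Uses a two-pointer sliding window per caller over time-sorted events and
    reports the densest burst found for each flagged caller.
    """
    by_caller = defaultdict(list)
    for ev in events:
        if ev["op"] in DESTRUCTIVE_OPS:
            by_caller[ev["caller"]].append(ev)

    alerts = []
    for caller, evs in by_caller.items():
        evs.sort(key=lambda e: e["time"])
        best = None
        j = 0
        for i in range(len(evs)):
            # Extend the window end as far as it fits; j only moves forward.
            while j < len(evs) and evs[j]["time"] - evs[i]["time"] <= window:
                j += 1
            count = j - i
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "caller": caller,
                    "count": count,
                    "start": evs[i]["time"],
                    "end": evs[j - 1]["time"],
                    "resources": [e["resource"] for e in evs[i:j]],
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_mass_deletions(parse_events(SAMPLE_LOG_LINES)):
        print(f"{alert['caller']}: {alert['count']} destructive operations "
              f"between {alert['start']:%H:%M:%S} and {alert['end']:%H:%M:%S}")
        for res in alert["resources"]:
            print("   ", res)
```

In the sample, `svc-deploy@contoso.example` deletes four resources within four minutes and is flagged; its earlier single deletion at 07:20 falls outside the ten-minute window and is not counted, and the lone deletion by `ops-admin@contoso.example` stays under the threshold. In practice the threshold and window need tuning against legitimate infrastructure-as-code teardowns, and an alert on a service principal or synced hybrid identity is the cue to check where that identity obtained its Azure permissions.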

Researchers from Microsoft track this cluster of malicious activity under the temporary identifier DEV-1084, but they found strong links between it and resources and techniques used in the past by an Iranian APT group known in the security industry as MERCURY or MuddyWater. Last year, the US Cyber Command officially attributed MuddyWater to a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).
