Cybercrime

Leak Reveals Activity of Iranian Hacking Group

Documents associated with the activity of Iranian APT group “Rana” have leaked online recently, exposing the group’s targeting of individuals, as well as information on what appears to be some of the group’s members.

Posted on the Telegram channel Black Box, the leak is one of three seen over the past several weeks; the other two exposed details related to the OilRig and MuddyWater groups.

While those two groups have been analyzed by the security community before, Rana cannot currently be attributed to any other known Iranian actor, according to security firm ClearSky, which analyzed the leak, concluded it is authentic, and documented its findings in a report (PDF).

The documents posted on the Black Box channel on May 5 include dozens of confidential files labeled “secret,” apparently the second-highest confidentiality level in Iran. The leak includes documents from the Iranian Ministry of Intelligence about the Rana group’s tracking of Iranians both inside and outside Iran, and about the group’s members.

“These documents contain lists of victims, cyber-attack strategies, alleged areas of access, a list of employees, and screenshots from internal websites relevant to espionage systems,” ClearSky reveals. 

One of the documents, the security firm says, appears to come from Kavesh, the center for IT security incidents; however, it seems to have been adapted from an original document produced by the Islamic Revolutionary Guard Corps.

“This document was partly leaked and contained details regarding a development program of a malware for attacking SCADA systems (similar Stuxnet),” ClearSky says. 

The “secret” documents included in the leak appear to originate from a hacking and penetration team within the Iranian Ministry of Intelligence. 


An image found among the documents appears to show an attempt to conceal currency procurement carried out through a virtual environment (a VMware server).

One document includes the first pages of the 2015 end-of-year report, which reveals plans to hack airline companies to collect information; the security firm believes these attacks were carried out.

The information the report’s authors said should be gathered included details on flights and on the individuals who might board them, including suspicious persons; details on passengers of specific airlines; details about flight crews and airline employees; the airlines’ financial status; and details on the equipment used by each company.

A report covering March 2016 to August 2016 details several tracking projects, including attacks on airlines’ databases (Qatar’s database and queries on flights; Israir’s database; Dubai activity; Skyward’s activity), the Turkish police database, an insurance company’s databases in Saudi Arabia, and the databases of the RTA in the UAE.

The document also describes measures taken before attacks, preliminary research, and possible attack vectors, such as meeting with employees of the international airport in Tehran to learn about the airport’s systems.

The leaked documents also reveal information on the hacking of Israeli insurance companies, attacks targeting hotel booking websites in Israel, the targeting of Israeli airlines’ databases, an attack on the Teletus website and other hotel booking companies, and an attack on the Israeli Ministry of Agriculture.

Other documents reveal information on attacks against non-Israeli targets, such as government ministries in Kuwait, where the goal was to compromise a Kuwaiti email service in order to gather information on the Ministry of Foreign Affairs.

The actor also carried out phishing and spear-phishing attacks against various organizations, including the “Atam Alanya” hospital and the Qatari oil company, as well as against people connected to the Foreign Ministry.

Another document in the leak details the development of a piece of malware and a command and control (C&C) server intended to damage SCADA systems. Designed to operate as a botnet, the malware functions as spyware, combining identification, espionage, and remote-connection capabilities. The project appears to have been unsuccessful, ClearSky says.

Related: Kaspersky Analyzes Hacking Group’s Homegrown Attack Tools

Related: Source Code of Iran-Linked Hacking Tools Posted Online

Related: Former U.S. Air Force Officer Indicted for Aiding Iranian Cyber Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
