Leak Reveals Activity of Iranian Hacking Group

Documents associated with the activity of Iranian APT group “Rana” have leaked online recently, exposing the group’s targeting of individuals, as well as information on what appears to be some of the group’s members.

Posted on the Telegram channel Black Box, the leak is one of three seen over the past several weeks; the other two exposed details related to the OilRig and MuddyWater groups.

While those two groups have been analyzed previously by the security community, Rana cannot currently be attributed to any other known Iranian actor, security firm ClearSky notes in a report (PDF). ClearSky analyzed the leak and concluded that it is authentic.

Documents posted on the Black Box channel on May 5 include dozens of confidential documents labeled as “secret,” which is apparently the second highest confidentiality level in Iran. The leak included documents by the Iranian Ministry of Intelligence about the Rana group’s tracking of Iranians in and outside of Iran, and about the group’s members. 

“These documents contain lists of victims, cyber-attack strategies, alleged areas of access, a list of employees, and screenshots from internal websites relevant to espionage systems,” ClearSky reveals. 

One of the documents, the security firm says, appears to be from the center for IT security incidents Kavesh. However, it was seemingly adapted from the original document by the Islamic Revolutionary Guard Corps. 

“This document was partly leaked and contained details regarding a development program of a malware for attacking SCADA systems (similar Stuxnet),” ClearSky says. 

The “secret” documents included in the leak appear to originate from a hacking and penetration team within the Iranian Ministry of Intelligence. 

An image found among the documents reportedly shows an attempt to conceal currency procurement carried out through a virtual environment (a VMware server).

One document included the first pages of the 2015 end-of-year report, revealing plans to hack airline companies to collect information, and the security firm believes the attacks were carried out. 

Information the writers said should be gathered included details on flights and on the individuals who might board them, including suspicious people; details on passengers in specific airlines; details about the flight crew; airline employees; airlines’ financial status; and details on equipment used by the company. 

A report covering the March 2016 to August 2016 period details several tracking projects, such as attacks on: airlines’ databases (Qatar’s database and queries on flights; Israir’s database; Dubai activity; Skyward’s activity); the Turkish police database; an insurance company’s databases in Saudi Arabia; and RTA’s databases in the UAE.

The document also includes details on measures taken before attacks, preliminary research, and possible attack vectors, such as meeting with employees from the international airport in Tehran to learn about the airport’s systems.

The leaked documents also reveal information on the hacking of Israel’s insurance companies, on attacks targeting hotel booking websites in Israel, on the targeting of Israeli airlines’ databases, an attack on Teletus website and other hotel booking companies, and an attack on the Israeli Ministry of Agriculture. 

Other documents reveal information on attacks against non-Israeli targets, such as government ministries in Kuwait. The goal there was to compromise a Kuwaiti email service in order to gather information on the Ministry of Foreign Affairs.

The actor also performed phishing and spear-phishing attacks on various firms, including the “Atam Alanya” hospital and the Qatari oil company, as well as people related to the Foreign Ministry.

Another document in the leak details the development of malware and a command and control (C&C) server intended to damage SCADA systems. The malware, built as a botnet, works as spyware, combining identification, espionage and remote connection capabilities. The project appears to have been unsuccessful, ClearSky says.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
