Iranian Cyber-Espionage Exposed

Uploaded on 2019-05-17 in TECHNOLOGY--Hackers, INTELLIGENCE-Hot Spots-Iran, FREE TO VIEW

Two new leaks exposing Iranian cyber-espionage operations have been published, via Telegram channels, on the Dark Web and the Internet.

One leak claims to contain operational data from the MuddyWater hacking group, while the second leak reveals information about a new group identified in official Iranian government documents as the Rana Institute, and currently not linked to any known Iranian cyber-espionage group.

Because this data was put up for sale, the leakers did not release any tools for free, like Lab Dookhtegam in the first leak. Instead, they posted images showing the source code of a command and control (C&C) server used by the Iranian  MuddyWater hacking group. Also,images of MuddyWater C&C server backends, which also included unredacted IP addresses of some of MuddyWater's victims.

Because the leakers have revealed only a small sample of data in the form of screenshots, the jury is still out on the authenticity of this leak; however, it cannot be discounted for the time being. 

Both ZDNet and Minerva Labs have been keeping an eye on this leak for new developments, but besides having the Telegram channels suspended and having to create new ones, nothing new has been shared for a few days now.

The three main Telegram groups on which the leaks were posted are: 

  • Lab Dookhtegam pseudonym ("The people whose lips are stitched and sealed", which is a translation from Persian) – In this channel attack tools attributed to the group 'OilRig' were leaked; including a webshell that was inserted into the Technion, various tools that were used for DNS attacks, and more. 
  • Green Leakers – In this channel attack tools attributed to the group 'MuddyWatter' were leaked. The group's name and its symbol are identified with the "green movement", which led the protests in Iran after the Presidential elections in 2009. These protests were heavily repressed by the revolutionary guards (IRGC) 
  • Black Box – Unlike the previous two channels this has been in existence for some time. On Friday May 5th 2019 dozens of confidential documents labeled as "secret" (a high confidentiality level in Iran, one before the highest - top secret) were posted on this channel. The documents were related to Iranian attack groups' activity. 

The documents leaked include documents by the Iranian Ministry of Intelligence (comparable to the FBI and CIA) with information about a group known as "Rana".

At this stage, we cannot attribute the group to other known Iranian actors. These documents contain lists of victims, cyber-attack strategies, alleged areas of access, a list of employees, and screenshots from internal websites relevant to espionage systems. 

Further, a one of the document appears to be from the center for IT security incidents Kavesh". Note however that it was adapted from the original document by the Islamic Revolutionary Guard Corps, and now also contains their symbol. 

This document was partly leaked and contained details regarding a development program of a malware for attacking SCADA systems, similar to Stuxnet. 

ClearSky:          ZDNet

You Might Also Read: 

US Electric Grid Suffers Unexplained DDoS Attack:

 

« Cyber Breaches Will Kill
Google Blocks Huawei From Android »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Vertical Structure

Vertical Structure

Vertical Structure services include Security & Penetration Testing, Information Assurance, Bespoke Training Programs and Secure Hosting.

FlashRouters

FlashRouters

FlashRouters offers DD-WRT compatible router models with improved performance, privacy/security options, and advanced functionality.

Spirion

Spirion

Spirion offers data discovery, classification, and protection tools for your business's privacy, security, and compliance program to avoid gaps and risks.

Direct Recruiters Inc

Direct Recruiters Inc

Direct Recruiters is a relationship-focused search firm that assists IT Security and Cybersecurity companies with recruiting high-impact talent.

Certego

Certego

Certego is a company of the VEM Sistemi Group specialised in providing managed computer security services and to combat Cyber Crime.

BHC Laboratory

BHC Laboratory

BHC Laboratory is a cyber capabilities’ development company for a wide range of global customers.

Taoglas

Taoglas

Taoglas Next Gen IoT Edge software provides a pay as you go platform for customers to connect, manage and maintain their edge devices in an efficient and secure way.

Quantum Xchange

Quantum Xchange

As the provider of unbreakable quantum-safe encryption, Quantum Xchange gives commercial enterprises and government agencies the ultimate defense to keep high-value data safe.

Trusted Connectivity Alliance (TCA)

Trusted Connectivity Alliance (TCA)

Trusted Connectivity Alliance is a global, non-profit industry association which is working to enable a secure connected future.

Microchip Technology

Microchip Technology

Microchip Technology Inc. is a leading provider of smart, connected and secure embedded control solutions.

Camel Secure

Camel Secure

Camel Secure is a company specialized in the development of products for information security and technology risk management.

R-Tech

R-Tech

R-Tech GmbH manages the digital start-up initiative, whose goal is to build a sustainable start-up culture in the field of digitization throughout the Upper Palatinate district of Bavaria.

Seemplicity

Seemplicity

Seemplicity revolutionizes the way security teams work by automating, optimizing and scaling all risk reduction workflows in one workspace.

Delta Partners

Delta Partners

Delta Partners is a venture capital firm investing in Ireland and the United Kingdom with a strong focus on early stage technology companies.

InfoSight

InfoSight

InfoSight offers proven Cyber Security, Regulatory Compliance, Risk Management and Infrastructure Solutions to protect your business and your customers from cyber crime and fraud.

Triovega

Triovega

Triovega are a leading provider for production security and efficiency. Our solutions enhance OT security, and reduce production downtime.