Iranian Cyber-Espionage Exposed
Two new leaks exposing Iranian cyber-espionage operations have been published, via Telegram channels, on the Dark Web and the Internet.
One leak claims to contain operational data from the MuddyWater hacking group, while the second leak reveals information about a new group identified in official Iranian government documents as the Rana Institute, and currently not linked to any known Iranian cyber-espionage group.
Because this data was put up for sale, the leakers did not release any tools for free, like Lab Dookhtegam in the first leak. Instead, they posted images showing the source code of a command and control (C&C) server used by the Iranian MuddyWater hacking group. Also,images of MuddyWater C&C server backends, which also included unredacted IP addresses of some of MuddyWater's victims.
Because the leakers have revealed only a small sample of data in the form of screenshots, the jury is still out on the authenticity of this leak; however, it cannot be discounted for the time being.
Both ZDNet and Minerva Labs have been keeping an eye on this leak for new developments, but besides having the Telegram channels suspended and having to create new ones, nothing new has been shared for a few days now.
The three main Telegram groups on which the leaks were posted are:
- Lab Dookhtegam pseudonym ("The people whose lips are stitched and sealed", which is a translation from Persian) – In this channel attack tools attributed to the group 'OilRig' were leaked; including a webshell that was inserted into the Technion, various tools that were used for DNS attacks, and more.
- Green Leakers – In this channel attack tools attributed to the group 'MuddyWatter' were leaked. The group's name and its symbol are identified with the "green movement", which led the protests in Iran after the Presidential elections in 2009. These protests were heavily repressed by the revolutionary guards (IRGC)
- Black Box – Unlike the previous two channels this has been in existence for some time. On Friday May 5th 2019 dozens of confidential documents labeled as "secret" (a high confidentiality level in Iran, one before the highest - top secret) were posted on this channel. The documents were related to Iranian attack groups' activity.
The documents leaked include documents by the Iranian Ministry of Intelligence (comparable to the FBI and CIA) with information about a group known as "Rana".
At this stage, we cannot attribute the group to other known Iranian actors. These documents contain lists of victims, cyber-attack strategies, alleged areas of access, a list of employees, and screenshots from internal websites relevant to espionage systems.
Further, a one of the document appears to be from the center for IT security incidents Kavesh". Note however that it was adapted from the original document by the Islamic Revolutionary Guard Corps, and now also contains their symbol.
This document was partly leaked and contained details regarding a development program of a malware for attacking SCADA systems, similar to Stuxnet.
ClearSky: ZDNet:
You Might Also Read:
US Electric Grid Suffers Unexplained DDoS Attack: