Two Iranian cyber espionage groups’ activities were leaked on the Dark Web

Two new leaks exposing Iranian cyber-espionage operations have appeared online. One published operational data belonging to the MuddyWater hacking group, while the other revealed information about a previously unknown group, the Rana Institute, which is not linked to any of the currently known Iranian cyber-espionage organizations.

In April, a mysterious persona calling itself Lab Dookhtegan published the source code of malware used by APT34 (OilRig), a cyber-espionage group tied to the Iranian government, on a Telegram channel. The latest leaks are different: the leakers did not publish malware source code. Instead, they posted screenshots of source code, screenshots of command-and-control server backends, and screenshots relating to some of the victims. The leakers appear to want to expose Iran's hacking practices and undermine Iran's relations with its neighbors, its foreign political allies, and private companies.

A group calling itself Green Leakers revealed information about the MuddyWater hacking group. Green Leakers still operates two Telegram channels and two dark web sites, and offers MuddyWater APT data for sale on those sites.

They published screenshots of the source code of MuddyWater's command-and-control (C&C) server, screenshots of the C&C server backend, and the IP addresses of some MuddyWater victims. Because the leakers have so far released only a small number of samples, and only as screenshots, no final conclusion can be drawn about the authenticity of the material.

ZDNet tracked another, similar leak on a Persian-language public website and a Telegram channel. The unidentified leaker dumped documents marked "secret" from the Iranian intelligence service describing the Rana Institute. Security researchers at Minerva Labs and ClearSky Security confirmed the authenticity of the disclosure.

The leaked documents amount to a threat-intelligence dossier on a new group, the Rana Institute, which has been active since 2015 but whose activities had never been detected. The files include a list of victims, cyber-attack strategies, areas of access, member lists, and screenshots of internal websites connected to the espionage system. The documents also reveal some of the group's activities, such as tracking Iranian citizens both inside and outside Iran. The material posted on the website further contains personal information about Rana Institute members and a wealth of detail about the group's operations. Most of the group's activity has been directed at airlines, to obtain passenger lists, and at travel booking sites, to obtain booking and payment card data. Beyond airlines and travel booking sites, the group has also attacked insurance, IT and telecommunications companies and government agencies around the world.

According to the published documents, Rana hackers have also developed malware, including a project to build malware capable of disrupting SCADA industrial control systems. ClearSky researchers said that despite heavy investment, the project ultimately did not succeed.

By exposing the Rana organization, the leaker achieved the goal of undermining Iranian cyber espionage. The disclosure is likely to force Iranian hacking groups to postpone current or planned attacks.

Source: ZDNet