Documents associated with the activity of Iranian APT group “Rana” have leaked online recently, exposing the group’s targeting of individuals, as well as information on what appears to be some of the group’s members.
While these two groups have been previously analyzed by the security community, Rana cannot currently be attributed to any other known Iranian actor, security firm ClearSky, which analyzed the leak and concluded it is authentic, notes in a report (PDF).
Documents posted on the Black Box channel on May 5 include dozens of confidential documents labeled as “secret,” which is apparently the second highest confidentiality level in Iran. The leak included documents by the Iranian Ministry of Intelligence about the Rana group’s tracking of Iranians in and outside of Iran, and about the group’s members.
“These documents contain lists of victims, cyber-attack strategies, alleged areas of access, a list of employees, and screenshots from internal websites relevant to espionage systems,” ClearSky reveals.
One of the documents, the security firm says, appears to originate from the Kavesh center for IT security incidents. However, it was seemingly adapted from an original document produced by the Islamic Revolutionary Guard Corps.
“This document was partly leaked and contained details regarding a development program of a malware for attacking SCADA systems (similar to Stuxnet),” ClearSky says.
The “secret” documents included in the leak appear to originate from a hacking and penetration team within the Iranian Ministry of Intelligence.
An image found among the documents appears to reveal an attempt to conceal currency procurement carried out through a virtual environment (a VMware server).
One document included the first pages of the 2015 end-of-year report, revealing plans to hack airline companies to collect information, and the security firm believes the attacks were carried out.
According to the report's authors, the information to be gathered included details on flights and on the individuals who might board them, including suspicious people; details on passengers of specific airlines; details about the flight crew and airline employees; the airlines' financial status; and details on the equipment used by the company.
A report on the March 2016 to August 2016 period details several tracking projects, such as attacks on: airlines’ databases (Qatar’s database, and queries on flights; Israir’s database; Dubai activity; Skyward’s activity), the Turkish police database, an insurance company’s databases in Saudi Arabia; and RTA’s databases from the UAE.
The document also includes details on measures taken before attacks, preliminary research, and possible attack vectors, such as meeting with employees from the international airport in Tehran to learn about the airport’s systems.
The leaked documents also reveal information on the hacking of Israeli insurance companies, attacks targeting hotel booking websites in Israel, the targeting of Israeli airlines' databases, an attack on the Teletus website and other hotel booking companies, and an attack on the Israeli Ministry of Agriculture.
Other documents reveal information on attacks on non-Israeli targets, such as government ministries in Kuwait. The goal was to compromise a Kuwaiti email service in order to gather information on the Ministry of Foreign Affairs.
The actor also performed phishing and spear-phishing attacks on various firms, including the “Atam Alanya” hospital and the Qatari oil company, as well as people related to the Foreign Ministry.
Another document in the leak details the development of malware and a command and control (C&C) server, with the goal of damaging SCADA systems. Built as a botnet, the malware works as spyware, with identification, espionage and remote connection capabilities. The project appears to have been unsuccessful, ClearSky says.