Data Dump Purportedly Reveals Details on Previously Unknown Iranian Threat Group

  /     /     /  
Publicated : 23/11/2024   Category : security


Data Dump Purportedly Reveals Details on Previously Unknown Iranian Threat Group


Rana targets airline companies and others in well-planned, well-researched attacks, Israels ClearSky says.



Newly leaked documents purportedly about a hitherto unknown Iranian cyber espionage group called Rana show in some detail the considerable planning and attention that goes into modern advanced persistent threat (APT) operations.
For enterprise organizations, the documents — if authentic — provide a rare glimpse of the methodical manner in which APT groups go after targets, gather information, find weak spots, and devise strategies for exploiting them.
For cyber defenders around the world, it is important to understand how the attackers are working, says Boaz Dolev, CEO at ClearSky Cyber Security, an Israel-based cybersecurity firm that claims to have inspected the documents and found them to be authentic. Looking at what they are doing tells us a lot of what needs to be done to protect against them, Dolev adds.
Dozens of documents supposedly pertaining to Irans Rana operation was publicly leaked May 5 via a user group on the Telegram app called Black Box. The Rana documents were the third set of documents on Irans cyber espionage operations that have been leaked in recent weeks by an unknown actor whose motives remain unclear.
Last month, details on attack tools attributed to Irans OilRig APT group were publicly released via another Telegram group called Lab Dookhtegan. A few days later, details on attack tools associated with Iranian attacker MuddyWater were released, this time through Telegram channel Green Leakers.
Robert Falcone, senior principal researcher for Unit 42 at Palo Alto Networks, says the company has not so far been able to validate the authenticity of the leaked documents. But some of the tools released in the first data dump appeared to be consistent with previous observations and research on the OilRig group. Another leaked tool appeared to be part of DNSpionage, a cyber espionage campaign that targets organizations in the Middle East, Falcone says.
According to ClearSky, the documents on Rana appear to be from a hacking and penetration testing team within Irans Ministry of Intelligence and shed light on the groups targeting, its victims, cyberattack strategies, and its members.
Ranas hacking and cyber espionage activities appear to be part of much broader set of objectives, ranging from the propagation of Islamic culture and ideas to gathering strategic intelligence, developing technological capabilities, and keeping an eye on dissidents in the country,
according to ClearSky
.
The leaked information shows the group (and, likely, other Iranian APTs) is heavily focused on airline companies, government agencies, and communications and phone companies. Rana and likely other operatives in the past few years have targeted and seemingly compromised multiple airlines and other companies. Among the airlines the groups have targeted are Ethiopian Airlines, Malaysian Airlines, AirAsia, Philippine Airlines, and Thai Airways.
One of the leaked files is a report describing Ranas activities between March 2016 and August 2016. The document has references to attacks on and analysis of databases at Qatar Airways, Israeli airline Israir, Turkish police, and an insurance company in Saudi Arabia. The document suggests that attackers gained access to their targeted systems on multiple occasions. A reference to an attack on an Israeli hotel website, for instance, suggested the attackers had gained full access to the websites database and to data such as names, password, and credit card data belonging to some 86,000 users.
Careful Planning
Another document describes the groups preparation before launching an attack. This included meeting with employees at Tehrans international airport to learn about airports systems and gather information on flight and check-in systems as well as security procedures. The team also conducted research on Oracle, SQL Server, and other databases and learned how to quickly enter databases with SQL Loader and Bulk Insert, according to ClearSky.
A report on Ranas activities between March and August 2017 describes an attack against an email service provider in Kuwait involving the use of two separate teams — a hacking squad and a social engineering team. The attack was apparently designed to gain access to the Kuwait Ministry of Foreign Affairs. The hacking teams activities included penetration tests against Foreign Ministry systems and mapping of all IP addresses, domains, websites, and applications that the ministry used, according to ClearSky.
The objective was to find out what systems were open and accessible from the Internet. That information was later relayed to the social engineering team, which then targeted specific people related to the foreign ministry while concurrently setting up a server and website for the operation.
Other documents show that in preparing for attacks on Ethiopian Airlines and Malaysia Airlines, Iranian attackers gathered information on the operational technologies used by airlines and airports and identified database admins and admins of various Internet-exposed systems.
Targets
The data suggests that Rana and other APTs are very persistent, Dolev said. They keep trying and trying till they succeed.
 
Members of Rana appear to be experts in areas such as encryption, firmware, and malware and virus development, ClearSky said. They have been organized into multiple teams including Linux, MacOS, Android, iOS, Windows Mobile, and a malware and virus development team. Some team members appear fluent in multiple languages.
 
Ranas targets have included organizations in more than 30 countries, a vast majority of them in Asia. Targeted countries include India, Thailand, Philippines, Malaysia, Indonesia, and Kuwait. Other countries of interest to the group include Egypt, South Africa, New Zealand, and Australia.
 
The recent data dumps are likely to temporarily slow Rana and other Iranian APT groups, Dolev says. Their first priority likely is going to be to try and find the source of he leaks and close that, he said. If you are so exposed, then maybe all your future plans are also leaked but nobody has reported it yet, he says. They should be very concerned, he says. 
Related Content:
Iran Ups its Traditional Cyber Espionage Tradecraft
Ex-US Intel Officer Charged with Helping Iran Target Her Former Colleagues
Iranian Hacker Group Waging Widespread Espionage Campaign in Middle East
7 Key Stats That Size Up the Cybercrime Deluge
  
 
 
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industrys most knowledgeable IT security experts. Check out the
Interop agenda
here.

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Data Dump Purportedly Reveals Details on Previously Unknown Iranian Threat Group