Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/9/2019
08:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Data Dump Purportedly Reveals Details on Previously Unknown Iranian Threat Group

Rana targets airline companies and others in well-planned, well-researched attacks, Israel's ClearSky says.

Newly leaked documents purportedly about a hitherto unknown Iranian cyber espionage group called Rana show in some detail the considerable planning and attention that goes into modern advanced persistent threat (APT) operations.

For enterprise organizations, the documents — if authentic — provide a rare glimpse of the methodical manner in which APT groups go after targets, gather information, find weak spots, and devise strategies for exploiting them.

"For cyber defenders around the world, it is important to understand how the attackers are working," says Boaz Dolev, CEO at ClearSky Cyber Security, an Israel-based cybersecurity firm that claims to have inspected the documents and found them to be authentic. "Looking at what they are doing tells us a lot of what needs to be done to protect against them," Dolev adds.

Dozens of documents supposedly pertaining to Iran's Rana operation was publicly leaked May 5 via a user group on the Telegram app called Black Box. The Rana documents were the third set of documents on Iran's cyber espionage operations that have been leaked in recent weeks by an unknown actor whose motives remain unclear.

Last month, details on attack tools attributed to Iran's OilRig APT group were publicly released via another Telegram group called Lab Dookhtegan. A few days later, details on attack tools associated with Iranian attacker MuddyWater were released, this time through Telegram channel Green Leakers.

Robert Falcone, senior principal researcher for Unit 42 at Palo Alto Networks, says the company has not so far been able to validate the authenticity of the leaked documents. But some of the tools released in the first data dump appeared to be consistent with previous observations and research on the OilRig group. Another leaked tool appeared to be part of DNSpionage, a cyber espionage campaign that targets organizations in the Middle East, Falcone says.

According to ClearSky, the documents on Rana appear to be from a hacking and penetration testing team within Iran's Ministry of Intelligence and shed light on the group's targeting, its victims, cyberattack strategies, and its members.

Rana's hacking and cyber espionage activities appear to be part of much broader set of objectives, ranging from the propagation of Islamic culture and ideas to gathering strategic intelligence, developing technological capabilities, and keeping an eye on dissidents in the country, according to ClearSky.

The leaked information shows the group (and, likely, other Iranian APTs) is heavily focused on airline companies, government agencies, and communications and phone companies. Rana and likely other operatives in the past few years have targeted and seemingly compromised multiple airlines and other companies. Among the airlines the groups have targeted are Ethiopian Airlines, Malaysian Airlines, AirAsia, Philippine Airlines, and Thai Airways.

One of the leaked files is a report describing Rana's activities between March 2016 and August 2016. The document has references to attacks on and analysis of databases at Qatar Airways, Israeli airline Israir, Turkish police, and an insurance company in Saudi Arabia. The document suggests that attackers gained access to their targeted systems on multiple occasions. A reference to an attack on an Israeli hotel website, for instance, suggested the attackers had gained full access to the website's database and to data such as names, password, and credit card data belonging to some 86,000 users.

Careful Planning
Another document describes the group's preparation before launching an attack. This included meeting with employees at Tehran's international airport to learn about airport's systems and gather information on flight and check-in systems as well as security procedures. The team also conducted research on Oracle, SQL Server, and other databases and learned how to quickly enter databases with SQL Loader and Bulk Insert, according to ClearSky.

A report on Rana's activities between March and August 2017 describes an attack against an email service provider in Kuwait involving the use of two separate teams — a hacking squad and a social engineering team. The attack was apparently designed to gain access to the Kuwait Ministry of Foreign Affairs. The hacking team's activities included penetration tests against Foreign Ministry systems and mapping of all IP addresses, domains, websites, and applications that the ministry used, according to ClearSky.

The objective was to find out what systems were open and accessible from the Internet. That information was later relayed to the social engineering team, which then targeted specific people related to the foreign ministry while concurrently setting up a server and website for the operation.

Other documents show that in preparing for attacks on Ethiopian Airlines and Malaysia Airlines, Iranian attackers gathered information on the operational technologies used by airlines and airports and identified database admins and admins of various Internet-exposed systems.

Targets
The data suggests that Rana and other APTs are very persistent, Dolev said. "They keep trying and trying till they succeed."
 
Members of Rana appear to be experts in areas such as encryption, firmware, and malware and virus development, ClearSky said. They have been organized into multiple teams including Linux, MacOS, Android, iOS, Windows Mobile, and a malware and virus development team. Some team members appear fluent in multiple languages.
 
Rana's targets have included organizations in more than 30 countries, a vast majority of them in Asia. Targeted countries include India, Thailand, Philippines, Malaysia, Indonesia, and Kuwait. Other countries of interest to the group include Egypt, South Africa, New Zealand, and Australia.
 
The recent data dumps are likely to temporarily slow Rana and other Iranian APT groups, Dolev says. Their first priority likely is going to be to try and find the source of he leaks and close that, he said. "If you are so exposed, then maybe all your future plans are also leaked but nobody has reported it yet," he says. "They should be very concerned," he says. 

Related Content:

  

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12551
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, improper validation of arguments in the internal implementation of the Memcpy function (provided by the scripting engine) allows an attacker to overwrite arbitrary memory, which could lead to code execution.
CVE-2019-12552
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, an integer overflow during the initialization of variables could allow an attacker to cause a denial of service.
CVE-2019-3414
PUBLISHED: 2019-07-22
All versions up to V1.19.20.02 of ZTE OTCP product are impacted by XSS vulnerability. Due to XSS, when an attacker invokes the security management to obtain the resources of the specified operation code owned by a user, the malicious script code could be transmitted in the parameter. If the front en...
CVE-2019-10102
PUBLISHED: 2019-07-22
tcpdump.org tcpdump 4.9.2 is affected by: CWE-126: Buffer Over-read. The impact is: May expose Saved Frame Pointer, Return Address etc. on stack. The component is: line 234: "ND_PRINT((ndo, "%s", buf));", in function named "print_prefix", in "print-hncp.c". Th...
CVE-2019-10102
PUBLISHED: 2019-07-22
aubio 0.4.8 and earlier is affected by: null pointer. The impact is: crash. The component is: filterbank. The attack vector is: pass invalid arguments to new_aubio_filterbank. The fixed version is: after commit eda95c9c22b4f0b466ae94c4708765eaae6e709e.