Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:30 PM
Connect Directly

Data Dump Purportedly Reveals Details on Previously Unknown Iranian Threat Group

Rana targets airline companies and others in well-planned, well-researched attacks, Israel's ClearSky says.

Newly leaked documents purportedly about a hitherto unknown Iranian cyber espionage group called Rana show in some detail the considerable planning and attention that goes into modern advanced persistent threat (APT) operations.

For enterprise organizations, the documents — if authentic — provide a rare glimpse of the methodical manner in which APT groups go after targets, gather information, find weak spots, and devise strategies for exploiting them.

"For cyber defenders around the world, it is important to understand how the attackers are working," says Boaz Dolev, CEO at ClearSky Cyber Security, an Israel-based cybersecurity firm that claims to have inspected the documents and found them to be authentic. "Looking at what they are doing tells us a lot of what needs to be done to protect against them," Dolev adds.

Dozens of documents supposedly pertaining to Iran's Rana operation was publicly leaked May 5 via a user group on the Telegram app called Black Box. The Rana documents were the third set of documents on Iran's cyber espionage operations that have been leaked in recent weeks by an unknown actor whose motives remain unclear.

Last month, details on attack tools attributed to Iran's OilRig APT group were publicly released via another Telegram group called Lab Dookhtegan. A few days later, details on attack tools associated with Iranian attacker MuddyWater were released, this time through Telegram channel Green Leakers.

Robert Falcone, senior principal researcher for Unit 42 at Palo Alto Networks, says the company has not so far been able to validate the authenticity of the leaked documents. But some of the tools released in the first data dump appeared to be consistent with previous observations and research on the OilRig group. Another leaked tool appeared to be part of DNSpionage, a cyber espionage campaign that targets organizations in the Middle East, Falcone says.

According to ClearSky, the documents on Rana appear to be from a hacking and penetration testing team within Iran's Ministry of Intelligence and shed light on the group's targeting, its victims, cyberattack strategies, and its members.

Rana's hacking and cyber espionage activities appear to be part of much broader set of objectives, ranging from the propagation of Islamic culture and ideas to gathering strategic intelligence, developing technological capabilities, and keeping an eye on dissidents in the country, according to ClearSky.

The leaked information shows the group (and, likely, other Iranian APTs) is heavily focused on airline companies, government agencies, and communications and phone companies. Rana and likely other operatives in the past few years have targeted and seemingly compromised multiple airlines and other companies. Among the airlines the groups have targeted are Ethiopian Airlines, Malaysian Airlines, AirAsia, Philippine Airlines, and Thai Airways.

One of the leaked files is a report describing Rana's activities between March 2016 and August 2016. The document has references to attacks on and analysis of databases at Qatar Airways, Israeli airline Israir, Turkish police, and an insurance company in Saudi Arabia. The document suggests that attackers gained access to their targeted systems on multiple occasions. A reference to an attack on an Israeli hotel website, for instance, suggested the attackers had gained full access to the website's database and to data such as names, password, and credit card data belonging to some 86,000 users.

Careful Planning
Another document describes the group's preparation before launching an attack. This included meeting with employees at Tehran's international airport to learn about airport's systems and gather information on flight and check-in systems as well as security procedures. The team also conducted research on Oracle, SQL Server, and other databases and learned how to quickly enter databases with SQL Loader and Bulk Insert, according to ClearSky.

A report on Rana's activities between March and August 2017 describes an attack against an email service provider in Kuwait involving the use of two separate teams — a hacking squad and a social engineering team. The attack was apparently designed to gain access to the Kuwait Ministry of Foreign Affairs. The hacking team's activities included penetration tests against Foreign Ministry systems and mapping of all IP addresses, domains, websites, and applications that the ministry used, according to ClearSky.

The objective was to find out what systems were open and accessible from the Internet. That information was later relayed to the social engineering team, which then targeted specific people related to the foreign ministry while concurrently setting up a server and website for the operation.

Other documents show that in preparing for attacks on Ethiopian Airlines and Malaysia Airlines, Iranian attackers gathered information on the operational technologies used by airlines and airports and identified database admins and admins of various Internet-exposed systems.

The data suggests that Rana and other APTs are very persistent, Dolev said. "They keep trying and trying till they succeed."
Members of Rana appear to be experts in areas such as encryption, firmware, and malware and virus development, ClearSky said. They have been organized into multiple teams including Linux, MacOS, Android, iOS, Windows Mobile, and a malware and virus development team. Some team members appear fluent in multiple languages.
Rana's targets have included organizations in more than 30 countries, a vast majority of them in Asia. Targeted countries include India, Thailand, Philippines, Malaysia, Indonesia, and Kuwait. Other countries of interest to the group include Egypt, South Africa, New Zealand, and Australia.
The recent data dumps are likely to temporarily slow Rana and other Iranian APT groups, Dolev says. Their first priority likely is going to be to try and find the source of he leaks and close that, he said. "If you are so exposed, then maybe all your future plans are also leaked but nobody has reported it yet," he says. "They should be very concerned," he says. 

Related Content:




Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-11
In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)
PUBLISHED: 2021-05-11
A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to...
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to ...
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this...
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in sRGBTransformImage() in the MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker processed by an application using ImageMagick. The highest threat from t...