Newly leaked documents purportedly about a hitherto unknown Iranian cyber espionage group called Rana show in some detail the considerable planning and attention that goes into modern advanced persistent threat (APT) operations.

For enterprise organizations, the documents — if authentic — provide a rare glimpse of the methodical manner in which APT groups go after targets, gather information, find weak spots, and devise strategies for exploiting them.

"For cyber defenders around the world, it is important to understand how the attackers are working," says Boaz Dolev, CEO at ClearSky Cyber Security, an Israel-based cybersecurity firm that claims to have inspected the documents and found them to be authentic. "Looking at what they are doing tells us a lot of what needs to be done to protect against them," Dolev adds.

Dozens of documents supposedly pertaining to Iran's Rana operation was publicly leaked May 5 via a user group on the Telegram app called Black Box. The Rana documents were the third set of documents on Iran's cyber espionage operations that have been leaked in recent weeks by an unknown actor whose motives remain unclear.

Last month, details on attack tools attributed to Iran's OilRig APT group were publicly released via another Telegram group called Lab Dookhtegan. A few days later, details on attack tools associated with Iranian attacker MuddyWater were released, this time through Telegram channel Green Leakers.

Robert Falcone, senior principal researcher for Unit 42 at Palo Alto Networks, says the company has not so far been able to validate the authenticity of the leaked documents. But some of the tools released in the first data dump appeared to be consistent with previous observations and research on the OilRig group. Another leaked tool appeared to be part of DNSpionage, a cyber espionage campaign that targets organizations in the Middle East, Falcone says.

According to ClearSky, the documents on Rana appear to be from a hacking and penetration testing team within Iran's Ministry of Intelligence and shed light on the group's targeting, its victims, cyberattack strategies, and its members.

Rana's hacking and cyber espionage activities appear to be part of much broader set of objectives, ranging from the propagation of Islamic culture and ideas to gathering strategic intelligence, developing technological capabilities, and keeping an eye on dissidents in the country, according to ClearSky.

The leaked information shows the group (and, likely, other Iranian APTs) is heavily focused on airline companies, government agencies, and communications and phone companies. Rana and likely other operatives in the past few years have targeted and seemingly compromised multiple airlines and other companies. Among the airlines the groups have targeted are Ethiopian Airlines, Malaysian Airlines, AirAsia, Philippine Airlines, and Thai Airways.

One of the leaked files is a report describing Rana's activities between March 2016 and August 2016. The document has references to attacks on and analysis of databases at Qatar Airways, Israeli airline Israir, Turkish police, and an insurance company in Saudi Arabia. The document suggests that attackers gained access to their targeted systems on multiple occasions. A reference to an attack on an Israeli hotel website, for instance, suggested the attackers had gained full access to the website's database and to data such as names, password, and credit card data belonging to some 86,000 users.

Careful Planning
Another document describes the group's preparation before launching an attack. This included meeting with employees at Tehran's international airport to learn about airport's systems and gather information on flight and check-in systems as well as security procedures. The team also conducted research on Oracle, SQL Server, and other databases and learned how to quickly enter databases with SQL Loader and Bulk Insert, according to ClearSky.

A report on Rana's activities between March and August 2017 describes an attack against an email service provider in Kuwait involving the use of two separate teams — a hacking squad and a social engineering team. The attack was apparently designed to gain access to the Kuwait Ministry of Foreign Affairs. The hacking team's activities included penetration tests against Foreign Ministry systems and mapping of all IP addresses, domains, websites, and applications that the ministry used, according to ClearSky.

The objective was to find out what systems were open and accessible from the Internet. That information was later relayed to the social engineering team, which then targeted specific people related to the foreign ministry while concurrently setting up a server and website for the operation.

Other documents show that in preparing for attacks on Ethiopian Airlines and Malaysia Airlines, Iranian attackers gathered information on the operational technologies used by airlines and airports and identified database admins and admins of various Internet-exposed systems.

Targets

The data suggests that Rana and other APTs are very persistent, Dolev said. "They keep trying and trying till they succeed."

Members of Rana appear to be experts in areas such as encryption, firmware, and malware and virus development, ClearSky said. They have been organized into multiple teams including Linux, MacOS, Android, iOS, Windows Mobile, and a malware and virus development team. Some team members appear fluent in multiple languages.

Rana's targets have included organizations in more than 30 countries, a vast majority of them in Asia. Targeted countries include India, Thailand, Philippines, Malaysia, Indonesia, and Kuwait. Other countries of interest to the group include Egypt, South Africa, New Zealand, and Australia.

The recent data dumps are likely to temporarily slow Rana and other Iranian APT groups, Dolev says. Their first priority likely is going to be to try and find the source of he leaks and close that, he said. "If you are so exposed, then maybe all your future plans are also leaked but nobody has reported it yet," he says. "They should be very concerned," he says. 

Related Content:

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.