The Iranian Regime’s cyber-espionage operations have once again been exposed in two leaks published via Telegram channels and sites on the Dark Web and the public Internet. The authenticity was confirmed by researchers at ClearSky Security and Minerva Labs.
These latest leaks come only shortly after someone revealed the source code of several malware strains linked to Iranian government-backed cyber-espionage group APT34 (Oilrig) last month. The figure, who used the pseudonym Lab Dookhtegam, published this information on Telegram and a group called the Green Leakers took responsibility. The authenticity of this leak was confirmed by several cyber-security firms, including Chronicle, FireEye, and Palo Alto Networks.
However, the latest leaks are different because they don’t contain the source code for malware or any free tools, but rather images of the source code of unknown origins, command and control server backends, and lists of past hacking victims.
Despite the clear differences, many are theorising that there is a campaign to expose Iran’s hacking operations, perhaps with the hope that the political fallout will damage Iran’s relations with other countries and that companies may rethink investments in Iran.
The Green Leakers operate two Telegram channels and two different Dark Web portals where they are selling data that they say is from the Iranian hacking group MuddyWater APT. (APT is an initialism for advanced persistent threat, a term used to describe government-backed hacking groups.) They have not posted anything new for a few days now.
There is another leak of Iranian cyber-operations, which has been going on for over a week on a Persian website and Telegram channel. Here, leakers have released small chunks of information from “secret” documents created by the Iranian Ministry of Intelligence, which reveal that the Regime hired the Rana Institute as a contractor for cyber-espionage operations. This was verified by ClearSky Security.
ClearSky wrote in a report: “These documents contain lists of victims, cyber-attack strategies, alleged areas of access, a list of employees, and screenshots from internal websites relevant to espionage systems. The documents shed light on some aspects of the group’s activity, notably: tracking Iranians, tracking Iranian citizens outside of Iran, and the group’s members.”
This is an important information source for a group whose activities have never been spotted, despite being active since 2015.
The Rana hackers were asked to develop malware capable of damaging SCADA industrial control systems, according to the leaked documents, but ClearSky said the project was “unsuccessful… despite a large budget”.
Source » ncr-iran