Two new leaks exposing Iranian cyber-espionage operations have been published online, via Telegram channels and websites on the Dark Web and the public Internet.
One leak claims to contain operational data from the MuddyWater hacking group, while the second reveals information about a group that official Iranian government documents identify as the Rana Institute, which has not been linked to any known Iranian cyber-espionage group.
A FIRST LEAK HAPPENED LAST MONTH
These two leaks follow one from last month, when a mysterious figure using the Lab Dookhtegam pseudonym dumped on a Telegram channel the source code of several malware strains associated with APT34 (OilRig), an Iranian government-backed cyber-espionage group. Multiple cyber-security firms, including Chronicle, FireEye, and Palo Alto Networks, confirmed the authenticity of that first leak.
The two new leaks differ from the first. Neither includes malware source code. Instead, they contain images of source code of unknown origin, images of command-and-control server backends, and images listing past victims. Security researchers from ClearSky Security and Minerva Labs have confirmed the latest batch.
With two additional leaks surfacing, the theory that we are witnessing a well-orchestrated campaign to expose Iran's hacking operations now looks more plausible than ever.
The perpetrators may be hoping that the political fallout from exposing Iran's hacks will damage the country's relations with its neighbors, its foreign political allies, and private-sector companies that may rethink their operations and dealings with the Iranian government.