US sanctions Iranian government front company hiding major hacking operations

US says the Iranian government used the "Rana Intelligence Computing Company" as a front for the APT39 hacking group.

iranian-hackers-have-been-hacking-vpn-se-5e4e92c9db1d010001ac4677-1-feb-21-2020-21-08-22-poster.jpg

The US government has imposed sanctions today on a front company that hid a massive hacking operation perpetrated by the Iranian government against its own citizens, foreign companies, and governments abroad.

Sanctions were imposed on the "Rana Intelligence Computing Company," also known as the Rana Institute, or Rana, as well as 45 current and former employees, such as managers, programmers, or hacking experts.

US officials said Rana operated as a front for the Iranian Ministry of Intelligence and Security (MOIS). Rana's main duties were to mount national and international hacking campaigns.

Through its local operations, Rana helped the government monitor Iranian citizens, dissidents, journalists, former government employees, environmentalists, refugees, students, professors, and anyone considered a threat for the local regime.

Externally, Rana also hacked the government networks of neighboring countries, but also foreign companies in the travel, academic, and telecommunications sectors. Officials said Rana used the access to the hacked foreign companies to track individuals whom the MOIS considered a threat.

rana-graph.png

Image: US Treasury Department

Across the years, Rana's hacking operations left a long trail of clues that cyber-security firms traced back to Iran.

Investigations into these past Rana-linked operations can be found in cyber-security reports about the activities of a hacking group known as APT39, or Chafer, Cadelspy, Remexi, and ITG07 — all different names given by different security firms, but referring to the same threat actor, in this case, Rana.

Rana exposed in May 2019

However, for a long time, nobody even knew that Rana existed, let alone that it was a front company for APT39 and the Iranian regime.

The first time the world heard about Rana was in a ZDNet article published in May 2019, documenting the leak of confidential information pertaining to Iranian hacking groups.

At the time, shadowy entities leaked the source code of APT34 malware, data about MuddyWater server backends, and snippets from internal Rana documents labeled as "secret."

"These [Rana] documents contain lists of victims, cyber-attack strategies, alleged areas of access, a list of employees, and screenshots from internal websites relevant to espionage systems," Israeli cyber-security firm ClearSky said in a report published in May 2019.

Iran Rana leak on the clear web

Image: ZDNet

At the time, the Rana leak was considered odd because it didn't fit with the other two.

The first two leaks —APT34 and MuddyWater— were two very well-known Iranian hacking groups.

On the other hand, Rana was described as a mere government contractor. 

At the time, security firms suspected that Rana was also an Iranian APT (advanced persistent threat), but noone could link Rana to any known group.

This mystery was solved today. In press releases by the US Department of Treasury and the Federal Bureau of Investigations, the US government has formally linked Rana to APT39 and the MOIS for the first time.

This official link now allows for the contractor's full spectrum of hacks to come into the limelight. And according to US officials, some of these operations might have crossed the line from intelligence gathering to human rights abuses, such as unwarranted arrests, followed by physical and psychological intimidation by MOIS agents.

Today's sanctions prohibit US companies from doing business with Rana and its 45 current or former employees.

At the same time with today's sanctions, the FBI has also issued a private industry notification (PIN) with eight separate and distinct sets of malware used by Rana (MOIS) to conduct their computer intrusion activities.

rana-fbi-pin.png

Iranian week

The APT39 sanctions are just the latest in a long series of actions the US has prepared against Iranian entities this week. Previously this week, the DOJ also charged:

  • an Iranian hacker on Tuesday for defacing US websites following the US killing of an Iranian military general;
  • two hackers on Wednesday for orchestrating a years-long hacking campaign at the behest of the Iranian government, but also for their own personal financial gains;
  • three Iranians today, Thursday, for hacking aerospace and satellite companies in the US.