Cyber Threat Actor: Rana Institute
| Actor Type | Location | Known Incidents |
Nation State
|
Iran
|
3 incidents |
|---|
Profile
The threat actorknown as the Rana Institute operates under that alias and has been identified as a contractor for the Iranian Ministry of Intelligence. Prior to the 2019 disclosures, the group was not publicly recognized as a distinct entity. The leaked internal materials, shared via Telegram channels and Dark Web portals, included employee rosters, victim lists and operational planning documents. Security researchers verified the authenticity of the leak, confirming that the records dated back to at least 2015. The organization is located in Iran, as indicated by its ties to the state intelligence service. These facts establish the Rana Institute as an Iran‑state‑linked entity engaged in cyber‑espionage.
The leaked materials show that the Rana Institute targets airlines and travel‑booking platforms to obtain passenger manifests, reservation details and payment card information. In addition, the group conducts surveillance of Iranian citizens both within the country and abroad, collecting data on their movements and personal identifiers. The documents also contain extensive victim lists that enumerate individuals whose travel and personal data were compromised. Employee rosters and internal planning notes reveal how the group organizes its campaigns against aviation and travel services. These activities serve dual purposes: gathering intelligence on individuals and harvesting financial data that can be monetized. The strategic objectives therefore combine espionage with financially motivated data theft.
One representative operation disclosed in the 2019 leak involved compromising the booking systems of several airlines to exfiltrate passenger travel itineraries and associated credit‑card data. Another campaign focused on monitoring the movements of Iranian nationals overseas by accessing travel reservation databases and tracking their itineraries. The leaked files also contained command‑and‑control server configurations and unredacted victim IP addresses that illustrated the group’s infrastructure. Internal operational strategies, employee listings and victim inventories were included, showing a structured approach to planning and execution. The exposure of this information via Telegram and Dark Web channels compromised the operational security of Iranian threat actors and revealed sensitive data belonging to victim organizations. Collectively, these examples illustrate the Rana Institute’s sustained focus on aviation‑related targets and diaspora surveillance.
