Cyber Incident Victim: TEMP.Zagros
Date: May 2019
Location: Iran
Summary
New leaks exposed Iranian cyber-espionage operations, revealing internal data from the MuddyWater group and a previously unknown entity called the Rana Institute. The compromised materials included command-and-control server configurations, unredacted victim IP addresses, operational strategies, employee details, and evidence of targeting Iranian citizens domestically and abroad. Security researchers verified portions of the leaks, which highlighted campaigns against airlines and travel booking sites to harvest passenger manifests, payment data, and reservation records. The disclosures compromised the operational security of Iranian threat actors and exposed victim organizations' sensitive information through Telegram channels and Dark Web portals.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
In early May 2019, two separate leaks exposing Iranian state-sponsored cyber-espionage operations surfaced through Telegram channels and Dark Web portals, following a prior leak attributed to the pseudonymous Lab Dookhtegan in April 2019. The first of these new leaks, claimed by a group calling itself the Green Leakers, purported to contain operational data from the MuddyWater hacking group (also known as TEMP.Zagros). This leak included screenshots of command-and-control (C&C) server source code, backend interfaces, and unredacted IP addresses belonging to MuddyWater's victims. Unlike the earlier Lab Dookhtegan leak, which distributed malware source code freely, the Green Leakers monetized their data, offering it for sale through two Telegram channels and Dark Web portals while publicly releasing only a limited set of proof-of-concept images. Cybersecurity firms Chronicle, FireEye, and Palo Alto Networks had previously validated the authenticity of the Lab Dookhtegan leak, but the legitimacy of the MuddyWater data remained unconfirmed at the time of reporting because of the limited sample released.

The second leak, emerging simultaneously through Persian-language websites and Telegram channels, exposed documents labeled "secret" from Iran's Ministry of Intelligence detailing the operations of a previously unknown entity called the Rana Institute. Security researchers from ClearSky Security verified these documents, which revealed Rana's role as a government contractor conducting cyber-espionage since 2015. The leaked materials included lists of victims, operational strategies, employee identities, internal espionage system screenshots, and specifics about targeting Iranian citizens domestically and abroad. Primary victim sectors included airlines and travel booking platforms, with compromised data encompassing passenger manifests, reservation records, and payment card details. The leak's website additionally published personal information of Rana Institute personnel alongside campaign histories. This disclosure marked the first public identification of Rana's activities, providing unprecedented insights into Iran's surveillance apparatus. The cumulative effect of these leaks amplified scrutiny of Iran's cyber operations, potentially straining diplomatic and commercial relationships due to exposed victim data and operational methodologies.
