Cyber Incident Victim: Rana Institute
Date: May 2019
Location: Iran
Summary
A leak exposed Iranian cyber-espionage operations linked to the Rana Institute, a contractor for the Iranian Ministry of Intelligence, revealing internal documents detailing its activities since at least 2015. The compromised materials, disseminated via Telegram channels and Dark Web portals, included secret operational strategies, employee information, victim lists, and evidence of campaigns targeting airlines and travel booking sites to steal passenger manifests, reservations, and payment card data. Security researchers verified the leak's authenticity, highlighting the group's focus on tracking Iranian citizens domestically and abroad. This incident marked one of multiple recent exposures of Iranian state-linked hacking operations, providing unprecedented insight into previously undisclosed espionage tactics.
Description
The Rana Institute cyber-espionage incident came to light through a series of leaks published online between late April and early May 2019. Following an initial leak attributed to the pseudonymous actor Lab Dookhtegan, which exposed malware source code linked to Iranian APT34 (OilRig), two additional leaks emerged in early May. The third leak specifically targeted the Rana Institute, a previously undisclosed Iranian cyber-espionage contractor. This leak materialized through a Persian-language website on the public internet and a Telegram channel, where actors posted classified documents originating from Iran's Ministry of Intelligence. Security firm ClearSky Security verified the authenticity of these documents, which contained operational details dating back to 2015 when the group became active.

The leaked Rana Institute materials included classified documents labeled 'secret' that outlined the group's structure, personnel, victimology, and operational methodologies. These documents revealed that Rana Institute conducted surveillance operations targeting Iranian citizens both domestically and abroad, with a particular focus on airline passenger manifests and travel booking systems. Attack strategies involved compromising airlines to obtain passenger data and infiltrating travel reservation platforms to harvest payment card details and booking information. The leak exposed internal espionage system screenshots, lists of compromised victims, and employee identities. While the perpetrators, who identified themselves as Green Leakers, initially released only limited samples through Telegram and Dark Web portals, the full scope of the exposed data provided unprecedented visibility into a state-aligned cyber-espionage operation that had evaded public detection for four years. The disclosure prompted immediate analysis by threat intelligence teams, with ClearSky Security publishing a technical report confirming the group's infrastructure and victimology patterns within hours of the leak's emergence.
