Cyber Incident Victim: MuddyWater
Date: May 2019
Location: Iran
Summary
Two leaks exposed Iranian cyber-espionage operations, including data linked to the MuddyWater group and a previously unknown entity called the Rana Institute. The MuddyWater leak, shared via Telegram and Dark Web channels by a group named Green Leakers, contained screenshots of command-and-control server infrastructure and unredacted victim IP addresses, though its authenticity remained unverified. The Rana Institute leak, confirmed by security researchers, revealed secret Iranian government documents detailing extensive operations since 2015, including tracking citizens domestically and abroad, hacking airlines for passenger manifests, and compromising travel booking systems to steal payment data. Both leaks provided unprecedented insights into victim targeting, operational tactics, and internal organizational structures of Iranian state-linked threat actors.
Description
In early May 2019, two separate leaks exposing Iranian cyber-espionage operations emerged through Telegram channels and Dark Web portals, following a prior leak attributed to Lab Dookhtegan in April 2019 that exposed APT34 malware source code. The first of the new leaks, claimed by a group called Green Leakers, purported to contain operational data from the MuddyWater hacking group. This group released images of command and control (C&C) server source code, backend interfaces, and unredacted IP addresses belonging to MuddyWater's victims via two Telegram channels and Dark Web portals, where it also offered additional data for sale. Unlike the earlier Lab Dookhtegan leak, Green Leakers did not release malware source code freely but instead provided limited samples through screenshots; as a result, security researchers declined to confirm the leak's authenticity while acknowledging that it warranted scrutiny.

The second leak, published on Persian-language websites and Telegram channels, exposed documents labeled 'secret' from Iran's Ministry of Intelligence detailing the activities of the Rana Institute, a contractor conducting cyber-espionage since 2015. ClearSky Security verified these documents, which included victim lists, attack strategies, employee details, and internal espionage system screenshots. The leak revealed Rana's focus on tracking Iranian citizens domestically and abroad, with campaigns targeting airlines to steal passenger manifests and travel booking sites to harvest reservations and payment card data. The website hosting the Rana leak also published personal information of the institute's members. While Chronicle, FireEye, and Palo Alto Networks had authenticated the earlier APT34 leak, ClearSky and Minerva Labs confirmed aspects of these May 2019 disclosures. The cumulative effect of these successive leaks suggested a coordinated campaign to damage Iran's international relations by exposing its cyber-espionage infrastructure and victim data, though the perpetrators' motives remained unconfirmed.
