US sanctions hacker company linked to Iranian government

by Gabriel E. Hall - - 2020-09-18

The US says Rana company works for the Iranian government

The US government says that Iranian company made a massive hacking operation The US government has imposed sanctions on Rana because this company hid a massive hacking operation.

Today, the US government has imposed sanctions on the well known Iranian company and individuals that hid a massive hacking operation against Iranian citizens, foreign companies, and governments abroad. The Rana Intelligence Computing Company who made these attacks operated as a front for the Iranian Ministry of Intelligence and Security (MOIS).

The US has sanctioned front company and 45 people who are current or former employees of this Iranian company.^[1] The Rana Intelligence Computing Company is also known as Rana or Rana Institute. The FBI wrote:^[2]

Masked behind its front company, Rana Intelligence Computing Company (Rana), the Government of Iran’s Ministry of Intelligence and Security (MOIS) has employed a years-long malware campaign that targeted and monitored Iranian citizens, dissidents, and journalists, the government networks of Iran’s neighboring countries, and foreign organizations in the travel, academic, and telecommunications sectors. Some of these individuals were subjected to arrest and both physical and psychological intimidation.

According to the US government, Rana was also tracking individuals from foreign companies whom the MOIS considered a threat. Cybersecurity specialists found a lot of clues about these hacking operations. The FBI explained:^[2]

Through Rana, the MOIS also targeted some of the world’s largest travel services companies based here in the U.S. which store the records of millions of travelers. At least 15 U.S. companies were compromised by Rana’s malicious cyber intrusion tools, all of which the FBI has notified, along with hundreds of individuals and entities from more than 30 different countries across Asia, Africa, Europe, and North America.

Connections between Rana and APT39 were not instantaneously found

At first, investigators followed activities of the APT39^[3] hacking group. These hackers also had different names: Chafer, Remexi, ITG07, and Cadelspy. However, even though all these names belong to Rana, for a long time nobody even knew about this company or the fact that its the same threat actor.

Rana's name was cited for the first time only in May 2019, in the cybersecurity overview and analysis document about the leak of confidential information. Then the source code of APT34 malware was leaked and there was data about MuddyWater server backends and snippets from Rana documents. At that time, the ClearSky, a cyber-security firm wrote in its report:^[4]

These [Rana] documents contain lists of victims, cyber-attack strategies, alleged areas of access, a list of employees, and screenshots from internal websites relevant to espionage systems.

At that time, Rana was described as a government contractor but the security specialist suspected that this company was also an advanced persistent threat from Iran. But all security firms couldn't link Rana to any group of hackers.

The US government prohibits US companies from working with Rana

This question was solved now. The US Federal Bureau of Investigations and Department of Treasury finally said that Rana was working behind the APT39 name. Since the US government has formally linked these hackers to the Iranian MOIS, this decision allows them to impose sanctions on the company. The US prohibits US companies from working with Rana and 45 former or current employees of this company.

Also, the US Department of the Treasury wrote:^[5]

The FBI advisory, also being released today, details eight separate and distinct sets of malware used by MOIS through Rana to conduct their computer intrusion activities. This is the first time most of these technical indicators have been publicly discussed and attributed to MOIS by the U.S. government.

The FBI decided to make this information public because the government wants to stop the Iranian MOIS hacking campaign.

Moreover, sanctions for the APT39 hacking group is not the first action against Iranian threat actors. The US Department of Justice already charged several other hackers. For example, they found out about two Iranian hackers who made years-long cyber espionage, charged three Iranians^[6] for hacking satellite companies and aerospace in the US, etc.

About the author

Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions

References

^ RECENT ACTIONS Enforcement Actions General Licenses Misc./Other Regulations and Guidance Sanctions List Updates Counter Terrorism Designations; Iran/Cyber-related Designations. U.S. Department of the Treasury. Official website.
^ Kristen Setera. FBI Releases Cybersecurity Advisory on Previously Undisclosed Iranian Malware Used to Monitor Dissidents and Travel and Telecommunications Companies. FBI. The Federal Bureau of Investigation.
^ APT39. Malpedia. Malware Encyclopedia.
^ Iranian Nation-State APT Groups 'Black Box' Leak. Clearsky. Cyber Security.
^ Treasury Sanctions Cyber Actors Backed by Iranian Intelligence Ministry. U.S. Department of the Treasury. Official website.
^ Catalin Cimpanu. US charges Iranian hackers for breaching US satellite companies. ZDNet. News articles.