Show an ad over header. AMP

An Iranian hacking group sanctioned by U.S. was itself the victim of a cyber attack

An Iranian cyber operations front organization that’s a target of new U.S. sanctions was itself the victim of an attack that looted its own hacking tools and dumped them on the internet two years ago.

Driving the news: Last week, amid increasing tensions between Washington and Tehran, the Treasury Department announced major new Iran-related sanctions targeting cyber operators working for Iranian intelligence. The sanctions targeted 45 individuals affiliated with Iran’s Ministry of Intelligence and Security (MOIS), Tehran’s main civilian intelligence agency.


  • According to the FBI and Treasury, these individuals worked under the cover of a Tehran-based front organization known as the Rana Intelligence Computing Company, which was also sanctioned last week.
  • Rana “employed a years-long malware campaign that targeted Iranian dissidents, journalists, and international companies in the travel sector,” said the Treasury announcement.

The intrigue: The FBI and Treasury announcements didn’t mention that, beginning in October 2018, Rana’s own hacking tools — many of which were focused on domestic and international counterintelligence — were mysteriously dumped on the Internet, where they quietly began to seep through the threat intelligence community.

  • These leaks, which appear highly disruptive to the operations of Iran’s MOIS, surfaced on blogs, with opaque groups or activists purporting to be behind them.
  • The group or individuals responsible for the theft, and later public release, of Rana’s hacking tools are still shrouded in mystery.

The big picture: The Rana leaks have occurred in parallel to two major evolving trends in 21st-century cyber espionage:

  • The increasing use of cutouts and other seemingly private entities to conduct traditional intelligence activities, including spy services’ core hacking and electronic surveillance work.
  • The intensifying and increasing use by spy services of covert action campaigns involving the hacking and anonymous leaking of data online.

Between the lines: Rana’s own work acting as a front for Iranian intelligence exemplifies the first trend, and it’s very possible that the actions to disrupt MOIS’s hacking tools may exemplify the second.

Yes, but: It’s possible, of course, that the Rana leaks may have originated from dissidents within the Iranian government.

  • Many of the MOIS tools exposed in the leaks were focused on tracking Iranians inside and outside of Iran, and Tehran’s pervasive surveillance of its own people — down to the books Iranians checked out from local libraries — is shocking.
  • But the way in which these leaks occurred, and the way they apparently intended to inflict maximum damage on the MOIS, suggests that a very capable intelligence service may have been the ultimate architect. That could be the Israeli, U.K. or a handful of other Western intelligence services.

Context: The Rana leaks also occurred during a transformative moment for CIA offensive cyber operations.

  • In 2018, the Trump administration signed a secret covert action finding vastly expanding the CIA’s ability to conduct covert operations in cyberspace.
  • According to the presidential order, the CIA no longer has to seek NSC review for many of its covert online activities, and the agency is specifically empowered to target cutout organizations secretly working for foreign intelligence services.
  • The CIA has already carried out hack and dump operations aimed at Iran under these new authorities.

Which hack and dump campaigns have been orchestrated by the CIA remains unknown. But Rana — a putatively private company that is in fact an MOIS front — is precisely the type of entity that the CIA was empowered by the finding to conduct more aggressive operations against.

  • Moreover, in addition to its focus on tracking internal dissidents, Rana’s cyber spying was largely devoted to hacking into programs and databases — like airline reservation systems — that can be used to hunt down the assets of foreign intelligence agencies within a country and government, something that Iran has focused on vis-à-vis the CIA, with devastating results.

Finally, from a traditional intelligence collection perspective, Rana’s hacking tools, including its travel intelligence capabilities, would be of acute interest to rival services like the CIA. 

  • If the CIA were able to penetrate these electronic databases, it could then see what the Iranians knew about who was traveling where and when and adjust its own operations accordingly.

The bottom line: The exact hack-and-dump operations carried out by the CIA since 2018 are unknown. But there is a strong plausible case to be made that Treasury’s recent sanctions against Rana and the FBI’s concurrent release of some of its hacking tools mark the conclusive step in a years-long, multifaceted, highly successful U.S. intelligence operation. Under this scenario:

  • This operation began as a quiet digital intrusion.
  • It evolved into a program of intensive collection and counterintelligence jiujitsu.
  • Then it focused on the execution and dissemination of covert digital releases designed specifically to twist the knife in Tehran.
  • Finally, in its destructive denouement, using Treasury sanctions, it pointed the finger at the Islamic Republic in a very public, valedictory, name-and-shame campaign.

Saudi Arabia and Qatar near deal to end standoff, sources say

Saudi Arabia and Qatar are close to a deal to end the diplomatic crisis in the Gulf following U.S.-mediated reconciliation talks this week, sources familiar with the talks tell me.

Why it matters: Restoring relations between Saudi Arabia and Qatar would bring a sense of stability back to the Gulf after a 3.5 year standoff. It could also notch a last-minute achievement for the Trump administration before Jan. 20.

Keep reading... Show less

President of Soros foundation leaves amid speculation of potential Biden role

Patrick Gaspard, who served as ambassador to South Africa under President Barack Obama, is stepping down as president of George Soros' Open Society Foundations, fueling speculation that he'll join the Biden administration, potentially as Labor secretary.

What to know: Before his stint as ambassador, Gaspard was Obama's political director in the White House, drawing upon his experience in the labor movement to advance Obama's legislative agenda on health care and financial services reform.

Keep reading... Show less

House passes bill to decriminalize marijuana

The House on Friday voted 228-164 in favor of the Marijuana Opportunity Reinvestment and Expungement (MORE) Act, marking the first time a congressional chamber has voted in favor of decriminalizing marijuana at the federal level.

Why it matters: The Washington Post describes the bill as a "landmark retreat in the nation’s decades-long war on drugs," which has disproportionately affected people of color.

Keep reading... Show less

Clean trucks are paving the road to the electric vehicle era

The electric vehicle revolution is underway, led by the un-sexiest of plug-in models: the commercial truck.

Why it matters: Growing demand for cleaner trucks means 2021 will be a pivotal year for electric vehicles — just not the kind you might have expected.

Keep reading... Show less

Over 13 million people are receiving pandemic unemployment assistance expiring on Dec. 26

Data: Department of Labor; Chart: Axios Visuals

The number of people receiving unemployment benefits is falling but remains remarkably high three weeks before pandemic assistance programs are set to expire. More than 1 million people a week are still filing for initial jobless claims, including nearly 300,000 applying for pandemic assistance.

By the numbers: As of Nov. 14, 20.2 million Americans were receiving unemployment benefits of some kind, including more than 13.4 million on the Pandemic Unemployment Assistance (PUA) and Pandemic Emergency Unemployment Compensation (PEUC) programs that were created as part of the CARES Act and end on Dec. 26.

Keep reading... Show less

The top candidates Biden is considering for key energy and climate roles

Senate Minority Leader Chuck Schumer (D-N.Y.) has urged President-elect Joe Biden to nominate Mary Nichols, chair of California's air pollution regulator, to lead the Environmental Protection Agency, Bloomberg reports.

Why it matters: The reported push by Schumer could boost Nichol's chances of leading an agency that will play a pivotal role in Biden's vow to enact aggressive new climate policies — especially because the plan is likely to rest heavily on executive actions.

Keep reading... Show less

U.S. economy adds 245,000 jobs in November as rate of recovery slows

Axios Visuals. Bureau of Labor Statistics.

The U.S. economy added 245,000 jobs in November, while the unemployment rate fell to 6.7% from 6.9%, the government said on Friday.

Why it matters: The labor market continues to recover even as coronavirus cases surge— though it's still millions of jobs short of the pre-pandemic level. The problem is that the rate of recovery is slowing significantly.

This story is breaking news. Please check back for updates.

Fauci says he accepted Biden's offer to be chief medical adviser "on the spot"

The government's top infectious-disease expert Anthony Fauci said Friday that he "absolutely" will accept the offer from President-elect Joe Biden to serve as his chief medical officer, telling NBC's "Today" that he said yes "right on the spot."

Why it matters: President Trump had a contentious relationship with Fauci, who has been forced during the pandemic to correct many of the president's false claims about the coronavirus. Biden, meanwhile, has emphasized the importance of "listening to the scientists" throughout his campaign and transition.

Keep reading... Show less

Insights

mail-copy

Get Goodhumans in your inbox

Most Read

More Stories