Sep 23, 2020 - World

The hacking of Iran's hackers


Illustration: Aïda Amer/Axios

An Iranian cyber operations front organization that’s a target of new U.S. sanctions was itself the victim of an attack that looted its own hacking tools and dumped them on the internet two years ago.

Driving the news: Last week, amid increasing tensions between Washington and Tehran, the Treasury Department announced major new Iran-related sanctions targeting cyber operators working for Iranian intelligence. The sanctions targeted 45 individuals affiliated with Iran’s Ministry of Intelligence and Security (MOIS), Tehran’s main civilian intelligence agency.

  • According to the FBI and Treasury, these individuals worked under the cover of a Tehran-based front organization known as the Rana Intelligence Computing Company, which was also sanctioned last week.
  • Rana “employed a years-long malware campaign that targeted Iranian dissidents, journalists, and international companies in the travel sector,” said the Treasury announcement.

The intrigue: The FBI and Treasury announcements didn’t mention that, beginning in October 2018, Rana’s own hacking tools — many of which were focused on domestic and international counterintelligence — were mysteriously dumped on the Internet, where they quietly began to seep through the threat intelligence community.

  • These leaks, which appear highly disruptive to the operations of Iran’s MOIS, surfaced on blogs, with opaque groups or activists purporting to be behind them.
  • The group or individuals responsible for the theft, and later public release, of Rana’s hacking tools are still shrouded in mystery.

The big picture: The Rana leaks have occurred in parallel to two major evolving trends in 21st-century cyber espionage:

  • The increasing use of cutouts and other seemingly private entities to conduct traditional intelligence activities, including spy services’ core hacking and electronic surveillance work.
  • The intensifying and increasing use by spy services of covert action campaigns involving the hacking and anonymous leaking of data online.

Between the lines: Rana’s own work acting as a front for Iranian intelligence exemplifies the first trend, and it’s very possible that the actions to disrupt MOIS’s hacking tools may exemplify the second.

Yes, but: It’s possible, of course, that the Rana leaks may have originated from dissidents within the Iranian government.

  • Many of the MOIS tools exposed in the leaks were focused on tracking Iranians inside and outside of Iran, and Tehran’s pervasive surveillance of its own people — down to the books Iranians checked out from local libraries — is shocking.
  • But the way in which these leaks occurred, and the way they apparently intended to inflict maximum damage on the MOIS, suggests that a very capable intelligence service may have been the ultimate architect. That could be the Israeli, U.K. or a handful of other Western intelligence services.

Context: The Rana leaks also occurred during a transformative moment for CIA offensive cyber operations.

  • In 2018, the Trump administration signed a secret covert action finding vastly expanding the CIA’s ability to conduct covert operations in cyberspace.
  • According to the presidential order, the CIA no longer has to seek NSC review for many of its covert online activities, and the agency is specifically empowered to target cutout organizations secretly working for foreign intelligence services.
  • The CIA has already carried out hack and dump operations aimed at Iran under these new authorities.

Which hack and dump campaigns have been orchestrated by the CIA remains unknown. But Rana — a putatively private company that is in fact an MOIS front — is precisely the type of entity that the CIA was empowered by the finding to conduct more aggressive operations against.

  • Moreover, in addition to its focus on tracking internal dissidents, Rana’s cyber spying was largely devoted to hacking into programs and databases — like airline reservation systems — that can be used to hunt down the assets of foreign intelligence agencies within a country and government, something that Iran has focused on vis-à-vis the CIA, with devastating results.

Finally, from a traditional intelligence collection perspective, Rana’s hacking tools, including its travel intelligence capabilities, would be of acute interest to rival services like the CIA.

  • If the CIA were able to penetrate these electronic databases, it could then see what the Iranians knew about who was traveling where and when and adjust its own operations accordingly.

The bottom line: The exact hack-and-dump operations carried out by the CIA since 2018 are unknown. But there is a strong plausible case to be made that Treasury’s recent sanctions against Rana and the FBI’s concurrent release of some of its hacking tools mark the conclusive step in a years-long, multifaceted, highly successful U.S. intelligence operation. Under this scenario:

  • This operation began as a quiet digital intrusion.
  • It evolved into a program of intensive collection and counterintelligence jiujitsu.
  • Then it focused on the execution and dissemination of covert digital releases designed specifically to twist the knife in Tehran.
  • Finally, in its destructive denouement, using Treasury sanctions, it pointed the finger at the Islamic Republic in a very public, valedictory, name-and-shame campaign.