Illustration: Aïda Amer/Axios

An Iranian cyber operations front organization that’s a target of new U.S. sanctions was itself the victim of an attack that looted its own hacking tools and dumped them on the internet two years ago.

Driving the news: Last week, amid increasing tensions between Washington and Tehran, the Treasury Department announced major new Iran-related sanctions targeting cyber operators working for Iranian intelligence. The sanctions targeted 45 individuals affiliated with Iran’s Ministry of Intelligence and Security (MOIS), Tehran’s main civilian intelligence agency.

  • According to the FBI and Treasury, these individuals worked under the cover of a Tehran-based front organization known as the Rana Intelligence Computing Company, which was also sanctioned last week.
  • Rana “employed a years-long malware campaign that targeted Iranian dissidents, journalists, and international companies in the travel sector,” said the Treasury announcement.

The intrigue: The FBI and Treasury announcements didn’t mention that, beginning in October 2018, Rana’s own hacking tools — many of which were focused on domestic and international counterintelligence — were mysteriously dumped on the internet, where they quietly began to seep through the threat intelligence community.

  • These leaks, which appear highly disruptive to the operations of Iran’s MOIS, surfaced on blogs, with opaque groups or activists purporting to be behind them.
  • The group or individuals responsible for the theft, and later public release, of Rana’s hacking tools are still shrouded in mystery.

The big picture: The Rana leaks have occurred in parallel with two major evolving trends in 21st-century cyber espionage:

  • The increasing use of cutouts and other seemingly private entities to conduct traditional intelligence activities, including spy services’ core hacking and electronic surveillance work.
  • The increasing use by spy services of covert action campaigns built on hacking a target and anonymously leaking the stolen data online.

Between the lines: Rana’s own work acting as a front for Iranian intelligence exemplifies the first trend, and the actions taken to disrupt MOIS’s hacking tools may well exemplify the second.

Yes, but: It’s possible, of course, that the Rana leaks originated with dissidents within the Iranian government.

  • Many of the MOIS tools exposed in the leaks were focused on tracking Iranians inside and outside of Iran, and Tehran’s pervasive surveillance of its own people — down to the books Iranians checked out from local libraries — is shocking.
  • But the way in which these leaks occurred, and the way they apparently intended to inflict maximum damage on the MOIS, suggests that a very capable intelligence service may have been the ultimate architect. That could be the Israeli or U.K. service, or one of a handful of other Western intelligence services.

Context: The Rana leaks also occurred during a transformative moment for CIA offensive cyber operations.

  • In 2018, the Trump administration signed a secret covert action finding vastly expanding the CIA’s ability to conduct covert operations in cyberspace.
  • According to the presidential order, the CIA no longer has to seek NSC review for many of its covert online activities, and the agency is specifically empowered to target cutout organizations secretly working for foreign intelligence services.
  • The CIA has already carried out hack and dump operations aimed at Iran under these new authorities.

Which hack and dump campaigns have been orchestrated by the CIA remains unknown. But Rana — a putatively private company that is in fact an MOIS front — is precisely the type of entity that the CIA was empowered by the finding to conduct more aggressive operations against.

  • Moreover, in addition to its focus on tracking internal dissidents, Rana’s cyber spying was largely devoted to hacking into programs and databases, such as airline reservation systems, that can be used to hunt down a foreign intelligence agency’s assets inside a country or its government. Iran has focused on exactly that vis-à-vis the CIA, with devastating results.

Finally, from a traditional intelligence collection perspective, Rana’s hacking tools, including its travel intelligence capabilities, would be of acute interest to rival services like the CIA. 

  • If the CIA were able to penetrate these electronic databases, it could then see what the Iranians knew about who was traveling where and when and adjust its own operations accordingly.

The bottom line: The exact hack-and-dump operations carried out by the CIA since 2018 are unknown. But there is a plausible case to be made that Treasury’s recent sanctions against Rana, and the FBI’s concurrent release of some of its hacking tools, mark the conclusive step in a years-long, multifaceted, highly successful U.S. intelligence operation. Under this scenario:

  • This operation began as a quiet digital intrusion.
  • It evolved into a program of intensive collection and counterintelligence jiujitsu.
  • Then it focused on the execution and dissemination of covert digital releases designed specifically to twist the knife in Tehran.
  • Finally, in its destructive denouement, using Treasury sanctions, it pointed the finger at the Islamic Republic in a very public, valedictory, name-and-shame campaign.
