The US government today imposed sanctions on a company that served as cover for a massive hacking operation organized and executed by the Iranian regime against its own citizens as well as companies and governments of other countries. Sanctions were imposed on Rana Intelligence Computing Company, also known as Rana Institute or Rana. The sanctions apply not only to the company itself but also to 45 current and former employees, including managers, developers and hacking experts. U.S. officials said Rana was acting as a "front" for the Iranian Ministry of Information and Security (MOIS). Its main tasks were to conduct hacking campaigns both locally and internationally.
Through its local activities, Rana helped the Iranian regime monitor Iranian citizens, dissidents, journalists, former government officials, environmentalists, refugees, students, teachers, and anyone else it considered a threat to the regime.
In addition, Rana breached the government networks of countries neighboring Iran, as well as foreign companies operating in various fields such as telecommunications, travel and education. According to officials, by breaching companies from other countries, Rana could identify individuals whom MOIS considered threatening.
At times, Rana's hacking campaigns left traces that allowed cybersecurity companies to link them to the Iranian regime.
Investigations into these hacking campaigns, behind which Rana stands, can be found in cybersecurity reports on the activities of a hacking group known as APT39, Chafer, Cadelspy, Remexi or ITG07. Each of these names was assigned by a different cybersecurity company, but they all refer to the same threat, which in this case is Rana.
However, for a long time, no one knew of Rana's existence, let alone that it was a company working with the APT39 group and the Iranian regime. The first time people heard about it was in a ZDNet article published in May 2019 that referred to information leaks related to Iranian hacking groups. At that time, unknown individuals leaked the source code of malware of the APT34 group, data on MuddyWater server backends and excerpts from Rana internal documents labeled "secret".
The Israeli cybersecurity company ClearSky stated in a report published in May 2019 that these Rana documents included victim lists, strategies for cyber attacks, areas of access, a list of employees and screenshots from sites related to espionage systems. In addition, at the time, cybersecurity companies suspected that Rana was an Iranian APT, but no one could link it to a known hacking group.
This mystery, however, is now solved. In press releases from the US Treasury Department and the Federal Bureau of Investigation, the US government has formally linked Rana with APT39 and MOIS. According to US officials, some of Rana's hacking campaigns may not have been limited to gathering information, but may also have led to human rights violations, with unjustified arrests followed by physical and psychological intimidation by MOIS agents.
The sanctions now ban US companies from working with Rana and its 45 current or former employees. Simultaneously with the current sanctions, the FBI issued a notice that includes eight separate sets of malware used by Rana (MOIS) to invade computers.