APT39, also tracked as **Chafer** and **Remix Kitten**, is a cyber-espionage group attributed to the Iranian **Ministry of Intelligence and Security (MOIS)**. It operated through the front company **Rana Intelligence Computing Company** ("Rana"), which is why the two names are often used interchangeably. The group conducts cyber operations primarily against the **telecommunications, travel, and technology** industries, with a focus on surveillance and intelligence gathering against specific individuals.

### **Key Facts About APT39**

- **Affiliation**: Attributed to the MOIS (not the IRGC, which runs its own separate cyber units); Rana was the MOIS front through which the activity was conducted.
- **Target Sectors**: Telecommunications, travel, high-tech industries, government entities.
- **Primary Objective**: Espionage: harvesting personal and travel data for surveillance, especially of individuals of interest to the Iranian government.
- **Methods**:
  - **Spear phishing**: Targeted emails with malicious attachments or links to gain an initial foothold.
  - **Malware deployment**: Custom backdoors and publicly available remote access trojans (RATs) to maintain persistence in networks.
  - **Credential theft**: Harvesting login details (including webmail credentials) for further access and lateral movement.
  - **Use of a front company**: **Rana Intelligence Computing Company** served as cover for the operators; it was later sanctioned by the U.S. Treasury Department.

### **Notable Activities**

- **Surveillance Operations**: Focus on dissidents, journalists, government officials, and academics.
- **Data Harvesting**: Exfiltration of personal data from travel and telecom companies to track individuals of interest.
- **Global Reach**: While the focus has been the Middle East, APT39 has also targeted organizations in Europe, the U.S., and beyond.

### **Sanctions and Exposure**

- In **September 2020**, the U.S. **Department of the Treasury** sanctioned **Rana Intelligence Computing Company** and 45 associated individuals for supporting MOIS surveillance and hacking operations, and the FBI released a FLASH alert describing Rana's malware.

### **Comparison to Other Iranian APTs**

APT39 is often compared to other Iranian groups like:

- **APT33 (Elfin)**: Focused on cyber-sabotage.
- **APT34 (OilRig)**: Specializes in espionage and cyber-intrusions.
- **MuddyWater**: Engages in cyber-espionage, is also attributed to the MOIS, and often overlaps with other groups.

### **Defensive Measures**

Organizations can defend against APT39 by:

- Implementing **multi-factor authentication (MFA)**, so that a stolen password alone does not grant access to webmail and VPN portals.
- Training employees to recognize **phishing attempts**.
- Using **endpoint detection and response (EDR) solutions** to catch malware infections.
- Regular **patching** of internet-facing systems to close known vulnerabilities.

### **APT39 (Rana Intelligence Group) - Notable Attacks & Technical Tools**

APT39 has been involved in numerous cyber-espionage operations, primarily targeting individuals and organizations for surveillance. Here are some key attacks and the tools they have used.

---

## **Notable Attacks by APT39**

### **1. Targeting of the Travel and Telecommunications Sector**

- **Objective:** APT39 has heavily targeted travel agencies, airlines, and telecom providers to track individuals' movements.
- **Method:**
  - Breaching airline booking systems and hotel databases to obtain the travel details of persons of interest.
  - Infiltrating telecom companies to obtain call records, SMS data, and metadata used to track dissidents, government officials, and journalists.
- **Example:**
  - APT39 has been linked to attacks on **Middle Eastern and European airlines** to collect passenger data for intelligence purposes.

### **2. Espionage Against NGOs and Academic Institutions**

- **Objective:** Surveillance of activists, human rights organizations, and university researchers.
- **Method:**
  - Phishing campaigns using fake job offers and academic conferences to lure targets into revealing credentials.
  - Malware-laced documents disguised as research papers or invitations.
- **Example:**
  - Infiltration of **think tanks and human rights groups** working on Iran-related issues.

### **3. Spear Phishing Campaigns Against Government Entities**

- **Objective:** Gaining access to sensitive government and military information.
- **Method:**
  - Highly targeted spear-phishing emails using themes such as **official documents, invoices, or security warnings**.
  - Deployment of **malware payloads** to establish persistent access in government networks.
- **Example:**
  - Campaigns aimed at **diplomatic missions and Middle Eastern government agencies**, likely to gather intelligence.

---

## **Technical Tools & Malware Used by APT39**

APT39 employs a mix of **custom malware**, **publicly available hacking tools**, and **open-source frameworks** to conduct cyber-espionage. Initial access typically comes from a spear-phishing attachment or link that drops a custom variant of the **POWBAT** downloader; the tools below follow from there.

### **1. SEAWEED**

- **Type:** Custom backdoor (remote access trojan).
- **Functionality:**
  - Command execution, file exfiltration, and long-term persistence on the compromised host.
- **Delivery Method:** Typically staged after initial access; the phishing attachment itself usually carries a downloader rather than the backdoor.

### **2. CACHEMONEY**

- **Type:** Custom backdoor (not a credential stealer, as it is sometimes described).
- **Functionality:**
  - A second backdoor family used alongside SEAWEED for persistent command-and-control, giving the operators a fallback channel if SEAWEED is removed.
- **Usage:** Credential theft itself is done with well-known utilities such as **Mimikatz**, **Windows Credential Editor**, and **ProcDump**, whose output is then reused for lateral movement.

### **3. QUASARRAT**

- **Type:** Open-source RAT.
- **Functionality:**
  - Keylogging, remote file execution, and system monitoring.
- **Usage:** Modified versions have been deployed in espionage campaigns.

### **4. DNS Tunneling Techniques**

- **Functionality:**
  - Carries command-and-control or exfiltrated data inside DNS queries and responses, so traffic to an attacker-controlled domain passes through resolvers that are rarely inspected.
- **Caveat:** DNS tunneling is best documented for **APT34 (OilRig)**; treat it here as a detection concern for Iranian intrusion sets in general rather than a confirmed APT39 technique.
- **Impact:** Bypasses web proxies and egress filtering that inspect only HTTP(S).

### **5. Social Engineering & Credential Harvesting**

APT39 frequently registers **fake domains** that mimic legitimate services (e.g., webmail portals, security updates) to steal login credentials.

---

## **Indicators of Compromise (IoCs) & Mitigation**

### **IoCs:**

- Suspicious **login attempts from Iranian IP addresses** (a weak indicator on its own: operators typically route through commercial VPS or compromised hosts outside Iran).
- Presence of **QUASARRAT, SEAWEED, or CACHEMONEY** malware.
- Fake email domains resembling known government or corporate services.
- Increased DNS queries to **unknown or rarely used domains**, particularly many long, high-entropy subdomains under a single domain.

### **Mitigation Strategies:**

- **Multi-Factor Authentication (MFA)** to prevent credential theft from leading to account takeover.
- **Regular security audits** to detect unauthorized access.
- **Endpoint Detection & Response (EDR) solutions** to monitor for RAT activity.
- **User training** to recognize phishing emails and fake login pages.

---

### **Final Thoughts**

APT39 is a **highly targeted cyber-espionage group** that prioritizes intelligence gathering over disruption. Its methods suggest a long-term strategy focused on **surveillance and tracking individuals**, particularly those of interest to the Iranian government.

### **Comparison of APT39 with Other Iranian APT Groups**

Iranian state-sponsored cyber groups have different specializations, but they often share tools, techniques, and infrastructure. Here's how **APT39 (Rana Intelligence Group)** compares with other major Iranian APTs:

---

## **1. APT39 (Rana Intelligence Group) – Focus on Surveillance & Espionage**

- **Primary Goal:** **Tracking individuals** through **telecom, travel, and government** sector breaches.
- **Targets:** Airlines, hotels, telecom providers, activists, NGOs.
- **Key TTPs (Tactics, Techniques, Procedures):**
  - Spear-phishing for credential theft.
  - Backdoors and RATs (SEAWEED, CACHEMONEY, QUASARRAT) for long-term access.
  - Data exfiltration from **call logs, passenger records, and personal devices**.
- **Unique Trait:** Heavy focus on **mass surveillance and human tracking** rather than sabotage.

### **How APT39 Stands Out:**

✅ **Surveillance-driven:** Unlike groups that aim to destroy or disrupt, APT39 is all about intelligence gathering.
✅ **Travel & telecom targeting:** Unusual compared to groups that focus on critical infrastructure or government networks.
✅ **Rana Intelligence Computing Company:** APT39 operated under this MOIS front company, which was **sanctioned by the U.S.** in 2020.

---

## **2. APT33 (Elfin) – Cyber Sabotage & Destructive Attacks**

- **Primary Goal:** **Cyber-sabotage**, mainly in the **energy and aerospace sectors**.
- **Targets:** Oil and gas companies, defense contractors, aviation firms.
- **Key TTPs:**
  - **Shamoon wiper**: Data-wiping attacks causing operational damage (APT33's link to Shamoon is assessed by researchers, not confirmed).
  - **Phishing & password spraying** to gain access to networks.
  - **Custom backdoors & wipers** to destroy data.
- **Unique Trait:** Focuses on **destructive attacks** rather than long-term espionage.

🔴 **Example Attack:**

- The **2012 Shamoon attack** wiped tens of thousands of Saudi Aramco workstations; later variants hit Saudi organizations in 2016–2017 and the Italian oil-services firm Saipem in December 2018.

💥 **How it differs from APT39:**

- APT33 wants to **cause disruption**, while APT39 wants **data for intelligence operations**.
- APT33 **targets critical industries (oil, aerospace)**, while APT39 **tracks people and organizations**.

---

## **3. APT34 (OilRig) – Cyber-Espionage & Credential Theft**

- **Primary Goal:** **Espionage & long-term infiltration** of government and financial sectors.
- **Targets:** Middle Eastern governments, financial institutions, energy firms.
- **Key TTPs:**
  - Spear-phishing with malicious Excel/Word documents.
  - **DNS tunneling** for command-and-control that bypasses web-focused security controls.
  - Use of **custom malware (Karkoff, Helminth)** to maintain persistence.
- **Unique Trait:** Uses **sophisticated phishing** and **custom backdoors** for long-term access.

🔴 **Example Attack:**

- APT34 was caught **mimicking LinkedIn job offers** to lure government employees and steal credentials.

💥 **How it differs from APT39:**

- Both groups conduct **espionage**, but APT34 **targets high-value organizations** (gov't & finance), while APT39 **tracks people via telecom & travel records**.
- APT34 relies more on **DNS tunneling & custom backdoors**, while APT39 leans on **RATs & credential theft**.

---

## **4. MuddyWater – Hybrid Cyber-Espionage & Disruption**

- **Primary Goal:** **Espionage & semi-disruptive attacks** on regional governments.
- **Targets:** Middle Eastern and Asian governments, universities, and telecom firms.
- **Key TTPs:**
  - **Social engineering & phishing** to gain access.
  - **PowerShell-based malware** (e.g., POWERSTATS) to control compromised systems.
  - **Living-off-the-land (LotL) techniques** to avoid detection.
- **Unique Trait:** Less sophisticated than other APTs, but **persistent and opportunistic**.

🔴 **Example Attack:**

- Used **fake government emails** with malware-laden documents to compromise state entities.

💥 **How it differs from APT39:**

- MuddyWater is **noisier**, often reusing messy, easily detected tooling, whereas APT39 is **more deliberate**.
- MuddyWater targets **government entities**, while APT39 focuses on **tracking people & gathering personal data**.

---

## **Final Comparison Chart**

| **APT Group** | **Main Goal** | **Targets** | **Key Tactics** | **Notable Attack** |
|---|---|---|---|---|
| **APT39 (Rana Intelligence)** | **Surveillance & intelligence gathering** | Telecom, travel, NGOs, gov't | Spear-phishing, RATs, credential theft | Tracking dissidents & gov't critics via travel/telecom hacks |
| **APT33 (Elfin)** | **Cyber-sabotage** | Oil, aerospace, defense | Data-wiping malware (Shamoon), password spraying | 2012 **Shamoon** wiper attack on Saudi Aramco (later variants 2016–2018) |
| **APT34 (OilRig)** | **Espionage & network infiltration** | Middle Eastern gov't, finance, energy | DNS tunneling, custom malware, phishing | **LinkedIn phishing campaign** targeting gov't officials |
| **MuddyWater** | **Espionage & low-level disruption** | Gov't, telecom, universities | Phishing, PowerShell malware, LotL tactics | Fake gov't emails spreading PowerShell backdoors |

---

### **Final Thoughts**

- **APT39 = Surveillance & tracking individuals (travel, telecom, personal data).**
- **APT33 = Sabotage & destruction (energy, defense, oil).**
- **APT34 = Espionage & long-term infiltration (gov't, finance).**
- **MuddyWater = Mix of espionage & disruption (less sophisticated but persistent).**
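Two of the indicators listed in the IoC section above (fake domains that mimic legitimate services, and bursts of DNS queries to rarely seen domains that may be tunneling) can be triaged from ordinary resolver logs. The script below is an added example written for this page; it is not APT39 tooling, a vendor detection rule, or code from any report on the group. The log format (`<timestamp> <client> <qname> <qtype>`), the watchlist of legitimate domains, the sample log lines and every threshold are constructed assumptions for illustration.

```python
"""Offline triage of DNS query logs for two indicators: lookalike
(typosquat) domains and DNS-tunneling-style query patterns.
Added example; log format, watchlist and thresholds are assumptions."""
import hashlib
import math
from collections import defaultdict

# Constructed sample telemetry (not real traffic), one query per line.
BENIGN_LINES = [
    "2024-05-01T08:00:01Z 10.1.2.3 mail.example-corp.com A",
    "2024-05-01T08:00:02Z 10.1.2.3 portal.example-corp.com A",
    "2024-05-01T08:00:05Z 10.1.2.7 cdn.example-corp.com A",
    "2024-05-01T08:00:09Z 10.1.2.7 www.gov-ministry.example A",
]
# Lookalikes swap characters that read alike (l -> 1, o -> 0).
LOOKALIKE_LINES = [
    "2024-05-01T08:01:11Z 10.1.2.9 webmail.examp1e-corp.com A",
    "2024-05-01T08:01:12Z 10.1.2.9 login.g0v-ministry.example A",
]
# Tunnel-style traffic: many long, high-entropy labels under one domain.
# sha256 stands in for encoded exfil chunks so the sample is deterministic.
TUNNEL_LINES = [
    f"2024-05-01T08:02:{i:02d}Z 10.1.2.9 "
    f"{hashlib.sha256(f'chunk{i}'.encode()).hexdigest()[:48]}.cdn-sync.example TXT"
    for i in range(25)
]
SAMPLE_LOG = "\n".join(BENIGN_LINES + LOOKALIKE_LINES + TUNNEL_LINES)

# Domains the organisation legitimately uses (assumed watchlist).
LEGIT_DOMAINS = ["example-corp.com", "gov-ministry.example"]


def registered_domain(qname: str) -> str:
    """Last two labels of the name. Simplification: ignores public-suffix
    rules (co.uk etc.), which a production version must consult."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores high, hostnames score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_log(text: str):
    """Yield (client, qname, qtype) from the assumed space-separated format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2].lower(), parts[3]


def find_lookalikes(text: str, legit=LEGIT_DOMAINS, max_distance: int = 2) -> dict:
    """Map each queried registered domain that is within 1..max_distance edits
    of a watchlist entry (but not identical) to the entry it imitates."""
    hits = {}
    for _client, qname, _qtype in parse_log(text):
        reg = registered_domain(qname)
        for good in legit:
            d = levenshtein(reg, good)
            if 0 < d <= max_distance:
                hits[reg] = good
    return hits


def find_tunnel_candidates(text: str, min_unique=20, min_len=30, min_entropy=3.0) -> dict:
    """Registered domains whose subdomain labels look like encoded data:
    many unique, long, high-entropy prefixes. Thresholds are assumptions."""
    prefixes = defaultdict(set)
    for _client, qname, _qtype in parse_log(text):
        reg = registered_domain(qname)
        prefix = qname[: -len(reg) - 1] if qname.endswith("." + reg) else ""
        if prefix:
            prefixes[reg].add(prefix)
    out = {}
    for reg, subs in prefixes.items():
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= min_len and avg_ent >= min_entropy:
            out[reg] = {"unique": len(subs), "avg_len": round(avg_len, 1),
                        "avg_entropy": round(avg_ent, 2)}
    return out


if __name__ == "__main__":
    print("lookalike domains:", find_lookalikes(SAMPLE_LOG))
    print("tunnel candidates:", find_tunnel_candidates(SAMPLE_LOG))
```

The lookalike check deliberately compares only the registered domain, so `webmail.examp1e-corp.com` is flagged once as an imitation of `example-corp.com` regardless of how many hostnames the attacker creates under it. The tunneling heuristic keys on volume of unique labels plus length and entropy together, because any one of those alone (a busy CDN, a single long hostname) produces false positives; tune `min_unique`, `min_len` and `min_entropy` against a baseline of your own resolver logs before alerting on them.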