The inner workings of two Iran-linked cyberespionage groups have been leaked on the dark web and Telegram channels by mysterious hacker groups. While the first leak exposed the operations of the MuddyWater APT, the second exposed the efforts of a hitherto unknown Iranian cyberespionage group, referred to in official documents as the Rana Institute.

An outfit calling themselves the Green Leakers have reportedly taken responsibility for the MuddyWater hacker group's leak. The group operates two Telegram channels and claims to be selling data pertaining to MuddyWater APT's operations. So far, the Green Leakers have posted images of MuddyWater's C2 servers, and the unreacted IP addressed of the cyberespionage group's victims, ZDNet reported.

Meanwhile, the leak that exposed the operations of the Rana Institute appears to have come from a different source. In this case, the leakers dumped secret government documents that were allegedly obtained from Iran's Ministry of Intelligence. These documents hint at Rana having been hired by the Iranian government to conduct cyberespionage operations. According to the leaked documents, Rana has been active since 2015, although the group's activities had never before been discovered.

“These documents contain lists of victims, cyber-attack strategies, alleged areas of access, a list of employees, and screenshots from internal websites relevant to espionage systems,” security researchers at ClearSky said in a report.

“The identity of the actor behind the leak is currently unknown, however based on the scope and the quality of the exposed documents and information, it appears that they are professional and highly capable. This leak will likely hamstring the groups' operation in the near future,” ClearSky researchers added.

According to the researchers, Rana Institute targeted government entities, telecom firms, airline companies, and IT firms across Asia, Africa, and other regions. The hacker groups also consituted of specific teams that targeted specific types of software, such as Linux, MacOS, Microsoft, and more.

The leaks of MuddyWater and Rana Institute are not the first of its kind. In April, a mysterious hacker, going by the pseudonym “Lab Dookhtegam” leaked the source code of several malware strains developed and used by the Iranian state-sponsored OilRig APT group, aka APT34.

Chinese Hackers
A man types on a computer keyboard in Warsaw in this illustration file picture, Feb. 28, 2013. Reuters/Kacper Pempel/Files

The spate of leaks exposing Iranian cyberespionage operations hint at the possibility that these leaks may the work of an organised effort to reveal and hinder their operations. The first set of leaks regarding APT34 was authenticated by several security firms, including FireEye and Palo Alto Networks. Although the leaks regarding the Rana Institute have been authenticated by ClearSky and Minerva Labs, the authenticity of the exposed data relating to MuddyWater still remains murky.