Irleaks (threat actor), Major Iranian insurance companies, SnappFood (Iran’s largest food delivery platform).
On 20/12/2023, a seemingly novel threat actor, identified as “Irleaks”, claimed to have stolen over 160 million personal records from 23 leading insurance companies in Iran in one of the largest data breaches ever recorded.
Irleaks struck again on 30/12. This time, it was a major cyberattack on SnappFood, with 3 terabytes of data stolen, including sensitive information of 20 million users.
On 2/1/2024, Researchers from threat intelligence group, Hudson Rock, identified a potentially compromised employee at SnappFood as part of their initial reporting on Irleaks, which might have been the initial attack vector.
The SnappFood employee was a victim of the StealC malware. StealC is a type of infostealer. Infostealers are malicious programs designed to collect and exfiltrate sensitive information from an infected system.
While these two incidents have been investigated extensively by Hudson Rock, there is a longer timeline of Irleaks’ history as a threat actor. Massive amounts of personal identifiable information (PII) have been put up for sale on the darkweb and various breach forums by Irleaks, impacting a majority of Iran’s population if the claims are all true.
Irleaks has been active since at least early 2022, initially maintaining a low profile with significant operations, including data leaks and website defacements.
On 10/7/2023, a similar data breach of multiple insurance firms was claimed by Irleaks. This event allegedly pulled client PII from four major companies, totalling 43 million files.
An even larger breach that occurred on 9/8/2023 and was claimed by Irleaks released 115 million files from 19 different organizations.
On 2/9/2023, Irleaks leaked the data of more than 27 million customers of Iranian rideshare app, Tapsi. This included full names, mobile phone numbers, and various account and social security numbers.
Iran’s National Information Network (NIN) development, intended for controlling internal communication, has not necessarily translated into robust defense for private industries. Irleaks’ operations demonstrate a potential exploitation of these vulnerabilities. It could also be that these attacks have had an increased impact because of data required by Iranian structures to be held onto by these targeted companies.
Iran has enhanced its offensive cyber capabilities for peer threats such as Israel, but private industries may remain vulnerable.
The detailed nature and large volume of records suggest that the claims are genuine. Research by Hudson Rock confirms this.
High level of capability indicates organized, advanced threat actor involvement. Potential motivations include financial gain or political/strategic motives. The coordinated nature of Irleaks’ attacks, coupled with Iran's geopolitical situation, raises speculation of nation-state involvement or sanction.
Possible use of social engineering or spear-phishing tactics, indicated by the compromise of an employee at SnappFood.
Irleaks' significant and sophisticated cyber activities mark a notable shift in Iran's cybersecurity landscape. The scale of their breaches suggests the potential involvement of nation-state actors, adding complexity to an already intricate geopolitical context. While the precise motives of Irleaks are unclear, the depth of their penetration into Iran’s internet infrastructure indicates a highly capable threat actor. Considering their long-term operational preparation, Irleaks could be an independent entity, though the possibility of state-backing cannot be discounted. Thorough and ongoing analysis is essential to fully comprehend the extent and ramifications of their actions.
Also of concern is the fact that so much data was retained by the various private entities in Iran. While this may have been a requirement of the government for surveillance purposes, similar situations have been identified in app-based services around the world. Data leaks and breach events remain one of the top cyber threats to organizations, as well as private citizens.