A report this week by Hudson Rock researchers made waves as it outlined two dataleaks published by a threat actor known as “Irleaks“. If the threat actor’s claims were to be believed, it would have been one of the largest data breaches in history, causing the researchers to speculate that it could have been a “coordinated operation conducted by a nation-state actor”.

On December 20th, Irleaks claimed to have stolen over 160 million records from 23 leading insurance companies in Iran. The data purportedly included personal details like names, birth dates, phone numbers, and national codes​​.

Subsequently, on December 30, Irleaks also claimed a major cyberattack against SnappFood, Iran’s largest food delivery platform, stealing 3 terabytes of data. This included sensitive information of 20 million users (emails, passwords, phone numbers), 51 million user addresses, 600,000 credit card details, and data from 180 million devices​​​​​​.

Promotional image of a SnappFood rider. Property of SnappFood.

The SnappFood breach was extensive, affecting various data types, including customer information, vendor records, payment information, device data, product order records, order details, details of bikers or riders, and trip-related information. This compromised data was very detailed, including usernames, password hashes, email addresses, full names, dates of birth, phone numbers, addresses, GPS locations, card numbers, bank names, IP addresses, and more​​.

Researchers from Hudson Rock identified a potentially compromised employee of SnappFood, whose computer was infected with StealC infostealer. This may have been the initial attack vector used against the company​​​​.

The researchers believe these attacks might be part of a coordinated operation potentially conducted by a nation-state actor, although the origin of the breach remains unclear​​​​.

On December 31st, SnappFood acknowledged the breach publicly and disclosed that Iran’s Cyber Police (FATA) is actively working to identify the breach’s source​​.

On January 1st, Irleaks announced on their Telegram channel that SnappFood had come to the table, and something had been negotiated between them.

Iran’s Cybersecurity Landscape

Iran has rapidly improved its cyber capabilities and is ahead of most nations in strategy and organization for cyber warfare. Years of engagement with countries like Israel and Saudi Arabia have improved Iran’s cyber capabilities. Iran uses modified malware from the criminal market, which is progressively becoming more sophisticated​​. It has a sophisticated organizational structure to manage cyber conflict, with cyberattacks seen as part of its asymmetric military capabilities​​.

In 2013, Iran initiated the development of the National Information Network (NIN), a domestic Internet infrastructure aimed at being more secure from foreign cyberattacks and potentially disconnected from the global Internet. However, this doesn’t necessarily trickle down to its private industries, and may not necessarily secure its networks from a threat based within the country, provided the threat actor is capable enough. Regarding data leaks, though, this network allows the Iranian government to exert greater control over content and user data​, and could potentially introduce its own set of vulnerabilities​. Regardless, a threat actor navigating this space would need to be familiar with the machinations of the NIN, and how it might impact the security posture of large businesses.

Internally, Iran’s approach to monitoring, censoring, and controlling the Internet has developed since the mid-1990s. There have been instances of internet censorship and systematic blocking of websites, especially during periods of political unrest​​​​. This was seen widely during the 2022 Mahsa Jhina Amini uprisings.

The Credibility of the Attacks

It’s always wise to take cybercriminals and hacktivists with more than one grain of salt. Especially when the purported magnitude of such a data leak is so unprecedented for a relatively unknown threat actor. This makes up much of the basis for the suspicion of Irleaks having a state hand guiding them. However, based on the available information and further research, several conclusions and speculations can be drawn about Irleaks and the legitimacy of their claims.

Legitimacy of the Attack: The detailed nature of the data exposed, the large volume of records involved, and the confirmation by Hudson Rock researchers that the sample data appears to be genuine all suggest that the attack is legitimate. The specificity of the data stolen (personal user information, credit card details, device information) is typically consistent with real data breaches.

irleaks data leak sample
Sample of the data, provided by Irleaks and Hudson Rock.

Sophistication of the Attack: The scale and sophistication of the attack, targeting multiple organizations and a large amount of data, indicate a high level of capability. This aligns with the actions of organized, advanced threat actors rather than opportunistic, individual hackers.

Possible Motivations: The sale of such a large volume of data and the public announcement of the breach could point to financial gain as a primary motivation. However, the nature and scale of the attack leave room for speculation about political or strategic motives, especially considering the potential involvement of a nation-state actor.

Potential Nation-State Involvement: Researchers’ belief that these attacks might be part of a coordinated operation by a nation-state actor is significant. This could suggest geopolitical motives, especially given Iran’s prominence in regional politics and ongoing cyber conflicts.

Method of Attack: The mention of a compromised employee at SnappFood suggests a possible attack vector. This could indicate a more targeted approach, potentially using social engineering or spear-phishing tactics.

Lack of Counter-Evidence: As of this moment, there are only a few articles on this topic, and none of them articles provide direct evidence or suggestions that the claims made by Irleaks are false. In addition to Hudson Rock‘s findings linked above, Hackread also provides an insightful article.The absence of counter-claims or denials, especially from the affected organizations, adds credibility to the assertion that these breaches did occur.

Public Acknowledgement: SnappFood’s public acknowledgment of the breach and involvement of Iran’s Cyber Police also add legitimacy to the claims.

While there’s always room for skepticism in cyber threat intelligence, the details available suggest that the attacks attributed to Irleaks are credible and likely legitimate. However, it’s important to continue monitoring for any new information or developments that could provide further insights into these incidents, especially in the context of the current conflict in the region.

Irleaks’ History

The way this event is being discussed in the cybersecurity milieu, one might be led to believe that Irleaks is a novel threat actor and that these attacks seemingly came out of nowhere. However, while maintaining a relatively low profile, the individual or individuals going by “Irleaks” have been planning similar operations and perhaps conducting them while leaving less of a trail behind them, since early 2022.

Big thanks in this next section to Falconfeeds.io for providing several of the evidence images.

June 13, 2022: Telegram Channel Established

The oldest channel that I could find on Telegram, which seems to be the threat actor’s preferred mouthpiece outside of various breach forums, was started on 13 June, 2022. There was nothing directly significant I could find on that date, but a horrific accident at a chemical plant, along with a climate of general distrust and protest don’t draw a straight line to any explicit relationship.

First of the irleaks Telegram channel was founded.
The current avatar used by Irleaks
The current avatar used by Irleaks

July 10, 2023: Multiple Insurance Firms (the first claimed attack)

This highly underreported attack was a massive leak similar to the ones seen in December.

Statement (translated from Persian):

Our main activity is infiltrating important Iranian sites and selling information.

To begin with, we have decided to include Asia Insurance information with 25,799,452 records, Razi Insurance with 11,015,722 records, Sina Insurance with 6,013,416 records, and Hafez Insurance with 431,947 records, totaling more than 43 million information. :
We sell name, surname, date of birth, father’s name, phone/mobile number, birth certificate number, national code, national company code, etc. here.

A sample of a spreadsheet published by the threat actors

July 11, 2023: Imam Relief Committee Defacement

An attack by Irleaks that falls very much outside of their pattern is a defacement that was conducted on July 11th of the Imam Khomeini Relief Foundation, allegedly an organization dedicated to assisting poor families. With no real motivation expressed beyond a desire for publicity, it makes me suspect that it may have just been a target of opportunity.

Statement (translated):

The website of the Imam Relief Committee was hacked and defaced just to announce the existence of our team.

Aug 9&10, 2023: 115 million personal records from Iranian insurance companies

In August, Irleaks went after Iran’s insurance industry, once again. This attack, much like the one in July, didn’t seem to make the news.

Sep 02, 2023: Tapsi Database Leak

In September, Irleaks began advertising the entire customer database of Tapsi, an Iranian rideshare company.

Statement (translated):

Tapsi company was hacked!

  • Information of more than 27 million passengers including: name, surname, mobile number, city and sometimes email.
  • Information of more than 6 million drivers including: name, surname, national code, city, mobile number.
  • Information of more than 136 million trips including: passenger ID, full address of origin and destination, short address of origin and destination, geographic information (GPS Locations) of origin and destination.
  • Source code of Tapsi company products such as mobile applications and…
  • Passenger and driver mobile device information.

December 20, 2023: The Most Recent Major Insurance Company Leak

Irleaks claimed to possess personal data from Iranian insurance companies, once again. This data reportedly included vital information relating to the Iranian Army and the IRGC. The post advertising the leak did not provide specific details about the affected organizations or websites, but indicated that the sources were from within the insurance industry.

December 30, 2023: Snappfood Leak

Irleaks had claimed to have obtained personal data from the Grubhub-like Snappfood. The data allegedly encompassed payment details, user profiles, order history, GPS coordinates, and vendor information.

Statement (translated):

Snapfood was hacked!

In short, we have the following:

  • Information of more than 20 million users including: username, password, email, first and last name, mobile number, date of birth, etc.
  • Information on more than 51 million user addresses including: GPS location, full address, phone number, etc.
  • Information on more than 180 million mobile devices including: device type and model, platform, token, app installation store, etc.
  • Information on more than 360 million orders including: orderer’s IP address, received address, received phone number, city, receiving time, first and last name, store or restaurant details, price, product, etc.
  • Information of more than 35 thousand couriers including: name, surname, contact number, national code, city, etc.
  • More than 600,000 order payment information including: card owner’s full name, customer’s full name, contact number, card number, bank name, etc.
  • Information on more than 160 million trips made by couriers including: full name of origin and destination, address of origin and destination, phone number of origin and destination, geographic location of origin and destination, date and…
  • More than 240,000 Vendor information including: full name, address, phone, email, GPS location, collection management name, etc.
  • Information on more than 880 million product orders

There still isn’t a great deal known about Irleaks. As it stands, they’re clearly a very capable threat actor who have found their niche in the complex world of Iran‘s internet infrastructure. I think given the current geopolitical climate, it’s tempting to jump to the conclusion that Irleaks is a state-backed APT simply yet to be named and shamed, and we certainly can’t rule this possibility out. However, if one takes into consideration the year or more of time Irleaks may have had to prepare its particular attack vector, I think the idea of an independent actor remains viable.