A data leak exposed the personal details of over 1,000 individuals linked to Ravin Academy, an Iranian cyber institute tied to state-backed hacking group APT34 (MuddyWater/OilRig). The breach, published by activist Nariman Gharib, included names, national ID numbers, phone numbers, Telegram usernames, and other sensitive information, much of it belonging to scientists, engineers, and academics who were potentially unaware of their association with Iran’s Ministry of Intelligence and Security (MOIS). The leak occurred during Ravin’s Technology Olympiad, a state-backed event, and was framed by Iranian officials as a foreign attack intended to undermine national security.

The exposed records reveal Ravin’s role as a recruitment pipeline for offensive cyber operations, with evidence linking it to exploits (e.g., CVE-2020-0688, CVE-2020-1472) later used by APT34. The breach raises ethical concerns about unwitting civilian involvement in state-sponsored cyber warfare and the risk of academic/industrial espionage conducted under the guise of collaboration. Western experts warn of reputational damage to global universities and tech firms partnered with such institutions, though Iran’s cyber ambitions are unlikely to be deterred. The incident aligns with Iran’s history of high-profile attacks, including those on Israeli critical infrastructure and multinational corporations.
Source: https://www.ynetnews.com/tech-and-digital/article/s1pcv5c1bx
TPRM report: https://www.rankiteo.com/company/ravin-ac
{
  "id": "rav2503325110725",
  "linkid": "ravin-ac",
  "type": "Breach",
  "date": "6/2020",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "1,000+ individuals (including civilians, researchers, and potential recruits for APT34/MuddyWater)",
      "industry": ["Cybersecurity", "Education", "Government/Intelligence"],
      "location": "Tehran, Iran",
      "name": "Ravin Academy",
      "type": ["Cyber Institute", "State-Backed Training Facility"]
    },
    {
      "industry": ["Science", "Engineering", "Academia"],
      "location": ["Iran", "International (Western academics with ties to Ravin)"],
      "name": "Individuals Linked to Ravin Academy",
      "type": ["Students", "Researchers", "Potential Recruits for State Cyber Operations"]
    },
    {
      "industry": "Education",
      "location": ["Global (partners or collaborators with Ravin Academy)"],
      "name": "Western Academic Institutions",
      "type": ["Universities", "Research Organizations"]
    }
  ],
  "data_breach": {
    "data_exfiltration": "Yes (leaked and published by activist)",
    "number_of_records_exposed": "1,000+",
    "personally_identifiable_information": ["Names", "National ID Numbers", "Phone Numbers", "Telegram Usernames"],
    "sensitivity_of_data": "High (includes national IDs, contact details, and potential links to state cyber operations)",
    "type_of_data_compromised": ["Personally Identifiable Information (PII)", "Recruitment Records", "Academic/Professional Backgrounds"]
  },
  "date_publicly_disclosed": "2023-10-22",
  "description": "Details of over 1,000 individuals connected to Ravin Academy, an Iranian cyber institute tied to state-backed hacking group APT34 (MuddyWater/OilRig), were exposed in a data leak. The breach, published by activist Nariman Gharib on October 22, 2023, included personal data such as names, national ID numbers, phone numbers, and Telegram usernames. The leak coincided with Ravin’s Technology Olympiad in Tehran and has raised concerns about civilian and Western academic involvement in Iran’s cyber programs. Ravin Academy, sanctioned by the U.S., UK, and EU, confirmed the breach but framed it as a foreign attack to undermine Iran’s cybersecurity efforts.",
  "impact": {
    "brand_reputation_impact": ["Severe Damage to Ravin Academy’s Credibility", "International Scrutiny of Iran’s Cyber Programs", "Potential Distrust in Academic Collaborations with Iranian Institutions"],
    "data_compromised": ["Names", "National ID Numbers", "Phone Numbers", "Telegram Usernames", "Personal Details of Individuals with Science/Engineering Backgrounds"],
    "identity_theft_risk": ["High (Exposed PII includes national IDs, phone numbers, and Telegram usernames)"],
    "operational_impact": ["Reputational Damage to Ravin Academy", "Disruption of Iran’s National Cybersecurity Olympiad", "Exposure of State-Linked Cyber Recruitment Pipeline"]
  },
  "investigation_status": "Ongoing (no official investigation details disclosed; activist-driven exposure)",
  "lessons_learned": [
    "Exposure of state-linked cyber recruitment pipelines can have significant reputational and operational consequences.",
    "Western academic institutions must exercise caution in partnerships with entities in states known for offensive cyber operations.",
    "Leaked PII of individuals connected to such programs can pose personal and professional risks, including identity theft or espionage accusations.",
    "State-backed cyber institutes may use academic cover for offensive operations, unlike defensive-focused programs in Western countries."
  ],
  "motivation": ["Espionage", "Reputational Damage to Iran’s Cyber Apparatus", "Exposure of State-Linked Cyber Recruitment", "Potential Counterintelligence"],
  "post_incident_analysis": {
    "root_causes": [
      "Likely insider threat or external compromise leading to data exfiltration.",
      "Inadequate safeguards for sensitive recruitment/personnel data at Ravin Academy.",
      "Use of academic institutions as cover for state cyber operations increases risk of exposure."
    ]
  },
  "recommendations": [
    "Global universities and tech firms should reassess collaborations with Iranian cyber institutions like Ravin Academy.",
    "Enhanced due diligence is required for academic partnerships in regions with state-sponsored cyber threats.",
    "Individuals listed in the leak should monitor for identity theft or targeted phishing attempts.",
    "Western governments may need to expand sanctions or warnings related to Iran’s cyber recruitment networks."
  ],
  "references": [
    {"date_accessed": "2023-10-26 (reported on October 26, 2023)", "source": "Dark Reading"},
    {"date_accessed": "2023-10-22 (leak published)", "source": "Nariman Gharib (Activist)"},
    {"date_accessed": "2023-10-22", "source": "Ravin Academy Telegram Post"},
    {"source": "PwC Cybersecurity Reports"},
    {"source": "U.S./UK/EU Sanctions Lists"}
  ],
  "regulatory_compliance": {
    "regulatory_notifications": ["Ravin Academy is sanctioned by the U.S., UK, and EU for its role in state-backed cyber operations"]
  },
  "response": {
    "communication_strategy": ["Telegram Post by Ravin Academy", "Statements by Iranian Officials", "Activist Nariman Gharib’s Public Disclosure"],
    "incident_response_plan_activated": "Yes (Ravin Academy acknowledged the breach via Telegram)",
    "recovery_measures": ["Public Denial of Wrongdoing", "Framing the Leak as a Foreign Attack"]
  },
  "stakeholder_advisories": [
    "Western governments may issue warnings to academic institutions about collaborations with Ravin Academy.",
    "Cybersecurity firms (e.g., PwC) have linked Ravin to offensive cyber operations, including exploits later used by APT34."
  ],
  "threat_actor": "Unidentified (leaked by British-Iranian activist Nariman Gharib)",
  "title": "Ravin Academy Data Leak Exposes 1,000+ Individuals Linked to Iranian State-Backed Cyber Operations",
  "type": ["Data Leak", "Exposure of Sensitive Information", "State-Sponsored Cyber Activity"]
}