Ravin Academy, an Iranian state-sponsored institution established in 2019 to train cybersecurity specialists for Iran’s Ministry of Intelligence (MOIS), suffered a data breach exposing sensitive personal information of its associates and students. The leaked data confirmed by the academy includes names, phone numbers, Telegram usernames, and national ID numbers of participants, some of whom are academics affiliated with Western universities. Additional non-public details, such as class attendance records, were also compromised but not fully disclosed. The breach was publicly exposed by UK-based activist Nariman Gharib, who published the data online, further damaging the academy’s reputation and Iran’s cybersecurity standing.

The attack targeted an online platform hosted by Ravin, with the timing suggesting an intent to undermine confidence in Iranian security. The academy, already sanctioned by the UK, US, and EU for ties to MOIS-linked cyber groups like MuddyWater/APT34, faces heightened scrutiny. The leaked data reveals connections between Ravin’s founders (Farzin Karimi Mazlganchai and Seyed Mojtaba Mostafavi) and state-sponsored cyber operations, reinforcing concerns over Iran’s cyber warfare capabilities. The breach not only risks operational security for MOIS but also exposes individuals, including professors in STEM fields, to potential retaliation or espionage risks.

Given Ravin’s role in training cyber operatives for geopolitical attacks (e.g., Albania’s 2022 infrastructure disruption), the breach could compromise future MOIS operations and deter recruitment, while emboldening adversaries targeting Iran’s cyber programs.
Source: https://www.theregister.com/2025/10/27/breach_iran_ravin_academy/
TPRM report: https://www.rankiteo.com/company/ravin-ac
{
  "id": "rav4692346102725",
  "linkid": "ravin-ac",
  "type": "Breach",
  "date": "6/2019",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': 'Associates, Students, and '
'Academics (including professors '
'at Western universities)',
'industry': ['Education',
'Cybersecurity',
'Government/Intelligence'],
'location': 'Iran',
'name': 'Ravin Academy',
'type': 'Educational Institution (State-Sponsored '
'Cybersecurity Training)'},
{'industry': ['STEM (Engineering, Machine Learning, '
'Fluid Dynamics, etc.)',
'Cybersecurity (minority)'],
'location': ['Iran',
'Western Countries (e.g., professors at '
'Western universities)'],
'name': 'Individuals Linked to Ravin Academy',
'type': 'Academics/Professionals'}],
'customer_advisories': 'Public statement via Telegram acknowledging the '
'breach but downplaying its severity.',
'data_breach': {'data_exfiltration': 'Yes (Spreadsheet Shared with Activist, '
'Published Publicly)',
'file_types_exposed': ['Spreadsheet (e.g., CSV/Excel)'],
'personally_identifiable_information': ['Names',
'Phone Numbers',
'Telegram Usernames',
'National ID Numbers'],
'sensitivity_of_data': ['High (National ID Numbers)',
'Moderate (Phone Numbers, Usernames)'],
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Academic Records (Class '
'Attendance)']},
'date_publicly_disclosed': '2023-10-22',
'description': "Iran's Ravin Academy, a state-sponsored institution training "
'cyberattackers for Iranian intelligence (MOIS), suffered a '
'breach exposing personal information of its associates and '
'students. The attack targeted one of its online platforms, '
'compromising names, phone numbers, Telegram usernames, and in '
'some cases, national ID numbers. The breach was publicly '
'disclosed on October 22 via Telegram, with leaked data later '
'published by a UK-based activist. The academy, sanctioned by '
'the UK, US, and EU for human rights violations, alleged the '
'attack aimed to undermine Iranian security and damage its '
'reputation. Founders Farzin Karimi Mazlganchai and Seyed '
'Mojtaba Mostafavi, linked to MOIS and the MuddyWater/APT34 '
'group, were also sanctioned. The leaked data revealed ties to '
'academics in STEM fields, including professors at Western '
'universities.',
'impact': {'brand_reputation_impact': ["Severe Damage to Ravin Academy's "
'Reputation',
'Undermined Trust in Iranian National '
'Cybersecurity Olympiad'],
'data_compromised': ['Names',
'Phone Numbers',
'Telegram Usernames',
'National ID Numbers',
'Class Attendance Details (partial)'],
'identity_theft_risk': ['High (National ID Numbers Exposed)'],
'operational_impact': ['Reputational Harm',
'Undermined Confidence in Iranian '
'Cybersecurity'],
'systems_affected': ['Online Platform Hosted by Ravin Academy']},
'initial_access_broker': {'data_sold_on_dark_web': 'No (Data Shared with '
'Activist and Published '
'Publicly)',
'high_value_targets': ["Ravin Academy's Online "
'Platform',
'Personal Data of '
'Associates/Students']},
'investigation_status': 'Ongoing (No Official Technical Investigation Details '
'Released)',
'lessons_learned': ['State-sponsored cyber training institutions are '
'high-value targets for reputational and operational '
'disruption.',
'Sanctions and geopolitical tensions increase the risk of '
'targeted cyberattacks against affiliated entities.',
'Academic and professional ties to sanctioned '
'institutions can expose individuals to unintended '
'scrutiny or risk.',
'Public disclosure strategies by threat actors or '
'activists can amplify the impact of data breaches.'],
'motivation': ['Reputational Damage',
'Undermining Iranian Security',
'Geopolitical Tensions',
'Human Rights Advocacy'],
'post_incident_analysis': {'root_causes': ['Inadequate security measures for '
'an online platform hosting '
'sensitive data.',
'Geopolitical targeting due to '
"Ravin Academy's role in training "
'state-sponsored cyberattackers.',
'Potential insider threats or '
'compromised credentials '
'(unconfirmed).']},
'recommendations': ['Enhance security measures for online platforms hosting '
'sensitive personal data, especially in high-risk '
'sectors.',
'Implement stricter access controls and monitoring for '
'state-affiliated institutions.',
'Conduct thorough background checks on individuals '
'associated with sanctioned entities to mitigate '
'reputational risks for Western academic institutions.',
'Develop crisis communication plans to address breaches '
'involving politically sensitive data.',
'Collaborate with international cybersecurity '
'organizations to track and mitigate threats from '
'state-sponsored groups like MuddyWater/APT34.'],
'references': [{'source': 'The Register'},
{'date_accessed': '2023-10-22',
'source': 'Ravin Academy Telegram Statement'},
{'source': 'PwC Report on Ravin Academy'},
{'source': 'UK/US/EU Sanctions Lists (2022–2023)'},
{'source': 'Group-IB Research on MuddyWater (2023)'}],
'regulatory_compliance': {'legal_actions': ['Sanctions by UK, US, and EU '
'(2022–2023) against Ravin '
'Academy and Founders']},
'response': {'communication_strategy': ['Public Denial of Severe Impact',
'Accusations of Misleading Media '
'Campaigns',
'Emphasis on National Achievement'],
'incident_response_plan_activated': 'Yes (Public Statement '
'Issued via Telegram)'},
'title': 'Ravin Academy Data Breach Exposes Personal Information of '
'Associates and Students',
'type': ['Data Breach', 'Cyber Espionage', 'Targeted Attack']}