Iran-Linked Threat Actor The MABNA Institute’s Operations in 2020

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

The report aims to provide insight into Iran-linked MABNA Institute campaign activity that was reported on by Insikt Group throughout 2020, as well as by the broader cyber research community. The report is most likely to be of use to scientific organizations, academic institutions, and software groups that service the academic sector. This report will be of interest to blue team defenders working to secure academic and scientific organization’s networks, as well as CTI groups that research Iran-nexus cyber activity. The Recorded Future® Platform, Insikt Group threat research, and that from Proofpoint, RiskIQ, and Malwarebytes are referenced. Data sources used to conduct this analysis include the Recorded Future® Platform, Farsight DNSDB, DomainTools and other common open-source tools and techniques.

Executive Summary

The MABNA Institute, a threat actor which has been associated with the Iran’s Islamic Revolutionary Guard Corps (IRGC) by the US Department of Justice, continued its global operations against academic and research sector institutions using similar tactics, techniques, and procedures (TTPs) in 2020 as previous years, with large-scale phishing and credential theft characterizing their operations.

Throughout 2020, the MABNA Institute, or operational clusters suspected to be associated with the actor, continued to use infrastructure, including domain registration and hosting services, inside and outside of Iran. Notably, our research did not reveal new evidence of the threat actor’s adoption of malware in its campaigns. This continues to suggest that while the threat actor is highly determined to lead its credential theft operations internationally and sell credentials inside Iran to research-oriented organizations, it likely sees no practical use to maintaining persistence in victim networks. This however does not preclude other elements associated with the MABNA Institute from conducting malware-based intrusions against different sectors. 

Insikt Group research has further uncovered evidence to suggest that groups which hold no evidence-based association with the MABNA Institute are likely also engaging in almost identical activity. This is suggestive of an underground market that engages interested buyers with illicit access to university and library institutions all around the world. 

The threat actor maintained an elevated operational tempo throughout 2020, and this pace of operations is highly likely to persist through 2021 and proceed into the Persian new year of 1400 (March 2021 to March 2022) much as it has in the past, with renewed targeting against academic and scientific organizations remaining top priorities.

Key Judgments

• Recorded Future Network Traffic Analysis from February to March 2021 revealed network communications between MABNA Institute portals and academic institutions in Spain and Switzerland.
• Due to the demand for access to research and information in Iran and international sanctions that have impacted it, the illicit market for stolen credentials will highly likely continue to drive the MABNA Institute’s operations in the future. 
• International tertiary academic institutions from North America, the United Kingdom, Europe, the Middle East, Africa, Asia, and the Asia-Pacific region, have been identified by Insikt Group as targets for suspected MABNA Institute operations. This characteristic in victimology is likely to continue into the future.

Editor’s Note: This post was an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.