On October 22^nd, during the usual OSInt monitoring, Cluster25 detected the Farsi speaking hacktivist TA known as Black Reward claiming to have hacked into an email account belonging to employees of the Iranian Nuclear Power Production and Development (NPPD), exfiltrating and then leaking confidential data related as the group stated ”Contracts of Iran Atomic Energy Production and Development Company (NPPD) with domestic and foreign partners, management and operational schedules of Bushehr power plant, identity details and paystub of engineers and employees of the company as well as passports and visas of Iranian and Russian specialists of Bushehr power plant”.

Before talking about the leak, let’s outline the geopolitical background on the energy deals that are being signed around the world, between Moscow, Teheran, and Ankara.

Recently as the energetic crisis is getting worse and the tension around the Ukrainian conflict is rising, during the period between the 12^nd and the 23^rd of October 2022, Turkish President Tayyip Erdogan has been quite active in strengthening economic ties and partnerships with both countries, Iran, and Russia, which will likely get to Turkey more accountability and power among the Arab Countries, and the Caucasus area.

On October 19^th, 2022, President Putin and President Erdogan reached an agreement on the creation of a gas hub, permitting Europe to use Russian gas passing through the natural gas pipeline TurkStream. In the following days, Ankara proposed to President Putin the creation of an oil hub, managing to purchase and transport oil from Russia without the need for Western financing or insurance, as declared by Turkish Finance Minister Nureddin Nebati. As for the gas hub, also the creation of a Turkish oil hub will likely be useable by European countries, offering tools and a platform for trade, which will likely at the same time ease the energetic pressure among Europe and increase Erdogan’s influence in the international scenario.

Along with the Russian-Turkish gas hub accord, President Erdogan has reached several agreements with Iran in the fields of gas exports, in addition to the already 10 billion cubic meters of gas per year (circa) Iranian supply, through the Tengiz-Ankara gas pipeline. As reported by the National Gas Company of Iran Mohammad Reza Jolayi “In accordance with these agreements, various activities related to the export of Iranian gas to Turkey will be carried out over the next six months with the coordination of the parties.”

Another commercial way that these countries are exploiting in the recent years is the International North–South Transport Corridor (INSTC). On May 16^th, 2002, Russia, Iran, and India signed the agreement for the INSTC, a 7,200-km-long multi-mode network of ship, rail, and road route for moving freight between India, Iran, Azerbaijan, Russia, Central Asia, and Europe. The objective of the study was to identify and address key bottlenecks, such as the Suez Canal, saving both time and money. Opening a huge highway for goods and services, mimicking the ancient glories of the Silk Road, interconnecting these countries, and saving a lot of money in the meantime.

Both Russia and Iran are under international sanctions, while Turkey has gained that amount of power on the geopolitical arena that can bend the international law on its favor. Stating so, it’s natural that the three would cooperate in different sectors, from the import/export of goods to the military and weapon sector, and of course the energy sector, given the double ended ties between Tehran, Moscow and Ankara.

Talking about the energy sector, following the information found in the data-leak shared by Black Reward it’s now clear how the Kremlin has a really in deep collaboration within the atomic energy sector and how Rosatom and the Iranian nuclear program are connected. Analyzing the documents, Cluster25 found several maps underlining the uranium logistics from Russia to Iran and vice versa that will follow the INSTC routes.

Summarizing what happened, on October 22^nd, the Iranian hacktivist group Black Reward exposed several confidential documents related to the Iranian government’s nuclear project with the Russian Federation. This was an act of hacktivism linked to the ongoing demonstrations and riots shaking up the Iranian soil, where people are protesting the behaviors towards the civilians of the Government and the Islamic Revolutionary Guard Corps (IRGC).

This whole wave of manifestations started on September 18^th in response to Mahsa Amini’s death on September 16^th.

As reported through its social profile and channels, the Iranian hacktivist group exposed 75.18 GB of data after the 24 hours threat deadline given to NPPD in exchange for the liberation of the political prisoners detained after the riots.

The leak contains images, visas requests for Russian engineers to go to Iran, their passports, WhatsApp chats between Iranian and Russian engineers about technical drawings, Assessments, emails, and others.

The revindication of the leak by the group.

INSIGHTS

C25 analyzed most of the data leak consisting in email attachments, around 42k files. The majority of the files are technical drawings, internal documents, curricula and chats. Interesting to note how a lot of these documents are both in Russian and English, linked to Russian experts in the atomic sphere.

Following some screenshots taken from the leaked files.

Relying on the eternal power of God and in the light of faith and national determination and planned and deliberate collective effort and on the path to realizing the ideals and principles of the constitution, in the twenty-year perspective, Iran is a developed country with the first economic, scientific and technological position at the level The region with Islamic and revolutionary identity, inspiring in the Islamic world and with constructive and effective interaction in international relations. (Document on the vision of the Islamic Republic of Iran in the horizon of 1404 AH)”

Iran Nuclear program is monitored by the International Atomic Energy Agency (IAEA) and the World Association of Nuclear Operators (WANO). And this is no news for the scope of this report. In fact, on April 13th the WANO declared the successful pass of their assessments of the Bushehr Nuclear Plant.

Some of the files are showing a clear link with Russia, starting from antivirus licenses to Russian experts’ passports, Irani visas for Russian citizens to lists of spare parts and other Russian language documents.

Bushehr Nuclear Power Plant map and internal photos, technical drawings, internal documents as shared by the group to Russian speaking individuals

Transportation options for Uranium along the INSTC from Russia to Iran and vice versa

A license gave to the Russian company JSC “All-Russian Production Association “Zarubezhatomenergostroy” sent to the Iranian plant

JSC “All-Russian Production Association “Zarubezhatomenergostroy” performs services in the field of quality assurance of manufacturing and supply of equipment for nuclear facilities in Russia and abroad. JSC “VPO “ZaES” has been carrying out technical acceptance of nuclear fuel, conformity assessment of manufactured equipment, instruments and materials for nuclear power plants, examination of design documentation and quality assurance audits of enterprises since 1973. Geography of the organization – 4 branches, 46 representative offices throughout the Russian Federation.

As stated before, in the leaked files are present a large number of Russian passports, visa requests and other travel document, all linking to a really deep collaboration between Moscow and Teheran.

Russian Passports and visas requests

Two PCR tests given to Russian citizens, probably asked to the Islamic republic to enter the country during the covid-19 pandemic.

Most of the documents found in the leak are official documents referring to the nuclear sector (see image below) and they are redacted both in Russian and in English, showing a close link between the two countries in this field.

Another set of files that was found in the leak is material requests, given the fact that Iran is under sanctions, these files could suggest that there are other ways for Teheran to get the equipment needed, especially because most of them are in English.

An interesting mail found in the leak

MALICIOUS FILES FOUND

An Iranian mailbox in theory, considering the country’s past in the field of cyber intrusion and malware infections, needs to be checked very carefully. Indeed, among the leaked files, very interesting files from a cyber point of view were found. Below there is an introduction of the groups behind these files, and in the next paragraph a list of IoCs linked to the found files.

CONCLUSIONS

Cluster25 after having thoroughly analyzed most of the documents, can confirm the fact that ties in the nuclear and atomic fields are strong, intense and frequent between Moscow and Tehran. A long list of experts, Russian citizens, nuclear engineers, frequently go to Iran to advise the Islamic Republic and check on the plants. This is just the confirmation of what is publicly said by the political leaders, thus going to underline the effective help that comes from the Kremlin in the Middle East.

News dated 04/11/2022

INDICATORS OF COMPROMISE