Iran’s MOIS-linked Ravin Academy hit by data breach • The Register

10/27/2025


Iran’s school for state-sponsored cyberattackers admits it suffered a breach exposing the names and other personal information of its associates and students.

The Ravin Academy was established in 2019, ostensibly to train individuals in all facets of cybersecurity and recruit the best to work on Iranian intelligence (MOIS) projects.

As part of broader sanctions packages against Iran, Ravin was sanctioned by the UK, US, and EU between 2022 and 2023 for its role in recruiting cyber specialists to carry out human rights violations.

In a statement posted to its Telegram channel on October 22, Ravin confirmed that the attack targeted one of the online platforms it hosts, and highlighted the timing as an attempt to undermine confidence in Iranian security.

“As a result of this attack, some of the public information of participants (including username and phone number) on this platform has not been recorded,” the statement read, according to a machine translation from Persian that appears to have inverted the sentence; in context, the statement evidently means that the data had been recorded.

“This incident, coupled with the repeated publication of false and misleading content in the past, has the goals of damaging the reputation of this academy, undermining security in Iran, and harming the standing of the National Olympiad in the field of cybersecurity.

“Given the media efforts over the past year to achieve the aforementioned goals, it is natural that the opponents and international competitors of this event seek to damage this great national achievement.”

It acknowledged that details such as names, phone numbers, and usernames of some academy associates were compromised by whoever was behind the attack.

However, UK-based Iranian activist Nariman Gharib claimed to have been sent a copy of the data that was stolen from Ravin Academy, and has made it publicly available via a dedicated website. 

The data includes names, phone numbers, and Telegram usernames – as the academy acknowledged – but also in some cases national ID numbers.

Gharib said that he was supplied the data in the form of a spreadsheet, which also contained the details of the classes each individual attended, although he did not make this data publicly accessible.

The Register spent some time looking into the names and other details exposed in the leak, discovering that many are associated with academics, a sizable subset of whom work as professors at Western universities.

Where we could find public personas, individuals often worked and/or studied in engineering fields, although few were linked to computer science and/or cybersecurity.

Many of those who both appeared in the leaks and could be identified via public sources worked in adjacent STEM fields such as mechanical engineering, electrical engineering, fluid dynamics, and machine learning, among others.

We contacted a number of the academics who appear in the list to verify their affiliation with Ravin Academy.

Ravin and its founders

In addition to being known as the training ground for some of Iran’s cyberattackers, Ravin was also founded by two individuals with alleged ties to MOIS.

Founders Farzin Karimi Mazlganchai and Seyed Mojtaba Mostafavi are also both sanctioned by the UK, US, and EU for their role in establishing Ravin Academy, and according to a PwC report on the school, both have been credibly tied to attacks carried out by the MOIS-linked group PwC tracks as Yellow Nix, better known as MuddyWater.

“Although we did not directly link the company to the threat actor directly, we assess that Yellow Nix is highly likely familiar with Ravin Academy’s training materials and it is possible the set is comprised of a prior student/s,” the report read. 

It went on to say: “The multitude of professional and personal links involving the Ravin Academy founders demonstrate the complexity of attributing Iran-based threat actor activity, as the lines are often blurred as individuals move around what has shown to be a small, intertwined ecosystem.”

Despite the sweeping sanctions against MOIS itself and the organizations affiliated with it, MuddyWater is still very much alive and kicking.

Group-IB researchers said just last week that the group was responsible for more than 100 recent intrusions across government entities in the Middle East and North Africa.

MuddyWater and other MOIS-linked groups’ work prompted the 2022 US sanctions against Iran’s intelligence ministry. Perhaps most prominent was their attack on Albanian government infrastructure, which downed public services.

Iran is one of the West’s four main geopolitical adversaries alongside China, Russia, and North Korea.

British intelligence chiefs said in 2024 that more resources are spent on tackling China’s efforts to undermine economic, industrial, and academic progress than on any other single mission at GCHQ.

The UK government repeatedly refers to China as an “epoch-defining challenge,” and has previously stated that China seeks technological dominance within 10-15 years.

While Russia’s cyber threat is more immediate and focused on organizations in the near term, China’s activity is seen as the longer-term challenge.

A less technically capable adversary, Iran barely gets a mention in these kinds of conversations, although it remains a highly active participant in global cyberattacks, routinely targets critical national infrastructure (sometimes with success), and is more mature than North Korea. ®