{"id":1448,"date":"2023-06-26T22:03:14","date_gmt":"2023-06-26T22:03:14","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=75062"},"modified":"2023-06-26T22:03:14","modified_gmt":"2023-06-26T22:03:14","slug":"the-potent-cyber-adversary-threatening-to-further-inflame-iranian-politics","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/06\/26\/the-potent-cyber-adversary-threatening-to-further-inflame-iranian-politics\/","title":{"rendered":"The potent cyber adversary threatening to further inflame Iranian politics"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v20.5 (Yoast SEO v20.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>The potent cyber adversary threatening to further inflame Iranian politics | CyberScoop<\/title> <meta name=\"description\" content=\"A group calling itself GhyamSarnegouni has entered the Iranian cyber fray with a damaging hack-and-leak operation against the government.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/iran-government-hack-leak-documents-hacktivist\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"The potent cyber adversary threatening to further inflame Iranian politics\"> <meta property=\"og:description\" content=\"A group calling itself GhyamSarnegouni has entered the Iranian cyber fray with a damaging hack-and-leak operation against the government.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/iran-government-hack-leak-documents-hacktivist\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2023-06-26T22:03:14+00:00\"> <meta 
property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/the-potent-cyber-adversary-threatening-to-further-inflame-iranian-politics-1.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@AJVicens\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/cdn.parsely.com\">\n<link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-0\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1687285576g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1687276873g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-4\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1687284394g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=172264176d4de0f97962\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/75062\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" 
href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<link rel=\"wlwmanifest\" type=\"application\/wlwmanifest+xml\" href=\"https:\/\/cyberscoop.com\/wp-includes\/wlwmanifest.xml\">\n<meta name=\"generator\" content=\"WordPress 6.2.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=75062\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Firan-government-hack-leak-documents-hacktivist%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Firan-government-hack-leak-documents-hacktivist%2F&amp;format=xml\">\n<meta name=\"parsely-title\" content=\"The potent cyber adversary threatening to further inflame Iranian politics\"><br \/>\n<meta name=\"parsely-link\" content=\"http:\/\/cyberscoop.com\/iran-government-hack-leak-documents-hacktivist\/\"><br \/>\n<meta name=\"parsely-type\" content=\"post\"><br \/>\n<meta name=\"parsely-image-url\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/the-potent-cyber-adversary-threatening-to-further-inflame-iranian-politics-1.jpg?w=150&amp;h=150&amp;crop=1\"><br \/>\n<meta name=\"parsely-pub-date\" content=\"2023-06-26T22:03:14Z\"><br \/>\n<meta name=\"parsely-section\" content=\"Geopolitics\"><br \/>\n<meta name=\"parsely-tags\" content=\"ghyamsarnegouni,iran,israel,lab dookhtegan\"><br \/>\n<meta name=\"parsely-author\" content=\"AJ Vicens\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" 
<\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.303611738149\">\n<div class=\"single-article__header-content\" readability=\"30.370517928287\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/geopolitics\/\"> <span>Geopolitics<\/span> <\/a> <\/li>\n<\/ul>\n<p> A group calling itself GhyamSarnegouni has entered the Iranian cyber fray with a damaging hack-and-leak operation against the government. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/the-potent-cyber-adversary-threatening-to-further-inflame-iranian-politics.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/the-potent-cyber-adversary-threatening-to-further-inflame-iranian-politics-1.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/the-potent-cyber-adversary-threatening-to-further-inflame-iranian-politics-1.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/the-potent-cyber-adversary-threatening-to-further-inflame-iranian-politics-1.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/the-potent-cyber-adversary-threatening-to-further-inflame-iranian-politics-1.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/the-potent-cyber-adversary-threatening-to-further-inflame-iranian-politics-1.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/the-potent-cyber-adversary-threatening-to-further-inflame-iranian-politics-1.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/the-potent-cyber-adversary-threatening-to-further-inflame-iranian-politics-1.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/the-potent-cyber-adversary-threatening-to-further-inflame-iranian-politics-1.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/the-potent-cyber-adversary-threatening-to-further-inflame-iranian-politics-1.jpg?resize=1013,675 1013w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/06\/the-potent-cyber-adversary-threatening-to-further-inflame-iranian-politics-1.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Iran&#8217;s President Ebrahim Raisi speaks during a meeting with Cuba&#8217;s president Miguel Diaz Canel (out of frame) at the Revolution Palace in Havana, on June 15, 2023. (Photo by YAMIL LAGE \/ AFP) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"140.21787204451\"><body readability=\"281.17852405222\"><\/p>\n<p>Just before 2 a.m. Eastern Standard Time on May 29, someone posted a simple message to a Farsi-language Telegram channel called \u201cGhyamSarnegouni,\u201d which roughly translates to Uprising until Overthrow. \u201cThe entire highly protected internal network of the executioner\u2019s presidential institution in Tehran was captured and out of reach,\u201d it read, according to a Google translation.<\/p>\n<p>Within minutes, images of top Mujahedeen-e-Khalq leaders appeared on the channel, along with the message of \u201cDeath to Khameni Raisi,\u201d the supreme leader of Iran. The Iranian exile group commonly known as MEK has long opposed the Iranian government and advocated for its overthrow. Within a half hour of the original message, a screenshot of an internal presidential document was also posted on Telegram, the first of what has grown to more than 100 related to the office of the president of Iran and other major government agencies.<\/p>\n<p>The documents include diplomatic correspondence, floor plans of the Iranian president\u2019s office and other officials\u2019 offices, and detailed network topology diagrams of various government networks along with associated IP addresses. 
The leak also included documents that appeared to be related to the country\u2019s nuclear program and <a href=\"https:\/\/t.me\/AminSabeti_CHL\/5027\" target=\"_blank\" rel=\"noreferrer noopener\">reportedly details<\/a> of officials routing money through Chinese banks and other apparent sanctions-evasion activities. In addition to defacing multiple government websites, the hackers claimed to have gained control over 120 servers and databases, the government\u2019s server management networks and access to more than 1,300 computers connected to the presidency\u2019s internal network, according to <a href=\"https:\/\/english.mojahedin.org\/news\/iranian-dissidents-take-over-high-security-servers-of-regime-presidency\/\" target=\"_blank\" rel=\"noreferrer noopener\">a post on the MEK website<\/a> in the hours after the attack went public.<\/p>\n<p>The group claimed to have stolen \u201ctens of thousands of classified, top secret and secret documents,\u201d according to the post from the MEK, which has not officially claimed any connection to GhyamSarnegouni. Likewise, the hackers have not claimed to have ties to MEK or any other political group or organization. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The Iranian government called the hack \u201c<a href=\"https:\/\/en.irna.ir\/news\/85126097\/Iran-s-Presidency-dismisses-alleged-leaks-as-inauthentic\" target=\"_blank\" rel=\"noreferrer noopener\">fake<\/a>,\u201d and said website updates and maintenance \u2014 caused as the defaced sites were returned to the previous content \u2014 were the reason for any site outages. 
But <a href=\"https:\/\/cyberscoop.com\/iranian-dissidents-presidential-hack\/\" target=\"_blank\" rel=\"noreferrer noopener\">outside experts agreed<\/a> the documents, and the hack, were likely legitimate.<\/p>\n<p>The scale of intrusion and leak would present a major national security dilemma for any country and send officials and politicians scrambling to find the culprits, identify the vulnerabilities and prosecute the hackers. But, so far, the Iranian government\u2019s reaction \u2014 other than saying the leaked documents are fake \u2014 isn\u2019t public.<\/p>\n<p>Over the past several years in Iran, a patchwork of hacking groups has sprung up with various aims, political motives and ambitions \u2014&nbsp;and it\u2019s nearly impossible to know for certain who is behind each one of them. Some operations appear to be designed to expose Iranian government secrets or support opposition groups, while others target Israel and the U.S. While Iran has long been an active participant in the cyber domain, in the past few years its internal and external attacks have gained new potency and become more publicly visible since 2020, such as when hackers with <a href=\"https:\/\/www.washingtonpost.com\/national-security\/intelligence-officials-say-attempted-cyberattack-on-israeli-water-utilities-linked-to-iran\/2020\/05\/08\/f9ab0d78-9157-11ea-9e23-6914ee410a5f_story.html\" target=\"_blank\" rel=\"noreferrer noopener\">suspected links to the Iranian government<\/a> targeted water treatment systems in Israel.<\/p>\n<p>Looking to stir up trouble inside Iran, a growing number of groups have taken aim at the current government. 
These include groups such as <a href=\"https:\/\/cyberscoop.com\/iran-nuclear-emails-hack-leak-black-reward\/\" target=\"_blank\" rel=\"noreferrer noopener\">Black Reward<\/a>, <a href=\"https:\/\/www.iranintl.com\/en\/202203146632\" target=\"_blank\" rel=\"noreferrer noopener\">Tapandegan<\/a> and <a href=\"https:\/\/cyberscoop.com\/sanctions-iran-masha-amini-cyber\/\" target=\"_blank\" rel=\"noreferrer noopener\">Lab Dookhtegan<\/a>. Another group known as <a href=\"https:\/\/cyberscoop.com\/gonjeshke-darande-israel-hackers-iran-steel-hacktivist\/\" target=\"_blank\" rel=\"noreferrer noopener\">Predatory Sparrow<\/a>, which has <a href=\"https:\/\/www.timesofisrael.com\/gantz-orders-probe-after-tv-reports-hint-idf-behind-iran-steel-plant-cyberattack\/\" target=\"_blank\" rel=\"noreferrer noopener\">possible ties to Israel<\/a>, targeted steel mills with alleged ties to the Islamic Revolutionary Guard Corps (IRGC), posting a video after an apparent breach that showed what appeared to be the inside of an industrial facility. <\/p>\n<p>The U.S. government and American tech companies have long accused the Iranian government of hiding behind hacktivist personas to carry out hack-and-leak operations and destructive attacks on targets around the world. A <a href=\"https:\/\/cyberscoop.com\/iranian-information-operations-hacking-microsoft-report\/\" target=\"_blank\" rel=\"noreferrer noopener\">May 2023 report from Microsoft<\/a> details more than a dozen hacktivist personas with links to either the IRGC or the Iranian Ministry of Intelligence, many thought to be operated by Emennet Pasargad, a U.S. government-sanctioned Iranian cyber group. That same organization is thought to have been involved with a <a href=\"https:\/\/cyberscoop.com\/two-iranian-hackers-charged-in-sprawling-effort-to-interfere-in-2020-u-s-election\/\" target=\"_blank\" rel=\"noreferrer noopener\">sprawling plan to interfere with the 2020 U.S. election<\/a>, according to the U.S. 
Department of Justice.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Homeland Justice, an Iranian front group according to researchers with <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against\" target=\"_blank\" rel=\"noreferrer noopener\">Mandiant<\/a> and also multiple western governments, <a href=\"https:\/\/cyberscoop.com\/albanian-cyberattack-diplomatic-iran\/\" target=\"_blank\" rel=\"noreferrer noopener\">hacked multiple Albanian government systems in July 2022<\/a>, stealing data and wiping systems with faux ransomware, in response to Albania\u2019s hosting of the MEK. Albania, a NATO member, cut diplomatic ties with Iran over the attack. The U.S. government sanctioned Iran\u2019s Ministry of Intelligence over the attacks, and the U.S. Cyber National Mission Force deployed what it said was its <a href=\"https:\/\/www.cybercom.mil\/Media\/News\/Article\/3337717\/committed-partners-in-cyberspace-following-cyberattack-us-conducts-first-defens\/\" target=\"_blank\" rel=\"noreferrer noopener\">first-ever defensive cyber operation<\/a> in response to the Iranian-linked attacks.<\/p>\n<p>\u201cWe\u2019ve observed multiple cyber groups in action,\u201d said Nariman Gharib, a U.K.-based Iranian opposition activist and independent cyber espionage investigator. \u201cOne focuses on human rights, unmasking the darker side of the regime, while another specializes in cyber operations, exposing the regime\u2019s cyber tactics. There\u2019s also a group dedicated to sabotage. 
They execute their task with efficiency in executing disruptive attacks and [GhyamSarnegouni] is that group.\u201d<\/p>\n<p>Indeed, the latest hack claimed by GhyamSarnegouni involving highly sensitive government documents takes the role that hackers and hacktivists are playing in Iran\u2019s internal politics to a new level, experts say, given the depth of information accessed, which touches on aspects of not only the office of Iranian President Ebrahim Raisi but also correspondence related to multiple sensitive agencies.<\/p>\n<p>The hack is \u201cone of the worst cases that has been publicly discussed and people are aware of about the compromise of classified documents and information from a government network,\u201d said Hamid Kashfi, an independent security consultant originally from Iran, formerly a consultant for Trail of Bits and Immunity, who has uncovered multiple malicious Iranian government cyber activities over the years.<\/p>\n<p>\u201cWhat\u2019s scary, if I was an Iranian government entity, or someone in charge of [assessing the situation] is what they\u2019re not releasing and what they\u2019re not exposing,\u201d he said. \u201cBecause that\u2019s a huge pile of A-plus grade intel and very interesting and very useful information for any government to be able to access.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The attack is the fourth major hack-and-leak operation claimed by GhyamSarnegouni, a group that seemed to come out of nowhere in January 2022 when it claimed to have been behind the <a href=\"https:\/\/research.checkpoint.com\/2022\/evilplayout-attack-against-irans-state-broadcaster\/\" target=\"_blank\" rel=\"noreferrer noopener\">hacking and disruption of Iran\u2019s national broadcast service<\/a>. 
The attack included the broadcast of the faces of the long-missing Massoud Rajavi, and his wife Maryam Rajavi \u2014 the leaders of the MEK, which has been <a href=\"https:\/\/www.theguardian.com\/news\/2018\/nov\/09\/mek-iran-revolution-regime-trump-rajavi\" target=\"_blank\" rel=\"noreferrer noopener\">variously characterized as a cult<\/a> and was, <a href=\"https:\/\/www.state.gov\/foreign-terrorist-organizations\/\" target=\"_blank\" rel=\"noreferrer noopener\">until 2012<\/a>, deemed a terrorist organization by the U.S. government \u2014 and calls for the murder of Iran\u2019s supreme leader, as well as destructive malware to damage equipment.<\/p>\n<p>Subsequent attacks tied to the group include the June 2022 hack of more than <a href=\"https:\/\/apnews.com\/article\/politics-iran-middle-east-dubai-united-arab-emirates-f9b79784cba77adcf8c88dafde11ee84\" target=\"_blank\" rel=\"noreferrer noopener\">5,000 municipal CCTV cameras in Tehran<\/a>, and the early <a href=\"https:\/\/english.mojahedin.org\/news\/iranian-dissidents-disrupt-over-210-regime-foreign-ministry-websites-and-servers\/\" target=\"_blank\" rel=\"noreferrer noopener\">May 2023 hack of the Iranian Ministry of Foreign Affairs<\/a>, which included more than 200 defaced websites and the publication of a trove of sensitive internal government files.<\/p>\n<p>Shahin Gobadi, the spokesperson for the MEK, did not provide a statement on behalf of MEK in time for publication. GhyamSarnegouni did not respond to a message sent via Instagram, where it also posts images of documents and other messages.<\/p>\n<p>The recently leaked government documents are appearing against the backdrop of the U.S. 
and Iran getting closer to an agreement that the <a href=\"https:\/\/www.nytimes.com\/2023\/06\/14\/us\/politics\/biden-iran-nuclear-program.html\" target=\"_blank\" rel=\"noreferrer noopener\">New York Times reported<\/a> would ease sanctions on the country, release some imprisoned Americans, cease attacks on American contractors in Syria and Iraq and cap uranium refinement at 60% purity. After the presidential office hack first became public, an expert in Iranian cybersecurity told CyberScoop that embarrassing breaches of this nature seem to mirror major geopolitical developments, including progress on the nuclear deal.<\/p>\n<p>\u201cAny time we are at the middle of the conversation that this nuclear negotiation might lead somewhere, might end somewhere, you will see somehow, either by Israeli or by some hacking group or something like that, some kind of information being publicized regarding Iran nuclear program,\u201d said Amir Rashidi, the director of internet security and digital rights at the Miaan Group, an Iranian digital and human rights organization.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Kashfi said whoever is behind the hack has \u201cdemonstrated access to communications [letters] between different government agencies and the presidential office.\u201d The purpose of the system that the posted materials are coming from, he said, is to have secure, encrypted communications between disparate agencies and offices for a particular purpose, not mundane communications.<\/p>\n<p>\u201cIf they have access and dumped one classified letter from that system, it means that they have had access to dump all of it,\u201d he said.<\/p>\n<p>He doesn\u2019t expect whoever is behind the attack to post everything they have, given the immense intelligence and operational value at stake. 
Although the attackers are so far displaying technical abilities beyond the reach of any \u201crandom activist group,\u201d it\u2019s not clear whether a state intelligence service, a hired mercenary group, or unaffiliated individuals are behind the attack.<\/p>\n<p>Kashfi noted that it\u2019s far too early to tell who is behind the group. But one data point, he said, supports the idea that it is not MEK. Some of the file names, and even some of the way certain words are used in the messaging \u201cis not in a way that a native [Farsi] speaker would use.\u201d<\/p>\n<p>\u201cNon-native speakers would easily overlook this,\u201d he said. \u201cBut if you look at the context of it, you would notice that if it\u2019s actually someone from MEK that\u2019s supposed to be Iranian or a native speaker, they wouldn\u2019t name files like this. It more looks like someone is receiving and processing this information and then doing the PR for the group through this Telegram channel.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Simin Kargar, a doctoral researcher at Johns Hopkins University who tracks human rights and cybersecurity matters related to Iran, views the group\u2019s activity in the context of the <a href=\"https:\/\/cyberscoop.com\/hack-and-leak-group-black-shadow-keeps-targeting-israeli-victims\/\" target=\"_blank\" rel=\"noreferrer noopener\">larger cyber tit-for-tat<\/a> involving Iran and its adversaries, whether Israel, the U.S. or others in the region. 
The group has aggressively promoted MEK symbols and messaging from its inception, she said, and over time, the MEK \u201chas come to own this, whether or not there is an actual relation between the MEK as an organization and this hacktivist group.\u201d<\/p>\n<p>MEK has a history of exposing highly sensitive Iranian secrets, she added, most notably <a href=\"https:\/\/www.pbs.org\/frontlineworld\/stories\/iran403\/background.html\" target=\"_blank\" rel=\"noreferrer noopener\">revealing Iran\u2019s nuclear program<\/a> in a press conference in 2002. While not directly cyber related, the revelations foreshadowed a scenario whereby MEK gained supporters among hawkish American policy makers looking to find ways to undermine the Iranian government, most <a href=\"https:\/\/www.theguardian.com\/world\/2019\/jul\/15\/trump-allies-visit-throws-light-on-secretive-iranian-opposition-group-mek\" target=\"_blank\" rel=\"noreferrer noopener\">notably during the Trump years<\/a> when several officials interacted directly with MEK.<\/p>\n<p>During that period Kargar\u2019s research showed a \u201csurge of MEK activities\u201d on social media promoting some of the Trump administration\u2019s most hawkish anti-Iran messaging. Fast forward to the current era with a plethora of hacktivist groups sharing Iranian data, some of whom also promote MEK messaging, and it\u2019s clear that something is going on, she said.<\/p>\n<p>\u201cSpeculations in the background about who these groups might be, and who they might be connected to, has always involved some sort of connection with the MEK,\u201d she said. 
\u201cBecause they definitely have the motivation and interest to either pull something like this off independently, or being fed with intelligence in this domain, and then kind of using that, packaging that in a way that serves their purposes.\u201d<\/p>\n<p>Whether the group is connected to the MEK or not, its activities are having consequences for the exiled group. Albanian police <a href=\"https:\/\/apnews.com\/article\/albania-mek-iranian-opposition-police-raid-851dcb5fc32cd6bc60206e342eea7b16\" target=\"_blank\" rel=\"noreferrer noopener\">raided MEK camp Ashraf-3 June 20<\/a> in an action that left dozens injured and one man dead. The police seized 150 \u201ccomputer devices allegedly linked to prohibited political activities,\u201d the Associated Press reported.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Authorities raided the camp as part of an Albanian government investigation into alleged provocation of war, illegal interception of computer data, interference in data and computer systems, equipment misuse, and for the MEK being a \u201cstructured criminal group,\u201d the <a href=\"https:\/\/politiko.al\/english\/e-tjera\/hakerat-vodhen-dokumentet-e-zyrtareve-iraniane-birn-si-nisi-spak-te-gjur-i485737\" target=\"_blank\" rel=\"noreferrer noopener\">Albanian news outlet Politiko reported the next day<\/a>. The investigation began May 18 based on news articles reporting on the early May hack of the Iranian Ministry of Foreign Affairs, according to the story. 
Albanian authorities also cited the June 2022 hack on the Tehran municipal CCTV system in the search warrant.<\/p>\n<p>\u201cIn July 2022, Albania was subjected to the most serious cyber-attack sponsored by the Islamic Republic of Iran, which caused massive damage to Albania\u2019s digital infrastructure and interrupted the provision of public services and documents \u2014 95% of which are offered only online \u2014 for months,\u201d the Albanian embassy wrote in an email to CyberScoop. \u201cIn response, the Albanian Government severed diplomatic relations with the Islamic Republic of Iran and since then, we have received numerous threats, always related to the MEK presence in Albania.\u201d<\/p>\n<p>Albania \u201ccannot tolerate that our territory be used to engage in illegal, subversive and political activity against other countries, as has allegedly been the case with the MEK,\u201d the email read. \u201cHumanitarian protection does not provide the MEK with special immunity before the law. 
MEK members are just as liable to be investigated and prosecuted for crimes committed in the territory of the Republic of Albania as any other individual, be they citizens, residents, refugees, or \u2014 as is the case with the MEK \u2014 individuals enjoying humanitarian protection from the Government of Albania.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span 
class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/iran-government-hack-leak-documents-hacktivist\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The potent cyber adversary threatening to further inflame Iranian politics<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[302,512,513,514,515],"tags":[306,516,517,518,519],"class_list":["post-1448","post","type-post","status-publish","format-standard","hentry","category-geopolitics","category-ghyamsarnegouni","category-iran","category-israel","category-lab-dookhtegan","tag-geopolitics","tag-ghyamsarnegouni","tag-iran","tag-israel","tag-lab-dookhtegan"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ghyamsarnegouni\/\" rel=\"category tag\">GhyamSarnegouni<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/iran\/\" rel=\"category tag\">Iran<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/israel\/\" 
rel=\"category tag\">Israel<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/lab-dookhtegan\/\" rel=\"category tag\">Lab Dookhtegan<\/a>","tag_info":"Lab Dookhtegan","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1448","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=1448"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/1448\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=1448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=1448"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=1448"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}