Menu
Browse

Cyber Threat Actor: Team Faceless Men

Actor Type Location Known Incidents
 Icon
Sensationalist
Turkey
1 incident
Profile

Team Faceless Men is an alias used by a group that carried out a website defacement against a Kaiser Permanente‑related health innovations subdomain in July 2018. The actors identified themselves with the name “Dohaeragon,” a term derived from the fictional High Valyrian language of Game of Thrones, and credited the attack to the collective “Team Faceless Men,” referencing the assassin guild from the same series. Open‑source information indicates that at least two of the individuals involved are Turkish gamers, and one member, Morghon, was identified as a 17‑year‑old male from Kusadasi, Turkey. The group’s activity in this incident was limited to replacing the site’s content with a message, a musical track titled “Hear Me Roar,” and references to Game of Thrones, without any reported exfiltration of data or alteration of core Kaiser Permanente systems.

The defacement targeted an externally hosted subdomain that provided information on an internal health innovations program, placing the activity within the healthcare‑related information sector, albeit on a site not integrated with the organization’s core network. Evidence from the reporting notes that the site had not received routine security updates or patches for an extended period, allowing the attackers to exploit outdated software to gain access and modify the web page. The attackers’ tactics consisted of web‑defacement techniques, the use of a culturally themed message and audio file, and the posting of proof of the compromise on a Turkish website (golgeler.net). No malware families, specific initial‑access vectors beyond the unpatched web application, or distinctive tooling styles were described in the available sources.

Public attribution does not link Team Faceless Men to any state sponsor, criminal consortium, or broader ideological movement; the incident remains an isolated act of website vandalism. The only publicly reported operation associated with the alias is the July 2018 defacement of the Kaiser Permanente health innovations site, which was subsequently remediated by relocating the subdomain and redirecting traffic, with Kaiser Permanente confirming that no protected health information or internal systems were compromised. No further campaigns or activities involving this group have been documented in the provided material.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source