Menu
Browse

Cyber Threat Actor: Hooshyarane Vatan

Actor Type Location Known Incidents
 Icon
Activist
Iran
1 incident
Profile

Hooshyarane Vatan is the alias used by a threat actor that has been publicly identified in connection with a cyber operation against an Iranian airline. The actor’s known location, as indicated in open sources, is Iran. In the incident attributed to this group, the target was a commercial aviation entity operating within Iran, specifically Mahan Airline, which represents the aviation sector within the country’s critical infrastructure. The actors claimed responsibility for the attack and asserted that they had obtained confidential documents that allegedly reveal collaboration between the airline and Iran’s Islamic Revolutionary Guard Corps. They further stated that they possessed evidence of criminal activities, including resource looting in particular regions, and threatened to release this material unless their demands were met. The group framed the intrusion as an act of opposition to the influence of the Islamic Revolutionary Guard Corps, positioning the operation as a response to perceived governmental misconduct. These statements constitute the publicly articulated strategic objectives behind the activity, which center on exposing alleged wrongdoing rather than financial gain or traditional espionage.

The operation reportedly caused disruption to the airline’s website while the company maintained that flight operations were unaffected and that the incident was swiftly mitigated, characterizing such events as routine. No specific malware families, initial access vectors, or tooling styles were detailed in the available reporting, so the described tactics are limited to website interference and claims of data exfiltration. Attribution analyses presented in the source material did not establish a clear state nexus or criminal consortium affiliation for Hooshyarane Vatan, and the report explicitly notes that the perpetrators were not linked to United States entities despite the airline’s prior sanctions history for supporting Islamic Revolutionary Guard Corps operations. The incident occurred amid a period of heightened regional cyber tensions, providing a contextual backdrop for the activity. The November 21 2021 attack on Mahan Airline stands as the sole publicly documented campaign associated with this alias, serving as the primary example of the actor’s operational behavior in the open‑source record.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources