
Cyber Threat Actor: Iran Cyber Security Group Hackers

Aliases: 3 aliases
Actor Type: Activist
Location: Iran
Known Incidents: 6 incidents
Profile

The threat actor is known by multiple aliases including Iran Cyber Security Group Hackers, Iran Cyber Security Organization, Iranian Cyber Security Group, Iranian hackers, Iranian Cyber Army, and Iran Hack Security Team, with its base of operations identified as Iran in open sources. Observed targeting spans critical infrastructure such as water utilities, government websites, financial institutions, defense sector sites, and military servers, with geographic focus on Israel, the United States, Sierra Leone, Bahrain, Saudi Arabia, and Sweden. Strategic objectives described in the cited incidents include disrupting essential services, conveying political or ideological messages, and protesting specific military actions, rather than pursuing financial gain or espionage.

Reported tactics, techniques, and procedures involve exploiting security flaws in externally accessible systems, as seen when a Swedish military server was compromised due to a vulnerability and then used to launch a distributed denial‑of‑service attack against U.S. financial institutions. Defacement operations have relied on bypassing website security controls to alter homepages with textual or visual statements, without evidence of deploying malware families or persistent tooling. Initial access vectors referenced in the sources are limited to the exploitation of known flaws and the use of compromised third‑party infrastructure, with no mention of phishing, credential theft, or custom malware deployment.

Attribution assessments vary across incidents; foreign intelligence officials linked the attempted Israeli water utility attack to Iran, while U.S. officials could not verify the existence or state affiliation of the group claiming responsibility for the U.S. Federal Depository Library defacement, characterizing the actors as likely Iranian sympathizers rather than state‑sponsored. In contrast, U.S. intelligence assessments supported Iranian involvement in the Bahrain government and critical infrastructure breach, and the Royal Saudi Air Force intrusion was explicitly claimed by an individual identifying with the Iran Hack Security Team. The DDoS campaign leveraging the Swedish server was attributed by U.S. authorities to Iranian actors citing retaliatory motives, indicating a pattern of mixed confidence in state linkage across operations.

Significant publicly reported operations include the thwarted 2020 attempt to disrupt Israeli water supplies during the COVID‑19 response, the January 2020 pro‑Iranian defacement of the U.S. Federal Depository Library Program website accompanied by an image of violence against then‑President Trump, the simultaneous January 2020 defacement of a Sierra Leone Commercial Bank site featuring imagery of Qasem Soleimani and messages of regional solidarity, the June 2019 cyberattack on Bahraini government entities and its Electricity and Water Authority that caused system shutdowns, the August 2015 hack of the Royal Saudi Air Force website where a protest message opposed Saudi‑led actions in Yemen, and the 2012 compromise of a Swedish military server that facilitated a large‑scale DDoS assault on major U.S. financial institutions. These episodes collectively illustrate the actor’s focus on disruption, symbolic messaging, and politically motivated actions across multiple sectors and regions.

Incidents: 6 incidents (attributed incidents available to members)
Sources: 2 sources (available to members)