Menu
Browse

Cyber Threat Actor: WINDSHIFT

Actor Type Location Known Incidents
 Icon
Nation State
Iran
2 incidents
Profile

WINDSHIFT is an Iranian‑based threat actor also known by its alias WINDSHIFT. Public reporting locates the group’s operational base in Iran and links its activities to the Iranian government through the disclosure of secret state documents in 2019 that detailed surveillance of citizens both inside and outside the country. The actor’s known targeting spans governmental meteorological services, aviation‑related entities and travel‑booking platforms, with observed objectives that include disruption of public services, collection of intelligence for espionage purposes and the theft of payment data for financial gain. These objectives are directly illustrated by the two incidents that have been attributed to WINDSHIFT in open sources.

In May 2023 WINDSHIFT was credited with a cyberattack against Spain’s state meteorological agency, Aemet, which forced the temporary suspension of the SINOBAS public science project and disrupted the agency’s meteoglossary and Antarctic weather station operations. The attack demonstrated a capability to infiltrate and impair critical infrastructure services, indicating a disruptive intent. A year earlier, in May 2019, a series of leaks attributed to WINDSHIFT exposed Iranian cyber‑espionage operations, including material associated with the MuddyWater group and a previously undisclosed entity called the Rana Institute. The leaked documents revealed activities such as tracking individuals domestically and abroad, compromising airline systems to obtain passenger manifests and infiltrating travel‑booking networks to harvest payment card information. While the leaks provided screenshots of command‑and‑control infrastructure and unredacted victim IP addresses, they did not specify particular malware families or initial‑access vectors, so no detailed TTPs can be asserted from the available material.

The combination of these operations shows WINDSHIFT functioning as a state‑linked actor that pursues both espionage and disruptive outcomes, leveraging access to governmental data sets and targeting sectors that support both intelligence collection and financial exploitation. The group’s activity reflects a pattern of using compromised systems to gather strategic information while also demonstrating the ability to cause service interruptions when deemed advantageous. This profile reflects only the facts explicitly presented in the source material, without extrapolation or speculation.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
0 sources