Cyber Threat Actor: Black Reward

Black Reward, also knownas Black Reward Team, is a hacktivist group whose location has been identified as Russia in open sources. The actor has focused its operations on Iranian governmental entities, specifically targeting media organizations and nuclear energy infrastructure. Public statements and victim disclosures indicate that the group’s objectives include attracting public attention, conducting psychological operations, damaging reputations, and expressing support for social justice causes linked to the Mahsa Amini protests. There is no indication in the available material that the group pursues financial gain or traditional espionage for state sponsors.

Observed tactics involve compromising servers to exfiltrate and delete large volumes of data, leaking the stolen information through Telegram channels in the form of compressed RAR archives, and hijacking official social media accounts to disseminate compromising video content. The group claims to filter out spam and marketing messages before publication, retaining only what it describes as valuable correspondence and technical documents. No specific malware families or exploit kits are referenced in the reported incidents.

Notable operations include the November 2022 attack on Iran’s Fars News Agency, during which Black Reward asserted deletion of nearly 250 terabytes of data, acquisition of confidential communications with the Supreme Leader’s office, and distribution of a security‑camera video showing alleged employee misconduct. A month earlier, in October 2022, the group breached an email server belonging to a subsidiary of the Iranian Atomic Energy Organization, releasing a 27 GB collection of emails, passports, visas, contracts, and power‑plant reports while dedicating the leak to Mahsa Amini. Victim organizations have acknowledged the breaches but disputed the scale of data destruction, and Iranian officials have characterized the incidents as foreign‑driven psychological operations aimed at media manipulation. No public attribution to a state sponsor or criminal consortium has been established beyond the group’s known Russian location.