Menu
Browse

Cyber Threat Actor: Altahrea Team

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Activist
Iraq
9 incidents
Profile

The threat actor known as Altahrea Team, also referred to as Altahrea or al‑Tahera, is a hacking group that originates from Iraq and has been publicly described as a pro‑Iranian hacking collective. The group has been linked to Iraq's Popular Mobilization Units and has been associated with the pro‑Iranian Telegram channel Sabareen. Aliases used in reporting include Altahrea Team, Altahrea, and al‑Tahera, and the group has claimed responsibility for a series of politically motivated cyber incidents targeting Israeli and international entities. Public attributions consistently describe the actors as acting in retaliation for perceived Iranian or Iraqi grievances.

The group’s publicly stated targets have included Israeli government and public‑sector websites such as the Health Ministry, the Airports Authority, the Tel Aviv Municipality, the Aviation Authority, the Kan broadcasting corporation, Channel 9, and the Port of London Authority. They have also claimed responsibility for disrupting the Tel Aviv Metro construction contractor’s systems and for allegedly compromising the remote energy measurement system of the Orot Yosef power plant in southern Israel. In their statements the actors have cited retaliation for Israeli military actions in Gaza, for support of sanctions against Iran, for the assassination of Iranian commander Qasem Soleimani, and for the killings of Iranian and Iraqi military figures as their motivation. Additionally, they have framed their actions as retaliation against perceived global oppressors and U.S. policies affecting Middle‑Eastern populations.

The group’s observed tactics rely primarily on distributed denial‑of‑service (DDoS) attacks that render websites inaccessible while leaving underlying operational systems untouched. They routinely announce and claim responsibility for their operations through Telegram channels, notably the pro‑Iranian Sabareen channel, where they post threats, propaganda imagery, and sometimes share IP addresses of compromised systems. In several incidents they have claimed to have compromised remote measurement or energy‑management systems and subsequently posted the associated IP addresses online as proof of intrusion. Notable campaigns referenced in open sources include the July 2022 DDoS against the Israeli Health Ministry’s overseas access, the April 2022 wave of DDoS attacks on Channel 9, the Aviation Authority and Kan broadcasting, the April 2022 attack on the Israel Airports Authority website, and the July 2022 claim of responsibility for the Port of London Authority DDoS.

Incidents
Attributed incidents available to members
9 incidents
Sources
Sources available to members
6 sources