Cyber Threat Actor: Uprising until Overthrow
| Actor Type | Location | Known Incidents |
|---|---|---|
| Activist | Iran | 1 incident |
Profile
Uprising until Overthrow, also known by its alias, is an anti‑government group that is publicly linked to the MEK and operates from Iran. The actor’s known alias appears in statements and reports that associate it with cyber actions against Iranian state entities. Public attribution places the group within the broader MEK‑affiliated milieu, indicating an ideological opposition to the Iranian government rather than a criminal or financially motivated enterprise. Its activity has been observed targeting governmental institutions within Iran, specifically the municipal administration of Tehran. The strategic purpose demonstrated in the observed incident was to disrupt municipal operations and to convey a political message by defacing official online platforms with imagery that denounced the leadership. This focus on service interruption and symbolic messaging distinguishes the actor’s objectives from those typically associated with financial gain or traditional espionage. Municipal officials noted that the attack coincided with the anniversary of a significant national event, which amplified its symbolic impact according to their statements.
In the June 3, 2022 operation against Tehran’s municipality, the group compromised the city’s security‑camera network, gained access to internal systems, and disrupted communication networks and service infrastructure. The attackers also defaced the municipality’s website, replacing its content with images critical of the Iranian leadership. No specific malware families or initial‑access vectors were disclosed in the public reporting, so the described tactics are limited to website defacement, IoT device compromise, and broad network disruption. The intrusion caused temporary operational interruptions, although services were restored promptly after the incident. Municipal authorities acknowledged cybersecurity shortcomings and emphasized the need for enhanced defensive capabilities to mitigate future incidents. The attack was attributed by officials to Mossad and anti‑government groups including the MEK‑affiliated "Uprising until Overthrow." This event represents the only publicly documented campaign attributed to Uprising until Overthrow, providing a concrete example of its operational style and targeting preferences.
