Menu
Browse

Cyber Threat Actor: Tortoiseshell

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Activist
Iran
4 incidents
Profile

Islamic Cyber Resistance, also referred to as the Islamic Cyber Resistance Group (ICRG) and occasionally styling itself as Anonymous, describes its members as Iranian hackers who act in support of Palestinian causes and the Syrian Electronic Army. The group has publicly claimed responsibility for several intrusions that it frames as acts of political solidarity rather than financial gain. Its self‑identification as Iranian hackers is taken directly from its own statements in which it links its operations to regional conflicts. The actor does not present itself as a criminal enterprise seeking profit, but rather as an ideologically motivated collective that aligns with specific geopolitical narratives.

Targeting patterns evident from the group’s public claims focus on Israeli online services and open‑source technology platforms. In one operation the group asserted that it breached the Israeli job site zerem.co.il and exfiltrated personal details of roughly seventy thousand registered users, which it said was undertaken in support of Palestine and in response to Israeli actions in Gaza. In a separate incident the group claimed to have compromised the official Perl blogs, obtaining and publishing credentials for 2,924 author accounts, and stated that the intrusion was intended to show solidarity with the Syrian Electronic Army. Both incidents were presented as demonstrations of political allegiance rather than attempts to monetize the stolen data.

The tactics, techniques and procedures described by the group are limited to website intrusion and data exfiltration; the source material does not reference any specific malware families, exploit kits, or particular initial access vectors. The group’s public statements emphasize the act of gaining unauthorized access to web applications and copying user data, which they then publish on leak sites or paste services to publicize their political message. No details are provided about the use of custom tools, command‑and‑control infrastructure, or post‑exploitation frameworks.

The two campaigns most frequently cited in open‑source reporting are the 2014 breach of the Israeli job site that exposed approximately seventy thousand user records and the 2014 hack of the Perl blogs that leaked nearly three thousand author credentials. In each case the group issued a statement linking the activity to its stated support for Palestine and the Syrian Electronic Army. These incidents remain the primary publicly attributed operations associated with Islamic Cyber Resistance, and they illustrate the group’s focus on data leakage as a means of conveying its ideological stance.

Incidents
Attributed incidents available to members
4 incidents
Sources
Sources available to members
5 sources