
Cyber Incident Victim: Iran

Date: Jan 2023

Location: Iran

Summary

Pro-Ukraine hacktivists conducted distributed denial-of-service attacks against Iranian government and energy sector websites, including those of the Supreme Leader and the National Iranian Oil Company, in retaliation for Iran supplying drones to Russia during the Ukraine conflict. The attackers threatened continued cyber operations against critical infrastructure unless drone shipments ceased, while Iranian officials claimed to have repelled similar assaults targeting financial institutions and domestic messaging platforms. These incidents occurred amid broader hacktivist campaigns against the country following anti-government protests, with groups like Anonymous previously targeting state agencies and affiliated companies in response to domestic repression.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In late December 2022 and early January 2023, pro-Ukraine hacktivist groups launched distributed denial-of-service (DDoS) attacks against Iranian digital infrastructure following Russia's use of Iranian-supplied drones in missile strikes against Ukrainian cities. The attacks commenced after Ukrainian air defenses intercepted 45 Iranian-origin drones on December 31, 2022, with subsequent missile strikes occurring during New Year's celebrations. Hacktivists targeted multiple high-profile Iranian websites, including the official site of Supreme Leader Ali Khamenei and the National Iranian Oil Company (NIOC), flooding them with traffic to cause temporary outages. The groups publicly claimed responsibility through Telegram channels, explicitly linking their actions to Iran's military support for Russia and warning of continued cyber retaliation for each bombardment. They threatened further attacks on critical infrastructure while asserting collaboration with international partners to exploit Iranian vulnerabilities. Neither NIOC nor Iranian leadership officially acknowledged these specific attacks, though the groups maintained their offensive would persist until drone shipments ceased.

On January 6, 2023, Iranian authorities reported thwarting a separate wave of DDoS attacks targeting the central bank and domestic messaging platforms Rubika and Bale. Amir Mohammadzadeh Lajevardi of Iran’s Infrastructure Communications Company stated that financial institutions, internet providers, and communications infrastructure had repelled significant foreign attacks, though no attribution was provided. These incidents occurred amid broader hacktivist operations against Iran following nationwide protests over Mahsa Amini's death, with groups like Anonymous claiming September 2022 attacks on Iran’s central bank and Ministry of Culture. Additional cyber operations targeted entities perceived as supporting the regime, including an attack disrupting Iran Airlines' online services in late December. While Iranian officials asserted successful defense against multiple cyber campaigns, the relationship between the anti-government operations and the Ukraine-related attacks remained unconfirmed. The hacktivists maintained their dual focus on punishing Iranian military cooperation with Russia and undermining domestic infrastructure tied to the government.
