Cyber Incident Victim: Offices of Iranian President Ebrahim Raisi
Date: May 2023
Location: Iran
Summary
A hack against the offices of Iranian President Ebrahim Raisi resulted in a significant data exfiltration by the dissident group GhyamSarnegouni. The leaked trove, deemed legitimate by experts, included sensitive diplomatic correspondence, detailed network topologies, and floor plans for government offices. The group also defaced multiple associated websites. While the Iranian government denied the incident and attributed website downtime to technical issues, the breach exposed internal operations and was claimed as a form of protest.
Description
On May 29, 2023, a group identifying itself as GhyamSarnegouni, which translates to “Rise to Overthrow,” posted a significant volume of data allegedly exfiltrated from the offices of Iranian President Ebrahim Raisi onto its Telegram channel. The group announced the compromise with a message stating, “The entire highly protected internal network of the executioner president’s institution in Tehran was captured and out of reach.” This announcement was followed by a three-hour period during which the group posted new files, images, and videos every few minutes. The materials published included a wide array of sensitive information, such as alleged diplomatic correspondence, detailed floor plans for the president’s offices and sleeping quarters, network topologies for sensitive government networks, and internal information pertaining to nuclear expansion within Iran. Concurrent with the data leak, multiple websites linked to President Raisi were defaced. The defacements altered these websites to display images of two leaders from the opposition group Mojahedin-e Khalq (MEK), Massoud Rajavi and his wife Maryam.

The claim of the hack was promptly echoed in a post on the official website of the MEK, titled “Iranian dissidents take over high-security servers of regime presidency.” This post attributed the cyber operation solely to GhyamSarnegouni and provided additional details on the claimed scope of the intrusion. According to the MEK’s account, the attackers asserted they had gained control of 120 servers connected to the president’s internal network and central databases. They further claimed to have obtained access to and control of more than 1,300 computers on the network, captured security footage showing the network’s communication hardware, and achieved access to systems handling classified internal communications for the presidency and the broader government. The allegedly exfiltrated data was described as including classified and encrypted internal messages, tens of thousands of documents marked as classified, top secret, and secret, along with detailed technical information such as internet network diagrams, equipment lists, and IP addresses for facilities associated with the president and other high-level government institutions, including the interior and intelligence ministries and the Basij militia.
Cybersecurity experts analyzing the leaked trove of information subsequently assessed it as likely authentic. Amin Sabeti, the founder of the Computer Emergency Response Team in Farsi, stated definitively that “The hack is legit.” Amir Rashidi, the director of internet security and digital rights at the Miaan Group, also reviewed the files and told reporters that they “seem legitimate,” suggesting the data may have been obtained by an individual with insider access to the systems. The experts noted that while the sheer volume of data was significant, much of the information concerning the Iranian government's known activities was already public knowledge. The impact was characterized more as an embarrassment to the regime rather than a revelation of entirely unknown critical secrets, though the exposure of specific technical details like floor plans and network topologies was acknowledged as sensitive.
The Iranian government's response to the incident was to publicly deny that a hack had occurred. A government spokesperson cited by the state-backed Iranian Students’ News Agency stated that several presidential sites had experienced temporary downtime due to technical issues related to a website update and dismissed the reports as “rumors” about hacking. Separately, the Islamic Republic News Agency reported that the president’s office itself issued a statement declaring the leaked documents to be “fake.” This official denial stood in contrast to the assessment of external cybersecurity experts who found the data to be credible.
This incident was not the first action attributed to the GhyamSarnegouni group. The group had emerged on Telegram in January 2022 and is one of several anti-government groups online that purport to hack Iranian systems as a form of protest. Earlier in May 2023, the same group had claimed responsibility for hacking the Iranian foreign ministry servers, which also involved website defacements displaying images of MEK leaders and a subsequent news story on the MEK website. Observers noted that the messaging of GhyamSarnegouni has, since its inception, echoed that of the MEK, suggesting a possible affiliation between the two. The timing of the May 29th incident was also noted as curious, as it occurred shortly before news emerged that Iran had resolved two outstanding issues with the International Atomic Energy Agency regarding enriched uranium, a development that was seen as slightly easing pressure on Tehran. An expert commented on a pattern of major leaks occurring in proximity to progress on nuclear issues, though no firm connection was established for this specific event.
The consequences of the incident were framed within a broader context of repeated compromises of Iranian government systems. One expert characterized the regime as becoming "open source" due to the immense quantity of data that has been leaked from its various agencies over time. The primary impact was assessed as a serious embarrassment to the Iranian leadership, demonstrating a vulnerability within highly protected presidential offices and resulting in the public exposure of internal operational details. The leak provided external observers with confirmed insights into the layout and technical infrastructure of sensitive government facilities, even if the overarching governmental processes described were already generally understood. The event served to undermine the perception of security within Iran's highest levels of government and provided propaganda material for its opposition groups.
