Cyber Incident Victim: Tehran municipality
Date:
Jun 2022
Location:
Iran
Summary
An exiled Iranian opposition group claimed responsibility for a cyberattack targeting Tehran's municipality, temporarily disrupting its internal computer systems and taking control of dozens of websites and over 5,000 surveillance cameras across the capital. The attackers defaced websites with images of their leaders and anti-regime slogans, sent similar messages via SMS to hundreds of thousands of residents, and compromised cameras near sensitive locations, including areas associated with the supreme leader. Municipal services, including the main website and a citizen-facing application, remained inaccessible during investigations. The group framed the attack as part of ongoing offensive measures against Iranian authorities, leveraging the incident amid domestic unrest over economic issues and recent protests.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 4 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On June 2, 2022, an exiled Iranian opposition group known as the People’s Mujahedin of Iran (MEK) claimed responsibility for a cyberattack targeting Tehran’s municipal infrastructure. The group stated its operatives executed a preplanned operation that temporarily disrupted dozens of municipality websites and seized control of over 5,000 surveillance cameras across the capital. Iranian state media confirmed the incident, reporting a "deliberate" shutdown of the municipality’s internal computer system. MEK’s statement detailed that hacked websites displayed images of its leaders, Massoud and Maryam Rajavi, alongside anti-regime slogans directed at Supreme Leader Ayatollah Ali Khamenei. Concurrently, SMS messages containing similar content were disseminated to nearly 600,000 Tehran residents. The group emphasized its takeover of cameras near sensitive locations, including the supreme leader’s office and the tomb of revolutionary founder Ruhollah Khomeini, asserting these devices were tools of state surveillance used to identify protesters.
Iran’s state news agency IRNA cited the Tehran Municipality Information and Communications Technology Organization, confirming the main municipal website was compromised at midday, with an "insulting image" briefly replacing its content. The internal municipal system experienced a minutes-long outage, rendering it inaccessible to employees. Throughout the day, critical services—including the primary portal (tehran.ir) and the "My Tehran" app for citizen services—remained offline as experts investigated. The attack occurred amid nationwide protests over economic grievances exacerbated by a recent building collapse in Abadan. MEK framed the operation as part of a broader campaign against Iranian authorities, referencing its January 2022 hack of state TV channels. While the group released social media images purportedly captured from compromised cameras during the incident, independent verification of these claims was unavailable. This event followed Iran’s October 2021 fuel distribution cyberattack, which authorities attributed to foreign actors, underscoring a pattern of digital disruptions amid domestic unrest.