Cyber Incident Victim: Port of London Authority
Date: May 2022
Location: United Kingdom
Summary
The Port of London Authority suffered a distributed denial of service (DDoS) attack attributed to the Altahrea Team, a group suspected of ties to Iran or Iraqi supporters of Iran, which disrupted its website but left operational systems unaffected. The politically motivated attack, claimed via the group’s Telegram channel as retaliation against perceived global oppressors and U.S. policies impacting Middle Eastern populations, aligns with the gang’s pattern of targeting public sector and media entities to generate disruptive visibility rather than inflict severe damage.
Description
On May 23, 2022, the Port of London Authority (PLA) experienced a distributed denial of service (DDoS) cyberattack that disrupted its website and portions of its online infrastructure. The attack rendered the PLA’s public-facing website inaccessible for an extended period, with the platform remaining offline at the time of reporting. Security researchers attributed the incident to the Altahrea Team, a hacking collective suspected of operating with ties to Iran or Iraqi entities supporting Iranian interests. The group publicly claimed responsibility for the attack through a Telegram post published around 8:00 PM on the day of the incident. The PLA confirmed it was investigating the DDoS attack but emphasized that core operational systems governing port activities remained unaffected. As a public trust managing commercial and leisure vessel traffic along the Thames Tideway into Kent and Essex—overseeing more than 200,000 vessels annually—the PLA maintained continuity of physical port operations despite the digital disruption.

The Altahrea Team’s attack aligned with its established pattern of politically motivated operations targeting government entities and media organizations. Prior incidents included DDoS strikes against Turkey’s Anadolu Agency, President Erdogan’s website, Israeli media outlets like the Jerusalem Post, and Israel’s port authority. Check Point researchers characterized the group’s activities as “loud” attacks designed for visibility and symbolic impact rather than covert data theft or infrastructure destruction. The collective justified its actions on Telegram as retaliation against global “oppressors,” citing U.S. economic sanctions’ effects on Iraqi children and Iranian families, alongside oil-related civilian casualties in Syria and Yemen. While the PLA website disruption caused reputational and service accessibility challenges, the attackers’ use of DDoS—a transient but high-visibility method—limited the incident’s operational consequences compared to more intrusive cyberattack vectors. No data breaches, financial theft, or physical port disruptions were reported in connection with the event.
