Cyber Incident Victim: Islamic Republic of Iran Broadcasting
Date:
Feb 2023
Location:
Iran
Summary
A hacktivist group disrupted live transmissions of a state-run TV broadcast during the Iranian president's public address, replacing the feed with anti-government slogans including calls for the supreme leader's ouster. The attackers urged citizens to withdraw funds from state banks and join upcoming protests, aligning with broader unrest linked to recent nationwide demonstrations. The group, known for prior breaches of Iranian government systems and exposing abuses at detention facilities, claimed responsibility via Telegram, framing the incident as support for ongoing civil opposition. The cyber intrusion marked another operation targeting Iranian infrastructure amid heightened tensions between authorities and protest movements.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On February 11, 2023, during Iran’s Revolution Day ceremonies commemorating the 44th anniversary of the Islamic Revolution, a live state television and radio broadcast of President Ebrahim Raisi’s speech at Azadi Square in Tehran was disrupted by the hacktivist group Edalat-e Ali (also referred to as Ali’s Justice or Adalat Ali). The group executed a cyber intrusion into the Islamic Republic of Iran Broadcasting (IRIB) transmission systems, cutting the president’s address to replace it with anti-government messages. The hacked broadcast displayed the slogan "Death to Khamenei," a direct reference to Supreme Leader Ali Khamenei, alongside calls for citizens to withdraw their money from state-backed banks. The transmission also urged public participation in anti-government protests scheduled for February 16, 2023. German-based Iranian journalist Bamdad Esmaili confirmed the incident via Twitter, while Edalat-e Ali publicly claimed responsibility through a statement on its Telegram channel. The group framed the attack as an act of solidarity with Iran’s “freedom-loving nation” and criticized the legacy of Ayatollah Khomeini. The hack occurred amid a large, government-organized gathering intended to showcase public support, directly undermining the state’s narrative of stability.
Edalat-e Ali, a known adversary of the Iranian government, had previously targeted IRIB in October 2022 by interrupting live TV transmissions and breached a Tehran prison’s security systems in August 2021, exposing human rights abuses. This incident aligned with broader hacktivist campaigns against Iran following the death of Mahsa Amini in September 2022, which had triggered nationwide protests and operations like "OpIran" by Anonymous. The Iranian government, which had vowed to suppress protests, did not publicly detail its technical response to the February 11 breach. However, the hack demonstrated persistent vulnerabilities in state media infrastructure and amplified dissent during a high-profile event. Impacts included the temporary loss of broadcast control, dissemination of protest mobilizations, and symbolic defiance of state authority during a nationally televised occasion. The incident underscored the ongoing cyber conflict between Iranian hacktivists and state institutions amid domestic political unrest.