Cyber Incident Victim: Iran Airlines
Date: Dec 2022
Location: Iran
Summary
Pro-Ukraine hacktivist groups conducted distributed denial-of-service (DDoS) attacks against Iranian entities, including Iran Airlines' online services, in retaliation for the country's provision of drones to Russia during the Ukraine conflict. The attacks disrupted the airline's operations, causing service interruptions, while hacktivists threatened further cyber actions against critical infrastructure unless Iran ceased military support to Russia. Anonymous and other groups also targeted Iranian government services and regime-aligned companies amid broader anti-government protests, though Iranian officials claimed to repel some attacks on financial and communications infrastructure without confirming specific incidents.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Pro-Ukraine hacktivists initiated distributed denial-of-service (DDoS) attacks against multiple Iranian entities between late December 2022 and early January 2023, including Iran Airlines, in retaliation for Iran's provision of military drones to Russia during the Ukraine conflict. The attacks began following December 30, 2022, when Ukrainian air defenses intercepted numerous Iranian-supplied drones during Russian strikes. A hacking collective identifying as rootkitsecurity publicly claimed responsibility for disrupting Iran Airlines' online services via a December 30 Twitter post featuring the hashtags #OpIran and #TangoDown, accompanied by a screenshot suggesting service degradation. This action was framed as retaliation against both Iran's military support for Russia and the Iranian government's suppression of domestic protests following Mahsa Amini's death. Concurrently, other pro-Ukraine groups targeted Iran's Supreme Leader website and the National Iranian Oil Company, though Iranian authorities did not confirm these specific incidents.

The attacks against Iran Airlines formed part of a broader wave of hacktivist operations against Iranian infrastructure. Iranian officials acknowledged repelling DDoS attacks on January 6, 2023, targeting financial institutions and domestic messaging platforms Rubika and Bale, though they did not specifically address the Iran Airlines incident. Amir Mohammadzadeh Lajevardi of Iran’s Infrastructure Communications Company reported these attacks focused on banks, internet providers, and communications systems. While hacktivists threatened sustained cyber campaigns until Iran ceased drone exports to Russia, the precise duration and operational impact on Iran Airlines' systems remained unverified by official sources. The incident occurred amidst parallel cyber operations by groups like Anonymous against Iranian government targets, including September 2022 attacks on the central bank and Ministry of Culture, motivated by both geopolitical tensions and internal political repression. No evidence of data compromise or long-term service disruption at Iran Airlines was documented in available reports.
