Cyber Incident Victim: Iran
Date: Dec 2015
Location: Russia
Summary
A Turkish hacker group known as Turk Hack Team conducted a series of cyber attacks against Iranian government websites and those of another nation, motivated by political opposition to policies perceived as adversarial to Turkey. The attacks included distributed denial-of-service (DDoS) operations disrupting access to key Iranian ministries and the presidential site, alongside website defacements and data breaches targeting entities in both countries. The group leaked personal information from compromised sites and displayed politically charged messages, asserting continued retaliation against perceived threats to Turkish interests. These operations caused service outages and unauthorized access to sensitive data across multiple critical infrastructure targets.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 3 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Turk Hack Team (THT), a Turkish hacker group, initiated a series of cyber attacks against Iranian and Russian entities between December 2015 and January 2016. On December 25, 2015, THT defaced over 2,000 Russian and Iranian websites, replacing content with an anti-Putin message accusing the Russian president of treachery and warning of future consequences. The defacements occurred while many were celebrating Christmas, demonstrating deliberate timing for disruptive impact. The following day, December 26, THT escalated operations under "OpRussia," leaking personal data of hundreds of Russian citizens on Pastebin. The compromised information included names, cities, phone numbers, email addresses, and encrypted passwords allegedly stolen from Russian online shopping platforms. The group explicitly threatened continued attacks against commercial websites, indicating an expansion beyond government targets.

On January 2, 2016, THT shifted tactics to large-scale DDoS attacks, successfully disrupting access to critical Iranian and Russian government infrastructure. Iranian targets included the Ministry of Information, Ministry of Foreign Affairs, Ministry of Energy, and the official website of the Iranian President. Russian victims encompassed multiple federal agencies: the Ministry of the Russian Far East Development, Ministry of Construction, State Atomic Energy Corporation ROSATOM, and Ministry of Customs. The attacks caused measurable downtime across these platforms, with THT publicly documenting affected sites through screenshots and a comprehensive list hosted externally. These operations represented retaliation against geopolitical tensions, particularly referencing Turkey's downing of a Russian fighter jet near Syria in November 2015 and broader opposition to policies of Turkish Prime Minister Erdoğan. The group had previously reemerged in 2015 by targeting Vatican websites following Pope Francis' comments on the Armenian genocide, establishing a pattern of politically motivated cyber aggression. No mitigation efforts or responses from Iranian or Russian authorities were detailed in available reporting regarding these incidents.
