Cyber Incident Victim: Mahan Air
Date: Nov 2021
Location: Iran
Summary
A cyberattack targeted an Iranian airline, causing website disruption and claims of confidential data theft. The company stated flight operations remained unaffected and the attack was swiftly mitigated, characterizing such incidents as routine. A group named 'Hooshyarane Vatan' claimed responsibility, alleging theft of documents exposing collaboration with Iran's Islamic Revolutionary Guard Corps (IRGC) and threatening to release evidence of criminal activities, including resource looting in specific regions. The hackers framed the attack as opposition to the IRGC's influence. The incident occurred amid heightened regional cyber tensions, though the perpetrators were not linked to U.S. entities despite the airline's prior sanctions for supporting IRGC operations.
Description
On November 21, 2021, Mahan Air, one of Iran’s largest privately owned airlines, suffered a cybersecurity incident that forced its website offline and resulted in unauthorized access to confidential data. The airline confirmed the attack via a Twitter statement, acknowledging that such incidents were routine due to its prominence in Iran’s aviation sector. While the hackers caused some operational disruption—primarily impacting website accessibility—Mahan Air emphasized that all international and domestic flights continued without delays or schedule changes. The company’s cybersecurity team claimed to have swiftly contained the breach, characterizing the attack as unsuccessful and minimizing its significance. Despite this public dismissal, the threat actor 'Hooshyarane Vatan' claimed responsibility, alleging theft of sensitive documents exposing Mahan Air’s collaboration with Iran’s Islamic Revolutionary Guard Corps (IRGC). The group threatened to release evidence detailing the airline’s involvement in transporting IRGC-Quds Force operatives, weapons, and funds, as well as its support for Hezbollah.

Mahan Air’s operational history contributed to its targeting: the U.S. sanctioned the airline in 2011 for aiding IRGC activities, and in 2019, the U.S. Treasury documented its role in moving military personnel and equipment. 'Hooshyarane Vatan' framed the attack as retaliation against the IRGC’s alleged exploitation of resources in Ahvaz and Khuzestan, declaring it the first step in a broader campaign. The group asserted possession of data proving criminal conduct by Mahan Air and the IRGC’s financial looting. The incident occurred amid heightened Iranian cyber activity, with Microsoft reporting six state-linked Iranian hacking groups targeting Western entities weeks prior. Despite the breach, Mahan Air maintained that no critical systems affecting flight operations were compromised, reiterating confidence in its cybersecurity protocols while avoiding detailed disclosures about data loss or remediation steps.
