Cyber Incident Victim: Atomic Energy Organization of Iran

Date: Oct 2022

Location: Iran

Summary

The Iranian Atomic Energy Organization confirmed a breach of a subsidiary’s email server by the 'Black Reward' hacking group, which leaked 27GB of stolen data including technical memos, contracts, passports, visas, and operational reports. The attackers claimed to have filtered out spam, retaining only sensitive correspondence, and dedicated the leak to Mahsa Amini amid nationwide protests. The agency attributed the incident to an unnamed foreign entity, characterizing it as a psychological operation aimed at media manipulation and reputational damage. Preventive measures were implemented following the breach, with officials alerted to potential exploitation attempts.

Description

On or around October 24, 2022, the Iranian Atomic Energy Organization (AEOI) confirmed a cyberattack targeting one of its subsidiaries’ email servers. The hacker group ‘Black Reward’ claimed responsibility for the breach and subsequently leaked approximately 27GB of stolen data through their Telegram channel, packaged as 14 RAR archives containing around 85,000 email messages. According to AEOI’s official statement, an unauthorized actor from an unspecified foreign country accessed the server and exfiltrated daily correspondence and technical memos. The organization stated it implemented immediate preventive measures following the breach and alerted relevant parties to prepare for potential follow-on exploitation attempts. AEOI characterized the attack as a deliberate effort to attract public attention, create media narratives, and conduct psychological operations rather than achieve substantive technical or strategic objectives.

The leaked data, which Black Reward claimed to have curated by removing spam and marketing content, included passports and visas of Iranian and Russian personnel affiliated with AEOI, operational reports on power plant status and performance, contractual documents, and technical assessments. The hackers publicly linked the breach to nationwide protests following the death of Mahsa Amini, dedicating the leak to her memory in their communications. AEOI asserted the incident lacked operational value beyond its psychological and reputational impact, though the exposure of internal communications and partner documentation introduced risks of further analysis and exploitation by external entities. The agency did not disclose technical details regarding the intrusion vector, initial detection timeline, or specific containment actions beyond general references to mitigation measures and stakeholder notifications. Black Reward’s publication of the data archive positioned it as a resource for researchers, amplifying the potential for prolonged scrutiny of AEOI’s internal operations.
