Cyber Incident Victim: Ministry of Defense (Iran)
Date:
May 2015
Location:
Iran
Summary
A Saudi hacker compromised and defaced the Iranian Ministry of Defense's recruitment website, replacing its content with a political message criticizing Iran's leadership and displaying an image of Saudi Arabia's king. The attacker accused Iran of interfering in Yemen and asserted Saudi influence in the region, referencing the ongoing conflict. The defacement mirrored previous cyber operations against Iranian digital assets linked to regional tensions, with the targeted site restored shortly after the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
On May 7, 2015, the official website of Iran's Ministry of Defense was compromised by a Saudi hacker using the alias RxR HaCker. The attack targeted the Gozinesh recruitment department subdomain (gozinesh.mod.ir), which managed job placements for religious and ethnic minorities within Iran's defense sector. The hacker replaced the site's content with a defacement page containing an image of Saudi King Salman bin Abdulaziz Al Saud and an Arabic-language message insulting Iranian Supreme Leader Ali Khamenei. Translated portions denounced Iran's alleged support for Houthi forces in Yemen, declaring Saudi Arabia would "cut any finger that’s pointed at Yemen" and referring to Iranians as "filthy fire worshippers." The defacement included the hacker’s signature ("Hacked by Rexer Hacker") and boasted of his reputation within hacker communities. Evidence of the compromise was archived on Zone-H (mirror ID 24254771), confirming the domain's temporary unavailability. The attack occurred against the backdrop of ongoing military conflicts in Yemen, where Saudi Arabia and Iran supported opposing factions.
This incident followed a pattern of digital hostilities between the two nations, as Saudi hackers had previously breached Iranian state television social media accounts on April 13, 2015, to express pro-Saudi sentiments regarding Yemen. The Ministry of Defense website restoration was completed before Hackread.com published its report on the incident later the same day. No technical details regarding intrusion methods, data exfiltration, or defensive measures were disclosed in available reporting. The defacement’s primary impact was reputational, publicly challenging Iran’s narrative of regional influence while highlighting vulnerabilities in government web infrastructure. Historical context indicates these attacks represented early examples of hacktivism aligned with the Saudi-Iranian geopolitical rivalry, though no group formally claimed responsibility beyond the individual hacker’s alias.