Cyber Incident Victim: blog.imam-khomeini.ir
Date: Jan 2016
Location: Iran
Summary
The official blog associated with Iran's Supreme Leader Ruhollah Khomeini was compromised and defaced by a Saudi hacker known as Crazy-3r3r, who replaced the site's content with an image depicting a Saudi fighter jet carrying an Iranian leader with an eagle beak. This cyberattack occurred amid heightened regional tensions following the execution of a prominent Shiite cleric, reflecting ongoing digital conflicts between Iranian and Saudi actors. The compromised site, managed by the Institute for Compilation and Publication of Imam Khomeini’s Works, remained defaced at the time of reporting. The hacker had previously targeted UAE police websites, and the incident aligns with a pattern of reciprocal cyber operations between groups linked to both nations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On January 22, 2016, the official blog of Iran's Supreme Leader Ruhollah Khomeini (blog.imam-khomeini.ir) was defaced by a Saudi hacker using the alias Crazy-3r3r. The attacker replaced the website's content with an image depicting a Saudi fighter jet carrying Khomeini with an eagle beak, originally published in a 2015 Saudi newspaper. The defacement occurred amid heightened tensions between Iran and Saudi Arabia following Saudi Arabia's execution of prominent Shia cleric Sheikh Nimr Baqir al-Nimr on terrorism charges. The compromised site remained inaccessible with the defacement message still visible at the time of initial reporting. The hacker provided proof through Zone-H mirror links (ID 25504002), confirming the intrusion. The targeted blog operated under the supervision of the Institute for Compilation and Publication of Imam Khomeini’s Works. Crazy-3r3r had previously demonstrated capability by hacking multiple Abu Dhabi police websites in 2013, including the Police General Head Quarter and Civil Defense General Directorate portals. No immediate remediation efforts or technical details about the attack vector were reported in available sources.

This incident occurred within a broader pattern of reciprocal cyber operations between Iranian and Saudi-aligned actors. Prior to this defacement, Iranian hackers had targeted the Saudi Royal Airforce website, while the Yemen Cyber Army leaked confidential data from Saudi Arabia's Ministry of Foreign Affairs servers. Concurrently, hacktivist group Anonymous conducted operations against Saudi government websites to protest the planned execution of Mohammed al-Nimr, Sheikh Nimr's nephew. The geopolitical context involved diplomatic ruptures following Sheikh Nimr's execution among 47 prisoners, which included al-Qaeda operative Faris al-Zahrani. Saudi Arabia's judicial proceedings against Mohammed al-Nimr – arrested at age 17 for alleged anti-government activities – further escalated tensions. The blog defacement represented a symbolic digital retaliation during this period of strained bilateral relations, though no data breach or secondary impacts beyond the temporary website disruption were documented in available reports. The Institute overseeing Khomeini's digital properties did not issue public statements regarding incident response or restoration timelines according to the evidence.
