Cyber Incident Victim: Ministry of Foreign Affairs of Iran
Date: Dec 2015
Location: Iran
Summary
A Turkish hacker group known as Turk Hack Team conducted a series of cyberattacks targeting Iranian and Russian government websites, motivated by geopolitical tensions and opposition to leadership policies. The attacks included defacing sites with political messages, leaking personal data of Russian citizens from online platforms, and executing distributed denial-of-service (DDoS) operations that disrupted multiple high-profile government domains. Iranian government websites impacted included the Ministry of Foreign Affairs, Ministry of Energy, and the official presidential site, alongside several Russian federal agencies. The group publicly justified its actions as retaliation against perceived offenses to Turkish interests and leadership.
Description
In late December 2015 and early January 2016, the Turk Hack Team (THT) conducted a series of cyber attacks against Russian and Iranian government entities. The group initiated operations on December 25, 2015, by defacing over 2,000 Russian and Iranian websites with anti-Putin messages during the Christmas holiday period. The defacements featured political statements accusing Putin of treachery and warning of future consequences from the Russian people. The following day, THT escalated activities under "Operation OpRussia," leaking personal data of hundreds of Russian citizens obtained from online shopping sites. The leaked information included names, cities, phone numbers, email addresses, and encrypted passwords, which the group published on Pastebin alongside threats to continue targeting Russian commercial websites. These initial attacks coincided with heightened geopolitical tensions following Turkey's downing of a Russian fighter jet near the Syrian border in November 2015.

On January 2, 2016, THT shifted tactics to large-scale distributed denial-of-service (DDoS) attacks against critical government infrastructure. The attackers targeted multiple Russian federal ministries including the Ministry of the Russian Far East Development, Ministry of Construction, State Atomic Energy Corporation ROSATOM, and Ministry of Customs. Simultaneously, Iranian government systems suffered disruptions affecting the Ministry of Information, Ministry of Energy, official presidential website, and Ministry of Foreign Affairs. THT publicly claimed responsibility via Twitter and provided screenshots documenting website downtime through an external link. The attacks represented retaliation against nations opposing Turkish government policies and Prime Minister Recep Tayyip Erdoğan, continuing THT's pattern of politically motivated operations demonstrated earlier in 2015 when they disabled Vatican City's website following Pope Francis' remarks on Armenian history. No technical details about mitigation efforts or restoration timelines from affected governments were disclosed in available reporting.
