Cyber Incident Victim: Iranian Civil Defense Agency

Date: Jan 2022

Location: Iran

Summary

Iranian state television and radio broadcasts were disrupted by a cyber intrusion displaying images of exiled dissident leaders and anti-government messages, including calls for the supreme leader's death. The incident, attributed by an MEK spokesperson to supporters of the opposition group, involved superimposed graphics and audio during live programming, marking a significant breach of the tightly controlled media apparatus. Authorities acknowledged the hack and launched an investigation, suggesting potential foreign involvement while highlighting systemic vulnerabilities from outdated software and reliance on pirated systems. This event follows prior cyberattacks targeting critical infrastructure like fuel distribution and railways, underscoring persistent security challenges.

Description

On January 27, 2022, multiple Iranian state television channels and two state radio stations experienced a broadcast intrusion during regular programming. Between approximately 3:00 PM and 3:30 PM local time, hackers interrupted news broadcasts on state TV with superimposed images of Massoud and Maryam Rajavi—leaders of the exiled opposition group Mujahedeen-e-Khalq (MEK). The intrusion included a graphic calling for the death of Supreme Leader Ali Khamenei and displayed a social media account name associated with the perpetrators. Audio accompanying the hack featured a male voice chanting "Salute to Rajavi, death to Khamenei," followed by a brief speech from Massoud Rajavi praising opposition to Iran's leadership. The disruption lasted several seconds per incident but affected multiple channels simultaneously. State media programming resumed normal operations shortly after the interruptions concluded.

Iranian authorities confirmed the incident as a cyberattack and initiated an investigation. Reza Alidadi, a senior state TV official, characterized the breach as a "complicated job" potentially involving foreign technological assistance, though no specific nation or group was formally blamed. The Iranian Civil Defense Agency later stated they had repelled the attack and attributed it to a "foreign country," without providing forensic evidence. Technical vulnerabilities were noted in state media infrastructure, including reliance on outdated Windows 7 systems lacking security patches and widespread use of pirated software. The hack caused no physical damage but represented a significant propaganda embarrassment, marking the first major broadcast intrusion in years. Historical precedents included a 1986 hijacking of state TV by exiled royalty, later revealed to have CIA involvement. This incident occurred amid a series of disruptive cyberattacks on Iranian infrastructure since 2020, including assaults on fuel distribution systems, railways, and prison surveillance networks. MEK representatives in Paris acknowledged awareness of the incident but did not claim direct responsibility, suggesting instead that internal supporters within state media facilitated the breach.
