The potent cyber adversary threatening to further inflame Iranian politics

A group calling itself GhyamSarnegouni has entered the Iranian cyber fray with a damaging hack-and-leak operation against the government.
Iran's President Ebrahim Raisi speaks during a meeting with Cuba's president Miguel Diaz Canel (out of frame) at the Revolution Palace in Havana, on June 15, 2023. (Photo by YAMIL LAGE / AFP)

Just before 2 a.m. Eastern Standard Time on May 29, someone posted a simple message to a Farsi-language Telegram channel called “GhyamSarnegouni,” which roughly translates to Uprising until Overthrow. “The entire highly protected internal network of the executioner’s presidential institution in Tehran was captured and out of reach,” it read, according to a Google translation.

Within minutes, images of top Mujahedeen-e-Khalq leaders appeared on the channel, along with the message of “Death to Khameni Raisi,” the supreme leader of Iran. The Iranian exile group commonly known as MEK has long opposed the Iranian government and advocated for its overthrow. Within a half hour of the original message, a screenshot of an internal presidential document was also posted on Telegram, the first of what has grown to more than 100 related to the office of the president of Iran and other major government agencies.

The documents include diplomatic correspondence, floor plans of the Iranian president’s office and other officials’ offices, and detailed network topology diagrams of various government networks along with associated IP addresses. The leak also included documents that appeared to be related to the country’s nuclear program and reportedly details of officials routing money through Chinese banks and other apparent sanctions-evasion activities. In addition to defacing multiple government websites, the hackers claimed to have gained control over 120 servers and databases, the government’s server management networks and access to more than 1,300 computers connected to the presidency’s internal network, according to a post on the MEK website in the hours after the attack went public.

The group claimed to have stolen “tens of thousands of classified, top secret and secret documents,” according to the post from the MEK, which has not officially claimed any connection to GhyamSarnegouni. Likewise, the hackers have not claimed to have ties to MEK or any other political group or organization.

The Iranian government called the hack “fake,” and said website updates and maintenance, caused as the defaced sites were returned to the previous content, were the reason for any site outages. But outside experts agreed the documents, and the hack, were likely legitimate.

The scale of intrusion and leak would present a major national security dilemma for any country and send officials and politicians scrambling to find the culprits, identify the vulnerabilities and prosecute the hackers. But, so far, the Iranian government’s reaction — other than saying the leaked documents are fake — isn’t public.

Over the past several years in Iran, a patchwork of hacking groups have sprung up with various aims, political motives and ambitions, and it’s nearly impossible to know for certain who is behind each one of them. Some operations appear to be designed to expose Iranian government secrets or support opposition groups, while others target Israel and the U.S. While Iran has long been an active participant in the cyber domain, in the past few years its internal and external attacks have gained new potency and become more publicly visible since 2020, such as when hackers with suspected links to the Iranian government targeted water treatment systems in Israel.

Looking to stir up trouble inside Iran, a growing number of groups have taken aim at the current government. These include groups such as Black Reward, Tapandegan and Lab Dookhtegan. Another group known as Predatory Sparrow, which has possible ties to Israel, targeted steel mills with alleged ties to the Islamic Revolutionary Guard Corps (IRGC), posting a video after an apparent breach that showed what appeared to be the inside of an industrial facility.

The U.S. government and American tech companies have long accused the Iranian government of hiding behind hacktivist personas to carry out hack-and-leak operations and destructive attacks on targets around the world. A May 2023 report from Microsoft details more than a dozen hacktivist personas with links to either the IRGC or the Iranian Ministry of Intelligence, many thought to be operated by Emennet Pasargad, a U.S. government-sanctioned Iranian cyber group. That same organization is thought to have been involved with a sprawling plan to interfere with the 2020 U.S. election, according to the U.S. Department of Justice.

Homeland Justice, an Iranian front group according to researchers with Mandiant and also multiple western governments, hacked multiple Albanian government systems in July 2022, stealing data and wiping systems with faux ransomware, in response to Albania’s hosting of the MEK. Albania, a NATO member, cut diplomatic ties with Iran over the attack. The U.S. government sanctioned Iran’s Ministry of Intelligence over the attacks, and the U.S. Cyber National Mission Force deployed what it said was its first-ever defensive cyber operation in response to the Iranian-linked attacks.

“We’ve observed multiple cyber groups in action,” said Nariman Gharib, a U.K.-based Iranian opposition activist and independent cyber espionage investigator. “One focuses on human rights, unmasking the darker side of the regime, while another specializes in cyber operations, exposing the regime’s cyber tactics. There’s also a group dedicated to sabotage. They execute their task with efficiency in executing disruptive attacks and [GhyamSarnegouni] is that group.”

Indeed, the latest hack claimed by GhyamSarnegouni involving highly sensitive government documents takes the role that hackers and hacktivists are playing in Iran’s internal politics to a new level, experts say, given the depth of information accessed, which touches on aspects of not only the office of Iranian President Ebrahim Raisi, but also correspondence related to multiple sensitive agencies.

The hack is “one of the worst cases that has been publicly discussed and people are aware of about the compromise of classified documents and information from a government network,” said Hamid Kashfi, an independent security consultant originally from Iran, formerly a consultant for Trail of Bits and Immunity, who has uncovered multiple malicious Iranian government cyber activities over the years.

“What’s scary, if I was an Iranian government entity, or someone in charge of [assessing the situation] is what they’re not releasing and what they’re not exposing,” he said. “Because that’s a huge pile of A-plus grade intel and very interesting and very useful information for any government to be able to access.”

The attack is the fourth major hack and leak operation claimed by GhyamSarnegouni, a group that seemed to come out of nowhere in January 2022 when it claimed to have been behind the hacking and disruption of Iran’s national broadcast service. The attack included the broadcast of the faces of the long-missing Massoud Rajavi, and his wife Maryam Rajavi — the leaders of the MEK, which has been variously characterized by detractors as a cult and was, until 2012, deemed a terrorist organization by the U.S. government — and calls for the murder of Iran’s supreme leader, as well as destructive malware to damage equipment.

The MEK sharply disputes that it’s anything other than an opposition political movement, and has said the Iranian government is taking active steps to discredit the group, including by, in some cases, fabricating stories about members’ treatment.

Subsequent attacks tied to the group include the June 2022 hack of more than 5,000 municipal CCTV cameras in Tehran, and the early May 2023 hack of the Iranian Ministry of Foreign Affairs, which included more than 200 defaced websites and the publication of a trove of sensitive internal government files.

GhyamSarnegouni did not respond to a message sent via Instagram, where it also posts images of documents and other messages.

The recently leaked government documents are appearing against the backdrop of the U.S. and Iran getting closer to an agreement that the New York Times reported would ease sanctions on the country, release some imprisoned Americans, cease attacks on American contractors in Syria and Iraq and cap uranium refinement at 60% purity. After the presidential office hack first became public, an expert in Iranian cybersecurity told CyberScoop that embarrassing breaches of this nature seem to mirror major geopolitical developments, including progress on the nuclear deal.

“Any time we are at the middle of the conversation that this nuclear negotiation might lead somewhere, might end somewhere, you will see somehow, either by Israeli or by some hacking group or something like that, some kind of information being publicized regarding Iran nuclear program,” said Amir Rashidi, the director of internet security and digital rights at the Miaan Group, an Iranian digital and human rights organization.

Kashfi said whoever is behind the hack has “demonstrated access to communications [letters] between different government agencies and the presidential office.” The purpose of the system that the posted materials are coming from, he said, is to have secure, encrypted communications between disparate agencies and offices for a particular purpose, not mundane communications.

“If they have access and dumped one classified letter from that system, it means that they have had access to dump all of it,” he said.

He doesn’t expect whoever is behind the attack to post everything they have, given the immense intelligence and operational value at stake. Although the attackers are so far displaying technical abilities beyond the reach of any “random activist group,” it’s not clear whether a state intelligence service, a hired mercenary group, or unaffiliated individuals are behind the attack.

Kashfi noted that it’s far too early to tell who is behind the group. But one data point, he said, supports the idea that it is not MEK. Some of the file names, and even some of the way certain words are used in the messaging “is not in a way that a native [Farsi] speaker would use.”

“Non-native speakers would easily overlook this,” he said. “But if you look at the context of it, you would notice that if it’s actually someone from MEK that’s supposed to be Iranian or a native speaker, they wouldn’t name files like this. It more looks like someone is receiving and processing this information and then doing the PR for the group through this Telegram channel.”

Simin Kargar, a doctoral researcher at Johns Hopkins University who tracks human rights and cybersecurity matters related to Iran, views the group’s activity in the context of the larger cyber tit-for-tat involving Iran and its adversaries, whether Israel, the U.S. or others in the region. The group has aggressively promoted MEK symbols and messaging from its inception, she said, and over time, the MEK “has come to own this, whether or not there is an actual relation between the MEK as an organization and this hacktivist group.”

MEK has a history of exposing highly sensitive Iranian secrets, she added, most notably revealing Iran’s nuclear program in a press conference in 2002. While not directly cyber related, the revelations foreshadowed a scenario whereby MEK gained supporters among hawkish American policy makers looking to find ways to undermine the Iranian government, most notably during the Trump years when several officials interacted directly with MEK.

During that period Kargar’s research showed a “surge of MEK activities” on social media promoting some of the Trump administration’s most hawkish anti-Iran messaging. Fast forward to the current era with a plethora of hacktivist groups sharing Iranian data, some of whom also promote MEK messaging, and it’s clear that something is going on, she said.

“Speculations in the background about who these groups might be, and who they might be connected to, has always involved some sort of connection with the MEK,” she said. “Because they definitely have the motivation and interest to either pull something like this off independently, or being fed with intelligence in this domain, and then kind of using that, packaging that in a way that serves their purposes.”

In a statement provided to CyberScoop, the MEK said there’s no proof any hack occurred from its camp in Albania, “let alone that it is naive to hack from a known center.” 

Additionally, the materials seem to be the work of insiders in Iran, the statement said, with access to them “possible only with direct access to the regime’s devices inside the country. Many documents revealed are way outside the Internet domain.”

Whether the group is connected to the MEK or not, its activities are having consequences for the exiled group. Albanian police raided MEK camp Ashraf-3 June 20 in an action that left dozens injured and one man dead. The police seized 150 “computer devices allegedly linked to prohibited political activities,” the Associated Press reported.

Authorities raided the camp as part of an Albanian government investigation into alleged provocation of war, illegal interception of computer data, interference in data and computer systems, equipment misuse, and for the MEK being a “structured criminal group,” the Albanian news outlet Politiko reported the next day. The investigation began May 18 based on news articles reporting on the early May hack of the Iranian Ministry of Foreign Affairs, according to the story. Albanian authorities also cited the June 2022 hack on the Tehran municipal CCTV system in the search warrant.

“In July 2022, Albania was subjected to the most serious cyber-attack sponsored by the Islamic Republic of Iran, which caused massive damage to Albania’s digital infrastructure and interrupted the provision of public services and documents — 95% of which are offered only online — for months,” the Albanian embassy wrote in an email to CyberScoop. “In response, the Albanian Government severed diplomatic relations with the Islamic Republic of Iran and since then, we have received numerous threats, always related to the MEK presence in Albania.”

Albania “cannot tolerate that our territory be used to engage in illegal, subversive and political activity against other countries, as has allegedly been the case with the MEK,” the email read. “Humanitarian protection does not provide the MEK with special immunity before the law. MEK members are just as liable to be investigated and prosecuted for crimes committed in the territory of the Republic of Albania as any other individual, be they citizens, residents, refugees, or — as is the case with the MEK — individuals enjoying humanitarian protection from the Government of Albania.”

According to the MEK’s statement, roughly 1,200 Albanian police arrived at the camp the morning of June 20, and the majority of the people at the camp were unaware of the court order related to the hack investigation. Aggressive police actions caused “residents to protest,” the statement read, resulting in Albanian police injuring more than 100 people and leading to the death of one man after he was pepper sprayed, according to the statement. 

Albanian authorities seized 200 computers, the statement added. “There is nothing illegal in them; we are apprehensive that the information contained in these computers fall into the hands of the Iranian regime, with families and relatives of the residents in Iran put in danger.”

Updated June 27, 2023: This story has been updated to include comment provided to CyberScoop by the MEK after publication, and to reflect that the MEK disputes any characterization implying it is a “cult.”