A trove of documents, images and videos from the offices of Iranian President Ebrahim Raisi posted online Monday appear to be authentic, cybersecurity experts familiar with the matter told CyberScoop on Wednesday.
The materials posted to a Telegram channel Monday by a group called “GhyamSarnegouni” (“Rise to Overthrow”) include alleged diplomatic correspondence, floor plans for the offices and sleeping quarters of the Iranian president and other top government offices, detailed network topologies for sensitive Iranian government networks and more.
“The hack is legit,” said Amin Sabeti, the founder of the Computer Emergency Response Team in Farsi, which focuses on Iranian cybersecurity issues. Amir Rashidi, the director of internet security and digital rights at the Miaan Group, an Iranian digital and human rights organization, also told CyberScoop that the files “seem legitimate,” perhaps obtained by someone with insider access.
While the documents could reveal previously non-public details, Rashidi said many of the Iranian government’s activities exposed in the documents are already well known and discussed.
“None of this information is really crazy critical,” Rashidi said, other than perhaps the floor plans and some of the other more technical details. It’s more that it’s “embarrassing,” he added, noting that the information seems to confirm what was largely known about how the Iranian government operates. The material also reportedly includes internal information about nuclear expansion within the country, according to Iran International news.
The embarrassing hack landed days before news emerged that Iran had resolved two outstanding issues with the International Atomic Energy Agency related to enriched uranium, which the Associated Press characterized as “[easing] pressure slightly on Tehran.” Rashidi said that although there’s no firm connection to this specific hack, it’s curious how often major leaks occur in conjunction with any progress on nuclear issues.
“Any time we are at the middle of the conversation that this nuclear negotiation might lead somewhere, might end somewhere, you will see somehow, either by Israeli or by some hacking group or something like that, some kind of information being publicized regarding Iran nuclear program,” Rashidi said.
Iran’s permanent mission to the United Nations did not return a request for comment from CyberScoop sent Wednesday.
A government spokesperson told an Iranian news outlet Monday that several presidential sites were temporarily down due to technical issues related to a new version of the website, and denied “rumors” about the hacking, the state-backed Iranian Students’ News Agency reported. The Islamic Republic News Agency reported that the president’s office called the documents “fake.”
GhyamSarnegouni emerged on Telegram on Jan. 26, 2022, and is one of many anti-Iranian government groups online purporting to hack Iranian government systems as a form of protest. From its early days, its messaging has echoed the prominent Iranian opposition group Mojahedin-e Khalq (MEK), Rashidi said, suggesting an affiliation of some kind.
On May 29, GhyamSarnegouni posted a simple message: “The entire highly protected internal network of the executioner president’s institution in Tehran was captured and out of reach,” according to a Google translation.
Over the next three hours the group posted new files, images and videos every few minutes. Around the same time, a post appeared on the MEK website titled “Iranian dissidents take over high-security servers of regime presidency.” The post attributed the hack to GhyamSarnegouni and said that multiple websites linked to President Raisi were defaced along with the exfiltration of what would be highly sensitive documents and materials, according to the MEK’s post.
Multiple websites were altered to include the image of two MEK leaders — Massoud Rajavi and his wife Maryam — the Times of Israel reported Monday.
The group responsible for the attack claimed it gained control of 120 servers connected to the president’s internal network and central databases, access to and control of more than 1,300 computers on the network, security footage of the network’s communication hardware and “access to systems of the classified internal communications to the presidency and the government,” according to the post on the MEK website.
Additional materials allegedly obtained by the hackers, according to the MEK, included: Classified and encrypted internal messages, “tens of thousands of classified, top secret, and secret documents,” floor plans and building designs of the president’s office and sleeping quarters and detailed information on the internet network diagrams and equipment, including IP addresses, for facilities associated with the president as well as other top government leaders and institutions, including the interior and intelligence ministries and the Basij, a militia under the Iranian Revolutionary Guard.
Earlier in May, GhyamSarnegouni claimed to have hacked the Iranian foreign ministry servers and defaced multiple websites. In that case as well, websites were defaced and pictures posted of MEK leaders, and a news story about the hack appeared on the MEK website. In October, a separate group called Black Reward claimed credit for the hack-and-leak of emails related to the country’s nuclear program, which the group said was in response to the Iranian government’s murder of Mahsa Amini and the subsequent crackdown on protesters there.
“The islamic republic has become the first dictatorship to become open source,” said Sabeti, the Computer Emergency Response Team founder. “The amount of leaked data literally has opened source the regime.”