ICNA

Iranian Cyber News Agency

لب دوختگان

Lab Dookhtegan

List of names used by the industry:

  • “Read My Lips”
  • “Sewn Lips”

Date founded:

Early 2019

Affiliation:

Lab Dookhtegan members are hacktivists who oppose Iranian state-sponsored cyber actors. The group is known for exposing Iranian cyber operatives and their activities.

Social media handles/websites:

Telegram – t.me/LabDookhtegan_Channel

X – @Labdookhtegan2 – they use this channel to ask people to send them information on parties they are interested in doxxing

Instagram – labdookhtegan_

Previous operations:

March 2019 – Systematically posted secrets of the Iranian hacker group APT34, which has been linked to the Iranian government. Published a collection of the hackers’ tools, evidence of their intrusion points, IP addresses of servers used by Iranian intelligence, and ID and photos of alleged Iranian Ministry of Intelligence officials who are hackers working with the OilRig group. The leak exposed the tools of Iranian hackers and compromised APT34 members’ security.

September 6 2019 – Posted photos and personal details to Telegram of Mojtaba Mostafavi, one of the Ravin co-founders sanctioned by the US. At the time, Mostafavi was identified as part of MOIS and associated with APT34.

2021 – Group Sayyed Project targeted the airport of Tirana, Albania. Lab Dookhtegan revealed the identity of the person directing the cyber attack as Mohammad Bagher Shirinkar.

March – April 2021 – 3 documents leaked via Telegram relating to Iranian cyber firm, Emennet Pasagard.

August 2025 – Group claims it disrupted the communications of a merchant fleet. They carried out a similar attack in March 2025, claiming to disrupt the capabilities of 116 NITC and IRISL vessels. The group claimed that these tankers were involved in operations violating international sanctions.

August 2024 – Posted on Telegram about the assassination of US citizen Stephen Edward Troll. Stated that information was passed to the group confirming that Troll was killed by IRGC Mohammad Reza Nouri, who was used in the 4000 terror operations in Iraq.

Tactics/Techniques/Tradecraft/Procedures (TTPs):

  • Dumping tools, names, photos and personal information of hackers; naming and shaming members of Iranian intelligence authorities; and wiping servers clean, leaving behind messages.

Resources:

Telegram – t.me/LabDookhtegan_Channel

maritimeexecutive.com/hackers-disable-iranian-merchant-shipping-communications

iranintl.com/en/202503182119

industrialcyber.co/transport/cydome-analyzes-lab-dookhtegan-cyber-attack-on-iranian-oil-tankers-provides-mitigation-action
