Cyber Av3ngers

List of names used by industry:
- Cyber Avengers
- Bauxite (Dragos)
Date founded:
- Around 2020
Affiliation:
- IRGC
Cyber Avengers (CA) is an Iranian hacking group affiliated with the Islamic Revolutionary Guard Corps (IRGC) and Shahid Kaveh. It is reportedly the Iranian regime's most prolific hacking group focusing on critical infrastructure such as industrial control systems, utilising malware known as IOCONTROL [1] to target industrial control systems/supervisory control and data acquisition (ICS/SCADA) devices including routers, PLCs, human machine interfaces (HMI), firewalls, IP cameras, and Linux-based Internet of Things devices.
Although the group has been active since 2020, it has been the most prolific since 2023, in a campaign against anti-regime hacking group “Predatory Sparrow.”
The group has predominantly attacked Israeli targets or Israeli-linked targets.
Social media handles and websites:
Previous operations:
- July 2020 – CIA claimed to have targeted more than 150 industrial servers of Israel’s railways which affected operations at 28 train and subway stations. The start of the “major cyber operation” started on July 14 at 0120 (the time Gen. Soleimani was killed in an airstrike earlier that year) and lasted 10 days. 28 stations were reported to have been targeted in these attacks. A few months later the group advertised on X that they were selling the data taken in the attack for 4 BTC. They claimed date included approximately 3000 employees and 10 million journeys, including passenger details.2
- July 2023 – CA claimed it had conducted a Distributed Denial of Service (DDoS) attack against the website of Israel's largest oil refinery, the Bazan Group, making it inaccessible. The hacking group also claimed it had breached BAZAN's network via an exploit targeting the company's firewall. BAZAN claimed this attack was fabricated. [3]
- September 2023 – Falsely claimed to have conducted successful cyber-attacks against Israel’s railway network. CA made further false claims of successful cyber-attacks against Israeli power grids.
- October 2023 – CA conducted a DDoS attack against Israel's Dorad website and claimed to have hacked a Dorad power station. The group posted images on social media to support this claim; however, these claims were proven false and the images were reused from a previous attack by another pro-regime hacking group known as Moses Staff. [4]
- November 2023 – CA successfully compromised OT assets within a municipal water authority in the US. They accessed one of the water company's programmable logic controller (PLC) devices and altered the menu page with anti-Israeli commentary – the defacement message read "You have been hacked, down with Israel. Every equipment 'made in Israel' in CyberAv3ngers legal target." [5] Although not attributed to CA, in 2023 Unitronics devices associated with the E-Post parcel distribution centers in Israel were compromised in a similar way. [6]
Tactics/techniques/tradecraft/procedures (TTPs):
- Brute force attacks
- Credential based attacks
- Crucio ransomware
- Defacement
- DDoS attacks
Associated individuals:
- Hamid Homayunfal
- Hamid Reza Lashgarian
- Mahdi Lashgarian
- Milad Mansuri
- Mohammad Amin Saberian
- Mohammad Bagher Shirinkar
References:
- claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol
- middleeastmonitor.com/20200731-iran-group=claim-attacks-on-28-israeli-railway-stations/
- sophos.com/en-us/blog/iranian-cyber-av3ngers-compromise-unitronics-systems
- bleepingcomputer.com/news/security/israels-largest-oil-refinery-website-offline-after-attack
- dti.domaintools.com/cyberav3ngers-from-infrastructure-hacks-to-propaganda-machines-in-the-iran-israel-cyber-war
- secureworks.com/blog/iranian-cyber-avng3rs-compromise-unitronics-systems

