ICNA

Iranian Cyber News Agency

Hooshyarane Vatan


Date founded:

June 2021

Affiliation:

The group’s initial post (on 18 June 2021) was a manifesto in which they stated they were from Ahvaz, the capital of the Khuzestan Province in Iran. The group highlighted various ideological reasons for operating and targeting the Iranian regime in their activities. They declared their intention to “do something that [the regime] will be unable to keep secret.”

The group are part of the hacking collective PRANA Network.

Social media handles/websites:

Telegram: @Hooshyaran-e Vatan (Posting primarily in Persian with some English translations)
Twitter: @hooshyaran1 and @hooshyaran2

Previous operations:

  • On 21 November 2021, the group announced a successful attack against Mahan Air. They breached Mahan Air’s internal network, gaining access to internal documents, emails, reports, unencrypted data and other information. The group highlighted that Mahan Air’s IT department had detected the intrusion but was unable to remove them from the network.
  • The group conducted detailed analysis of the data from the server and shared their conclusions on social media as a long-form report. They exposed the “deep co-operation” between Mahan Air and the IRGC Quds Force (the latter operating through a front company called Hamrah). The group’s leak tradecraft was unusual in that they posted the stolen data as supporting evidence for the conclusions of their analysis/report. It is likely this was to help everyday readers better understand exactly what was exposed by their cyber activities. The exposure lasted until 16 January 2022, with new updates and data shared every few days.
  • Their next operation was announced on 17 June 2023. Over 2 days, the group released data following a cyberattack against the Safiran Airport Services Company. The data exposed IRGC arms shipments to Russia. Following similar tradecraft to their previous data leaks, the group shared some analysis of the stolen data, though they also requested support from OSINTers to help analyse the 1.27GB dataset.
  • In February 2024, the group announced, as a member of the Prana Network, that they had breached the email servers of the organization Sahara Thunder. They shared both a link to the full dataset hosted on simorgh.io and a set of zipped folders containing parts of the leaked data. The group also shared some screenshots from the attacks and the dataset, highlighting the Iranian production and supply of the Shahed-136 attack drones to Russia.
  • On 5 April 2024, the group shared the results of an investigation they conducted into the organization Yazd Air. It is unclear whether this investigation was conducted using open source data or supported by a further cyber-attack.
  • On 14 May 2024, the group shared a plea for support from individuals to bring them information that might help them in their fight against the IRGC.
  • Throughout 2024, the group shared sensitive information passed to them by “friends” where relevant to the data exposed in their previous operations. This data included a dataset of emails from Caspian Airlines, pictures of Mahan Air tickets, and other details. The releases exposed activities such as sanctions evasion and the transport of military personnel.
  • On 30 April 2025, the group shared several posts detailing Crescent of Anon’s cyber-attack against the Sepehr Energy Jahan company. The group said they were “happy to have played a role” in the attack, suggesting that they may have shared tradecraft or expertise to enable the activity. The group also shared the second Crescent of Anon attack against Sepehr Energy Jahan in November 2025.
  • On 13 May 2025, the group announced that 2GB of leaked data from Jey Oil Refining Company was available on the data hosting site simorgh.io. It is unlikely that this group conducted the attack as they did not perform the analysis typical of previous operations.

No further operational activities have been identified.

Tactics/Techniques/Tradecraft/Procedures (TTPs):

• The group primarily conducts network exploitation, infiltrating servers and exfiltrating data that it then leaks.
• An unusual characteristic of the group is that their method of leaking data involves conducting detailed analysis of the stolen data and sharing the conclusions. Exposures are typically prolonged, with data releases spread over multiple days at least.
• The group frequently work with and share data provided to them by other groups or individuals. This has also involved sharing tradecraft with another hacktivist group.
• The group primarily targets industries relating to the Iranian aviation and logistics sectors.

Sources:

Their social media.
Filter.watch/english/wp-content/uploads/sites/2/2023/09/Hackerwatch-Jan-June-2023.pdf
