Ghyam ta Sarnegouni
Ghyam ta Sarnegouni, meaning ‘uprising until overthrow’, is a hacking group that has been active since 2022. They have carried out a number of high-profile hack and leak operations against the Iranian state. They often deface websites, steal data and publish information online highlighting perceived corruption by the Iranian state.
Ghyam ta Sarnegouni is a politically motivated hacking group that seeks to expose the Iranian state. It is clear that the group have evolved over time, with more recent hacks taking out a larger number of servers. They have published thousands of files online and last uploaded documentation to their Telegram channel in June 2025.
List of names used by the industry:
- Ghiam ta Sarnegouni
- قیام تا سرنگونی
Date founded: They first came to public attention in 2022.
Affiliation: The group post pro-MKO/MEK content but are not officially affiliated.
Social Media & Websites:
• Telegram: @ghyamsarnegouni
• Instagram: @ghyamsarnagouni
• X: GhiamSarnegouni (no longer available)
Previous operations:
July 2022 – took over the website and servers of the Islamic Culture and Communications Office. The group claimed to have taken over 6 sites and defaced 15 others as well as compromising computers and servers.
May 2023 – The MEK website stated that the group seized control of 210 websites, apps servers and databases belonging to Iran’s Ministry of Foreign Affairs, obtaining documents and “destroying servers and main data banks”.
Also in May 2023, the group claimed to have breached 120 servers and 1,300 computers in the presidential office.
September 2023 – the group claim to have hacked the Ministry of Science, gaining control of 500 servers. They stated that they acquired access to 20,000 documents, including a “very confidential” document from the Supreme Council of the Cultural Revolution that contained demographic data relating to the 2022 anti-government protests. This was alongside a letter from the Higher Education minister to the President’s office which stated that some university chancellors were reluctant to co-operate with security forces in suppressing the students.
November 2023 – the group leaked an audio file on their Telegram channel which purports to be a recording of Hamidreza Haddapour, an official within the Supreme Leader’s university representatives’ network. This speaker discloses that under Khamenei’s directive, international students were hired on a contract basis as “cultural secretaries” to advance the Islamic Republic’s cause in other nations. The speaker states that these students are the offspring of “influential individuals in their countries who may inherit their fathers’ positions”. Ghyam ta Sarnegouni released this file and other documents on their Telegram channel after taking control of the website of Khamenei representatives’ network in universities – nahad.ir
February 2024 – hacked the Iranian parliament (Majlis) website, replacing pages with images of MEK/MKO leaders and pro-MEK/MKO messages. The group highlighted leaked documentation showing Supreme Leader Ali Khamenei’s chief of staff requesting higher budgets from organizations affiliated with his office and one document pertaining to methods of circumventing sanctions. Ghyam ta Sarnegouni claimed to have done this by breaching the main servers through the Khaneh Mellat News Agency and going on to take control of 600 servers of the Majlis. The Iranian parliament public relations rejected the authenticity of these documents stating “hackers probably manipulated real documents with limited access to some documents”.
Tactics/Techniques/Tradecraft/Procedures (TTPs):
- Website defacement: a common tactic used to demonstrate capability. Ghyam ta Sarnegouni have replaced website pages with their own images, often of MEK/MKO leaders.
- Data Exfiltration: extracting documents and data from systems. Ghyam ta Sarnegouni then share these on their Telegram and Instagram pages.
- Destruction of data: reports about Ghyam ta Sarnegouni activities state that they have deleted information from systems and disabled servers.
Sources:
ncr-iran.org/en/news/iran-protests/websites-of-tehrans-arm-of-global-extremism-taken-down
English.mojahendin.org/article/documents-reveal-details-of-tehrans-campaign-to-discredit-mek
English.mojahendin.org/news/iranian-dissidents-disrupt-over-210-regime-foreign-ministry-websites-and-servers
Csidb.net/csidb/actors/dca65503-7505-4f2b-9f13-0b99e50d1347/
Iranintl.com/en/202309244311
Iranintl.com/en/202311201032
Iranfocus.com/general/50759-internal-documents-reveal-damning-information-abour-irans-parliament

