Haghjoyan

List of names used by industry:
- Haghjoyaan
Date founded:
- The group created their Telegram channel and announced the start of their activities on 7 October 2023. The start of the group’s activities coincided with the Hamas attack on Israel.
Affiliation:
- The group describes themselves as Iranian Hackers. In their initial manifesto they described themselves as the “Hacker Team of the Right Seekers”. They also directed much of their activities against Israel, describing them as a “child-killing regime.” A significant portion of their messaging used hashtags such as #free_palestine. The group aligned themselves and used imagery relating to the Anonymous worldwide hacking collective.
Social media handles/websites:
- Telegram: @Haghjoyann (allegedly seized)

Previous operations:
The group’s first activity was to target and deface 50 websites; they provided a Hack-DB link to prove their activities. These attacks were announced on 8 October 2023. The same day, the group claimed an attack that took over Israel’s early warning system (Red Color, tzevaadom.co.il). The group allegedly used the system to send alerts to Israeli citizens highlighting their attack.

On 11 October, the group defaced the website of Emara AI (emara.ai) with a message highlighting that “Israel will not see its 25th anniversary” and renaming the tab to “Sardar Soleimani”. The group once again provided a Hack-DB link as proof.
On 13 October, the group continued with their attacks with several major announcements:
- The defacement of two more “premium domains” (aascon.net and mmredc.com).
- A successful Denial of Service attack against the website of the Bank of Israel (bankisrael.gov.il).
- An alleged breach of Israeli critical infrastructure including systems related to water, electricity, gas, and indicator lights.
- A broad cyber-attack against unspecified Israeli targets, allegedly infecting more than 5000 people and extracting 2TB of data.
- They shared a compressed folder of data allegedly from 25 systems to “prove Israel is a cancer that must be eradicated.”
The information shared in the latter folder was analysed by the organization Hudson Rock and proved to be from an older breach of computers rather than from any activity by the Haghjoyan group. This highlighted the group’s use of disinformation as a method to skew public opinion. As a result, it is important to consider whether most of the group’s activities are authentic.
On 15 October, the group provided proof of the defacement of security-hafoz.co.il, dafor2000.co.il, mail.ilesotho.com, and wp.landing.mbk.co.il. Overall they claimed that 300 Israeli .com domain websites were hacked and had their information stolen. The group again provided Hack-DB links for proof.
The group claimed to have hacked 4,150 of Israel’s CCTV cameras; they leaked credentials and screenshots from the cameras. The group also doxed 120 Israeli people (unspecified if these were specifically linked to the government or the military) and shared screenshots of passports and birth certificates.
On 17 October, the group targeted the websites of 4 Israeli hospitals with Denial of Service attacks in response to an Israeli attack on a hospital in Palestine. They also shared graphic imagery of Israeli attacks against Palestine to their Telegram channel. The following day, the group defaced domains belonging to rosecaremedical.com.
On 18 October, the group shared a compressed folder of data allegedly from 500 Israeli systems, after allegedly infecting 1000 computers in Israel. The group shared screenshots from the computers.
On 22 October, the group announced that they were selling information related to US military and personnel from the FBI and CIA. The group listed the price as 0.06636401BTC for almost 400k identities. The group stated that it was a “simple warning from our team and our Russian brothers.”
That same day the group targeted and defaced the website and subdomains of humaninospireorganisation.org, landofricetales.com, internationalschoolsafety.com, getbossq.com, spoutauto.com, and mukhtargroup.co.in.
On 23 October, the group doxed an Israeli politician and defaced the website and subdomains of premierhealthcare.co.in, canopus63.com, and greenviewconsult.org.
On 24 October, the group leaked personal information relating to 7000 Israelis. The database included name, surname, national number, phone number, email, educational background, and military activity.
On 25 October, the group allegedly leaked 36GB of data relating to Mossad, Israel’s foreign intelligence agency. They also conducted a DOS attack against its website (mossad.gov.il). The following day the group defaced over 20 websites on an “American server”.
On 27 October, the group leaked 28GB of data from the organization Epsilor, a manufacturer and supplier for the Israeli defense industry.
After threatening the Israeli-linked hacking group Red Evils, the group doxed details relating to their channel and admin on 28 October.
On 10 November, the group announced a second wave of attacks on Israeli critical infrastructure. They claimed they hacked water plants, treatment plants, CCTV, heating systems, and more. They shared screenshots and captures of their attacks. The following day, the group defaced the websites etibakina.co.uil and cbarc.co.il.
On 14 November, the group took the website illuminatielites666.site offline.
On 16 November, the group hacked an American server and defaced 28 websites and subdomains. The group also allegedly took offline the website of the American car manufacturer Tesla (tesla.com).
On 17 November, the group defaced the website dev-crime-news.pantheonsite.io. The group also claimed to take offline the social media site instagram.com.
On 19 November, the group leaked 644MB of data relating to various Israeli targets. The following day they leaked a dataset of Israeli citizens consisting of over 6 million records. The data included name, surname, address, phone number, ID, blood type, and parents’ names.
On 20 November, the group defaced wobi.co.il, the website of WOBI insurance, one of Israel’s largest insurance companies. The group leaked a backup of the website and claimed to have information on more than 856k Israelis.
On 21 November, the group conducted a DOS attack against Microsoft’s website (microsoft.com).
On 27 November, the group conducted a DOS attack against Cloudflare’s website (cloudflare.com).
On 28 November, the group announced the hacking of another American server and the defacement of a further 17 websites/subdomains. The same day, the group announced the third wave of their attacks against Israeli critical infrastructure. The group targeted water plants, treatment plants, CCTV, etc. They shared screenshots of their activities.
On 1 December, the group leaked a database relating to Apple.
On 2 December, the group defaced the website of beastmode.co.il, i-bank.us and 300 other sites. Allegedly the attack only took 2 hours. Later that day the group claimed they had hacked a website linked to the CIA (no evidence of this) and leaked credentials for 5000 websites and 500 cPanels. They also leaked files allegedly belonging to a CIA agent.
On 4 December, the group conducted a DOS attack against Pornhub (pornhub.com) and allegedly leaked a database of information relating to Pornhub users.
On 7 December, the group announced their first wave of attacks against American industrial infrastructure. They claimed to have hacked water and treatment plants and industrial control systems. The group shared screenshots from allegedly compromised systems.
On 8 December, the group defaced 3 American websites and provided proof.
On 10 December, the group claimed to have infected more than 12,000 Americans with malware and had access to 6TB of data including IP addresses, files, Zip codes, phone numbers, credentials, etc. The group shared “proof” with a folder allegedly containing data from 200 systems.
On 11 December, the group defaced the website and subdomains of an American gambling website (bbincentives.org) and provided proof. The group also shared a backup of their server.
On 12 December, the group defaced the Nepalese website (pdnepal.org).
On 13 December, the group announced the defacement of over 60 websites hosted on a US server and provided Hack-DB links for proof.
On 15 December, the group defaced the website of the Beyond the Headlines news agency (beyondtheheadlines.news).
On 17 December, the group took down the Shas Al-Adl website (shabakeadl.org) and also allegedly got their Twitter accounts suspended.
On 18 December, the group announced a further wave of attacks against American and Israeli infrastructure. This attack was allegedly in response to the activities of the group Predatory Sparrow. The group claimed to have infiltrated industrial control systems, human-machine interfaces, SCADA systems, and PLCs. They shared screen recordings of their activities as evidence.
On 25 December, the group released a list of numbers belonging to Israeli military and intelligence personnel and other prominent people. They also announced the defacement of over 20 more American websites and subdomains.
On 26 December, the group announced the defacement of the Saint Lucia’s parliament website (parliament.govt.lc).
On 27 December, the group hacked an American server and defaced a list of websites. They once again, provided Hack-DB links for proof.
On 31 December, the group hacked a further American server and defaced websites hosted on it. The group also announced a DOS attack against the Israeli Ministry of Economy (ecom.gov.il) and allegedly leaked a database of information from the ministry on the Haghjoyan server (195.248.242.17).
On 2 January 2024, the group targeted another American server and defaced over 60 websites.
On 5 January, the group hacked another American server and defaced 5 websites.
On 6 January, the group targeted some Turkish websites with defacements encouraging them to “join the resistance front and defend Palestine and attack Israel, or stop exporting to the Zionists.”
On 11 January, the group doxed an Israeli cyber army (UNIT8200) officer and published their CV.
On 12 January, the group claimed to be offering free WebHost Manager access to 50 American and Indian websites.
On 13 January, the group defaced the Liberal World News Agency’s website (theliberalworld.com), the DTW News site (dtwnews.com), and the Muster TV organization’s website (muster.tv). The group claimed these were amongst the most visited American news agencies. The group also hacked some additional American servers and defaced the contained websites.
On 14 January, the group hacked another American server and defaced allegedly 100 websites. The group provided a Hack-DB link for proof.
On 15 January, the group defaced the website of State of Hockey News (stateofhockeynews.com). The group claimed this was the most visited American news agency.
On 16 January, the group defaced allegedly 100 websites, including water-damage.us, and alpha9.co.uk.
On 17 January, the group defaced a few more Turkish websites including polisbariyeri.com.tr. The group also conducted a DOS attack against the website abdolhamid.net.
On 19 January, the group claimed to leak information on 4 million American citizens after hacking the US State bank. The group also defaced the website of the Papua New Guinea Centre for Judicial Excellence (pngcje.gov.pg). The group also claimed to have “accidentally” hacked a server belonging to the Mossad. They claimed to have a list of 46,000 individuals. The group also announced the defacement of a further set of American websites following the compromise of a server.
The group also announced that they were offering VIP access for a payment of $50 in BTC. The upgrade claimed to offer daily access to websites, secret information, private source code and exploits, hacking tutorials, and more.
On 21 January, the group leaked information relating to Israelis who work with the Mossad organization. The database included information such as name, surname, national ID, phone number, email address and more.
On 23 January, the group defaced the website of the Kazakhstan news agency (agnews.kz). The group provided a Hack-DB link for proof.
On 24 January, the group leaked what they claimed to be the personal phone numbers of Israeli government ministers and members of the Knesset.
On 28 January, the group hacked another American server and defaced over 50 websites.
On 29 January, the group shared credentials to allegedly 500 cPanel dashboards.
On 2 February, the group hacked an American server and defaced its websites.
On 7 February, the group announced the defacement of websites belonging to an Israeli security organization and some news agencies.
On 9 February, the group defaced over 20 more international websites and provided Hack-DB links for proof.
On 12 February, the group once again targeted the Pornhub website (pornhub.com) with a DOS attack.
On 13 February, the group threatened Albania and then leaked a database of Albanian car number plates including details of the owners of the cars.
On 16 February, the group hacked an American server and defaced its websites.
On 19 February, the group hacked another American server and defaced its websites.
On 21 February, the group breached another American server and defaced a range of websites. The group also claimed to leak information (organograms) showing a connection between ISIS and Israel.
On 22 February 2024, the Telegram channel was renamed to “It was seized by the FBI and the European Cyber police force.” and their profile picture updated to be the FBI logo. A message was also shared with a link to the FBI website and a screenshot of a website seizure notice. The notice was from the 2021 FBI Operation Power OFF targeting DDOS-for-hire services. The manner of this change is unusual and has not been seen before. It seems likely that the group pretended that their Telegram channel was seized as a simple way to cease their activities.
Tactics/Techniques/Tradecraft/Procedures (TTPs):
- The group primarily conducted cyber-attacks against Israeli and American targets as a form of retaliation. Over their several months of operations they expanded their target set to also include Turkey and Albania.
- The group primarily operate by infiltrating servers in order to deface websites and subdomains to display messages and propaganda. Where the group is unable to infiltrate the corresponding server, they likely conduct Denial of Service (DOS) attacks instead. The group provided proof of these activities using
- The group also claim to infiltrate and compromise industrial control systems. These attacks were not verifiable from the screenshots they provided as evidence.
- The group focus on creating a visible high-profile impact rather than achieving more specific strategic goals. The aim appeared to be to cause significant disruption and attention through their activities and spreading of misinformation and intimidation.
- Notably, the group’s claims and “proof” are not verifiable as all of their check-host and HackDB links have expired. Some of their activities have also been discredited through other analysis. This suggests that potentially the majority of their activities may be exaggerated to encourage attention.
- The most unusual technique was to rebrand their Telegram channel to create the illusion of being seized by law enforcement. This seems to have been a low-sophistication method of bringing an end to their activities without having to provide justification.
Sources:
Malware.news/t/dark-web-profile-haghjoyan/77105
Infostealers.com/article/the-rise-of-infostealer-data-in-propaganda-and-fraud
Radar.certfa.com/en/insights/actor/db85d462
Cyble.com/blog/israel-palestine-conflict-and-looming-threat-on-critical-infrastructure