ICNA

Iranian Cyber News Agency

Edaalat-e Ali

Edalaat-e-Ali is a highly capable, probably Israeli-affiliated hacking group that has carried out a number of high-profile attacks against Iranian state targets in the last 6 years. The name refers to Emam Ali, and the group claims to be made up of Iranians living in Iran who are intent on exposing human rights abuses and freeing political prisoners.

List of names used by the industry:

  • EEA
  • Justice for Ali

Date founded:

  • EEA first came to public attention with their high-profile hack of the Evin Prison network in early 2020.

Affiliation:

EEA is a politically motivated Iranian hacktivist group that exposes human rights abuses and security vulnerabilities within the Islamic Republic. The group uses darknet tools and IoT exploitation, and has leaked compromising footage and documents from multiple prisons, notably Evin, driving public accountability. Although EEA states that it is a group of activists organized to punish the Iranian regime for human rights abuses, most analysts agree that the group is likely linked to the Israeli intelligence services.

Social media handles/websites:

X – @edalaateali1400

Telegram – EdaalateAli1400 (the channel has been blocked for doxxing individuals)

Previous operations:

Evin Prison CCTV Hack – EEA compromised the CCTV footage at Evin Prison, exposing widespread abuse and inhumane prison conditions. Videos showed guards beating prisoners and dragging an inmate on the floor.

Early 2020 – Evin Prison document leak – Leaked documents from the prison revealed concerns among officials about a potential foreign military attack. This suggests the group accessed internal data storage systems.

Ghezal Heassar Prison Hack – EEA successfully hacked the computers of Ghezal Heassar Prison, located in Karaj, northwest of Tehran, proving the hack by showing security guards’ reactions as their camera feeds were cut off.

November 2019 – Protest Arrestee List – Received a list of hundreds of prisoners arrested during the November 2019 protests and their charges.

Islamic Republic of Iran TV and Radio Hack – Claimed responsibility for hacking Iranian state TV and radio transmission.

[Image: EEA hack Iranian state TV]

Rape Investigation Leak – Leaked internal documents showing that two Iranian security officers were being investigated for the alleged rape of two young women detained during protests.

Tactics/Techniques/Tradecraft/Procedures (TTPs):

  • IoT Exploitation – Specifically targeting vulnerabilities in CCTV systems, indicating a focus on physical security infrastructure.
  • Exploit Delivery – Employing methods like malicious PDFs and Python scripts to deliver exploits.
  • Data Exfiltration – Successfully exfiltrating video footage, documents, and records from targeted systems.
  • Public Shaming – Using leaks to publicly expose abuses and injustices, aiming to generate public pressure.
  • Doxxing Two Security Officers during a rape investigation – The leaked documents showed that two Iranian security officers were under investigation for the alleged rape of two young women detained during protests.
  • Politically Motivated – Their operations are consistently driven by political grievances and a desire to challenge the Iranian regime.
  • Exploiting System Vulnerabilities – Iranian authorities admitted “unacceptable behavior” in Evin Prison after the videos were released, suggesting the hackers exploited real vulnerabilities.

Sources:

rferl.org/a-iran-judiciary-hack-targeting-journalists/32831893.html

iranint.com/en-202402201687

iranwire.com/en/news/125642-leaked-documents-give-glimpse-of-repression-in-iran/

voanews.com/a/middle-east-voa-news-iran-prsion-chief-apologises-after-leaked-abuse-videos/

securityaffairs.com/142172
