Tapandegan

The Tapandegan (Palpitaters in Persian ) is an Iranian hacker group known for hacking twice the arrival and departure monitors at two major international airports in Iran (Mashhad and Tabriz) on May 24, 2018 and June 6, 2018 respectively, posting anti-government messages and images, forcing the airports’ authorities to turn off manually those monitors one-by-one.

The Tapandegan refers to its acts as an act of protest demanding from the Iranian leadership to improve the economy and to stop ignoring the demands of the Iranian people. News agencies categorized this group's acts as “a new form of protest in Iran.”

History
The Tapandegan first appeared publicly on May 24, 2018 when they hacked the arrival and departure monitors at Mashhad International Airport  and  on June 6, 2018 when they also hacked the arrival and departure monitors at Tabriz International Airport. The group posted anti-government messages and images, forcing the airports’ authorities to turn off manually those monitors one-by-one. Airport officials in both cities turned off the sign boards for several hours after the hacking and made apologetic public statements.

The Iranian authorities confirmed both cyber-attacks shortly after they took place and they were widely reported by the Iranian official press and the international news wires and agencies.

Name and alias
The group's name is in the Persian language meaning Palpitaters. Based on the messages they posted on those hacked monitors, the news sources noted that the group supports the national protests of the people in Iran demanding economic improvements.

Iran had seen frequent nationwide protests in 2018 by demonstrators angered by local and national officials and business leaders who they accuse of corruption and oppression. The two anti-government hacks at Iranian airports are the only incidents of their kind since the protests began in late December.

Hacking history
Hacking attacks in Iran have been on the rise recently. In August 2016, Internet security experts warned that hackers have found access to banking and contact details of millions of Iranians by hacking into their Telegram accounts. However, it is not yet clear whether this was a genuine warning or an attempt by hardliners in the Iranian government to convince people to leave Telegram and migrate to home-grown messaging services, where the government has easy access to users’ private information and can intercept their communications.

First hack: The Mashhad International Airport
According to The Associated Press’ report from Tehran, Iran’s official IRNA news agency reported that The Tapandegan “managed to interrupt routine broadcasts on monitors” at the Mashhad International Airport on Thursday evening, May 24, 2018, “replacing them with images of anti-government protests from January [2018]”“for several hours.”

Sources report that according to a statement posted by the hackers on the monitors, the group protested to “wasting Iranians lives and financial resources in Gaza, Lebanon and Syria by the Islamic Revolution Guards Corps (IRGC).” The message posted on sign boards also protested against the IRGC's presence in Syria, Iraq, and elsewhere in the region. The group also hacked the email of Mashhad airport civil aviation head, Mohsen Eidizadeh and sent the news of its hack from his account.

Mashhad is the city where massive anti-government demonstrations started on December 28 and spread to over 100 other Iranians cities. It is a religious city where the holy shrine of the 8th Shiite Imam is located. Local authorities and clerics in the city are among the staunchest hardliners. The group expressed support for the people of Kazeroon, a city in Fars Province, where people have been demonstrating against the state of months.

Second hack: The Tabriz International Airport
According to The Associated Press’ report from Tehran, Iran's official IRNA news agency reported that on June 6, 2018, the hackers “have disrupted the arrival and departure monitors in the Tabriz international airport in the country’s northwest.” The hackers defaced sign boards in the evening, showing a protest message against “wasting Iranians’ resources" and expressing support for Iranian truckers who have been on strike across Iran for several weeks.

Iranian truck drivers went on strike for more than a week beginning May 22 in several parts of Iran, using social media to mobilize and share images of themselves protesting low wages and rising business costs.

The Iranian state-run site, Young Journalists’ Club (YJC), “quoted Tabriz Governor Aliyar Rastgoo as saying the incident happened Wednesday at 9:30 p.m. local time.” A Tabriz airport official Mostafa Safaei confirmed the day after the cyber-attack that the monitors turned off following the hack and engineers quickly restored the system, and the incident was under investigation.

Translation of the message posted by the hackers on the monitors in Persian reads:

''Attention, attention. We, Tapandegan, in another protest action, are currently taking control of the computer systems of this airport. Two weeks ago, in protest against the wastage of the Iranian people’s money and lives by (Iran’s) Islamic Revolutionary Guard Corps, we took control of the computer systems in Mashhad airport. Today, by voicing our support for Iranian strikers, we are doing the same thing. Until when will this regime deprive people of their rights to have a better livelihood and economic situation?! Until when?! We will not choke off our voices. We will continue these actions. If you support us, take a photo of this and share it''

The Tapandegan assumed responsibility for the hacking in a tweet on June 7. News of the hacking broke almost immediately on social media as Iranians posted tweets and pictures of the incident. However, the posts came under pseudonyms as users inside Iran fear a heavy-handed clampdown by the government.

Sources report that The Tapandegan sent an email to Iranian journalists saying, “Two weeks ago, we took over the computer systems of Mashhad Airport in support of the national protests. We protested against wasting Iranian lives and assets by IRGC [The Islamic Revolutionary Guard Corps]. And, today, we support the truck drivers, the bazar, and the strikers”.

Third Attack: Hacking into the Islamic Republic International Broadcasting (IRIB) and the Iranian Embassy in Berlin
Chief of Iran's cyber police, Seyed Kamal Hadianfar, claimed that the hackers who attacked Mashhad and Tabriz airports have been identified and arrested. According to a report by AsiaOnline, on January 17, 2019, the Tapandegan hacked allegedly into IRIB's computer systems, including IRIB's director Mr. Asgari, his deputy Mr. Abutalebi, and IRIB's political news director Mr. Seyyed Mehdi, and the email of the Iranian counselor in Berlin Mr. Zamani, and sent out emails and SMS through them to IRIB's employees, the Majlis speaker Ali Larijani and other Majlis members, as well as journalists. This email, according to this report, claims that top secret information is leaked regarding the transfer of two Trillion Touman each year in USD, double to Iran's Foreign Ministry annual budget, by Iran's Foreign Minister Javad Zarif to the Lebanese Hizballah, via his advisor Shirkhodaei, his special team, and the Iranian ambassador to Lebanon. The group claims that they got hold of documents related to this information while hacking into IRIB's computer systems and the email of the Iranian counselor in Berlin. Tapandegan blamed Zarif for money laundering while he himself had been accusing other offices in Iran of money laundering. AsiaOnline.ir published the entire email allegedly sent by The Tapandegan.

Documents Exposed
This group hacked the emails of the Islamic Republic's authorities. They hacked Tehran Municipality's Gmail account, and this way entered the Municipality's Twitter and Instagram accounts, and sent an email through the municipality's email system to the members of the Iranian Parliament Majlis including the Speaker Ali Larijani, Ali Motahari, Mahmoud-Sadeghi and ten other Majlis members, complained concerning the economic mismanagement and absence of social justice, and asked for the trial of the corrupt individuals and for putting an end to the rampant corruption in the country. The Tapandegan calls to stop corruption by the Iranian leadership through exposing allegedly top-secret related information received from insiders and whistleblowers. August 2, 2018, the Tapadengan exposed a letter received from a whistleblower, which claimed that ministries and IRGC have been ignoring the direct order, by Iran's Supreme Leader Khamenei to limit and downsize IRGC's involvement and control over the private sector and the economy. The leaked information included names of IRGC's subsidiaries, which operated as private companies. August 20, 2018: The Tapandegan exposed a top secret document, which was leaked to the group, regarding the purchase of a 5-star-hotel in the city of Mashhad for a price of US$28 million for the vacation of IRGC officers. The purchase was taking place in 2018 as the national protests broke out throughout Iran protesting the deteriorating economic conditions.

In a video posted on YouTube, The Tapandegan released information concerning its claimed infiltration to Iran's computer systems and claimed that it has hacked the email accounts of senior managers and employees of all the airports in the country. Documents released by the group show that Iranian authorities are concerned about Tapandegan's ability to hack the computer systems of the government agencies, financial institutions, and the military and "called upon the relevant responsible personnel to check them out quickly.