{ "id": "bcd88222-5def-40db-8609-21c82c15e731", "created_at": "2026-04-06T00:14:36.594064Z", "updated_at": "2026-04-10T03:31:48.772839Z", "deleted_at": null, "sha1_hash": "326f346394f757e82dfae3783318a48a3755ca8a", "title": "ALTOUFAN TEAM Hits Middle East Targets", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2027189, "plain_text": "ALTOUFAN TEAM Hits Middle East Targets\r\nPublished: 2023-02-16 · Archived: 2026-04-05 18:24:04 UTC\r\nCyble analyzes recent Threat Actor activity targeting Bahraini \u0026 Israeli sites, protesting normalization of\r\ndiplomatic relations.\r\nThreat Actors target Bahraini \u0026 Israeli websites to protest normalization of\r\nrelations\r\nOn February 13, 2023, the Threat Actor (TA) group ALTOUFAN TEAM on Telegram announced a campaign\r\nagainst Bahraini and Israeli websites to protest the normalization of relations between the two countries. The\r\nattacks coincided with events from February 14, 2011, attempted by the opposition to overthrow Bahrain’s\r\nmonarchy.\r\nWorld's Best AI-Native Threat Intelligence\r\nOn February 14, 2023, the ALTOUFAN TEAM claimed to compromise Social Insurance Organization (SIO),\r\nBahrain, on their Twitter account and Telegram channel.\r\nhttps://blog.cyble.com/2023/02/16/altoufan-team-targets-the-middle-east/\r\nPage 1 of 9\n\nFigure 1: One site defaced by the group\r\nThe alleged attack was succeeded by a poll created by the hacktivist group that received maximum votes on the\r\npoll option – “to increase the base pay for pensions” – designating SIO as their next target organization.\r\nALTOUFAN has since posted a video showcasing the use of stolen credentials to log into Bahrain’s Social\r\nInsurance employer portal and modify base wages.\r\nTimeline of Events\r\nAt approximately 11:49 PM Bahrain time, the TAs announced to target the SIO (the Social Insurance\r\nOrganization), which was allegedly chosen through a Twitter poll.\r\nhttps://blog.cyble.com/2023/02/16/altoufan-team-targets-the-middle-east/\r\nPage 2 of 9\n\nFigure 2: TAs claim to increase the pay of pensioners\r\nThe TAs claimed they would carry out a hack to modify the pension wages of Bahrainis registered on the Social\r\nInsurance Organization “before dawn”.\r\nFigure 3: TAs receive an error message on site indicating the amount of the raise is over 40% of\r\nbase pay\r\nhttps://blog.cyble.com/2023/02/16/altoufan-team-targets-the-middle-east/\r\nPage 3 of 9\n\nAt approximately 11:54 PM, The group shared a video as proof of compromise, claiming to have fully\r\ncompromised the systems and servers of the Social Insurance Organization of Bahrain to raise the base wages of\r\n4,000 insured and registered Bahraini citizens.\r\nFigure 4: TAs claim to have modified 4,000 records of pensioners and insurees\r\nWhile the TAs obtained access and modified records, the POC they shared displayed inputting credentials on the\r\nportal. The access to the portal was likely obtained through info-stealer malware logs (compromised endpoints)\r\nrather than a full server compromise.\r\nWe also found over 700 compromised credentials for the SIO employer portal domain on the Vision platform,\r\nsupporting this conclusion.\r\nFigure 5: Stealer logs found on Vision platform for SIO employer portal (left), TAs’ compromise\r\nvideo (right)\r\nAttack on Other Israeli and Bahraini Entities\r\nhttps://blog.cyble.com/2023/02/16/altoufan-team-targets-the-middle-east/\r\nPage 4 of 9\n\nThe series of attacks began on February 13, 2022, with the news website “Akhbar Al Khaleej”. The TAs defaced\r\nthe site’s landing page and claimed to have destroyed the site’s data.\r\nFigure 6: Defacement of Akhbar AlKhaleej website\r\nThe defacement replaced the headlines with incendiary comments on the royal family and normalization with\r\nIsrael and changed articles’ images to photos of opposition figures.\r\nThe TAs also included the keyword “Toufan” in the editor’s column title as their calling card. The group posted\r\npropaganda videos with political chants and a collage of exiled or jailed political figures from the opposition (e.g.,\r\nAli Salman, Abduljalil AlSingace, Hassan Mushaima, and others) next to the Pearl Monument.\r\nhttps://blog.cyble.com/2023/02/16/altoufan-team-targets-the-middle-east/\r\nPage 5 of 9\n\nFigure 7: Video with political chants and pearl monument symbol\r\nThe TAs also targeted the Bahrain Airport site. The website returned 504 and 404 errors at the time of this\r\nanalysis, but it is currently up and running.\r\nFigure 8: Wayback machine site capture and TA’s screenshot\r\nFurthermore, the group singled out the National Financial and Exchange Co website WLL, referencing public\r\nrecord information from Bahrain’s commercial record registry to name and shame the owners.\r\nhttps://blog.cyble.com/2023/02/16/altoufan-team-targets-the-middle-east/\r\nPage 6 of 9\n\nFigure 9: DDoS attack against nafexbh.com\r\nFigure 10: TAs learning how to use public lookup sites\r\nThe TA group also performed DDoS attacks on the Bahrain News Agency website and the Bahrain Chamber of\r\nCommerce website, both of which are up at the time of this analysis.\r\nHistoric Exaggeration of Claims\r\nThe techniques allegedly leveraged by the group to gain access to SIO accounts were found improbable. The TAs\r\ndid access the SIO employer portal, indicating a lack of protective measures such as OTP (One-Time Password).\r\nThe Tactics, Techniques, and Procedures (TTPs) used in this campaign were basic.\r\nHowever, the TAs utilized their exaggerated narratives to push a grand image of their campaign to influence\r\namass. The group deliberately carried out the alleged SIO “hack” past midnight to prevent a quick response by\r\nhttps://blog.cyble.com/2023/02/16/altoufan-team-targets-the-middle-east/\r\nPage 7 of 9\n\nBahrain CERT.\r\nIn November 2022, the same TA group attempted a disinformation campaign to dissuade citizens from voting in\r\nBahrain’s municipal elections. The TAs defaced and took down the House of Representatives website (nuwab.bh)\r\nand the Legislation and Legal Opinion Commission website (lloc.gov.bh) and sent fraudulent SMS messages\r\nclaiming that the elections had been postponed due to the attacks.\r\nFigure 11: Altoufan’s first defacement\r\nAt the time, the TAs had posted a propaganda video claiming to attack 16 prominent websites of government\r\nentities and stating that the leaks would be shared soon. The video showed a normal level of access to each site\r\navailable to a logged-in user, indicating another instance of exaggeration using stealer logs.\r\nOverview of the TA Group’s Activities\r\nALTOUFAN isa group of politically motivated hacktivists with anti-Zionism, anti-monarchy, and pro-14-\r\nFebruary movement sentiments.\r\nTable 1 below lists the targeted websites and types of attacks.\r\nWebsite URL Type of Attack\r\nAlKhaleej-news.com Defacement, Data Deletion\r\nBahrainAirport.bh Denial of Service\r\nBna.bh Denial of Service\r\nNafexbh.com Denial of Service\r\nhttps://blog.cyble.com/2023/02/16/altoufan-team-targets-the-middle-east/\r\nPage 8 of 9\n\nBahrainchamber.bh Denial of Service\r\nSio.gov.bh Use of stolen credentials from  stealer logs to modify records\r\nAbc-bahrain.com Defacement\r\nBtea.bh Defacement\r\nMikapirsum.co.il Defacement\r\nHawkshaifa.com/angos Defacement\r\nZerpri.co.il Defacement\r\nRotter.net Defacement\r\nTable 1: List of Cyberattacks on February 13 and February 14\r\nThe TA group uses a fist logo and iconography similar to the Iranian hacktivist groups “Moses’ Staff” and\r\n“Abraham’s Ax”. As with those groups, ALTOUFAN maintains a presence on the popular social media platforms\r\nInstagram, YouTube, Twitter, and Telegram and shares detailed montages and designs to spread their message.\r\nThe methodology of the attacks (DDoS, defacement), the promotion of the attacks, and clenched fist symbolism\r\ntie into Iranian hacktivist groups. Additionally, state-aligned Iranian Telegram channels picked up and promoted\r\nthe then-unknown group after their first attack, indicating a possible connection.\r\nImpact \u0026 Mitigation\r\nDefacement and DDoS attacks result in lost revenue, reputational damage, misinformation campaigns, and\r\npromotion of TAs’ political agendas.\r\nMitigations for DDoS attacks include:\r\nUtilizing a WAF (Web Application Firewall) or DDoS (Distributed Denial of Service) protection service,\r\nEnsuring that production servers are not publicly accessible through the internet,\r\nRedirecting all traffic to go through the WAF,\r\nRate-limiting traffic, for example, simultaneous SYN attacks by hosts which initiate a connection but never\r\ncomplete it, should receive a timeout past a certain period,\r\nGeo-blocking IP ranges that legitimate users would not have,\r\nConsidering high-availability designs in development, such as utilizing a CDN and/or backup servers,\r\nEnsuring site data is backed up.\r\nSource: https://blog.cyble.com/2023/02/16/altoufan-team-targets-the-middle-east/\r\nhttps://blog.cyble.com/2023/02/16/altoufan-team-targets-the-middle-east/\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://blog.cyble.com/2023/02/16/altoufan-team-targets-the-middle-east/" ], "report_names": [ "altoufan-team-targets-the-middle-east" ], "threat_actors": [ { "id": "527e04ee-7f5f-49aa-8653-f893b43730bd", "created_at": "2022-10-25T16:07:24.512541Z", "updated_at": "2026-04-10T02:00:05.017592Z", "deleted_at": null, "main_name": "Moses Staff", "aliases": [ "Abraham's Ax", "Cobalt Sapling", "DEV-0500", "G1009", "Marigold Sandstorm", "Vengeful Kitten", "White Dev 95" ], "source_name": "ETDA:Moses Staff", "tools": [ "DCSrv", "DCrSrv", "PyDCrypt", "StrifeWater", "StrifeWater RAT" ], "source_id": "ETDA", "reports": null }, { "id": "bef06c82-0f51-44ba-8451-049cd4ad8a52", "created_at": "2023-01-06T13:46:39.325635Z", "updated_at": "2026-04-10T02:00:03.288171Z", "deleted_at": null, "main_name": "MosesStaff", "aliases": [ "Moses Staff", "Marigold Sandstorm", "DEV-0500", "VENGEFUL KITTEN" ], "source_name": "MISPGALAXY:MosesStaff", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c4d0e4e1-5ad3-4455-8291-ce72a1e09e46", "created_at": "2022-10-27T08:27:13.055675Z", "updated_at": "2026-04-10T02:00:05.323068Z", "deleted_at": null, "main_name": "Moses Staff", "aliases": [ "Moses Staff", "DEV-0500", "Marigold Sandstorm" ], "source_name": "MITRE:Moses Staff", "tools": [ "PyDCrypt", "PsExec", "DCSrv", "StrifeWater" ], "source_id": "MITRE", "reports": null }, { "id": "1359248c-351d-4e32-ac17-449907bd96ad", "created_at": "2024-12-21T02:00:02.859769Z", "updated_at": "2026-04-10T02:00:03.794895Z", "deleted_at": null, "main_name": "Altoufan Team", "aliases": [], "source_name": "MISPGALAXY:Altoufan Team", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6a5293c8-2a88-4a33-927a-4a0c946dc867", "created_at": "2025-08-07T02:03:24.778647Z", "updated_at": "2026-04-10T02:00:03.647413Z", "deleted_at": null, "main_name": "COBALT SAPLING", "aliases": [ "Abraham's Ax ", "DEV-0500", "Marigold Sandstorm ", "Moses Staff ", "Vengeful Kitten " ], "source_name": "Secureworks:COBALT SAPLING", "tools": [ "DCSrv", "PyDcrypt", "StrifeWater RAT" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434476, "ts_updated_at": 1775791908, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/326f346394f757e82dfae3783318a48a3755ca8a.pdf", "text": "https://archive.orkl.eu/326f346394f757e82dfae3783318a48a3755ca8a.txt", "img": "https://archive.orkl.eu/326f346394f757e82dfae3783318a48a3755ca8a.jpg" } }