MEI A.I CyberSecurity Scoring
MEI
Company Information
Website:http://www.moe.gov.ir/
Employees number:187
Number of followers:1,115
NAICS:211
Industry Type:Oil and Gas
Homepage:moe.gov.ir
MEI Risk Score (AI oriented)
Between 650 and 699
MEIOil and Gas
Updated:
06/05/2026
06/05/2026
696/1000
Weak
B
MEI Global Score (TPRM)
xxxx
MEIOil and Gas
Score locked

MEIWeak
Current Score
696B (WEAK)
01000
3 incidents
-24.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
700
JUNE 2026
700
MAY 2026
696
APRIL 2026
696
MARCH 2026
714
Cyber Attack
01 Mar 2026 • MEI
BadeSaba: Hackers hit Iranian apps, websites after US-Israeli strikes
Cyber Retaliation Likely as U.S.-Israeli Strikes Trigger Iranian Digital Disruptions
693
CRITICAL-21
BAD1772389516
Cyber Retaliation Likely as U.S.-Israeli Strikes Trigger Iranian Digital Disruptions
On March 1, 2026, a series of cyber operations unfolded alongside joint U.S.-Israeli airstrikes targeting Iran, signaling potential escalation in digital warfare. Cybersecurity experts reported multiple breaches, including the hack of BadeSaba, a widely used Iranian religious app with over 5 million downloads. The app displayed messages urging armed forces to disarm and join civilians, while other compromised news websites broadcast similar calls for accountability.
Internet connectivity in Iran experienced sharp drops at 0706 GMT and 1147 GMT, according to Doug Madory of Kentik, with only minimal service remaining. The Jerusalem Post reported cyberattacks on Iranian government and military systems, though Reuters could not independently verify these claims. Security researchers noted the strategic targeting of BadeSaba, as its user base primarily religious and pro-government made it a high-impact platform for psychological operations.
Cybersecurity firms warned of impending retaliation, with Sophos’ Rafe Pilling highlighting potential tactics, including amplified data breaches, unsophisticated industrial system compromises, and direct offensive cyber operations. Pro-Iranian hacktivist groups, known for past hack-and-leak campaigns, ransomware, and DDoS attacks, have already issued calls to action, per Halcyon’s Cynthia Kaiser. CrowdStrike observed reconnaissance and DDoS activity from Iranian-aligned actors, while Anomali reported state-backed Iranian groups deploying "wiper" attacks against Israeli targets ahead of the strikes.
Despite Iran’s reputation as a cyber threat alongside Russia and China, its past responses to physical attacks have been limited. Following U.S. strikes on Iranian nuclear sites in June, cyber retaliation was minimal, with only a brief disruption in Albania’s capital, Tirana. However, the current escalation suggests a shift toward more aggressive digital countermeasures.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
REFERENCES
FEBRUARY 2026
714
JANUARY 2026
739
Cyber Attack
01 Jan 2026 • MEI
Ministry of Justice: MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack
Iranian State-Backed Hackers Masquerade as Ransomware Group in False Flag Attack
711
CRITICAL-28
IRA1778078883
Iranian State-Backed Hackers Masquerade as Ransomware Group in False Flag Attack
In early 2026, cybersecurity firm Rapid7 uncovered a sophisticated ransomware attack attributed to MuddyWater an Iranian state-sponsored hacking group also known as Mango Sandstorm, Seedworm, and Static Kitten. The operation, however, was a false flag, designed to mimic the tactics of the Chaos ransomware-as-a-service (RaaS) group while serving Iranian strategic objectives.
The attack began with high-touch social engineering via Microsoft Teams, where threat actors used interactive screen-sharing to harvest credentials and bypass multi-factor authentication (MFA). Unlike typical ransomware campaigns, the group forwent file encryption, instead focusing on data exfiltration and long-term persistence through remote management tools like DWAgent and AnyDesk.
MuddyWater’s shift toward off-the-shelf cybercrime tools including CastleRAT and Tsundokere has been documented by multiple security firms, complicating attribution. This tactic aligns with past behavior: in 2020, the group deployed Thanos ransomware via the PowGoop loader in attacks on Israeli organizations, and in 2023, it collaborated with DEV-1084 (linked to the DarkBit persona) to conduct destructive attacks under the guise of ransomware. By October 2025, MuddyWater was observed using Qilin ransomware against an Israeli government hospital, further blurring the line between state-sponsored and criminal activity.
The Chaos RaaS group, which emerged in early 2025, employs a double extortion model, combining data theft with threats of DDoS attacks and customer/competitor leaks to pressure victims. As of March 2026, Chaos had claimed 36 victims, primarily in the U.S., targeting sectors like construction, manufacturing, and business services. The group’s tactics include vishing via Teams, impersonating IT support to trick victims into installing Microsoft Quick Assist or other remote access tools.
In the attack analyzed by Rapid7, MuddyWater initiated external Teams chat requests, luring employees into screen-sharing sessions. Once inside, the threat actors conducted reconnaissance, accessed VPN configurations, and deployed AnyDesk for persistence. They also used RDP to download a malicious executable (ms_upd.exe) from a command-and-control (C2) server, triggering a multi-stage infection chain that delivered a custom remote access trojan (RAT) disguised as a Microsoft WebView2 application.
The malware game.exe (Darkcomp) connected to a C2 server every 60 seconds, enabling command execution, file operations, and PowerShell script deployment. The attack’s link to MuddyWater was confirmed through a code-signing certificate attributed to "Donald Gay", previously used to sign other malware, including the CastleLoader downloader (Fakeset).
The incident underscores the growing convergence of state-sponsored and cybercriminal tactics, with threat actors leveraging RaaS frameworks to obscure attribution and delay defensive responses. The absence of file encryption despite Chaos ransomware artifacts suggests the ransomware component was used primarily for obfuscation, not financial gain.
Meanwhile, Iranian-linked cyber operations continue to escalate. Security firm Hunt.io revealed an Omani government breach, where attackers exfiltrated 26,000 Ministry of Justice records, judicial case data, and registry hives from an open directory on a UAE-based VPS. Pro-Iran hacktivist group Handala Hack also claimed attacks on U.S. Navy personnel and the Port of Fujairah, leaking 11,000 sensitive documents including shipping records and customs data potentially enabling physical targeting by Iranian forces.
Check Point Research noted that these campaigns reflect a shift from intelligence gathering to kinetic impact, with cyber operations now directly supporting military objectives. The pattern suggests that periods of relative quiet in physical conflicts are followed by intensified cyber activity, marking the most serious escalation to date.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
DECEMBER 2025
739
NOVEMBER 2025
738
OCTOBER 2025
738
SEPTEMBER 2025
737
AUGUST 2025
737
JUNE 2025
746
Cyber Attack
18 Jun 2025 • MEI
Ministry of Economic Affairs and Finance: Israel-Iran Conflict Sparks Wider Cyber Conflict, New Malware
Cyber Conflict Escalation in Middle East: Israel-Iran Hacktivism Surge
735
CRITICAL-11
IRA1767601584
Escalating Cyber Conflict in the Middle East as Israel-Iran Tensions Fuel Hacktivist Surge
The June 13 Israeli strikes on Iranian nuclear and military targets have triggered a sharp escalation in cyber warfare across the Middle East, with hacktivist groups launching a wave of attacks targeting Israel and regional allies. Between June 13 and 17, threat intelligence firm Cyble documented cyber operations by 74 hacktivist groups, over 90% of which are pro-Iran, focusing primarily on Israeli infrastructure while also striking entities in Egypt, Jordan, the UAE, Pakistan, and Saudi Arabia.
### Targets and Tactics
Israel bore the brunt of the attacks, with government, defense, media, telecom, finance, education, and emergency services sectors hit by DDoS attacks, website defacements, unauthorized access, data breaches, and ransomware/wiper malware campaigns. Notable incidents included:
- Five ransomware/extortion attacks by Handala Group against Israeli media, telecom, construction, education, and chemical/energy organizations, with data samples leaked in two cases.
- A ransomware/wiper executable ("encryption.exe") attributed to the previously unknown Anon-g Fox, which checks for Israel Standard Time (IST) and Hebrew language settings before executing—terminating if conditions aren’t met.
- A banking malware campaign (IRATA) targeting 50+ Iranian financial and crypto apps, impersonating government entities like the Judicial System of Iran and the Ministry of Economic Affairs. The malware steals credentials, account balances, and card data while remotely controlling infected devices.
Other documented attacks included 34 DDoS incidents, five defacements, two data breaches, and four credential leaks, with groups like Anonymous Guys, Arabian Ghosts, and GhostSec actively participating. Hashtags such as #OpIsrael, #FreePalestine, and #SupportIran dominated the campaigns, reflecting ideological alignment with pro-Palestinian and pro-Iranian narratives.
### Information Warfare and Psychological Tactics
Beyond technical attacks, hacktivist groups leveraged Telegram channels to amplify geopolitical messaging, reposting claims from allied collectives to project decentralized coordination. Content streams featured pro-Iranian and pro-Palestinian propaganda, including missile strike footage and graphic images of Iranian casualties, blurring the line between cyber operations and psychological warfare.
### Regional Spillover and Broader Implications
The conflict’s cyber dimension has extended beyond Israel and Iran, with Egypt, Jordan, Saudi Arabia, and the UAE facing collateral attacks. The U.S. had previously linked CyberAv3ngers (Mr. Soul), an IRGC-affiliated threat actor, to critical infrastructure attacks, underscoring the global reach of state-aligned hacktivism.
As hacktivist groups exploit geopolitical tensions to advance ideological agendas, the surge in ransomware, wipers, and banking malware signals a shift toward more disruptive and financially motivated tactics in the region’s cyber landscape.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for MEI ??
What was MEI's A.I Rankiteo Cyber Score in June 2026 ??
What was MEI's A.I Rankiteo Cyber Score in May 2026 ??
What was MEI's A.I Rankiteo Cyber Score in April 2026 ??
What was MEI's A.I Rankiteo Cyber Score in March 2026 ??
What was MEI's A.I Rankiteo Cyber Score in February 2026 ??
What was MEI's A.I Rankiteo Cyber Score in January 2026 ??
What was MEI's A.I Rankiteo Cyber Score in December 2025 ??
What was MEI's A.I Rankiteo Cyber Score in November 2025 ??
What was MEI's A.I Rankiteo Cyber Score in October 2025 ??
What was MEI's A.I Rankiteo Cyber Score in September 2025 ??
What was MEI's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on MEI's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with MEI ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view MEI's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?