
Threat Actor Characterization

ALTOUFAN TEAM

ID: 93659cff231652cdbbe776794b143742
Hacktivist Group / Defacement Crew
Threat types: Defacement
Bahrain BHR, ISR, ARE, USA
Updated: 2026-04-02
Created: 2025-10-25
Operation zone: Bahrain, Israel, United Arab Emirates, United States
Aliases (2 of 8 shown in free preview): Al Toufan, Al-Toufan
MITRE ATT&CK®

ALTOUFAN TEAM (Al-Toufan, "The Flood") is a politically motivated hacktivist group with anti-Zionist, anti-monarchy, and pro-14-February movement sentiments. The group has conducted defacements, DDoS attacks, credential-enabled intrusions, and data manipulation campaigns against Bahraini and Israeli targets, and more recently claims a data breach against the US Navy’s Fifth Fleet in Bahrain. Public reporting highlights use of stolen credentials (likely from info-stealer logs) to access Bahrain’s Social Insurance Organization (SIO) portal and modify pension records, widespread defacement/DDoS activity against government and financial sites, and hack-and-leak style operations promoted via X and Telegram. Ref: Malpedia, Cyble, Al Mayadeen, Cyber Shafarat, Associated Press/SecurityWeek.


Techniques (with tactics) and evidence:
T1078 Valid Accounts (Tactics: TA0001, TA0003, TA0004, TA0005)
  • 2023-02-14 — Valid Accounts – ALTOUFAN TEAM used valid employer-portal credentials to log into Bahrain’s Social Insurance Organization (SIO) web portal and modify pension records; Cyble’s analysis notes that the group’s proof-of-compromise video shows interactive login to the SIO employer portal using already-compromised credentials rather than exploiting a software vulnerability. · ref
T1565.001 Stored Data Manipulation (Tactics: TA0040)
  • 2023-02-14 — Data Manipulation: Stored Data – During the SIO incident, ALTOUFAN TEAM announced and then demonstrated changes to stored pension wage values for thousands of Bahraini citizens, including attempts to increase base pay and edits that triggered business-rule validation errors in the portal, indicating direct manipulation of records at the data layer via the application. · ref
  • 2023-04-28 — Data Manipulation: Stored Data – Follow-on reporting described ALTOUFAN’s tampering with pension wages of Bahrainis in the SIO system as a politically framed operation to alter social-insurance data at scale, reinforcing a pattern of deliberate modification of stored financial/registry data. · ref
T1491.002 External Defacement (Tactics: TA0040)
  • 2023-02-13 — Defacement: External-Facing Website – ALTOUFAN TEAM defaced the Bahraini news site Akhbar Al Khaleej, replacing headlines and imagery with opposition messaging and political iconography; Cyble documents the changed landing page and hostile content placement as part of the February 2023 campaign. · ref
  • 2023-02-13 — Defacement: External-Facing Website – Cyber Shafarat/Treadstone 71 report that ALTOUFAN TEAM took control of the Israeli website Rotter.net and changed its interface, framing the operation as a cross-border action linked to opposition to normalization with Israel. · ref
T1498.001 Direct Network Flood (Tactics: TA0040)
  • 2023-02-14 — Network Denial of Service: Direct Network Flood – ALTOUFAN TEAM conducted DDoS attacks against Bahrain International Airport, Bahrain News Agency, Bahrain Chamber of Commerce, and NAFEX, causing 504/404 errors and prolonged unavailability of sites; Cyble’s table of February 13–14 attacks and contemporary news reporting both characterize these as denial-of-service events. · ref
  • 2023-02-14 — Network Denial of Service: Direct Network Flood – Associated Press/SecurityWeek reporting attributes disruption of Bahrain’s international airport website and state news agency to a group calling itself Al-Toufan, describing outages lasting at least half an hour and referencing posted images of 504 Gateway Timeout errors. · ref
T1567.002 Exfiltration to Cloud Storage (Tactics: TA0010)
  • 2024-02-12 — Exfiltration Over Web Service: Exfiltration to Cloud Storage/Online Services – INFERENCE (confidence: medium): In its claimed breach of the US Navy’s Fifth Fleet in Bahrain, ALTOUFAN TEAM states it accessed confidential documents and then selectively released a subset via social platforms (X and others) while asserting that “what we have is greater”; this pattern is consistent with exfiltration of documents to attacker-controlled repositories before staged disclosure. · ref
T1555.003 Credentials from Web Browsers (Tactics: TA0006)
  • 2023-02-16 — Credentials from Password Stores: Credentials from Web Browsers – INFERENCE (confidence: medium): Cyble’s investigation of the SIO incident concludes that ALTOUFAN’s access was likely enabled by info-stealer malware logs containing saved browser credentials to the SIO employer portal, rather than a direct server exploit; the presence of more than 700 compromised SIO portal credentials on a stealer-log marketplace supports this assessment. · ref
T1585.001 Social Media Accounts (Tactics: TA0042)
  • 2022-11-01 — Establish Accounts: Social Media Accounts – Malpedia and multiple OSINT sources describe ALTOUFAN maintaining branded presences on X (Twitter), Telegram, Instagram, and YouTube, where the group posts operation claims, videos of intrusions, polls on desired attack effects, and propaganda content to amplify impact. · ref
  • 2023-02-16 — Establish Accounts: Social Media Accounts – Cyble notes that ALTOUFAN coordinated its February 2023 campaign via Telegram and Twitter (including a Twitter poll selecting SIO as a target and subsequent proof-of-compromise videos), illustrating systematic use of social media accounts as operational infrastructure. · ref
Strategic Intelligence
Last updated: 2026-01-20T18:23:20+00:00

ALTOUFAN TEAM — Preliminary Intelligence

Classification: TLP:WHITE

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — ALTOUFAN TEAM (Al-Toufan / “Flood” Team)
Hunting Playbook

Hunt 1 — Stealer-log credential abuse against business/benefits portals

Goal: Detect use of compromised credentials (from info-stealer logs) against production portals (pensions, HR, benefits, citizen/self-service).
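An added detection example for this hunt (written here as illustration; it is not the platform's own playbook content, which is behind the paywall): it runs over a few constructed portal audit-log lines in a hypothetical pipe-delimited format and flags the two patterns the ATT&CK evidence above describes, a successful login from a source the account has never used followed by record edits (including edits the portal rejected with validation errors), and a single source IP authenticating many distinct accounts in a short window, which is what mass reuse of stealer-log credentials tends to look like. The baseline sources, account names, IP addresses and log format are all assumptions.

```python
"""Hunt 1 (added example): flag stealer-log style credential abuse in portal logs.

All data below is constructed for illustration; the log format, account
names, IPs and baseline are assumptions, not real SIO data.
Two signals are checked:
  1. LOGIN_OK from a source the account has never used, followed within a
     window by UPDATE_* events from the same account and source.
  2. One source IP authenticating >= threshold distinct accounts in a window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: sources each employer account normally logs in from.
KNOWN_SOURCES = {
    "emp-1001": {"203.0.113.10"},
    "emp-1002": {"203.0.113.11"},
    "emp-1003": {"203.0.113.12"},
}

# Constructed portal audit-log lines (hypothetical format): ts|event|account|src_ip|detail
SAMPLE_LOG = """\
2023-02-14T09:00:00|LOGIN_OK|emp-1001|203.0.113.10|
2023-02-14T09:05:00|UPDATE_OK|emp-1001|203.0.113.10|wage=1200
2023-02-14T10:00:00|LOGIN_OK|emp-1002|198.51.100.7|
2023-02-14T10:01:00|UPDATE_REJECTED|emp-1002|198.51.100.7|wage exceeds ceiling
2023-02-14T10:01:30|UPDATE_OK|emp-1002|198.51.100.7|wage=9000
2023-02-14T10:02:00|LOGIN_OK|emp-1003|198.51.100.7|
2023-02-14T10:03:00|LOGIN_OK|emp-1004|198.51.100.7|
2023-02-14T10:04:00|LOGIN_OK|emp-1005|198.51.100.7|
"""


def parse_log(text):
    """Parse the hypothetical 'ts|event|account|src_ip|detail' lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account, src_ip, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "account": account, "src_ip": src_ip, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def hunt_new_source_then_edit(events, known_sources, window=timedelta(minutes=15)):
    """Signal 1: login from an unseen source, then record edits within the window."""
    findings = []
    for i, login in enumerate(events):
        if login["event"] != "LOGIN_OK":
            continue
        if login["src_ip"] in known_sources.get(login["account"], set()):
            continue  # source is part of this account's baseline
        deadline = login["ts"] + window
        edits = [e for e in events[i + 1:]
                 if e["ts"] <= deadline
                 and e["account"] == login["account"]
                 and e["src_ip"] == login["src_ip"]
                 and e["event"].startswith("UPDATE_")]
        if edits:
            findings.append({
                "account": login["account"],
                "src_ip": login["src_ip"],
                "login_ts": login["ts"].isoformat(),
                "updates": len(edits),
                # rejected edits matter: the SIO case showed business-rule errors
                "rejected": sum(1 for e in edits if e["event"] == "UPDATE_REJECTED"),
            })
    return findings


def hunt_shared_source(events, threshold=3, window=timedelta(minutes=10)):
    """Signal 2: one source IP logging into >= threshold distinct accounts in the window."""
    logins = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_OK":
            logins[e["src_ip"]].append(e)
    findings = []
    for ip, evs in logins.items():
        for start in evs:  # slide the window from each login on this IP
            deadline = start["ts"] + window
            accounts = {e["account"] for e in evs if start["ts"] <= e["ts"] <= deadline}
            if len(accounts) >= threshold:
                findings.append({"src_ip": ip, "accounts": sorted(accounts)})
                break  # one finding per IP is enough
    return findings


def run_hunt(text=SAMPLE_LOG, known_sources=KNOWN_SOURCES):
    """Run both signals over a log text and return the findings."""
    events = parse_log(text)
    return {"new_source_then_edit": hunt_new_source_then_edit(events, known_sources),
            "shared_source": hunt_shared_source(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_hunt(), indent=2))
```

On the constructed sample, signal 1 fires once (emp-1002: two edits from an unseen source, one of them rejected) and signal 2 fires once (198.51.100.7 authenticating four accounts within ten minutes). In production the baseline would come from a per-account history of source IP or ASN rather than a hard-coded dict, and the window and threshold should be tuned against the portal's normal traffic so shared corporate egress addresses do not trip signal 2.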

IOC Appendix
Last updated: 2026-01-20T00:48:38+00:00

IOC Appendix — ALTOUFAN TEAM (TLP:WHITE)

1.1 Primary actor handle

OSINT Library
Last saved: 2026-01-20T00:50:00+00:00

OSINT Library — ALTOUFAN TEAM


2023-04-28 — The Cyber Express — “AlToufan Group Tampers with Pension Wages of Bahrainis”

Social Media & Communication

Social media presences (handles masked in the preview):
  • twitter.com/alt*********
  • x.com/alt*********
  • t.me/ALT*********
  • www.instagram.com/alt********
  • www.instagram.com/alt**********
Reference Images/Associated Evidence (3 images)

  • Propaganda. Altoufan team have hacked the parliament website. November 10, 2022
  • Propaganda. Altoufan team have hacked the parliament website. November 10, 2022
  • Propaganda