Iran’s Intelligence and Military Services Linked to Cyber-Attacks
A recent report by cyber threat intelligence provider Recorded Future has revealed new evidence that Iran’s intelligence and military services are associated with cyber activities targeting Western countries through their network of contracting companies. The report, published on January 25, 2024, sheds light on a web of entities connected to the Islamic Revolutionary Guard Corps (IRGC) involved in cyber-attacks and information manipulation campaigns.
According to Recorded Future, at least four intelligence and military organizations linked to the IRGC work primarily through a network of cyber contractors. These organizations are the IRGC’s Electronic Warfare and Cyber Defense Organization (IRGC-EWCD), the IRGC’s Intelligence Organization (IRGC-IO), the IRGC’s Intelligence Protection Organization (IRGC-IPO), and the IRGC’s foreign operations group, better known as the Quds Force (IRGC-QF).
The report also details specific advanced persistent threat (APT) groups closely associated with these bodies. In 2022, the APT group tracked as Nemesis Kitten, and by other vendors under the overlapping names Cobalt Mirage, UNC2448, TunnelVision, and Mint Sandstorm, was linked to the IRGC-IO by the anti-government group Lab Dookhtegan. Public records also indicate an ever-growing web of front companies connected through individuals known to serve various branches of the IRGC.
Recorded Future analyzed leaks that show the long-standing relationship between these agencies and Iran-based cyber contractors. Contractors named as involved in offensive cyber activities include “Ayandeh Sazan Sepehr Aria Company,” “Sabrin Kish,” and “Soroush Saman Company,” as well as sanctioned entities such as “Najee Technology Hooshmand Fater LLC” and “Emen Net Pasargad.”
However, researchers have observed constant movement within this web of Iran-based cyber contractors, with companies frequently disbanding and rebranding in an attempt to obscure their activities. There is also overlap in personnel between these contracting companies: the same individuals hold roles at several of them and are known to serve various branches of the IRGC. Some of the leaked data names high-ranking IRGC officials purportedly responsible for leading and coordinating Iran’s offensive cyber ecosystem.
Through their links with these cyber contractors, the Iranian government agencies are associated with, if not directly complicit in, targeting major US financial institutions, industrial control systems (ICS) in the US and around the world, and ransomware attacks against various industries, including healthcare providers such as children’s hospitals. They also combine information operations with cyber intrusions to foment instability in target countries, as evidenced by their involvement in targeting the 2020 US presidential election.
The leaks also show that IRGC-related offensive cyber infrastructure has been used to carry out financially motivated attacks. Additionally, Iranian contractors export their technologies abroad, for both surveillance and offensive purposes. At the same time, the report concludes that US government sanctions are proving to be an effective legal and diplomatic tool: they make it harder for cyber companies under the IRGC umbrella to evade detection and hamper their ability to openly recruit skilled labor.
This revelation further emphasizes the ongoing threat posed by Iran’s intelligence and military services, highlighting their involvement in cyber activities targeting Western countries. The information provided by Recorded Future underlines the need for increased vigilance and action to counter these malicious cyber activities associated with the Islamic Revolutionary Guard Corps.