Iranian State-Linked Actors (IRGC/MOIS)
Iran — Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence and Security (MOIS)
Mission Type
Destructive signalling, political coercion, regional espionage, retaliatory operations
Primary Sectors
Operational Period
2012 – present
Attributed Cases
2
TTP Pattern Summary
Iranian actors deploy wiper malware for strategic signalling (Shamoon, Albania attacks), use hacktivist fronts for deniability, and conduct espionage through custom RATs. Operations frequently gain initial access through public-facing web applications, followed by data destruction or exfiltration. Recent campaigns show improved operational security and diversification of tooling.
Behavioural Signature
Iranian operations are characteristically retaliatory and politically motivated — responding to perceived threats or grievances through destructive cyber demonstrations. The use of hacktivist fronts (Cutting Sword of Justice, Homeland Justice) provides deniability while ensuring the coercive message is received. Target selection reflects geopolitical relationships: Gulf states, Israel, and states hosting Iranian opposition groups.
Governance Footprint
Albania's diplomatic severance following the 2022 attack was the first rupture of diplomatic relations over a cyber operation. US sanctions were imposed on MOIS and affiliated entities. Iranian operations have been central to debates on cyber deterrence and the effectiveness of diplomatic consequences for state-sponsored destructive operations.