It’s unclear what is causing a “near-total” internet blackout in Iran.
# Incident Report: Near-Total National Internet Blackout in Iran
## Executive Summary
On Wednesday, June 18, 2025, Iran experienced a near-total national internet blackout, with connectivity dropping by approximately 97%. This event occurred amidst escalating military conflict between Iran and Israel, following reports of significant cyberattacks against Iranian financial entities. The cause of the severe internet degradation remains officially unclear, though it coincided with Iranian officials reportedly restricting internet access.
## Incident Details
- **Discovery Date:** June 18, 2025 (Wednesday)
- **Incident Date:** Commencing sometime before June 18, 2025, rapidly escalating on that day.
- **Affected Organization:** National internet infrastructure of Iran.
- **Sector:** Telecommunications/Critical Infrastructure.
- **Geography:** Iran.
## Timeline of Events
### Initial Access
The article does not detail a specific initial access point for the *cause* of the national blackout, but notes preceding events:
- **Date/Time:** Preceding days/weeks (leading up to June 18, 2025).
- **Vector:** Alleged cyberattacks on local targets (bank, crypto exchange).
- **Details:** An alleged "massive cyber war" was claimed by Iranian news sources, following hacks against a major Iranian bank and the largest Iranian crypto exchange.
### Lateral Movement
Not applicable/Not detailed. The event describes a national infrastructure failure or intentional shutdown rather than internal network compromise.
### Data Exfiltration/Impact
- **Impact:** Near-total collapse of national internet connectivity, measured at ~97% below normal levels by Cloudflare data.
- **Scope:** National level.
### Detection & Response
- **Detection:** Detected by global web monitoring firms (NetBlocks, IODA) showing sudden collapse in connectivity. Cloudflare confirmed traffic drops.
- **Response actions taken:** Iranian officials reportedly began restricting access to the country's internet following preceding cyber incidents.
## Attack Methodology
### Initial Access
Caused by service degradation or purposeful throttling/shutdown of national infrastructure—the specific method remains unclear.
### Persistence
Not applicable, as this appears to be an event impacting national gateways or core infrastructure rather than persistent malware presence on specific endpoints.
### Privilege Escalation
Not applicable.
### Defense Evasion
Not applicable.
### Credential Access
Not applicable to the core incident, though preceding cyberattacks against the bank and exchange likely involved credential access.
### Discovery
Not applicable.
### Lateral Movement
Not applicable.
### Collection
Not applicable to the core incident, though preceding cyber incidents involved data theft/destruction from financial entities.
### Exfiltration
Not applicable to the core incident.
### Impact
Widespread loss of national internet connectivity.
## Impact Assessment
- **Financial:** Not quantified, but likely significant due to national disruption and preceding high-value theft from financial entities.
- **Data Breach:** Specific data breach details related to the *blackout* are unknown. Preceding incidents involved theft/destruction from a bank and crypto exchange.
- **Operational:** Near-total disruption of national internet services.
- **Reputational:** High international scrutiny due to the timing amidst military conflict.
## Indicators of Compromise
*This incident appears infrastructural/state-level; specific IOCs for endpoints were not reported in the provided context.*
- **Network indicators (Defanged):** Massive reduction (approx. 97%) in national BGP/traffic volume originating from Iran, as measured by NetBlocks and Cloudflare Radar.
- **File indicators:** None reported directly related to the internet shutdown.
- **Behavioral indicators:** Sudden, synchronized collapse of connectivity across multiple international monitoring points.
## Response Actions
- **Containment measures:** Reports suggest Iranian officials began **restricting access** to the internet, which could be interpreted as an attempt at state-level control or containment of external threats.
- **Eradication steps:** Not reported.
- **Recovery actions:** Not reported at the time of the article.
## Lessons Learned
- National infrastructure is highly vulnerable to large-scale connectivity disruptions, whether through external attack or internal directive.
- Reliance on international monitoring firms (Cloudflare, NetBlocks) is crucial for independent verification of national infrastructure status during geopolitical crises.
- Preceding localized cyberattacks may serve as precursors or justification for wider infrastructure interference.
## Recommendations
- Implement robust, diversified national internet routing and failover capabilities to mitigate single points of failure.
- Develop contingency plans for communication outside of standard internet channels during periods of potential state-controlled throttling or external attack.
- Enhance monitoring and defense capabilities specifically targeting critical national infrastructure (CNI) components against sophisticated, state-sponsored cyber warfare tactics.