Full Report
Iran has throttled internet access in the country in a purported attempt to hamper Israel's ability to conduct covert cyber operations, days after the latter launched an unprecedented attack on the country, escalating geopolitical tensions in the region. Fatemeh Mohajerani, the spokesperson of the Iranian Government, and the Iranian Cyber Police, FATA, said the internet slowdown was designed to
Analysis Summary
Since the provided article describes **governmental defensive actions (a national internet slowdown) taken in response to perceived attacks** rather than a specific, contained enterprise security incident, the report structure below is adapted to that geopolitical cyber-conflict context.
# Incident Report: Defensive Internet Throttling by Iran Amid Escalating Cyber Conflict
## Executive Summary
In response to escalating regional conflict and alleged cyber operations by Israel, the Iranian government implemented a deliberate, temporary slowdown of national internet connectivity. This defensive measure was announced by government spokespersons, aimed at maintaining system stability and thwarting potential covert cyber attacks. The action occurred amidst observed retaliatory cyber activity impacting Iranian financial infrastructure by hacktivist groups.
## Incident Details
- Discovery Date: June 18, 2025 (Date of public reporting on the slowdown)
- Incident Date: Slowdown began around 5:30 p.m. local time, within the June 17/18, 2025 window.
- Affected Organization: The national internet infrastructure of Iran.
- Sector: National/Governmental infrastructure, Communications.
- Geography: Iran.
## Timeline of Events
### Initial Access (Attacks against Iran)
- Date/Time: Preceding the slowdown (since Friday, days before June 18).
- Vector: Cyber attack operations attributed to Israeli state actors and pro-Israeli hacktivists.
- Details: Israel and Iran traded missile strikes, which spilled over into cyberspace. Pro-Israeli group Predatory Sparrow claimed responsibility for attacking Bank Sepah, crippling its website and ATMs.
### Lateral Movement (Attacks against Iran)
- Specific details on internal lateral movement related to the Israeli attacks are not provided. Separately, state-affiliated actors (Mysterious Team Bangladesh, Arabian Ghost) demonstrated offensive capability by issuing warnings to neighboring countries and claiming to have shut down Israeli radio stations.
### Data Exfiltration/Impact (Attacks against Iran)
- Impact: Denial of service and disruption to Bank Sepah services, including websites and ATMs.
### Detection & Response (Iranian Defensive Action)
- How it was discovered: Iranian government officials (Fatemeh Mohajerani, FATA) publicly acknowledged the action and provided justification. NetBlocks observed a significant reduction in traffic.
- Response actions taken: Implementation of a "temporary, targeted, and controlled" throttling of national internet access.
## Attack Methodology (Observed on the Iranian side)
*Note: This section details the attacks against Iran, since Iran's own action was defensive.*
- Initial Access: Cyber operations attributed to foreign state actors and hacktivist groups (e.g., Predatory Sparrow).
- Persistence: Not explicitly detailed for the adversary campaigns.
- Privilege Escalation: Not explicitly detailed for the adversary campaigns.
- Defense Evasion: Not explicitly detailed.
- Credential Access: Not explicitly detailed.
- Discovery: Not explicitly detailed.
- Lateral Movement: Not explicitly detailed; the only reported compromise is that of Bank Sepah.
- Collection: Not explicitly detailed.
- Exfiltration: Not explicitly detailed.
- Impact: Infrastructure disruption (Bank Sepah website/ATMs) and warning campaigns targeting regional neighbors.
## Impact Assessment
- Financial: Disruption to customers and operations of Bank Sepah. Potential economic impact from national internet slowdown.
- Data Breach: No specific data breach volume reported, but an attack targeting a financial institution occurred.
- Operational: Temporary disruption to national internet stability (by design, but impacting general users). Operational disruption reported at Bank Sepah.
- Reputational: Heightened regional geopolitical tension amplified via cyber engagements.
## Indicators of Compromise
- Network indicators (defanged): N/A (reporting focused on national traffic patterns, not specific malicious IPs).
- File indicators: N/A
- Behavioral indicators: Significant, country-wide reduction in internet traffic observed at approximately 5:30 p.m. local time on June 17/18, 2025 (NetBlocks data).
## Response Actions (By Iran)
- Containment measures: Nationwide throttling of internet traffic to reduce the externally reachable attack surface.
- Eradication steps: N/A (Focus was preventative defensive throttling).
- Recovery actions: The slowdown was described as temporary and controlled, implying a return to normal service once perceived threat levels decreased.
## Lessons Learned
- Geopolitical military conflict rapidly escalates into state-level and hacktivist-driven cyber conflict.
- Critical infrastructure, such as state-affiliated banks (Bank Sepah), is a primary target for retaliatory cyber actions.
- Governments are willing to implement national-level control over connectivity as a direct, drastic defensive measure against perceived foreign cyber aggression.
## Recommendations
- Develop and pre-approve national communication continuity plans that account for the potential need to degrade or shut down internet access rapidly under duress.
- Enhance monitoring and segmentation around critical financial institutions (e.g., Bank Sepah) to isolate and mitigate immediate DoS/disruption attacks originating from external actors.
- Increase diplomatic and digital intelligence sharing regarding escalating cyber threats from state-sponsored and hacktivist groups operating in the region.