# Full Report
After more than 15 years of draconian measures, culminating in an ongoing internet shutdown, the Iranian regime seems to be staggering toward its digital surveillance endgame.
# Analysis Summary
# Threat Actor: Iranian Regime Intelligence/Security Apparatus
## Attribution & Identity
The primary entity is the **Iranian Regime**, specifically its security agencies and associated entities such as the **Islamic Revolutionary Guard Corps (IRGC)**. The article focuses on state-level, nationwide control mechanisms rather than clandestine hacking groups, attributing control over surveillance infrastructure directly to the state.
**Known Aliases and Associated Groups:**
* Islamic Revolutionary Guard Corps (IRGC)
* Entities involved in building and maintaining the National Information Network (NIN).
* State-affiliated hackers supporting surveillance measures.
## Activity Summary
The core activity described is the implementation and refinement of a vast, state-controlled digital surveillance ecosystem, culminating in recent extreme measures:
* **Recent Internet Shutdowns (Ongoing as of article date):** The regime initiated a complete shutdown of global internet connectivity, partially ongoing, following widespread anti-regime protests starting in January 2026.
* **Information Control Playbook:** Years of refinement (since 2019) aimed at limiting connectivity and influencing information flow; the intended model keeps the NIN running domestically while selectively cutting off the outside world.
* **Recent Operational Failure:** The January 2026 shutdown was unexpectedly crude, reportedly crippling the domestic National Information Network (NIN) itself for several days, which suggests panic rather than a refined execution of the existing playbook.
* **Mass Surveillance System Consolidation:** Systematically gathering data into a massive ecosystem to achieve "broad and precise monitoring of the population."
## Tactics, Techniques & Procedures
The TTPs described relate to infrastructure control, data access, and systemic suppression:
- **Infrastructure Control:** Asserting ownership or significant shareholding (IRGC) in almost all telecommunications systems to guarantee control over data processing and gathering.
- **Mandated Data Centralization:** Systematically consolidating data from various systems into a centralized surveillance ecosystem.
- **Legal and Regulatory Enforcement:** Utilizing Iranian laws and regulations to mandate surveillance capabilities across technical infrastructure.
- **Physical Surveillance Integration:** Integrating digital monitoring with physical systems like CCTV networks and facial-recognition systems.
- **Behavioral Profiling:** Employing systems to assess citizens’ lifestyle patterns and behavioral profiles.
- **Application Monitoring:** Using applications designed specifically to capture or log private user messages.
- **Connectivity Manipulation:** Employing **connectivity filtering**, **total blackouts**, and maintenance of a parallel national intranet (NIN) for controlled access.
- **Blunt Force Disruption:** Employing sudden, sweeping blackouts to eliminate digital activity that is otherwise surveilled (though this can backfire, as seen in January 2026).
- **MITRE ATT&CK IDs:** Not explicitly mentioned; the described activity maps only loosely to ATT&CK, broadly to the Collection tactic (e.g., T1560, Archive Collected Data) and, via infrastructure control, to Command and Control (e.g., T1105, Ingress Tool Transfer).
## Targeting
- **Sectors:** Not specific to corporate sectors; the primary target is the **general Iranian population** and **anti-regime protesters**.
- **Geography:** **Iran** (nationwide).
- **Victims:** Citizens utilizing telecommunication systems, individuals participating in protests, and data subjects whose communications are logged within the NIN.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly named, but the article references the use of "applications designed to capture or log private user messages."
- **Infrastructure (C2, domains, IPs):**
  * **National Information Network (NIN):** The state-controlled internal intranet serving as the primary surveillance backbone.
  * **Telecommunication Systems:** Telecom infrastructure controlled wholly or partially by the IRGC.
  * **Facial-Recognition Systems & CCTV Networks.**
## Implications
The Iranian regime is nearing the completion of a comprehensive, top-to-bottom digital surveillance and control mechanism. The goal is to achieve unprecedented mass monitoring capabilities, allowing the state to monitor nearly all domestic data flows, communications, and physical movements, ensuring long-term state control regardless of access to the global internet. The recent impulsive shutdown suggests instability or high organizational stress within the command structure controlling this infrastructure.
## Mitigations
The article offers no direct mitigations; the points below are framed around the regime's *objectives*, for external actors and for people inside the country:
- **External Organizations/Researchers:** Monitor the stability and refinement of the National Information Network (NIN) (projectainita, Holistic Resilience).
- **Defense Strategy (Implied):** Since the actor controls all domestic infrastructure, defenses must avoid relying on domestic Iranian providers to host data or carry communications, though this is extremely difficult for citizens operating within the country.
- **General Security Practice (Inferred):** Because state-level laws and infrastructure mandate deep surveillance, all communications within the country should be presumed compromised by the security agencies.