The government cited the recent hacks on Bank Sepah and the cryptocurrency exchange Nobitex as reasons to shut down internet access for virtually all Iranians.
# Incident Report: Near-Total National Internet Shutdown in Iran
## Executive Summary
In response to escalating cyberattacks from adversaries, the Iranian government implemented a near-total national internet blackout, severely restricting global connectivity. The government cited protection of critical infrastructure, including banking systems and military drone operations, as the primary motivation. This incident highlights the use of cyber operations as a significant component of geopolitical conflict.
## Incident Details
- **Discovery Date:** Earlier in the week, when web monitoring firms observed a "near-total national internet blackout," shortly before the government confirmed it.
- **Incident Date:** On or around June 18-20, 2025 (based on article publication date).
- **Affected Organization:** The entire nation of Iran (national infrastructure).
- **Sector:** Government, Critical Infrastructure (Banking, Telecommunications).
- **Geography:** Iran.
## Timeline of Events
### Initial Access
- **Date/Time:** Not specifically detailed, but occurred prior to the shutdown announcement.
- **Vector:** Cyberattacks targeting critical infrastructure, specifically **Bank Sepah** and **Nobitex** (a cryptocurrency exchange), attributed to the group **Predatory Sparrow** (Gonjeshke Darande).
### Lateral Movement
- *Lateral movement within the victim systems (the bank and the exchange) is not detailed; the intrusions are known only by their disruptive impact.*
### Data Exfiltration/Impact
- **Details:** Attacks resulted in hacks on Bank Sepah and the theft/destruction of millions from the Nobitex cryptocurrency exchange. The government also cited concerns over adversaries managing and controlling drones via the internet.
### Detection & Response
- **How it was discovered:** The collapse of internet service was first noted by web monitoring firms, followed by official confirmation from the government spokesperson, Fatemeh Mohajerani.
- **Response actions taken:** The government proactively ordered a **restriction of global internet access** and threatened to switch to a national intranet ("national internet") as a defensive measure against perceived ongoing cyberattacks.
## Attack Methodology
- **Initial Access:** Exploitation targeting specific high-value Iranian organizations (bank, crypto exchange).
- **Persistence:** N/A (Incident focuses on pre-emptive defensive response, not attacker persistence mechanisms within the network).
- **Privilege Escalation:** N/A (Not detailed, though implied for successful bank/exchange disruption).
- **Defense Evasion:** N/A (Not detailed).
- **Credential Access:** N/A (Not detailed).
- **Discovery:** N/A (Not detailed).
- **Lateral Movement:** N/A (Not detailed).
- **Collection:** Theft and destruction of assets reported at the cryptocurrency exchange.
- **Exfiltration:** Not explicitly stated, but financial theft occurred.
- **Impact:** Disruption of critical national infrastructure (banking, financial systems) and denial of global internet access to the population.
## Impact Assessment
- **Financial:** Millions stolen/destroyed from the Nobitex cryptocurrency exchange. Disruption likely impacted banking operations.
- **Data Breach:** Specific data compromised is not elaborated, though financial data and internal systems were targeted.
- **Operational:** Severe operational limitations for the public due to the *near-total national internet blackout*, limiting internal and external communication and information access regarding the ongoing regional war.
- **Reputational:** Significant visibility globally due to the dramatic scale of the communication shutdown.
## Indicators of Compromise
- **Network Indicators:** None provided (the response was a nationwide shutdown by the government, not a forensic investigation of an intrusion).
- **File Indicators:** None provided.
- **Behavioral Indicators:** Disruptive hacking activity targeting financial institutions, attributed to the **Predatory Sparrow** group.
## Response Actions
- **Containment measures:** Implementation of national internet restrictions/partial shutdown to mitigate further cyber threats to critical infrastructure (e.g., drone control systems, banking).
- **Eradication steps:** N/A (Focus was on defensive network isolation, not clearing specific malware).
- **Recovery actions:** N/A (The article focuses on the *imposition* of the security control, not the subsequent restoration of services).
## Lessons Learned
- Geopolitical conflict now actively involves state and non-state cyber actors targeting critical national infrastructure (financial systems and military support systems).
- Governments are willing to impose extreme measures, including national internet shutdowns, to protect critical infrastructure during heightened security threats.
- Cryptocurrency exchanges are a significant target for politically motivated hacking groups.
## Recommendations
- Enhance real-time threat intelligence sharing between critical infrastructure operators (banking, telecommunications).
- Develop and test robust, hardened national intranet options to ensure continuity of essential government/military functions if the global internet is severed.
- Immediately review and strengthen the security posture of financial transaction systems against organized non-state actors.