New evidence shows that Iranian intelligence and military services are associated with cyber activities targeting Western countries through their network of contractor companies.
A series of multi-year leaks and doxxing efforts by anti-Iranian government hacktivists and dissident networks have exposed a complex network of entities associated with the Islamic Revolutionary Guard Corps (IRGC) involved in cyberattacks and information manipulation campaigns.
Cyber threat intelligence provider Recorded Future discussed some of the findings in a new report, released on January 25, 2024.
At least four intelligence and military organizations linked to the IRGC were found to collaborate with most of the cyber contracting parties. These include:
- IRGC Electronic Warfare and Cyber Defense Organization (IRGC-EWCD)
- IRGC Intelligence Organization (IRGC-IO)
- The IRGC Information Protection Organization (IRGC-IPO)
- The IRGC Foreign Operations Group, aka the Quds Force (IRGC-QF)
“Each organism is closely associated with specific advanced persistent threat (APT) groups; for example, in 2022, the Nemesis Kitten APT Cobalt Mirage, UNC2448, TunnelVision and Mint Sandstorm (formerly tracked as “DEV0270″) have been linked via personas to the IRGC-IO by the anti-government group Lab Dookhtegan,” explains the report. .
Leaks analyzed by Recorded Future show that these agencies have long-standing relationships with cyber entrepreneurs based in Iran. Public records also show an ever-growing network of shell companies connected through individuals known to serve various branches of the IRGC.

Some of these cyber operators involved in offensive cyber activities include “Ayandeh Sazan Sepehr Aria Company”, “Sabrin Kish”, “Soroush Saman Company” and other sanctioned entities like “Najee Technology Hooshmand Fater LLC” and “Emen Net Pasargad”, Recorded Future. reported.
However, researchers have noticed constant movement within the network of Iran-based cyber entrepreneurs, with companies frequently disbanding and renaming in an attempt to conceal their activities.
“We observed overlap between staff members, regularly referred to as “board members,” who share roles at different contracting companies. Some data reveals the names of senior IRGC officials allegedly responsible for directing and coordinating Iran’s offensive cyber ecosystem,” the Recorded Future researchers wrote.
Involved in manipulation campaigns in the 2020 US presidential election
Through their connections to these cybercontractors, the Iranian government agencies mentioned above are associated with, if not directly complicit in, the targeting of major U.S. financial institutions, industrial control systems (ICS) in the United States and around the world, and ransomware attacks against various industries, including healthcare providers like children’s hospitals.

They also combine information operations with cyber intrusions to foment instability in target countries. For example, some of these contractors were involved in targeting the 2020 US presidential election.
Finally, some of these contractors have been shown to export their technologies abroad, both for surveillance and offensive purposes.
Leaks show that cyber-offensive infrastructure linked to the IRGC has been used to deploy financially motivated attacks, for example.
Finally, based on these leaks, researchers at Recorded Future concluded that U.S. government sanctions are likely proving to be an effective legal and diplomatic tool, making it more difficult for cyber companies under the IRGC umbrella to evade detection.
“It is likely that these efforts also undermine the ability of entrepreneurs to openly recruit new and skilled labor,” the report reads.
Read more: Iranian threat group hits thousands with password spraying campaign