Iran
A dual-track intelligence structure split between the civilian Ministry of Intelligence (MOIS) and the parallel intelligence apparatus of the Islamic Revolutionary Guard Corps, with overlapping mandates and recurring institutional tension.
The Islamic Republic of Iran operates two parallel intelligence pillars under the authority of the Supreme Leader. The Ministry of Intelligence of the Islamic Republic of Iran (Vezarat-e Ettelaʿat va Amniyat-e Keshvar, MOIS — also known by the older acronym VEVAK), established in 1984, is the civilian intelligence ministry, formally accountable to the President and the Council of Ministers but, in practice, to the Office of the Supreme Leader through the Council for Coordination of Intelligence. The Intelligence Organisation of the Islamic Revolutionary Guard Corps (IRGC-IO), established as a service-level body in 2009 from earlier IRGC intelligence functions, is the parallel intelligence service of the Revolutionary Guards, which themselves are constitutionally separate from the regular Iranian Armed Forces.
The 1984 establishment of MOIS, the post-2009 elevation of the IRGC-IO from a directorate-level body to a service-level intelligence organisation — widely characterised by analysts as on a par with MOIS — following the disputed 2009 presidential election and Green Movement protests, and the 2010s expansion of IRGC influence in Iranian state security have produced a recurring institutional tension in the Iranian intelligence community — with cases on record of MOIS and IRGC-IO operating in the same operational space, occasionally with conflicting objectives. The Iranian intelligence services have been the principal subject of Western government attribution for assassination plots against dissidents abroad, support to non-state armed actors in the region, and sustained cyber operations.
IRGC IO cyber operations (IRGC-IO cyber)
The principal cyber-operational arm attributed to the Islamic Revolutionary Guard Corps Intelligence Organisation — Iran's military-intelligence service, distinct from the civilian Ministry of Intelligence. The cluster is tracked across the threat-intelligence industry under multiple vendor labels including Charming Kitten, APT35, and Mint Sandstorm. Operations include sustained targeting of Iranian dissidents abroad, United States and Israeli government and academic targets, and the 2019–2020 operations against United States presidential-campaign personnel.
IRGC Intelligence Organisation (IRGC-IO)
The intelligence organisation of Iran's Islamic Revolutionary Guard Corps, elevated to ministry-equivalent status in 2009 and operating in parallel — and at times in tension — with the civilian Ministry of Intelligence.
MOIS OilRig cluster (MOIS-OilRig)
The principal cyber-operational cluster attributed to Iran's Ministry of Intelligence and Security — the civilian-intelligence service, distinct from the parallel cyber capability of the IRGC Intelligence Organisation. Tracked across the threat-intelligence industry as APT34, OilRig, Helix Kitten, and Hazel Sandstorm. Operations focus on regional Gulf-state, Israeli, and Saudi-Arabian government and energy-sector targets; substantially weaker public attribution and indictment record than the parallel IRGC-IO cluster.
Ministry of Intelligence (MOIS (VEVAK))
Iran's principal civilian intelligence ministry, established in 1984 to consolidate the post-revolutionary intelligence functions previously handled by SAVAMA and revolutionary committees.
How to read a country page
This is the institutional landscape of Iran's intelligence apparatus as it is documented in the public record. Each card above links through to a full agency profile — the service's founding date, statutory basis, jurisdiction, parent ministry, headquarters, official channels, and a structured account of role, history, and notable operations footnoted to primary sources. The agencies on this page may overlap institutionally (a foreign-intelligence service and a signals-intelligence service often share missions and personnel) and may operate against one another in counter-intelligence terms; the country page does not impose a hierarchy among them, only an inventory.
If a particular operation or scandal is what you are looking for rather than the institutional background, see the Dossiers — long-form pieces that cross agencies and countries. The methodology page documents how operations are categorised as confirmed, alleged, or disputed, and what the public record can and cannot tell us. The Lexicon defines the terms that recur across these pages — HUMINT, SIGINT, covert action, plausible deniability, station, asset, finding.
Coverage here grows as new declassifications expand what can responsibly be said about services that remain partly closed. Some agencies have full reference entries; others are stub entries pending the full treatment. Stubs are kept on the index so navigation between related services is preserved while the detailed text is written.
