IRGC IO cyber operations

IRGC-IO cyber

The principal cyber-operational arm attributed to the Islamic Revolutionary Guard Corps Intelligence Organisation — Iran's military-intelligence service, distinct from the civilian Ministry of Intelligence. The cluster is tracked across the threat-intelligence industry under multiple vendor labels including Charming Kitten, APT35, and Mint Sandstorm. Operations include sustained targeting of Iranian dissidents abroad, United States and Israeli government and academic targets, and the 2019–2020 operations against United States presidential-campaign personnel.


Overview

The IRGC Intelligence Organisation cyber-operational capability is the principal publicly-attested cyber-operational arm of the Islamic Revolutionary Guard Corps Intelligence Organisation — the military-intelligence service of the Islamic Revolutionary Guard Corps, distinct from and operationally parallel to the civilian-intelligence cyber capability of the Ministry of Intelligence (tracked as OilRig / APT34 in this bestiary).[1]

The cluster is tracked across the threat-intelligence industry under a substantial alias-set: Charming Kitten (CrowdStrike), APT35 (Mandiant), Phosphorus and then Mint Sandstorm (Microsoft), Newscaster (iSIGHT Partners), Magic Hound (Palo Alto Unit 42), NewsBeef (Kaspersky Lab), TA453 (Proofpoint), and Cobalt Illusion (Secureworks). The proliferation reflects the cluster's substantial operational tempo and its accumulating cross-vendor visibility across the post-2014 period. See APT designation for the naming-conventions context.[2]

History & Origins

The publicly-attested operational footprint begins approximately 2011 with what Kaspersky Lab subsequently characterised as the cluster's first sustained targeting campaign against Iranian-dissident communities in Western jurisdictions. The institutional attribution to the IRGC Intelligence Organisation specifically (rather than to the broader Iranian state) rests on the United States Department of Justice indictments of 2018 and 2020, on the Federal Bureau of Investigation Most Wanted Cyber criminals roster entries, and on the supporting threat-intelligence-industry technical analyses.[3]

The IRGC's institutional investment in cyber capability accelerated substantially after the 2010 Stuxnet attack against the Iranian Natanz uranium-enrichment facility, in what is widely characterised in subsequent analysis as a doctrinal response to the demonstrated asymmetric vulnerability of Iranian state infrastructure to Western cyber operations. The IRGC IO cyber capability has remained operationally active across the period and shows substantial tooling and tradecraft evolution.[4]

Operational footprint (documented)

**2011–2016 Iranian-dissident targeting.** Sustained social-engineering and credential-theft operations against Iranian-dissident communities in Europe, North America, and the United Kingdom. The operational pattern centres on substantial pre-operation reconnaissance of target communities followed by elaborate social-engineering — typically impersonating journalists, academics, conference organisers, or family members to establish trust, then directing the target to spearphishing infrastructure designed to capture account credentials. Documented in successive reports by Citizen Lab at the University of Toronto Munk School of Global Affairs and by Amnesty International.[5]

**2016 Newscaster / NewsBeef campaign.** A multi-year social-engineering campaign in which the operators impersonated journalists and operated false journalistic-organisation infrastructure (the "NewsOnAir" persona-network) to target United States government, defence-industrial, and academic targets. The operation is the foundational documented case for the cluster's social-engineering tradecraft and was the first major Western secondary-literature reconstruction of the IRGC-attributed cyber-operational profile.[6]

**2018–2020 United States and United Kingdom targeting.** The United States Department of Justice indictment of 23 March 2018 named nine Iranian nationals — Gholamreza Rafatnejad, Ehsan Mohammadi, Abdollah Karima, Mostafa Sadeghi, Seyed Ali Mirkarimi, Mohammed Reza Sabahi, Roozbeh Sabahi, Abuzar Gohari Moqadam, and Sajjad Tahmasebi — in connection with sustained intrusions of approximately 320 universities (including 144 United States universities and 176 universities in 21 other countries), 47 corporations, the United States Department of Labor, the Federal Energy Regulatory Commission, the United Nations and the United Nations Children's Fund, and Western academic-research repositories. The institutional affiliation specified in the indictment is the Mabna Institute, an Iranian contractor working at the direction of the IRGC.[7]

**2019–2020 operations against United States presidential-campaign personnel.** In October 2019 Microsoft publicly disclosed that the Phosphorus (later Mint Sandstorm) cluster had conducted approximately 2,700 reconnaissance operations against the personal email accounts of United States political-campaign personnel, government officials, and journalists across August–September 2019, with successful compromise of approximately four accounts. Microsoft's public attribution to the Iranian Government was the first major real-time corporate attribution of the IRGC IO cluster to an active electoral-targeting operation. The June 2020 attempted compromise of the Trump 2020 presidential-campaign personnel was attributed to the same cluster by Google's Threat Analysis Group.[8]

**Sustained Israeli, Saudi, and Gulf-state targeting.** Across the post-2014 period the cluster has conducted sustained collection against Israeli government, defence-industrial, and academic targets; against the Saudi Arabian and Gulf-state diplomatic and energy-sector institutions; and against international observers and human-rights organisations monitoring Iranian human-rights and sanctions-compliance questions. The targeting pattern reflects the broader IRGC strategic-collection requirements documented in successive United States State Department and Israel National Security Council public assessments.[9]

**Recent operations 2022–2024.** Sustained operations against Israeli government and critical-infrastructure targets during the post-October-2023 Gaza-conflict period, including the December 2023 Lord Nemesis attack against Israeli water-and-wastewater infrastructure; against United States and European energy-sector targets following the United States re-imposition of secondary sanctions on Iranian oil-export infrastructure; and against the United States 2024 presidential-campaign personnel — with the September 2024 United States Department of Justice indictment of three IRGC-affiliated operators in connection with operations against Trump-campaign personnel.[10]

Attribution

The United States Department of Justice indictments — March 2018 (nine defendants associated with the Mabna Institute), September 2020 (additional defendants), November 2021 (the DOJ indictment of two Iranian nationals for election-interference-related operations), and September 2024 (the Trump-campaign indictment) — collectively constitute the foundational public-record attribution of the IRGC IO cluster. The institutional affiliation specified across the indictments is variously "the Islamic Revolutionary Guard Corps," "the IRGC Intelligence Organisation," or contractor entities (Mabna Institute, Emennet Pasargad) working under IRGC direction.[11]

The Federal Bureau of Investigation has added approximately 14 named IRGC-affiliated operators to its Most Wanted Cyber criminals list across the 2018–2024 period. The United States Department of Treasury has imposed targeted sanctions on the IRGC IO cyber leadership and on multiple contractor entities — Mabna Institute (March 2018), Emennet Pasargad (October 2021), and the IRGC IO Director (multiple designations). The institutional standing of the IRGC IO cyber capability as a publicly-named threat actor across the United States, United Kingdom, and Israeli attribution architecture is settled.[12]

Sources & Further Reading

  1. Insikt Group (Recorded Future), Iranian-state cyber threat-actor profiles (multi-year update); Mandiant Iranian threat-actor profiles; United States Department of Treasury sanctions designations.
  2. CrowdStrike Global Threat Report series for the Kitten family DPRK-attribution analogue; Mandiant APT35 (Phosphorus) threat-actor profile; Microsoft Threat Intelligence naming convention, including the Sandstorm family for Iran-attributed clusters; Proofpoint TA453 periodic analyses; Palo Alto Unit 42 Magic Hound playbook.
  3. Citizen Lab, University of Toronto Munk School of Global Affairs and Public Policy, Return of the Cherry App and related Iranian-targeting research; Kaspersky Lab GReAT Freezer Paper around Free Meat (2014) — first Kaspersky technical analysis of the cluster.
  4. David E. Sanger, Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power (Crown, 2012); Kim Zetter, Countdown to Zero Day, op. cit.; subsequent academic analysis of Iran's cyber-capability investment in Survival and International Affairs.
  5. Citizen Lab Iranian-targeting research stream (multi-year); Amnesty International, State-Sponsored Online Attacks Against Iran's Civil Society (December 2018).
  6. iSIGHT Partners (now Mandiant), NewsCaster: An Iranian Threat Within Social Networks (May 2014); Kaspersky Lab GReAT, Freezer Paper around Free Meat, op. cit.
  7. United States Department of Justice, Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps (23 March 2018).
  8. Tom Burt (Microsoft Vice President for Customer Security and Trust), Recent cyberattacks require us all to be vigilant (4 October 2019); Google Threat Analysis Group June 2020 disclosure on the Trump-campaign targeting.
  9. Israel National Cyber Directorate periodic threat assessments; Saudi Arabia National Cybersecurity Authority periodic assessments; subsequent academic analysis in Journal of Strategic Studies.
  10. Mandiant post-October-2023 Iranian-state cyber-activity research; United States DOJ August 2024 indictment of three Iranian nationals.
  11. DOJ indictments (multi-year), op. cit.; Microsoft's October 2019 attribution disclosure, op. cit.
  12. FBI Most Wanted Cyber list (multi-year); Department of Treasury OFAC sanctions designations against IRGC IO leadership and contractor entities (multi-year).