Fragmentation and Blackout: How War Is Reshaping Iran’s Cyber Operations
Iran has been in an overt war against the United States and Israel since January 2026. This conflict has been marked, for Iran, by significant losses among its military and political leadership early in the war [1], creating a power vacuum. It seems that the Islamic Revolutionary Guard Corps (IRGC) filled this vacuum and now appears to exert greater control over the state than before the war [2]. To avoid being vulnerable to airstrikes, the IRGC also fragmented its operations, with many senior officials reportedly going into hiding. At the same time, Iran completely shut down its Internet.
Together, these shifts suggest a paradox: Iran’s cyber operations may be becoming less coordinated—but more unpredictable.
The fragmentation of the IRGC
The airstrikes delivered by the U.S. and Israel forced the Iranian military to divide into smaller operating cells to reduce the impact of strikes. This decentralization makes units smaller, but also more autonomous [2]. Historically, forced decentralization has produced more autonomous but less coordinated units—as seen with the IRA’s shift to a cell-based structure in the 1980s, or Al-Qaeda’s fragmentation after 2001. In both cases, the result was less central coherence but greater operational unpredictability.
Losing senior commanders in such a short time might disrupt the chain of command, and units might lose their central coordination. For cyber units—especially those linked to the IRGC, known publicly as APT33, APT35, APT42, Cyber Av3ngers and Cotton Sandstorm—it could mean less coordination, but also more freedom to act, perhaps independently.
Fragmentation may not just decentralize operations—it may also reshape incentives. Units operating with greater autonomy may seek to demonstrate their value through more visible or more aggressive activity, particularly in a context where central oversight is weakened. At the time of writing, there are no public reports of a noticeable change, but the conflict is not over. CISA published an advisory about Iranian-affiliated cyber actors targeting critical infrastructure in the U.S. [3]. Despite not providing a clear attribution, the advisory seems to be related to Cyber Av3ngers, a group related to IRGC-CEC.
Iran has long relied on plausible deniability for its cyber operations—sponsoring groups that could be disowned when needed. In an overt conflict, this matters less. When missiles are already flying, denying a cyberattack does not change much for escalation management. But deniability does not go away; it changes audience. Third-party states and post-conflict diplomacy still create incentives to keep some operations technically unattributed. Fragmentation cuts both ways here. Units operating without central oversight may conduct operations Tehran never sanctioned—making deliberate deniability harder to manage. But decentralized cells also look exactly like non-state actors. Attribution becomes harder, and deniability emerges by accident rather than design.
Fragmentation may also push some units toward external dependencies they would not have relied on previously. Russia is reported to provide Iran with satellite imagery and collaborate on cyber operations [4]. There is already a report about MuddyWater—a group likely related to the Ministry of Intelligence and Security (MOIS)—using a Russian malware-as-a-service toolkit. While the report states that the tools were bought “off the shelves”, they also might have been handed out willingly by Russia given the historically permissive relationship between Russian authorities and cybercriminal ecosystems. In the past, members of the Federal Security Service (FSB) were directly connected to cybercrime groups, as in the Evil Corp case [5].
Internet Blackout
Since January 2026, Iran has shut down its Internet access. While some privileged individuals were handed “white SIM cards”—granting them unlimited, unfiltered Internet access—the vast majority of citizens can only access a downgraded domestic network [6].
The regime’s stated reasoning is that cutting Internet access helps prevent incoming cyber attacks, yet it remains unclear how much it does. This is not the first time that Iran has used this tactic; it did the same in the 2025 conflict [7]. Knowing this, it is plausible that military strategists planned ahead and did enough pre-positioning without relying too much on Internet connectivity after the start of the conflict. In reality, it is more likely that the Internet shutdown is a convenient disguise for digital censorship. The shutdown came just after a massive crackdown in which thousands of Iranians were reportedly killed [8]. Restricting access to the Internet might also be a way to avoid the spread of information about the killings, both within Iran and abroad, and to make it harder for citizens to organize.
Iranian cyber actors should still retain Internet access broadly comparable to pre-conflict levels. But it is likely that they had to relocate some services and tooling outside of local servers, and possibly out of Iran, to be more agile. It is unclear which organization is responsible for the Internet shutdown in Iran, but if the IRGC is the leader, it might abuse its position to pressure or undermine competing agencies such as MOIS.
Taken together, these dynamics—fragmented command structures and disrupted infrastructure—create compounded uncertainty. Iranian cyber units may be operating with less oversight, less coordination, and less stable tooling simultaneously. This is not necessarily a sign of weakness: it may produce more erratic, harder-to-predict behavior. But it also creates friction that even well-resourced threat actors cannot fully absorb.
Conclusion
If some of what I am writing is true, it means that in the upcoming days we may witness Iranian threat actors adapting to the situation in their own ways and diverging from their known TTPs. It could also mean some operations become more opportunistic or that some units seize the opportunity to shine above their rival units.
These are not predictions but hypotheses—meant to be tested against the behavior of Iranian cyber actors in the coming weeks. This analysis was produced under the banner of Plausible Deniability—a fitting name, perhaps, for a piece about a regime that has always preferred to keep it that way.
References
[1] List of Iranian officials killed during the 2026 Iran war. Wikipedia. 2026 Apr.
[2] The Revolutionary Guards are taking over Iran. The Economist. 2026 Mar.
[3] CISA. Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure; 2026.
[4] Tom Balmforth, John Irish. Exclusive: Russia supplies Iran with cyber support, spy imagery to hone attacks, Ukraine says. Reuters. 2026 Apr.
[5] National Crime Agency. Evil Corp: Behind the Screens. National Crime Agency; 2024 Oct.
[6] Daisy Johnston. Iran’s Other Front: The War Over the Internet. War on the Rocks. 2026.
[7] Lorenzo Franceschi-Bicchierai. Iran’s government says it shut down internet to protect against cyberattacks. TechCrunch. 2025.
[8] What happened at the protests in Iran? Amnesty International. 2026.