Leaks and Revelations: A Web of IRGC Networks and Cyber Companies

Recorded Future links a network of IRGC-associated intelligence and military entities to contracted cyber firms that export surveillance/offensive tools and support espionage and ransomware operations. Pro-Iranian groups such as Moses Staff, N3tW0rm, and Agrius are named as leading disruptive and data-theft campaigns. #MosesStaff #IRGC

Keypoints

  • Recorded Future identifies four intelligence/military organizations tied to the IRGC that engage with private cyber contractors.
  • Contracting firms produce and export surveillance and offensive cyber technologies used for both espionage and operations that enable human rights abuses.
  • Pro-Iranian groups Moses Staff, N3tW0rm, and Agrius have conducted major ransomware-style and espionage campaigns against governments, media, NGOs, critical infrastructure, and healthcare.
  • Financial and operational ties suggest contractors coordinate with the IRGC Quds Force to operate in countries like Iraq, Syria, and Lebanon.
  • Multi-year leaks and doxxing by dissident hacktivists revealed an interconnected network and overlap between sanctioned individuals and contracting parties.
  • A full technical analysis and dataset are available in the linked Recorded Future PDF report for deeper indicators and attribution details.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – Ransomware tactics used to disrupt targets: ‘…launched espionage and ransomware attacks…’
  • [T1041] Exfiltration Over Command and Control Channel – Espionage activity involving data theft from governments and organizations: ‘…launched espionage and ransomware attacks…victims are linked to governments, media, non-governmental organizations, critical infrastructure, and the healthcare sector…’
  • [T1105] Ingress Tool Transfer – Export and deployment of surveillance/offensive tooling by contractors to enable operations: ‘…export technologies for surveillance and offensive purposes.’
  • [T1584] Compromise Infrastructure – Use of a network of contracting companies and third-party infrastructure to scale operations and obscure attribution: ‘…their network of contracting companies.’
  • [T1567] Exfiltration Over Web Service – Leaks and doxxing used to disclose internal networks and operator links via web-hosted disclosures: ‘…revealed by a string of multi-year leaks and doxxing efforts…’

Indicators of Compromise

  • [Threat actor/malware names] named operators – Moses Staff, N3tW0rm, Agrius
  • [Domains/URLs] report sources and artifacts – https://go.recordedfuture.com/hubfs/reports/cta-2024-0125.pdf (report PDF), https://www.recordedfuture.com/leaks-and-revelations-irgc-networks-cyber-companies (original post)
  • [File name] report artifact – cta-2024-0125.pdf (Recorded Future report)

Recorded Future’s analysis shows IRGC-linked military and intelligence units contracting private cyber firms to develop, export, and deploy surveillance and offensive tooling. These contractors appear to supply capabilities used for targeted espionage and disruptive operations, and financial arrangements tied to the IRGC Quds Force enabled regional operations in Iraq, Syria, and Lebanon.

Operational activity attributed to pro-Iranian groups includes large-scale ransomware-style campaigns and data theft against governments, media, NGOs, critical infrastructure, and healthcare. The report documents how contractors facilitate persistence and tool delivery across jurisdictions and how leaked records and doxxing revealed overlaps between sanctioned individuals and these contracting parties.

The technical takeaway is that the threat ecosystem blends state-linked tasking, commercially developed surveillance/offensive software, and outsourcing through contractor networks to achieve espionage, data exfiltration, and disruptive impact campaigns. Defenders should prioritize detection of tool transfer (T1105) and of exfiltration over C2 and web-service channels (T1041, T1567), and should track the trade and financial links that enable cross-border operational support.

Read more: https://www.recordedfuture.com/leaks-and-revelations-irgc-networks-cyber-companies