Surveillance and counter-espionage in Iran


In order to deal with the new intense wave of popular protests, the Islamic Republic of Iran (IRI) is deploying every resource at its disposal, including technological ones.

Over the last twenty years, the IRI has equipped itself with a segregable IT infrastructure and a series of tools which, combined with the work of cyber groups, guarantee internal surveillance and counter-espionage.

The expansion of the clashes from the streets to the telecommunications network suggests new scenarios of ‘hybrid warfare’. The context is only relatively limited to the national dimension, as it involves technologies and companies in a geostrategic area that is officially not aligned with the Ayatollah regime.

 

National Information Network: much more than a national intranet

In September 2012, the IRI announced the completion of the first phase of the creation of the National Information Network (NIN), also known as Internet-e Paak or ‘Pure’ Internet. The NIN was presented as a fast and reliable infrastructure designed to convey content “compatible with religious and revolutionary values” and as a valid defense mechanism against cyberattacks from abroad.

Published in 2005-06 and officially launched in 2016, the NIN involved the registration of all Iranian websites on .ir domains and their transfer to local servers. In addition, applications and services such as the Ghasedak operating system, the Chaapaar email service, and the Fajr search engine were developed at the national level.

As experts and analysts have clarified, NIN cannot be described as a national intranet, as it is an IP network based on the same protocols as the internet. The decisive factor is that it has very few gateways over which the Government exercises total control. Traffic to and from the outside can therefore be, physically and infrastructurally, filtered and analyzed, diverted, restricted, or even interrupted without affecting the operation of internal government and administrative systems.

The NIN has already suffered blocks of varying scope and duration during the national protests of 2019-20, those in the Province of Sistan and Baluchistan in 2021, and during the ‘Woman, Life, Freedom’ demonstrations following the death of Mahsa Amini in 2022. But the shutdown imposed since January 8 has been described as the longest in the country’s history.

 

Nazer, the app that monitors hijab use

The Nazer (translated as ‘Supervisor’ or ‘Surveyor’) application is active within the NIN.

The tool, which can only be used by authorized persons, is available on the police website and on the national messaging app Eitaa. It works on a crowdsourcing model for reporting, integrated into the Faraja police security apparatus. Its backend automates a process of escalating penalties: a warning SMS to the owner, electronic seizure (on the second violation), and physical seizure of the vehicle (third and fourth offenses).

Nazer cannot take photos of faces and does not have facial recognition technology, but it can take photos of license plates. In 2024, it was updated to allow the monitoring of women in ambulances, on public transport, or in taxis. In addition, functions have been added to report other types of violations, such as drinking alcohol in public places or participating in demonstrations.

 

Department 40 and the Kashef database

In November 2025, the British news agency Iran International released a report on a state-sponsored cyber apparatus that includes the well-known APT Charming Kitten, associated with Department 40, which in turn is affiliated with the IRGC.

Iran International, which reportedly viewed material uploaded to GitHub by an anonymous user, discloses a wide range of specific information, including names, ID numbers, and photos of key figures, details on some front companies, and screenshots of internal tools.

Department 40 is believed to be the creation of the IRGC’s counterintelligence unit, established around 2012 with the limited mission of launching cyber operations. Over the years, it has also recruited cyber specialists in Israel, Turkey, and the United Arab Emirates.

Department 40’s main project is believed to be the Kashef (translated as ‘Detector’ or ‘Discoverer’) database, a surveillance platform that became operational in 2022. Kashef reportedly receives intelligence feeds from all IRGC intelligence divisions and aggregates personal identity information with travel, citizenship, and telecommunications data. In particular, it has reportedly collated detailed information on Iranian citizens with dual citizenship, embassy personnel, employees of foreign-linked companies, and journalists.

 

The regime equips itself with an AI-based platform

On March 15, 2025, the first national Artificial Intelligence platform was unveiled. Described as a critical asset integrated into the NIN, it was developed in collaboration with Sharif University of Technology, and the final version is expected to be ready by March 2026.

From a technical standpoint, the platform’s stated specifications include GPU-based processing, multimodal Large Language Models (LLMs), and open-source intelligent agents adapted to domestic needs.

One of its primary objectives is to ensure business continuity in scenarios of isolation from the global network, eliminating supply-chain attack vectors through external software or remote “kill switches.” However, it should be noted that Sharif University has close ties to the Ministry of Defense (MOIS), the IRGC, and the Air Force, and has been sanctioned by the European Union, the United Kingdom, and Japan for its involvement in military and ballistic missile projects.

 

Starlink and the telecommunications war

To circumvent telecommunications blocks, the population has long been using Elon Musk’s Starlink satellite network. In recent years, Iranians have reportedly smuggled in thousands of antennas, the purchase and connection of which have been facilitated since 2022 by concessions from the Biden administration. In addition, since mid-January 2026, SpaceX, at the invitation of President Trump, has begun to provide free access in the country.

Tehran’s reaction has resulted in a sort of internal technological conflict. According to some analysts, after the 12-Day War of 2025 – during which Starlink satellites operated extensively within Iranian territory – the Pasdaran and Iran’s Cyber Defense Force, under the leadership of the Passive Defense Organization, conducted an extensive reverse engineering operation of enemy tactics, developing a strategy that could also be applied in the current case. During that period, Iranian intelligence radars and interception systems (SIGINT) are said to have footprinted Starlink signals, and now, in the virtual “electronic desert” created by the shutdown, drones and surveillance systems would have an easy time locating SpaceX antennas.

 

TS-Intelligence


The information reported is the result of the collection and analysis work carried out by the specialists of Telsy’s Threat Intelligence & Response team with the support of the TS-Intelligence platform, a proprietary, flexible, and customizable solution that provides organizations with a detailed risk landscape.

It is available as a web-based and full-API platform, designed to be integrated into the organization’s systems and defensive infrastructures, with the goal of enhancing protection against complex cyber threats.

The platform’s continuous research and analysis on threat actors and emerging online threats—whether APTs or cybercrime—produces a constant stream of exclusive intelligence, delivered in real time and structured into technical, strategic, and executive reports.
