OPTIC Lab Open Provenance Threat Intelligence Corpus
Iran · Threat Feature · Open Provenance Threat Intelligence Corpus · March 2026

Patient Operators

Iran's Cyber Operations, 2017–2025

Iran's state-linked operators spent eight years building quiet access inside government ministries, aerospace companies, energy infrastructure, and telecommunications networks across four continents. Thirteen published reports, September 2017 through November 2025, document how that access was established, maintained, and applied — consistently below the threshold at which most organizations recognize they have a problem.

13 Mandiant reports · OPTIC graded dataset · Seed corpus as of March 25, 2026
Reports analyzed: 13 (September 2017 – November 2025)
Primary target sector: Government, 7 of 13 reports (first documented Dec 2017)
Lead target country: Israel, 5 reports (explicit in 4; first Aug 2022)
Most recurring technique: T1204 Malicious file, 6 reports (avg confidence 0.853)
Current context (external to the OPTIC dataset)

As of March 25, 2026, the U.S. government is publicly describing ongoing military operations against Iran under the designation Operation Epic Fury, beginning February 28 – March 1, 2026. In June 2025, CISA, FBI, NSA, and DC3 warned that the geopolitical environment had elevated cyber risk for U.S. critical infrastructure, the defense industrial base, and organizations with Israeli research or defense ties. The retrospective analysis below covers the 2017–2025 OPTIC seed corpus only; these present-tense developments are noted as context, not as part of the sourced dataset.
Iranian Target Set

Iran's Target Map

Country and sector distribution

OPTIC seed corpus · 13 reports · 2017–2025
[Table: Country · Sectors documented · Actor groups · Reports · First seen (rows not present in this copy)]
Built from result_json → victims in optic.article_extractions. Country-sector pairings reflect explicit article-level attribution only; derived mentions are noted. Azerbaijan's documented victim profile is NGO/activist rather than strategic-sector.

The sector and country distribution describes an operational surface aligned to the institutions most directly implicated in Iranian foreign policy exposure: governments facing strategic friction, defense and aerospace industries linked to regional military balance, and energy infrastructure tied to sanctions leverage. Government leads the corpus — seven of thirteen reports, first documented in December 2017 [APT34 source]. Aerospace and energy follow at three reports each, both dated to September 2017 [APT33 source].

The country picture reflects the same logic, not just volume. Israel's five reports (first documented August 17, 2022) and Albania's three (all explicit, August 2022 through September 2024) represent two distinct kinds of adversarial exposure — one defined by direct territorial and military friction, the other by political rupture over the presence of Iranian opposition groups [UNC3890 source]. The United States and United Kingdom appear in three and two reports respectively, with U.S. presence dated to the earliest reporting in the corpus.

Aerospace and energy targeting dates to 2017; Israel-specific targeting, despite its prominence in the country count, does not appear until 2022. Azerbaijan appears in the corpus against a different target profile entirely — NGOs and activists rather than any strategic-sector category — marking a surveillance operation rather than the government, defense, and infrastructure operations that dominate the rest of the record.

Mandiant · Sep 20, 2017
"APT33 has shown particular interest in organizations in the aviation sector ... as well as organizations in the energy sector."
Mandiant · Aug 17, 2022
"Their focused targeting poses a threat to Israel-based organizations and entities."
Iranian Operations · 2017–2025

Eight Years, One Escalation

Reporting timeline by period

[Chart: Reports per cluster year]
Bar height reflects report count per period. Annotations describe operational developments, not publication volume. The 2022 spike reflects a genuine broadening of the documented operation, not an artefact of vendor reporting cycles.

The 2017 baseline is established by APT33 and APT34. APT33's documented activity in this corpus connects to U.S. aerospace, Saudi energy, and South Korean energy environments [APT33 source]. APT34 anchors Middle Eastern government targeting from December 2017 [APT34 source]. Both operations share a common posture: deliberate, sector-specific access rather than broad opportunistic scanning. The techniques in use at this stage - application-layer blending, valid account use - are already present in the 2017 reporting.

By 2022 the picture changes in kind, not just in scale. APT42 reporting shifts attention toward the human layer: social engineering campaigns against government officials, policy researchers, journalists, and NGO workers [APT42 source]. The February 2022 Telegram malware documentation and the September 2022 APT42 profile together show an operation built for sustained visibility into individuals, not just institutional environments [Telegram case]. The Albania ROADSWEEP case in August 2022 is the exception in this period - a disruptive action rather than a surveillance or access operation - and its distinctiveness in the corpus reflects something deliberate: it sits at the edge of the ecosystem, not at its center [ROADSWEEP source].

The 2024 UNC1860 reporting introduces a qualitatively different layer. Passive backdoors in Middle Eastern telecommunications and government networks, designed to persist without operational noise, represent a shift toward pre-positioning rather than active collection [UNC1860 source]. The access exists; the question is when and for what it will be used. This is the period in the dataset that most directly frames the current geopolitical context: infrastructure access established years before a potential point of activation.

UNC1549's November 2025 reporting closes the arc. Aerospace and defense targeting under a sustained, technically sophisticated campaign extends the operational surface into the strategic industry layer [UNC1549 source]. Taken with the telecom footholds of 2024, the endpoint of the dataset suggests an ecosystem that spans infrastructure access, communications penetration, and defense-industrial presence simultaneously.

Mandiant · Aug 4, 2022
"a politically motivated disruptive operation" against Albanian government organizations
Mandiant · Sep 19, 2024
"gain persistent access to high-priority networks"
Mandiant · Nov 17, 2025
"exploiting trusted connections with third-party suppliers and partners"
Iranian Tradecraft

Inside the Access

Documented intrusion sequence

OPTIC technique layer · 13 reports · avg confidence shown
Techniques are ordered by their position in the intrusion sequence, not by report frequency. Confidence scores reflect average OPTIC extraction confidence across all mentions of that technique in the seed corpus.

An employee opens a file. Nothing obvious breaks. The file executes quietly, and the operator has a foothold in an environment with no immediate reason to be suspicious. This entry path — malicious file execution, T1204.002, documented in six of thirteen reports at an average OPTIC confidence of 0.853 — is the most consistent initial access mechanism in the corpus, but the number matters less than what it enables: a clean handoff to everything that follows [Phishing case].

From there, the intrusion proceeds through a sequence that the corpus documents consistently enough to treat as a signature. Command-and-control traffic blends into ordinary web activity - application-layer protocols that look indistinguishable from routine HTTPS traffic [C2 blend]. Valid accounts, either harvested through prior credential operations or compromised through the initial access, begin accessing systems slightly outside their normal scope [Valid accounts]. Privilege escalation follows, turning a limited foothold into a durable presence with broader reach. Evidence gets cleaned: indicator removal appears in four reports at an average confidence of 0.725, suggesting operators expect to have time to work and plan accordingly. Communications shift into tunneled protocols - T1572 appears in three reports, at the highest average confidence in the dataset at 0.933, indicating a deliberate effort to shape how traffic flows rather than simply to stay connected [Azure C2 masking].

The composite picture across those six techniques is not a sophisticated novel attack. It is a familiar sequence executed with operational discipline. Each individual step - a file opened, a familiar-looking account, a routine web connection - is the kind of thing that defensive tooling is calibrated to ignore in isolation. The power of the playbook is in how each stage hands off to the next without triggering the threshold at which most organizations shift into incident mode.

For a CISO trying to locate this activity in their environment: the diagnostic question is not whether their endpoint protection would catch a known malicious file signature. It is at what point in this sequence their logging and behavioral detection would fire - and whether that point comes before or after the privilege escalation and cleanup phases. In most environments that fit the target profile, the honest answer is: after.

Mandiant · Feb 24, 2022
"allows for malicious traffic to blend in with legitimate user behavior"
Mandiant · Nov 17, 2025
"used valid compromised accounts to gain initial access"
Mandiant · Feb 27, 2024
"making it difficult to discern the activity from legitimate network traffic"
Iranian Operator Landscape

Who Runs What

Iranian cyber operator lanes

OPTIC seed set · actor tenure from entity_article_support
Lane assignments reflect functional mandate as documented in the seed corpus, not official attribution. Co-occurrence between actor labels in the same article often reflects alias relationships (APT42 / Charming Kitten / Phosphorus) rather than independent coordination. Tenure spans reflect first and last publication dates in the OPTIC dataset, not necessarily operational start and end dates.

The surveillance lane - anchored by APT42, which appears in three reports across 2022 to 2024 - runs long-horizon visibility operations against individuals: government officials, policy researchers, journalists, and NGO workers [APT42 source]. The output is sustained intelligence on people and organizations, maintained over months or years. APT39 falls into this lane as well, with a focus on telecommunications and personal data. Facing APT42 surveillance means facing an identity and behavioral monitoring problem: the threat is account-level and human-facing, and the appropriate response centers on phishing-resistant authentication, behavioral monitoring of high-value individual accounts, and awareness training for the specific social engineering patterns documented in the reporting.

The access maintenance lane - APT34, which leads the corpus at four reports from 2017 through 2024, and UNC1860 - keeps quiet footholds alive in regional government, telecommunications, and enterprise environments. These are not operations designed to produce immediate intelligence or disruption. They maintain access that other elements of the ecosystem can use when needed. UNC1860's passive backdoor work in telecommunications environments, documented in 2024, is the clearest expression of this function in the corpus [UNC1860 source].

The strategic pressure lane encompasses UNC1549, APT33, and UNC3890, and targets the sectors that carry the most geopolitical weight: aerospace, defense, energy, shipping, and healthcare. UNC1549, with two reports spanning 2024 through 2025, represents the most recent and technically sophisticated development in this lane [UNC1549 2024] [UNC3890 source]. Facing this lane means facing a supply-chain and strategic-industry problem: the threat is infrastructure and production-facing, and the response involves OT security posture, third-party access review across defense supply chains, and threat-informed asset prioritization for the specific sector categories that recur in the corpus.

The disruption lane - UNC788 / HomeLand Justice, documented once in the corpus in connection with the Albania ROADSWEEP attack - sits at the edge of the ecosystem and activates when the political objective requires visible effect [ROADSWEEP source]. Its single appearance in this dataset is consistent with its function: this is not a persistent presence but a capability that is deployed selectively. The Albania case from 2022 remains the clearest documented example of Iranian cyber operations crossing from quiet access into deliberate disruption.

Mandiant · Sep 7, 2022
"consistently targeted Western think tanks, researchers, journalists"
Mandiant · Sep 19, 2024
"its role as a probable initial access provider"
Mandiant · Aug 17, 2022
"particularly those affiliated with the government, shipping, energy, aviation and healthcare sectors"
For Iranian Targets

Three Decisions

Valid account abuse (T1078 · 5/13 reports · avg conf 0.860) is documented more consistently than any other access mechanism in this corpus after malicious file execution. For organizations whose sector and geography place them in the documented target set, identity governance is the highest-priority defensive investment the data supports: MFA enforcement without exceptions for privileged accounts, third-party access review, and behavioral baselining that flags accounts operating outside their established scope. This is not generic security hygiene — it is the specific defensive layer that would disrupt the documented access pattern most directly.
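The behavioral baselining recommended here, applied to the valid-account pattern described in the tradecraft section (accounts reaching systems slightly outside their normal scope), as an added example that is not OPTIC, Mandiant or any report's code. The log format, account names and host names are constructed; a production baseline would be learned over a far longer window than the few days shown.

```python
"""Per-account host baseline for valid-account drift (T1078).

Added example; not OPTIC or Mandiant code. The log format
"<ISO timestamp> <account> <dest_host> <result>" and all values are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed access log: normal use, then an early-morning reach into new hosts.
SAMPLE_LOG = """\
2025-03-01T08:02:11 j.rahimi fs01 success
2025-03-01T08:05:40 j.rahimi mail01 success
2025-03-03T10:20:55 svc-backup fs01 success
2025-03-03T10:21:07 svc-backup fs02 success
2025-03-10T02:14:33 j.rahimi fs01 success
2025-03-10T02:15:09 j.rahimi dc01 success
2025-03-10T02:16:48 j.rahimi eng-cad-07 success
2025-03-10T02:17:02 j.rahimi eng-cad-07 success
2025-03-11T11:00:00 svc-backup fs02 success
"""

def parse(log):
    """Yield (timestamp, account, host, result) from the constructed log text."""
    for line in log.splitlines():
        ts, account, host, result = line.split()
        yield datetime.fromisoformat(ts), account, host, result

def build_baseline(events, cutoff):
    """Hosts each account reached successfully before the cutoff (training window)."""
    baseline = defaultdict(set)
    for ts, account, host, result in events:
        if ts < cutoff and result == "success":
            baseline[account].add(host)
    return baseline

def scope_drift(events, baseline, cutoff):
    """Post-cutoff successes against hosts outside the account's baseline,
    one alert per (account, host) pair with the time it was first seen."""
    first_seen = {}
    for ts, account, host, result in events:
        if ts >= cutoff and result == "success" and host not in baseline.get(account, set()):
            first_seen.setdefault((account, host), ts.isoformat())
    return [(a, h, t) for (a, h), t in first_seen.items()]

def detect(log=SAMPLE_LOG, cutoff="2025-03-09T00:00:00"):
    """Train on everything before the cutoff, then score what follows."""
    events = list(parse(log))
    cut = datetime.fromisoformat(cutoff)
    return scope_drift(events, build_baseline(events, cut), cut)
```

On the constructed log, `detect()` returns the two new hosts j.rahimi reached at 02:15 and 02:16, and nothing for svc-backup, whose post-cutoff access stays inside its baseline.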

Sector and geography are exposure signals, not backdrop. The target profile in this corpus is specific: government (7 reports), aerospace (3), energy (3), defense (2), telecommunications (2). The lead countries are Israel (5), Albania (3), the United States (3), and the United Kingdom (2). An organization that operates in those sectors and countries is in the documented target set and should treat its threat model accordingly — with a dedicated analysis of the specific actor lanes most likely to be relevant to its environment, rather than a generic enterprise security posture applied uniformly.

Cleanup activity is part of the operating pattern (T1070.001 · 4/13 reports · avg conf 0.725). Indicator removal appearing in four of thirteen reports, at a confidence level that reflects explicit sourcing rather than inference, means operators expect to have time to clean up after themselves and plan for it. The defensive implication is not faster detection of initial access — it is forensic resilience: tamper-resistant, forensic-grade logging that preserves evidence of cleanup attempts as its own indicator class, and retrospective visibility infrastructure that does not depend on real-time alerting to recover the intrusion timeline.
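One way to treat cleanup as its own indicator class and keep a retrospectively verifiable record, as an added example that is not OPTIC or Mandiant code: a hash-chained collector copy of forwarded events that flags audit-log-cleared events and any later removal of records from the copy. Windows event IDs 1102 (Security log cleared), 104 (System log cleared), 4624 (logon) and 4688 (process creation) are real; the host, times and records are constructed.

```python
"""Cleanup-as-indicator with a tamper-evident collector copy of forwarded events.
Added example; not OPTIC or Mandiant code. Records are constructed; event IDs
1102/104 (Security/System log cleared), 4624 (logon), 4688 (process) are real."""
import hashlib
import json

# Log-clearing events are reported as their own indicator class, not as noise.
LOG_CLEAR_EVENT_IDS = {1102, 104}

def _body(rec):
    """Canonical JSON of a record without its chain field."""
    return json.dumps({k: v for k, v in rec.items() if k != "chain"}, sort_keys=True)

def chain_records(records):
    """Collector side: each stored record carries sha256(previous_hash + body)."""
    prev, chained = "0" * 64, []
    for rec in records:
        prev = hashlib.sha256((prev + _body(rec)).encode()).hexdigest()
        chained.append({**rec, "chain": prev})
    return chained

def verify_chain(chained):
    """Index of the first record that no longer fits the chain, or None if intact."""
    prev = "0" * 64
    for i, rec in enumerate(chained):
        expected = hashlib.sha256((prev + _body(rec)).encode()).hexdigest()
        if rec["chain"] != expected:
            return i
        prev = expected
    return None

def cleanup_indicators(chained):
    """Audit-log-cleared events and any chain break, as indicator strings."""
    hits = [f"{r['host']} {r['time']} event {r['event_id']}: audit log cleared"
            for r in chained if r["event_id"] in LOG_CLEAR_EVENT_IDS]
    broken = verify_chain(chained)
    if broken is not None:
        hits.append(f"chain break at record {broken}: records removed or altered")
    return hits

SAMPLE = [  # constructed events from one workstation, not taken from any report
    {"host": "ws-17", "time": "2025-03-10T02:14:00", "event_id": 4624, "msg": "logon"},
    {"host": "ws-17", "time": "2025-03-10T02:16:48", "event_id": 4688, "msg": "process created"},
    {"host": "ws-17", "time": "2025-03-10T02:40:05", "event_id": 1102, "msg": "audit log cleared"},
]

def demo():
    intact = chain_records(SAMPLE)
    tampered = intact[:1] + intact[2:]  # process-creation record deleted from the copy
    return cleanup_indicators(intact), cleanup_indicators(tampered)
```

The intact copy yields one indicator (the 1102 event); the copy with a record deleted yields that same indicator plus a chain break at the position of the deletion, which survives even if the endpoint's own log was wiped.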

Section 6

Source Record