Key Takeaways
-During the uprising, the majority of the internet was shut down, including access to Telegram, except for what the regime called the “halal internet”
-Iran’s IRGC has been developing malicious spyware-enabled apps thru front companies and marketing them as alternatives to Telegram
-The regime’s apps allow the IRGC to track and spy on their users, and were used to identify and arrest protesters during the uprising that started late December 2017
-Some of the apps produced by the IRGC front companies are available globally on the App Store and Google Play
-Americans could unknowingly download the malicious apps as Iran expands its cyber influence worldwide
Press Briefing
On February 15, 2018 NCRIUS hosted a press briefing regarding the cybersecurity threat that Iran poses for the international community. In the press conference, NCRIUS revealed new information about the IRGC’s use of cyber warfare at home and abroad to repress the uprising and expand its influence. For more information, click below.
Press Page

FAQs
What are Iran's cyber capabilities?
The Iranian regime has been improving its cyber capabilities for years, working to expand its influence globally and over its own people through cyber technologies. The IRGC uses its “cyber army” to hack and control opponent websites, attack other networks, and conduct electronic espionage abroad. Some branches of the IRGC’s cyber command attack foreign sites that encourage young Iranians to rise up against the regime, while others work on spreading propaganda and quelling unrest within Iran.
Who in Iran is responsible for the use of cyber warfare?
There is a special unit at the IRGC’s Intelligence Organization that is tasked with Cyber Warfare, based in Ammar Garrison. They work in coordination with the Ministry of Intelligence and Security (MOIS).
How was cyber warfare used during the most recent uprising?
The regime shut down access to the majority of the Internet in Iran and to the popular mobile app “Telegram” which has more than 40 million Iranian users. The IRGC then marketed its homegrown apps to the public as alternatives to Telegram, which are spyware-enabled and allow the regime to track and spy on their users. One IRGC Brigadier General said that as a result of this, “homegrown apps gained momentum… and security forces were able to carry out timely arrests and identify the leaders” of the uprising.
Is the IRGC connected to the global app marketplace?
Three of the top six malicious apps produced by IRGC front companies and identified by NCRI-US are available globally on the App Store or on Google Play. The apps include Mobogram, Wispi, and Telegram Black, and can be downloaded by anyone with access to these global tech marketplaces. All three received a threat score of 100/100 from Hybrid Analysis, as NCRI-US revealed, and have the ability to record audio, send SMS messages, execute code after reboot, and more.
Who is responding to the cyber warfare and how?
After NCRI-US published its report on Iran’s cyber warfare on February 15, 2018, Google removed “Telegram Black” from Google Play and banned its producer from the platform. However, much still needs to be done to limit the IRGC’s access to global marketplaces.
How do Iran's cyber crimes affect Americans?
Anyone with access to Google Play or the App Store could inadvertently download the malicious apps produced by the IRGC and be subjected to surveillance by the Iranian regime. Iran will also continue to use cyber warfare to attack and influence the United States through other methods. As U.S. Director of National Intelligence Dan Coats stated recently, “Frankly, the United States is under attack…Iran will try to penetrate U.S. and allied networks for espionage and lay the groundwork for future cyber attacks.”
