PROBABLYPWNED
Threat Intelligence | January 30, 2026 | 4 min read

Iran's Hacktivists Were State Actors All Along, CSIS Report Finds

Analysis reveals CyberAv3ngers and other 'hacktivist' groups targeting US infrastructure are actually IRGC-controlled operations masquerading as ideological actors.

Alex Kowalski

Iranian hacktivist groups that appear to spring up organically around political conflicts are actually coordinated arms of the state's intelligence apparatus, according to a new analysis from the Center for Strategic and International Studies. The report, published today, documents how groups like CyberAv3ngers present themselves as ideologically motivated activists while executing operations directed by the Islamic Revolutionary Guard Corps.

The finding has implications for how organizations assess threats. What looks like opportunistic hacktivism may actually be state-sponsored operations with far more resources and persistence than typical activist campaigns.

The CyberAv3ngers Case Study

When CyberAv3ngers first surfaced in October 2023, the group positioned itself as pro-Palestinian activists protesting Israel's actions in Gaza. The messaging worked—media coverage treated them as ideological actors rather than nation-state operators.

Within a month, the U.S. Treasury Department sanctioned six IRGC Cyber-Electronic Command (IRGC-CEC) officials for directing the group's operations. The hacktivists were state actors all along.

By November 2023, CISA confirmed CyberAv3ngers had compromised at least 75 devices manufactured by Israeli company Unitronics—including 34 systems in U.S. water and wastewater facilities. The attacks targeted programmable logic controllers (PLCs) and human-machine interfaces exposed to the internet.

One attack left systems displaying the message: "You have been hacked, down with Israel." The propaganda value was obvious. Less obvious were the IRGC's fingerprints on the operation.

Iran's Dual APT Structure

The CSIS analysis maps Iran's offensive cyber capabilities across two main organizations:

IRGC (Islamic Revolutionary Guard Corps): The military branch under the Supreme Leader's direct control, running APT33 and APT35. These groups conduct strategic espionage, sabotage operations, and influence campaigns aligned with regime priorities.

MOIS (Ministry of Intelligence): The civilian intelligence agency operating APT34 (OilRig) and MuddyWater. While nominally separate from the IRGC, these groups share tactics, techniques, and operational coordination.

Both organizations have cultivated proxy relationships with hacktivist groups that provide plausible deniability while extending state reach into targets that would draw international condemnation if attacked directly.

June 2025 Conflict Revealed the Coordination

During the June 2025 escalation between Israel and Iran, researchers analyzed over 250,000 Telegram messages from more than 178 hacktivist and proxy groups. The data revealed rapid mobilization that tracked military operations in real time.

Groups launched DDoS attacks, defacement campaigns, and data theft operations coordinated with kinetic military actions. The timing wasn't coincidental—it demonstrated command-and-control relationships between state actors and ostensibly independent hacktivist organizations.

Groups identified in the analysis include:

  • Fatimion Cyber Team
  • Cyber Fattah
  • Cyber Islamic Resistance
  • Laneh Dark
  • Handala

Some maintain unclear government affiliations but exhibit TTPs consistent with state training and resourcing.

Why This Matters for Defenders

The distinction between hacktivism and state-sponsored operations affects defensive prioritization. Hacktivist campaigns typically burn hot and fast—high-profile disruptions that generate media attention, then fade as attention shifts elsewhere.

State-sponsored operations exhibit different patterns. They maintain persistence, conduct long-term reconnaissance, and return to targets over months or years. Resources are sustained rather than sporadic.

Organizations in critical infrastructure sectors—particularly water utilities, energy providers, and healthcare systems—should treat Iranian hacktivist activity as potential state operations until proven otherwise. That means:

  • Assume persistence: Don't treat a "defacement" as a one-time incident
  • Hunt for access: Hacktivist cover may mask deeper compromise
  • Expect return visits: State actors maintain target lists and revisit organizations
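The three recommendations above translate directly into hunting logic. The following is an added example, not code from the article or the CSIS report: it runs over constructed firewall/flow log lines and (1) lists accepted connections from outside the organisation to PLC/HMI ports, (2) finds external sources that return on several distinct days, and (3) given a defaced host and the time the defacement was noticed, summarises the external access that preceded it, so the defacement is treated as the visible tail of a longer intrusion rather than a one-off. The port list (Unitronics PCOM, Modbus/TCP, VNC), the internal address ranges and the log format are assumptions for the example; substitute your own asset inventory and log schema.

```python
"""Hunting for persistence behind a "hacktivist" defacement.

Added example, not code from the article or the CSIS report. Works over
constructed log lines and implements the three checks the article
recommends: assume persistence, hunt for access, expect return visits.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed OT management ports: Unitronics PCOM/TCP, Modbus/TCP and VNC.
OT_PORTS = {20256: "unitronics-pcom", 502: "modbus", 5900: "vnc"}

# Assumed address space of the utility's own networks; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log, one event per line:
# "<timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2025-06-10T02:14:05 198.51.100.7 10.20.30.5 20256 ACCEPT
2025-06-10T02:14:06 198.51.100.7 10.20.30.5 20256 ACCEPT
2025-06-11T23:40:12 10.20.30.8 10.20.30.5 20256 ACCEPT
2025-06-13T04:02:51 198.51.100.7 10.20.30.5 5900 ACCEPT
2025-06-13T04:05:10 198.51.100.7 10.20.30.5 20256 ACCEPT
2025-06-20T01:11:00 203.0.113.9 10.20.30.6 502 ACCEPT
2025-06-20T01:11:01 203.0.113.9 10.20.30.6 502 DENY
2025-06-28T03:30:00 198.51.100.7 10.20.30.6 20256 ACCEPT
"""


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "port": int(port), "action": action})
    return events


def is_external(ip: str) -> bool:
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_ot_access(events: list[dict]) -> list[dict]:
    """Accepted connections from external sources to OT ports (exposure)."""
    return [e for e in events
            if e["port"] in OT_PORTS and e["action"] == "ACCEPT"
            and is_external(e["src"])]


def return_visits(events: list[dict], min_days: int = 2) -> dict[str, list[str]]:
    """External sources that reached OT ports on at least min_days distinct days."""
    days: dict[str, set] = defaultdict(set)
    for e in external_ot_access(events):
        days[e["src"]].add(e["ts"].date().isoformat())
    return {src: sorted(d) for src, d in days.items() if len(d) >= min_days}


def access_before_defacement(events: list[dict], host: str, defaced_at: str) -> dict:
    """Summarise external OT access to `host` that preceded the defacement time."""
    cutoff = datetime.fromisoformat(defaced_at)
    summary: dict[str, dict] = {}
    for e in external_ot_access(events):
        if e["dst"] != host or e["ts"] >= cutoff:
            continue
        s = summary.setdefault(e["src"], {"first_seen": e["ts"], "connections": 0})
        s["first_seen"] = min(s["first_seen"], e["ts"])
        s["connections"] += 1
    return {src: {"first_seen": s["first_seen"].isoformat(),
                  "connections": s["connections"]}
            for src, s in summary.items()}


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    # Defacement on 10.20.30.5 noticed at 04:06 on 13 June (constructed scenario).
    print("exposure events:", len(external_ot_access(EVENTS)))
    print("return visits:", return_visits(EVENTS))
    print("prior access:", access_before_defacement(EVENTS, "10.20.30.5", "2025-06-13T04:06:00"))
```

In the constructed scenario the source that defaced the HMI had been reaching the PLC port three days earlier and came back to a second controller two weeks later, which is exactly the pattern that distinguishes sustained state activity from a one-off defacement. In practice the same three queries are worth scheduling against NetFlow or firewall exports for every host on the OT asset list, not only the one that displayed a message.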

The 34 U.S. wastewater facilities compromised by CyberAv3ngers weren't random targets. They were selected, surveilled, and exploited by operators with state resources and priorities.

Recent Indicators of Continued Activity

On January 26, 2026, the "APT Iran" Telegram channel was deleted along with most references to Black Industry—an offensive OT framework linked to IRGC operations. A new channel called "Cyber4vengers" has since appeared, suggesting rebranding rather than cessation of operations.

APT Iran was widely believed to be either synonymous with or a subdivision of CyberAv3ngers. The deletion pattern—removing historical content while establishing a new presence—follows Iranian operational security practices observed in previous campaigns.

For organizations in targeted sectors, the infrastructure may change but the threat persists. Iranian cyber operations against U.S. critical infrastructure show no signs of de-escalation.

Recommended Resources

Organizations seeking deeper context on state-sponsored threats should consider the comprehensive treatment in Sandworm and related cybersecurity books covering nation-state cyber operations. Understanding the organizational structures behind these attacks helps security teams anticipate behavior patterns.

CISA maintains an Iran threat overview page with current advisories and indicators of compromise. Critical infrastructure operators should subscribe to alert feeds covering ICS/OT threats specifically.
