Iran’s near-total blackout appears to be easing after 200 hours. We’re at the very early stages of any kind of return to normal. But early Saturday morning, NetBlocks reported “a very slight rise in internet connectivity,” albeit “overall connectivity remains at ~2% of ordinary levels and there is no indication of a meaningful return.”
It’s likely that this will continue through the weekend and that service will begin to be restored. Cyber investigator Nariman Gharib reports two carriers are now starting to reconnect. “It’s still unclear which cities have connectivity, but Tehran has been confirmed. It remains uncertain whether this restoration is permanent or temporary.”
Iran’s Internet Restrictions and Potential Cybersecurity Intelligence Gains
This analysis examines Iran’s internet restrictions implemented in late 2022 and early 2023, and the potential benefits for cybersecurity intelligence gathering, as initially reported by CSO Online. This report provides updated verification as of January 17, 2026.
Iran’s Internet Shutdown (2022-2023)
Iran implemented significant internet restrictions beginning in September 2022, initially in response to protests following the death of Mahsa Amini, and continuing intermittently into 2023.
The restrictions varied in scope, ranging from blocking access to social media platforms like Instagram, WhatsApp, and Telegram, to more extensive limitations on overall internet connectivity. Reports indicated that access was largely limited to government agencies and essential services during peak periods of disruption. The stated justification from Iranian authorities was to maintain national security and counter “foreign interference.”
While the most severe restrictions were lifted by late 2022 and early 2023, internet monitoring and filtering remained prevalent. Access Now documented the ongoing censorship and surveillance practices. As of January 17, 2026, internet access in Iran remains subject to government control and filtering, though not at the level of the 2022-2023 shutdowns. Freedom House consistently ranks Iran as “Not Free” regarding internet freedom.
Cybersecurity Intelligence Opportunities
The limited internet access during the shutdown created a unique opportunity for cybersecurity intelligence gathering by external actors.
With a drastically reduced number of active users and a concentration of activity within government networks, the “signal-to-noise ratio” was significantly altered. This allowed for more focused monitoring of network traffic and the potential identification of infrastructure and communication patterns used by Iranian state-sponsored cyber actors. Specifically, the reduced traffic volume made it easier to identify and analyze the digital fingerprints of key Iranian cyber infrastructure.
For example, researchers could analyze the routing paths, protocols, and tools used by Iranian entities with less interference from civilian traffic. Mandiant has previously detailed the tactics, techniques, and procedures (TTPs) of Iranian threat actors, and the shutdown likely provided additional data points for refining these profiles. The analysis of this data could reveal previously unknown command-and-control servers, malware variants, and attack vectors.
Several Iranian state-sponsored cyber groups are known for conducting malicious cyber activities.
These include:
- APT35 (Phosphorus/Charming Kitten): Linked to Iran’s Ministry of Intelligence and Security (MOIS), focusing on espionage and credential theft. CrowdStrike provides detailed reporting on APT35.
- APT33 (elmo): Another group associated with the MOIS, targeting aerospace, defense, and energy sectors. Palo Alto Networks Unit 42 has extensively documented APT33’s activities.
- MuddyWater: A financially motivated group with ties to Iran’s intelligence services, known for targeting telecommunications, government, and financial sectors. Secureworks provides ongoing analysis of MuddyWater.
The internet shutdown likely provided opportunities to observe and analyze the infrastructure used by these groups with reduced interference.
Key Iranian government agencies involved in cybersecurity and internet control include:
- Ministry of Information and Communications Technology (MICT): Responsible for overseeing internet infrastructure and policies. MICT Official Website
- Supreme Council of Cyberspace (SCC): The highest authority on cybersecurity policy in Iran. Information on the SCC is limited, but
