
Cyber Threat Actor: APT Iran

Actor Type: Nation State
Location: Iran
Known Incidents: 2 incidents
Profile

The threat actor known as APT Iran operates from Iran and is recognized by that alias in public reporting. The group has been linked to a series of cyber intrusions targeting Iranian governmental and critical infrastructure entities. Observed activity includes compromises of railway networks, telecommunications providers, and property registration systems. These actions have been attributed to the actor in open‑source reporting.

In the reported incidents, the actor obtained employee conduct guidelines, identity records, operational reports, and wagon maps from railway systems. Similar data sets were taken from telecommunications and property registration providers in earlier intrusions. The acquisitions also extended to judicial and parliamentary servers, where financial and sanction‑related material was accessed. This pattern shows a focus on transportation, communications, property records, and core government networks. The group publicly claimed that each breach exposed security vulnerabilities in the targeted organizations. By highlighting the leaked documents, the actor sought to demonstrate weaknesses in digital defenses. The statements accompanied the releases of internal files, framing the intrusions as a means to pressure authorities into improving security. No public indication of financial profit or ransom demand accompanied these messages.

A representative operation occurred in late 2024 when the actor compromised the digital infrastructure of a railway company, leading to the extraction of sensitive employee and operational files. Earlier in the same year, a comparable breach affected the railway sector with analogous data loss. Beyond transportation, the actor has been associated with disruptions to judicial servers and parliamentary networks, which yielded access to financial and sanction‑related material. These incidents illustrate a recurring focus on transportation and core government networks.

Attribution in the open‑source material is limited to the alias APT Iran and the geographic location of Iran; no explicit connection to a state sponsor or criminal consortium is stated. Consequently, any assertion about state nexus or affiliations would go beyond the provided information. The actor’s public statements emphasize the exposure of vulnerabilities rather than financial gain or other motives.
