This special intelligence report presents findings from the MTAC Intelligence platform's Operation IRON VEIL investigation, a 91-day deep-packet attribution campaign that analyzed 56,362,322 darknet intelligence records across seven Iranian-nexus threat actors operating in six distinct operational theaters. The report provides actionable intelligence for critical infrastructure operators, government agencies, and private sector organizations with exposure to Iranian cyber operations.
Executive Summary
The MTAC investigation reveals a coordinated multi-theater Iranian cyber campaign of unprecedented scale. Key metrics from the 91-day collection window:
Key Findings
1. US infrastructure accounts for 80.2% of all targeted sessions (45.2M records), with energy and financial services as primary verticals. Targeting intensity increased 340% following Operation Epic Fury.
2. SCADA/ICS exposure across North American critical infrastructure exceeds 400,000 identified sessions, with confirmed pre-positioning activity against water treatment and power distribution networks.
3. Seven distinct Iranian-nexus threat actors are operating with reduced central coordination, creating unpredictable and overlapping campaign patterns that complicate traditional attribution models.
4. The Gulf States theater shows 215,000 targeted sessions concentrated on financial infrastructure in the UAE, Saudi Arabia, and Bahrain, consistent with economic destabilization objectives.
5. Targeting of Canadian critical infrastructure (4.2M sessions) represents a significant escalation, with energy pipelines and telecommunications providers as primary targets.
6. Deep packet attribution identified 1,795 unique indicators linking campaign infrastructure to IRGC Cyber Command and MOIS technical units, with high-confidence nexus assessments.
Threat Actor Profiles
Seven Iranian-nexus threat actors were identified operating within the IRON VEIL collection window. The following attribution table summarizes nexus assessments and threat scores.
| Threat Actor | Nexus | Threat Score | Confidence |
|---|---|---|---|
| APT33 (Elfin / Peach Sandstorm) | IRGC | 9.0 / 10 | High |
| APT34 (OilRig / Helix Kitten) | MOIS | 8.0 / 10 | High |
| MuddyWater (Mercury) | MOIS | 8.0 / 10 | High |
| CyberAv3ngers | IRGC-CEC | 9.0 / 10 | High |
| Cotton Sandstorm (Emennet Pasargad) | IRGC | 7.0 / 10 | High |
| Agrius (Pink Sandstorm) | MOIS | 8.0 / 10 | High |
| Tortoiseshell (Imperial Kitten) | IRGC | 7.0 / 10 | High |
Full Report Contents
The complete Operation IRON VEIL report contains the following sections. Download the full PDF to access all findings, attribution data, and actionable recommendations.
Download the Full Report
Access the complete Operation IRON VEIL intelligence report including deep-packet attribution data, full MITRE ATT&CK mappings, SCADA/ICS exposure analysis, theater-by-theater breakdowns, predictive threat assessments, and 24 actionable defensive recommendations.
For emergency incident response or to activate Mjolnir Security's High-Intensity Threat Hunting (HITH) protocol, contact the Global Tracking Center at +1 833 403 5875 or visit mjolnirsecurity.com.