Full Report
For a long time, the Iranian government has treated free internet access as a privilege that is extended by the state to those willing to carry its message and withheld from everyone else. Around four hours after Israeli and American strikes began, internet traffic collapsed by 98 percent — a near-total blackout. Iran’s communications infrastructure was deliberately dismantled by the…
Analysis Summary
# Incident Report: State-Imposed Internet Blackout (Iran)
## Executive Summary
In response to Israeli and American kinetic military strikes and domestic civil unrest, the Iranian government intentionally dismantled its own communications infrastructure, resulting in a 98% collapse of internet traffic. This near-total blackout was leveraged by the state to control the information environment, suppress protest movements, and conceal internal activities from the international community. The incident demonstrates a "kill-switch" capability used as a tool of domestic repression under the guise of national security.
## Incident Details
- **Discovery Date:** February 28, 2026
- **Incident Date:** Recurring; most recent total shutdown Feb 28, 2026
- **Affected Organization:** National Telecommunications Infrastructure (Iran)
- **Sector:** Communications / Government
- **Geography:** Iran (National)
## Timeline of Events
### Initial Access
- **Date/Time:** January 8, 2026 (Initial Shutdown) / February 28, 2026 (Major Blackout)
- **Vector:** Authorized Administrative Access (State-mandated)
- **Details:** The Iranian government utilized its centralized control over Internet Service Providers (ISPs) and the national gateway to initiate a deliberate shutdown.
### Lateral Movement
- **Details:** Not applicable in a traditional cyber sense; action was propagated through state-controlled telecommunications hierarchies to all regional transit points.
### Data Exfiltration/Impact
- **Impact:** Total loss of connectivity for approximately 85 million people. Internet traffic collapsed by 98% within four hours of military strikes.
### Detection & Response
- **Detection:** Global internet monitors (e.g., NetBlocks, IODA) and external observers noted a sudden drop in BGP (Border Gateway Protocol) announcements and traffic volume.
- **Response Actions:** The state restricted access for several weeks; international volunteers responded by donating bandwidth and proxy resources to bypass restrictions.
## Attack Methodology
- **Initial Access:** Government mandate via the Ministry of Information and Communications Technology.
- **Persistence:** Maintaining control over the "National Information Network" (Intranet).
- **Privilege Escalation:** Not applicable (State actors already hold root authority over infrastructure).
- **Defense Evasion:** Use of "national security" as a legal/official justification to mask human rights abuses.
- **Credential Access:** Administrative control over core routers and ISP licenses.
- **Discovery:** Monitoring of domestic traffic to identify and target resistance nodes.
- **Lateral Movement:** Propagation of shutdown commands across state-owned infrastructure.
- **Collection:** Interception of unencrypted domestic traffic during "partial" relief periods.
- **Exfiltration:** N/A.
- **Impact:** Near-total service disruption (blackout); dismantling the internet was officially justified as denying "adversary targeting intelligence."
## Impact Assessment
- **Financial:** Massive disruption to digital commerce, banking, and international trade (costs estimated in the hundreds of millions USD daily).
- **Data Breach:** While not a data theft incident, it resulted in a "breach" of the right to information.
- **Operational:** Near-total shutdown of civilian, educational, and non-state business operations.
- **Reputational:** Significant international condemnation and highlighting of the regime's digital authoritarianism.
## Indicators of Compromise
- **Network Indicators:** Sudden 98% drop in BGP routing table entries; unreachable IP ranges belonging to Iranian ASNs (Autonomous System Numbers).
- **Behavioral Indicators:** State-issued public statements justifying "temporary" shutdowns for security protocols.
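The network indicator above (a sudden collapse in the number of visible BGP prefixes for a country's ASNs, as seen by outside monitors such as those named under Detection) can be flagged with a simple baseline-versus-current check. The block below is an added example, not code from the report or from any monitoring project; the ASN labels, prefix counts, sampling interval and 90% threshold are constructed placeholders.

```python
"""Flag a near-total loss of BGP prefix visibility per ASN and in aggregate."""
from datetime import datetime, timedelta

# Constructed sample input (not real measurements): visible-prefix counts per
# ASN every 30 minutes. "AS-A", "AS-B", "AS-C" are placeholders, not real ASNs.
T0 = datetime(2026, 2, 28, 0, 0)
STEP = timedelta(minutes=30)


def series(counts):
    """Attach a timestamp to each count, STEP apart starting at T0."""
    return [(T0 + i * STEP, c) for i, c in enumerate(counts)]


SAMPLES = {
    "AS-A": series([1200, 1198, 1205, 1201, 1199, 1203, 900, 300, 40, 25, 24, 23]),
    "AS-B": series([480, 482, 479, 481, 480, 478, 470, 150, 12, 10, 9, 9]),
    "AS-C": series([60, 61, 60, 59, 60, 60, 61, 60, 59, 60, 60, 61]),  # unaffected
}


def detect_drop(points, baseline_n=6, threshold=0.90):
    """Return (onset_time, drop_fraction) for the first sample whose visible
    prefix count has fallen by >= threshold versus the mean of the first
    baseline_n samples; return None when no such collapse occurs."""
    if len(points) <= baseline_n:
        return None  # not enough history to form a baseline
    baseline = sum(c for _, c in points[:baseline_n]) / baseline_n
    if baseline == 0:
        return None  # nothing was visible to begin with
    for ts, count in points[baseline_n:]:
        drop = 1 - count / baseline
        if drop >= threshold:
            return ts, round(drop, 3)
    return None


def assess(samples, baseline_n=6, threshold=0.90):
    """Per-ASN verdicts plus an aggregate verdict over the summed counts,
    so a country-wide event is caught even if single ASNs look noisy."""
    per_asn = {a: detect_drop(p, baseline_n, threshold) for a, p in samples.items()}
    names = list(samples)
    n = min(len(samples[a]) for a in names)
    total = [(samples[names[0]][i][0], sum(samples[a][i][1] for a in names))
             for i in range(n)]
    return per_asn, detect_drop(total, baseline_n, threshold)


if __name__ == "__main__":
    print(assess(SAMPLES))
```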
## Response Actions
- **Containment Measures:** State-controlled "kill-switch" implementation.
- **Eradication Steps:** (By external actors) Implementation of VPNs, Tor bridges, and donated bandwidth.
- **Recovery Actions:** Partial restoration of services on Jan 28, 2026, though heavily filtered.
## Lessons Learned
- **Architecture of Suppression:** A centralized internet gateway allows a state to weaponize its own infrastructure against its population in minutes.
- **Correlation with Kinetic Events:** State-sponsored blackouts are increasingly timed to coincide with military strikes or civil unrest to manage "information optics."
- **Ineffectiveness against Military:** The article notes the blackout did not significantly limit the capabilities of sophisticated military adversaries, only civilians.
## Recommendations
- **Decentralization:** Support for decentralized connectivity tools (satellite internet, mesh networks) to bypass central gateways.
- **Infrastructure Auditing:** International organizations should maintain "out-of-band" communication channels for personnel within the geography.
- **Monitoring:** Continued investment in real-time global connectivity monitoring to provide rapid evidence of state-sponsored disruptions.