BLUF:
The Iranian regime is transitioning from reactive crisis management to a proactive digital isolation strategy to secure domestic stability. Recent breaches of state media and renewed civil unrest have accelerated plans for a “Barracks Internet,” while simultaneous offensive cyber operations and foreign influence campaigns indicate Tehran is increasingly weaponizing digital infrastructure to suppress dissent at home and sow discord within Western adversaries.
Key Judgements:
- KJ-1: The Iranian government is highly likely to implement a permanent, tiered national internet by late 2026. This “whitelist” system will designate global internet access as a state-vetted privilege, effectively severing the general population from unmonitored external communication.
- KJ-2: Recent inauthentic behavior clusters targeting French and Scottish independence movements are likely part of a broader IRGC-led influence operation designed to exploit Western sociopolitical fractures. The synchronization of these accounts with Iranian domestic internet outages confirms an Iran-based point of origin.
- KJ-3: The sophisticated phishing campaign targeting the Iranian diaspora and Middle Eastern officials represents a shift toward high-precision intelligence collection. I assess with moderate confidence that these operations aim to map opposition networks and preemptively disrupt coordination between domestic activists and external supporters.
Intelligence Analysis
I. Domestic Instability and the Media Breach
On Sunday, 18 January 2026, the Islamic Republic of Iran Broadcasting (IRIB) suffered a significant technical breach. Activists hijacked the Badr satellite feed to air footage of exiled Crown Prince Reza Pahlavi. The broadcast, which lasted approximately ten minutes, specifically called for the defection of military and security forces, a direct strike at the regime’s “center of gravity.” This incident demonstrates persistent vulnerabilities in state-controlled infrastructure despite heavy investment in cyber defense.
II. The “Barracks Internet” Initiative
In response to the December 2025 to January 2026 protest wave, Tehran has accelerated the “National Information Network” (NIN). Reporting indicates a move toward “Absolute Digital Isolation,” in which the general public is routed through a domestic intranet, while “White SIM cards” (unfiltered lines) are reserved for regime loyalists and security officials.
This architecture allows the regime to maintain economic functions (banking and logistics) during unrest while completely darkening the digital environment for protestors.
III. Transnational Influence Operations (France and Scotland)
Open-source evidence from 2025 and early 2026 reveals that clusters of “patriotic” accounts in France and “Scottish Independence” personas on X (formerly Twitter) are operated by Iranian cyber units. These accounts:
- Mimic local identities
- Go silent instantly when Iran suffers domestic internet or power outages
- In some cases, have pivoted to pro-Tehran messaging upon restoration of services
The primary objective is not the success of these movements, but the erosion of social cohesion within NATO and EU member states as a retaliatory measure for Western support of Iranian dissidents.
IV. Targeted Cyber Espionage
The recent phishing wave utilized the Phoenix backdoor and QR-code-based WhatsApp hijacking. Unlike broad cybercrime, this campaign is surgically focused on:
- Iranian experts/dissidents: To monitor regime change discourse.
- Regional officials: Including a Lebanese cabinet minister, to collect intelligence on shifting regional alliances.
- US-based experts: To identify potential channels of influence or intelligence being fed to Western governments.
Analysis of Alternatives (AoA)
- Alternative 1: Independent Non-State Actors. The TV hack and phishing could be the work of decentralized hacktivist groups (e.g., Edalat-e Ali) acting without foreign state support. While plausible for the breach, the scale and sustained nature of the “Barracks Internet” and the global IO clusters suggest state-level resources and strategic intent.
- Alternative 2: Technical Coincidence. The silencing of French/Scottish accounts could be attributed to platform-wide bot purges rather than Iranian internet outages. However, the exact temporal correlation with Iranian kinetic incidents (e.g., the June 2025 strikes) makes this highly improbable.
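The synchronization indicator from Section III, and the way it separates outage-bound accounts from the purge explanation in Alternative 2, sketched as an added example that is not part of the original assessment. Account names and timestamps are constructed; the Poisson posting model, the 0.05 threshold, and the 24-hour resume window are assumptions.

```python
import math
from datetime import datetime, timedelta

def hours(delta):
    return delta.total_seconds() / 3600

def silence_test(posts, outages, start, end, alpha=0.05):
    """Score one account: is its silence during outages unlikely to be chance?"""
    def in_outage(t):
        return any(b <= t < f for b, f in outages)
    outage_h = sum(hours(f - b) for b, f in outages)
    during = sum(1 for t in posts if in_outage(t))
    # Baseline posting rate (posts/hour) measured only outside the outage windows.
    rate = (len(posts) - during) / (hours(end - start) - outage_h)
    expected = rate * outage_h
    # Assumed Poisson model: chance of zero posts across all outage hours.
    p_zero = math.exp(-expected)
    # A purged or suspended account never returns; an outage-bound one resumes
    # within the (assumed) 24 hours after every outage ends.
    resumed = all(any(f <= t < f + timedelta(hours=24) for t in posts)
                  for _, f in outages)
    return {"expected": round(expected, 1), "during": during, "p_zero": p_zero,
            "resumed": resumed,
            "flag": during == 0 and p_zero < alpha and resumed}

# Constructed sample data: one week of observation, two 12-hour outage windows.
START = datetime(2026, 1, 1)
END = START + timedelta(days=7)
OUTAGES = [(START + timedelta(hours=54), START + timedelta(hours=66)),
           (START + timedelta(hours=120), START + timedelta(hours=132))]
EVERY_2H = [START + timedelta(hours=h) for h in range(0, 168, 2)]
ACCOUNTS = {
    # Hypothetical persona: posts every 2 hours, silent only during outages.
    "acct_a": [t for t in EVERY_2H if not any(b <= t < f for b, f in OUTAGES)],
    # Control: posts straight through both outages.
    "acct_b": EVERY_2H,
    # Purged account: stops at the first outage and never returns.
    "acct_c": [t for t in EVERY_2H if t < OUTAGES[0][0]],
}

def run():
    return {name: silence_test(p, OUTAGES, START, END)
            for name, p in ACCOUNTS.items()}

if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

Only `acct_a` is flagged: `acct_c` is just as silent during the outages, but it fails the resume check, which is the pattern a platform purge would produce.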
Final Assessment
The regime is entering a “Fortress Iran” phase. By decoupling from the global web, Tehran aims to make domestic coordination impossible while maintaining a digital sniper capability to target enemies abroad. Analysts should expect increased friction between the regime’s need for global economic integration and its survivalist need for total information control.