Unpacking Russian-Iranian Private-Sector Cyber Connections — Margin Research

by Justin Sherman
May 6, 2026

Reuters reported on April 7 that Ukraine is claiming that Russia is supplying Iran with “cyber support,” citing alleged interactions between Russian cybercriminal hackers and Iranian hacker groups. The Russian government denied the report on April 8.

This arrives on the heels of several other claims related to supposed Russian-Iranian cyber touchpoints during the current conflict. Flashpoint researchers, for example, said that Russian hacker group NoName057(16)—often described as hacktivists targeting public- and private-sector entities in NATO member states and other European countries since March 2022, and with an unclear Russian state nexus (or lack thereof)—claimed on March 9 that it carried out Distributed Denial of Service (DDoS) attacks against Israeli political parties and a defense contractor. Speaking to the press, the researchers said that a group called the Cyber Islamic Resistance (described as a pro-Iranian umbrella group for coordinating multiple hacktivist groups) worked with NoName057(16) to carry out the operation. These kinds of allegations spurred some discussion as to Russian-Iranian cyber and technology engagement and what, if any, support Russia may be able to provide to Iran.

In this article, I dive into some of the Russian-Iranian cyber connection points in the private sector. Without getting into the above news reports, this analysis underscores that Russian cybersecurity firms, including ones with close intelligence and defense ties, have been expanding their business in Iran in recent years. This includes provision of cyber defensive capabilities to state-managed threat monitoring efforts as well as the sale of network interception capabilities that Iran could use to surveil or disrupt connectivity to devices.

Amid continued conflict and reports of Iranian-Russian cyber engagement, understanding the nature of these relationships writ large—to explicitly include going beyond reported interactions between criminal groups and looking at entities within the state or closely tied to it—enables a better assessment of the evolving threat landscape.

Private-Sector Cyber Actors in Iran and Russia

Both Iran and Russia are home—as many other countries are—to a range of private-sector cybersecurity companies that support the state. Their government support functions can range from outright offensive activity and enablement (e.g., building exploits, running operations) to defensive activities (e.g., firewalls, intrusion detection systems, threat intelligence sharing) to education, training, talent recruitment, forward-looking research, and more.

For example, the Treasury Department sanctioned two Iranian companies in April 2024 that provide cyber support to the Islamic Revolutionary Guard Corps (IRGC): Mehrsam Andisheh Saz Nik (MASN), a front company for the IRGC’s Cyber Electronic Command (CEC), was described as a supporting entity to the Command’s operations and as “associated with” multiple Iranian advanced persistent threat (APT) groups; and Reza Kazemifar Rahman (Kazemifar), also evidently a front company for the CEC, was described as engaged in “operational testing of malware intended to target job seekers with a focus on military veterans.”

Without suggesting the Iranian and Russian private-sector cyber ecosystems are the same, Russian government agencies employ private-sector contractors, too, such as for defensive support, offensive capabilities, and intelligence agency recruitment. These Russian government cyber contractors include the likes of Positive Technologies, a Russian cybersecurity firm that supports the Federal Security Service (FSB) and other agencies and helps the FSB and the military intelligence agency (GRU) recruit hackers; Neobit, which conducts R&D in support of FSB, GRU, and Foreign Intelligence Service (SVR) cyber operations; and Pasit, which conducts R&D in support of SVR cyber operations in particular. And the list goes on.

A review of available open-source information underscores that Iranian government cyber contractors, Russian government cyber contractors, and other key government and industry players in the respective countries have been expanding various partnerships in recent years on cybersecurity and related areas.

Example: Russian Cyber and Surveillance Firms in Iran

Russia’s Ministry of Digital Development said in July 2023 it was in conversations with the Iranian government about further partnerships in exporting domestic (i.e., Russian) software and strengthening data transmission channels. These companies included Rostelecom, Rostelecom-Solar, Positive Technologies, Speech Technology Center, Protey Scientific and Technical Center, Russian Post, and others. Positive Technologies, as mentioned, is an FSB contractor and involved in other ways with Russia’s defense and intelligence cyber base.

Protey (aka Protei Ltd.), to give another example, is a Russian telecommunications firm that Iranian mobile service provider Ariantel hired to provide user authentication, deep packet inspection (DPI), mobile network signaling, and other capabilities. Documents published by the Citizen Lab indicate that Protei is part of Iran’s legal intercept system (i.e., for telecommunications collection) and could be used, in concert with other firms’ tools, to “directly monitor, intercept, redirect, degrade, or deny all Iranians’ mobile communications, including those who are presently challenging the regime.” These are capabilities Protei already reportedly provides to authorities in Russia, which has an extensive and growing domestic surveillance apparatus. Protei, among others, also built out 4G networks in Afghanistan in 2024.

In April 2025, Russia’s state-run National Research University (MPEI), which has cooperated with Iranian government and university actors since 1962, hosted a delegation from Iran’s National Cybersecurity Authority along with representatives from Positive Technologies. Positive Technologies presented some of its work to secure energy facilities as well as its work on trusted AI in the energy sector, and both sides discussed the prospects for joint research and building further energy cybersecurity capabilities. “Secure facilities” is notable language here, as Positive Technologies does indeed market penetration testing and other cybersecurity capabilities at the same time as it reportedly provides vulnerability discovery, exploit development, and capability reverse-engineering services to the FSB.

Photo from April 2025 event with Russia’s National Research University, Iran’s National Cybersecurity Authority, and Positive Technologies, among others.

While it does not clearly describe this in its online materials, Positive Technologies has reportedly had local teams in Iran, at least in 2024, to sell its products. In July 2024, the Iranian government approved Positive Technologies (along with Indian company Acron and Chinese company Sangfour) to provide managed threat detection and response services centrally inside Iran under the supervision of the Presidential Strategic Management Center.

Positive Technologies has undertaken this expanded role in cybersecurity protection of systems in Iran under government supervision as part of a broader push to expand into the Middle East and North Africa region. For example, Positive Technologies provides a range of cyber services in Saudi Arabia and the UAE, among others, with a particular focus on industrial IT and OT infrastructure. It also published an extensive report on Iran’s cybersecurity landscape in 2024 explicitly geared towards engaging Iranian audiences. That the report cites the company’s own insights further suggests that Positive has enough presence on networks in Iran to have insights there in the first place.

Events such as the one pictured above—a collaboration between a Russian state-managed research university, Iranian cyber officials, and a known Russian cyber intelligence contractor, among others—are therefore likely mechanisms for companies such as Positive Technologies to expand their business in Iran. To what ends is unclear.

Example: Iranian Cyber Intelligence Contractor Engagements in Russia

In 2024, ANO Digital Economy, founded in Moscow to implement the Russian government’s national “Digital Economy” program, hosted a delegation led by the Tehran Chamber of Commerce, the Iranian Knowledge-Based Organizations Forum, the Iranian National Innovation Fund, and others. The visit included an Iran-Russia Information and Communication Technology Forum wherein Iranian and Russian companies explained their activities and products, and the day concluded with a business-to-business negotiation session for companies from the respective countries.

That same year, the Iranian cybersecurity company Ravin Academy attended Positive Hack Days, the flagship conference and capture-the-flag competition that Positive Technologies puts on and that the Russian intelligence services use to recruit hackers. The US government sanctioned Ravin Academy in 2022, saying it was founded by two members of Iran’s Ministry of Intelligence and Security (MOIS) with the direction to train and recruit hackers. Ravin also, per the US government, provides information security training, threat hunting, cybersecurity, red team, digital forensics, malware analysis, security auditing, penetration testing, network defense, incident response, vulnerability analysis, mobile penetration testing, reverse engineering, and security research to the MOIS. The Ravin Academy’s attendance at a Russian cybersecurity conference closely tied to Russia’s security services raises questions about the nature of its attendance (e.g., if there were separate meetings) and the potential for knowledge-sharing on offensive or defensive cybersecurity subjects.

Conclusion

Private-sector cybersecurity companies play key roles in the Russian and Iranian cyber ecosystems across offensive capability deployment, talent cultivation, recruitment, defensive capabilities and services, international connectivity and partnerships, and more. It is clear that Russian and Iranian cybersecurity companies, including those with close ties to their respective states’ security services, have been expanding their touchpoints and engagements in recent years. Core focus areas include cyber threat monitoring and IT and OT cybersecurity, among others, and they prompt many open questions, such as what exactly some of the companies may be doing behind the scenes.

More specific analysis of Russian and Iranian cyber connection points would provide further insights into the presence or lack of cooperation, the nature of that cooperation (e.g., at what level, for what purposes), and any relevant risks for other stakeholders. A more detailed analysis would also include coverage of other government-government cyber touchpoints and a look at other government-supporting entities, such as universities and individuals. Key questions to explore further include:

  • What specific business agreements or contracts have been established between Russian and Iranian private-sector cyber firms that support their governments?
  • How do Russian or Iranian universities that may have known links to their national security establishments cooperate in cybersecurity-related coursework, training, or knowledge exchanges?
  • Across the spectrum of Russian-Iranian private-sector cybersecurity touchpoints, as well as touchpoints in related sectors (e.g., government-supporting universities), what technology research areas are of highest interest and most recent attention?
