
Federal Bureau of Investigation, Flash Alert: IP Addresses and Domains Used by Likely Iran-Based Cyber Actors to Attack Victims Worldwide, July 25, 2017. Unclassified.


National Security Archive

May 23, 2026 (10 min read)

The FBI’s 2017 flash alert publicly tied a swath of malicious IPs to Iran‑based actors, marking a watershed in U.S. attribution and cyber‑defense collaboration.

Date: Jul 25, 2017. Archive: Public Intelligence.


Editorial Analysis

Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.

An FBI Flash Alert in the Age of State‑Sponsored Cyber Campaigns

The July 25 2017 flash is a routine‑looking “TLP: Amber” bulletin, but it is a snapshot of a pivotal moment when U.S. law‑enforcement began to publicly name Iran‑linked actors as part of a broader shift toward attributing cyber‑espionage to nation‑states. The FBI’s Cyber Division issued the alert after a joint investigation with private‑sector partners identified a set of 87 IP addresses and 136 domains that were repeatedly used to deliver spear‑phishing and watering‑hole payloads against ministries, universities and energy firms in the Middle East, Europe and the United States. The document’s headline—“IP Addresses and Domains Used by Likely Iran‑Based Cyber Actors”—signals a departure from earlier, vague advisories that merely warned of “malicious activity” without geopolitical framing.

Context: Iran’s Growing Cyber Footprint, 2015‑2017

The alert references activity “since at least early‑2015,” aligning it with the period when Iran’s cyber‑espionage units, most notably the Islamic Revolutionary Guard Corps (IRGC)‑affiliated APT33 and APT34, expanded their reach beyond regional targets. Those groups were implicated in the 2015 “Shamoon 2” attacks on Saudi oil infrastructure and a series of phishing campaigns against aerospace firms. By 2017, U.S. intelligence had amassed enough technical and human‑source evidence to link specific virtual‑private‑server (VPS) rentals in the United States to Iranian operators. The flash therefore serves as an operational bridge between classified intelligence assessments and the civilian cyber‑defense community, urging network administrators to block the listed indicators while subtly broadcasting the attribution.

Who Is Speaking, and What Their Language Reveals

The bulletin is signed only as “FBI FLASH, Cyber Division,” but the internal designation “ML‑000084‑DM” indicates a “Malware” product line, and the repeated “WE NEED YOUR HELP!” call‑to‑action reflects the FBI’s long‑standing “partner‑centric” model: law‑enforcement supplies indicators, private firms supply telemetry, and together they build a shared situational picture. The emphasis on “no guarantees or warranties” is a legal shield, yet the document’s confidence—phrases like “the majority of the victims were located in Middle Eastern countries known to be traditional adversaries of the Iranian regime”—betrays a strategic intent to cast Iran as a hostile cyber actor in the public arena.

Reading Between the Lines: Infrastructure, Attribution, and Strategy

The alert’s technical annex lists a concentration of IP blocks owned by major cloud providers (e.g., Amazon AWS, Microsoft Azure) and a handful of obscure registrars. The FBI notes that at least one domain was registered by a “presumed Iranian national” with a Tehran address, a detail that serves two purposes: it anchors the attribution in a tangible person‑of‑interest, and it warns that even seemingly innocuous hosting services can be weaponized. The mention that traffic “transits US‑based infrastructure to IP addresses located in Iran” underscores a classic “proxy‑through‑the‑West” tactic, complicating defensive filtering because the malicious traffic appears to originate from reputable U.S. networks.

Significance and Legacy

The flash is an early example of what would later become the FBI’s “Cyber Threat Intelligence” (CTI) products that routinely publish attribution‑rich indicators. Its public release contributed to a wave of private‑sector hardening—many security vendors added the listed IPs to their blocklists, and several affected organizations reported successful mitigations. More importantly, the alert foreshadowed the diplomatic friction that erupted after the 2018 “Operation Saffron Rose” indictments, where the U.S. formally charged Iranian nationals for cyber‑espionage. By naming Iran in 2017, the FBI helped set the narrative that state‑sponsored hacking was not a covert, academic concern but a national‑security threat demanding coordinated response.

In hindsight, the flash also illustrates the limits of “indicator‑based” defense. While blocking the enumerated addresses can stop known campaigns, the same actors can simply spin up new VPS instances, rendering static lists quickly obsolete. The document’s recommendation to adopt “application whitelisting” and “incident response plans” reflects an evolving understanding that resilience—not just detection—is the ultimate safeguard against a persistent, state‑backed adversary.

The Bulletin’s Enduring Relevance

For scholars of cyber‑warfare, the July 2017 flash is a primary‑source window into how U.S. agencies began to operationalize attribution, blend intelligence with public‑sector outreach, and frame cyber‑espionage within the lexicon of geopolitical conflict. Its language, structure, and technical content continue to inform contemporary CTI products and remind us that the tug‑of‑war over digital infrastructure is as much about narrative as it is about code.
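As an added illustration (not part of the FBI product or of the DriftSeas analysis) of what "activity related to these IPs and domains detected on a network" looks like in practice: a small matcher that loads a whitespace-separated indicator list in the attachment's format and scans DNS and proxy log lines, treating subdomains of a listed domain as hits while avoiding plain substring false positives. The indicator values, hostnames and log lines below are constructed placeholders, not the flash's own indicators.

```python
"""Indicator matcher for a FLASH-style attachment (whitespace-separated IPs
and domains). Added example; values below are constructed placeholders."""
import ipaddress
import re

# Constructed stand-in for the attachment (RFC 5737 addresses, .example names).
FLASH_INDICATORS = """
198.51.100.17 198.51.100.18 203.0.113.9
updates-vendor.example js.cdn-lookalike.example
"""

def parse_indicators(text):
    """Split the list into an IP set and a domain set. Domains are lowercased
    with trailing dots removed so 'A.EXAMPLE.' and 'a.example' match."""
    ips, domains = set(), set()
    for tok in text.split():
        try:
            ips.add(str(ipaddress.ip_address(tok)))
        except ValueError:
            domains.add(tok.lower().rstrip("."))
    return ips, domains

def domain_listed(host, domains):
    """True if host equals a listed domain or is a subdomain of one; a plain
    substring test would also flag 'notupdates-vendor.example', which this avoids."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

# Constructed log shapes: a BIND-style query log line and a squid-style proxy line.
DNS_RE = re.compile(r"query: (?P<host>\S+) IN")
PROXY_RE = re.compile(r"TCP_\w+/\d+ \d+ \w+ (?:https?://)?(?P<dst>[^/: ]+)")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def scan_logs(lines, ips, domains):
    """Return (line_number, indicator) for lines touching a listed IP or domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_RE.search(line) or PROXY_RE.search(line)
        targets = [m.group(m.lastgroup)] if m else []
        targets += IPV4_RE.findall(line)  # listed IP on either side of the flow
        for t in targets:
            if t in ips or domain_listed(t, domains):
                hits.append((n, t))
                break
    return hits

SAMPLE_LOGS = [  # constructed
    "27-Jul-2017 10:01:02.123 client 10.0.0.5#5353: query: js.cdn-lookalike.example IN A + (10.0.0.1)",
    "1501149662.115 120 10.0.0.7 TCP_MISS/200 512 GET http://198.51.100.17/update.php - DIRECT/198.51.100.17 text/html",
    "1501149700.000 80 10.0.0.7 TCP_MISS/200 900 GET https://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "27-Jul-2017 10:02:00.000 client 10.0.0.9#5353: query: notupdates-vendor.example IN A + (10.0.0.1)",
    "27-Jul-2017 10:02:05.000 client 10.0.0.9#5353: query: mail.updates-vendor.example IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    for n, ind in scan_logs(SAMPLE_LOGS, *parse_indicators(FLASH_INDICATORS)):
        print(f"line {n}: listed indicator {ind}")
```

A real deployment would refresh the list as infrastructure is rotated, which is exactly the weakness the analysis above notes about static indicator blocking.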


Page 1

TLP:AMBER FBI FLASH FEDERAL BUREAU OF INVESTIGATION, CYBER DIVISION

25 JUL 2017

Alert Number ML-000084-DM

WE NEED YOUR HELP! If you find any of these indicators on your networks, or have related information, please contact FBI CYWATCH immediately. Email: cywatch@ic.fbi.gov Phone: 1-855-292-3937

Note: By reporting any related information to FBI CyWatch, you are assisting in sharing information that allows the FBI to track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks.

The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients in order to protect against cyber threats. This data is provided to help cyber security professionals and system administrators guard against the persistent malicious actions of cyber criminals.

This FLASH has been released TLP:AMBER: Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm.

IP Addresses and Domains Used by Likely Iran-Based Cyber Actors to Attack Victims Worldwide

Summary

The FBI assesses a group of malicious cyber actors—likely located in Iran—use Virtual Private Server infrastructure hosted in the United States to compromise government, corporate, and academic computer networks based in the Middle East, Europe and the United States. This infrastructure is used in conjunction with identified malicious domains to support a broad cyber campaign which likely includes the use of e-mail spear phishing, social engineering, and malicious Web sites ("watering hole attack"). These cyber actors almost certainly have been involved in this activity since at least early-2015.

Through a combination of FBI and private sector analysis, it is likely the actors involved with this activity are located in Iran. At least some victim information from this cyber activity transits US-based infrastructure to IP addresses located in Iran. At least one identified malicious domain was registered by a presumed Iranian national connected to a physical address in Tehran, Iran. The majority of the victims were located in Middle Eastern countries known to be traditional adversaries of the Iranian regime.

TLP:AMBER

Page 2


Technical Details

Attached to this FLASH is a list of 87 IP addresses and 136 domain names associated with this cyber activity. Activity related to these IPs and domains detected on a network should be considered an indication of compromise requiring mitigation.

Recommended Mitigations

Precautionary measures to mitigate this activity are:

  • Prepare an incident response plan to be rapidly implemented in case of a cyber intrusion.
  • Patch all systems for critical vulnerabilities, prioritizing timely patching of Internet-connected servers and software that processes Internet data such as Web browsers, browser plugins, and document readers.
  • Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
  • Implement application whitelisting to block execution of malware, or at least block execution of files from TEMP directories where most malware attempts to execute from.

Reporting Notice

The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or the FBI's 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by e-mail at CyWatch@ic.fbi.gov. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Press inquiries should be directed to the FBI's National Press Office at npo@ic.fbi.gov or (202) 324-3691.


Page 3


Administrative Note

This product is marked TLP:AMBER. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm.


Page 4


Your Feedback on the Value of this Product Is Critical

Was this product of value to your organization? Was the content clear and concise? Your comments are very important to us and can be submitted anonymously. Please take a moment to complete the survey at the link below. Feedback should be specific to your experience with our written products to enable the FBI to make quick and continuous improvements to such products. Feedback may be submitted online here: https://www.ic3.gov/PIFSurvey

Please note that this survey is for feedback on content and value only. Reporting of technical information regarding FLASH reports must be submitted through FBI CYWATCH.


Page 10

NATIONAL SECURITY ARCHIVE

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu
