Silence Is a Tactic
Tehran does not hand out business cards to units that exist to break things in the dark. The IRGC's Cyber Division 190 is one of them. While Iranian diplomats smile for the cameras and insist their nuclear program is peaceful, this unit spends its days probing American water systems, Gulf energy networks, and Israeli civilian platforms. The mullahs have learned that a missile test draws sanctions and satellite photos, but a well-timed breach of a programmable logic controller earns only a quiet press release from CISA. That asymmetry is the whole point. Division 190 is not a rogue cell. It is a state enterprise, shielded by the IRGC's Cyber Electronic Command, fed by front companies, and protected by the plausible deniability that comes from routing attacks through hacktivist costumes and criminal marketplaces. The unit Tehran refuses to name has become one of the most consequential threats to American infrastructure that most Americans have never heard of.
The Trail Is Harder to Hide Than the Hackers
The regime's operational security is disciplined, yet the results are too large to bury. Microsoft's 2024 Digital Defense Report, covering activity from July 2023 through June 2024, documented IRGC-linked actors marketing stolen data from an Israeli dating website through personas tied to a group Microsoft tracks as Cotton Sandstorm. The same report found Iranian nation-state hackers using ransomware as part of cyber-enabled influence operations, blurring the line between espionage and extortion in ways that signal state backing, not criminal freelancing. Those are not the moves of amateurs in a basement. They are the moves of an organization with budgets, targeting lists, and lawyers who answer only to the supreme leader.
Between November 2023 and January 2024, CISA, the FBI, the NSA, and the Department of Defense Cyber Crime Center confirmed that IRGC-affiliated actors had compromised dozens of U.S. devices in a global campaign. The targets were Israeli-made Unitronics programmable logic controllers and human-machine interfaces, the kind of industrial equipment that keeps water treatment plants, energy facilities, food manufacturers, and healthcare systems running. Many of those devices were exposed to the public internet with factory-default passwords or no passwords at all. Division 190 and its partners did not need a zero-day exploit. They simply walked through the front door that American negligence left unlocked.
Then came the October 2024 joint advisory from the same agencies, warning that since October 2023 Iranian actors had used brute force and password spraying to compromise user accounts, modify multi-factor authentication registrations, and maintain persistent access inside sensitive networks. The advisory described the same pattern again and again: find weak credentials, burrow in, harvest more access, and sell or share the foothold with partners. That is not opportunistic crime. It is pre-positioning for a future order, the kind of presence that can shift from intelligence collection to disruption on a weekend when tensions spike.
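The spray-then-burrow pattern described above is easier to catch when authentication events are correlated rather than read one at a time. As an added example that is not from the article or the advisory, this Python snippet flags a source that fails against many distinct accounts in a short window, then succeeds, then changes MFA registration on the account it entered; the log format, field names, thresholds and sample events are constructed assumptions.

```python
# Added example (not from the article): correlate password spraying with a
# follow-on MFA registration change. Log format and field names are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
SPRAY_THRESHOLD = 5              # distinct accounts failing from one source
SPRAY_WINDOW = timedelta(minutes=10)
MFA_FOLLOWUP = timedelta(hours=1)

# Constructed sample: one source sprays, lands an account, enrolls MFA on it.
SAMPLE_LOG = """\
2024-02-01T02:00:01Z login src_ip=203.0.113.7 user=alice result=fail
2024-02-01T02:00:03Z login src_ip=203.0.113.7 user=bob result=fail
2024-02-01T02:00:05Z login src_ip=203.0.113.7 user=carol result=fail
2024-02-01T02:00:07Z login src_ip=203.0.113.7 user=dave result=fail
2024-02-01T02:00:09Z login src_ip=203.0.113.7 user=erin result=fail
2024-02-01T02:00:11Z login src_ip=203.0.113.7 user=frank result=success
2024-02-01T02:03:40Z mfa_register src_ip=203.0.113.7 user=frank result=success
2024-02-01T09:15:00Z login src_ip=198.51.100.4 user=alice result=fail
2024-02-01T09:15:20Z login src_ip=198.51.100.4 user=alice result=success
"""

def parse_events(text):
    """Parse 'timestamp event key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event, *kv = line.split()
            fields = dict(pair.split("=", 1) for pair in kv)
            fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            fields["event"] = event
            events.append(fields)
    return events

def detect(events):
    """Return (alert_type, src_ip, user) tuples in time order."""
    fails = defaultdict(list)      # src_ip -> [(ts, user)] for failed logins
    sprayers, landed, alerts = set(), {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        ip, user, ts = e["src_ip"], e["user"], e["ts"]
        if e["event"] == "login" and e["result"] == "fail":
            fails[ip].append((ts, user))
            recent = {u for t, u in fails[ip] if ts - t <= SPRAY_WINDOW}
            if len(recent) >= SPRAY_THRESHOLD and ip not in sprayers:
                sprayers.add(ip)
                alerts.append(("password_spray", ip, None))
        elif e["event"] == "login" and e["result"] == "success" and ip in sprayers:
            landed[(ip, user)] = ts   # a sprayed source got into this account
            alerts.append(("spray_success", ip, user))
        elif e["event"] == "mfa_register" and (ip, user) in landed:
            if ts - landed[(ip, user)] <= MFA_FOLLOWUP:
                alerts.append(("mfa_modified_after_spray", ip, user))
    return alerts
```

The second source in the sample (one user, one retry) produces no alert, which is the distinction that keeps this rule from paging on ordinary typos.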
Diplomacy Cannot Patch a Backdoor
Some in Washington still believe the answer is another round of talks, more paper promises, and a carefully worded communique about cyber norms. That approach is a fantasy when the other side treats your networks as occupied territory. The Biden administration spent years signaling restraint, and the IRGC responded by turning up the dial. Division 190 does not respect declarations. It respects consequences.
The first step is public attribution. Name the commanders. Sanction the front companies that pay the operators. Revoke visas for their families. The Treasury Department has the tools; what it has lacked is the will to use them consistently. The second step is mandatory baseline security for operators of critical infrastructure. No water plant, pipeline, or power substation should be reachable from the public internet with a default password. The October 2024 advisory proved that Iranian actors are not breaking into fortresses; they are checking whether anyone bothered to lock the gate. Congress should make minimum cyber hygiene a condition of federal licenses, grants, and liability protection.
The private sector should face the same pressure. Insurance carriers should refuse to underwrite operators that will not segment their operational technology networks from the public internet. Software vendors should be held liable when they ship industrial controls without secure defaults. Regulators should stop treating water plants and small utilities as though they are corner stores that happen to run pumps and turbines.
The third step is strategic clarity. The United States should make clear that a destructive cyberattack on critical infrastructure will be treated as an attack on the homeland, full stop. Tehran should know that taking down a regional power grid or poisoning a water system will trigger a response that reaches the IRGC's balance sheet and its leadership, not just its servers.
The Real Test Is Resolve
Division 190 will keep operating because the Islamic Republic believes the West is too divided, too legalistic, and too timid to stop it. Every unenforced red line, every quiet payment to hackers, and every infrastructure owner who leaves a default password in place tells Tehran it can keep punching without getting hit back. The unit may be hidden, but its effects are visible in the CISA alerts, the Microsoft reports, and the water plants that have already been breached.
Conservatives have long argued that weakness invites aggression. The IRGC's Cyber Division 190 is the latest proof. Tehran does not talk about it because it works better in the shadows. It is past time for Washington to drag it into the light and make the cost of its work unbearable. The next attack is not a matter of if. It is a matter of when Washington decides to act.