How US‑Backdoored Firmware Crippled Iran’s Core Network Devices Despite a 52‑Day Internet Cutoff
Iran alleges that the United States used pre‑installed firmware backdoors and a device‑level botnet to paralyze core network equipment from Cisco, Juniper and MikroTik, proving that physical internet isolation cannot protect against supply‑chain cyber attacks.
Event Overview
On 21 April 2026, The Register reported that Iran accused the United States of using pre‑installed backdoors and a device‑level botnet to paralyze a large number of core network communication devices in Iran, even after the country had isolated itself from the global Internet for 52 days.
Background and Impact
Iran had shut down most civilian Internet traffic, creating a “digital island”. Conventional wisdom holds that cutting off external connectivity prevents remote attacks, yet Iranian officials observed unprompted reboots, forced disconnections and system crashes on routers and switches from Cisco, Juniper and MikroTik, causing widespread outages in government, finance and telecom services.
Iran’s Two Main Accusations
1. Firmware/bootloader backdoor – The Iranian technical team claims hidden code was embedded in the firmware or bootloader of the devices, allowing activation via satellite signals or a preset timer. The backdoor is described as extremely stealthy, able to survive factory resets, and possessing full administrative privileges to reboot, disconnect or format the device.
2. Device‑level botnet – The same devices are alleged to have been enrolled in a proprietary botnet during manufacturing, transport or deployment. The malicious code can operate without any Internet connection; once powered on, it waits for commands and can be triggered remotely.
Historical Precedents
The article cites Operation Midnight Hammer (June 2025), where the U.S. combined air strikes with cyber attacks against Iranian nuclear facilities, and the 2013 “PRISM” disclosures that showed the NSA inserting backdoors into equipment from Cisco, Juniper and other vendors. These examples form an “evidence chain” that the United States has long used network‑equipment supply chains as a weapon.
Technical Analysis: Why a Cut‑off Doesn’t Help
Traditional perimeter defenses (firewalls, IDS, network isolation) only protect against attacks that travel over IP networks. Firmware backdoors reside in the hardware‑level software, require no network traffic, and can be triggered by satellite signals, hardware timers or other out‑of‑band mechanisms. Over 90 % of network‑equipment vendors do not sign firmware, leave debug interfaces enabled, and lack integrity verification; these three weaknesses are what make such attacks possible.
Because the malicious code is implanted upstream, it persists for the device’s entire lifecycle and cannot be removed by rebooting, reflashing or restoring factory settings.
Broader Implications
The involvement of MikroTik, a Latvian company that markets EU‑based development, demonstrates that even non‑US vendors are vulnerable to U.S.-originated supply‑chain compromises. The article argues that reliance on globalized supply chains hands over critical‑infrastructure security to the equipment‑producing nation.
Recommendations
Achieve 100 % domestic control over core routing, switching and firewall hardware, from chips to firmware.
Mandate firmware audits, digital signing of firmware images, and the disabling of debug ports.
Shift from perimeter‑only defenses to a layered “hardware‑firmware‑system‑application” security model.
Develop international norms that prohibit the weaponisation of network equipment.
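The technical analysis above names unsigned firmware and missing integrity verification as the weaknesses that let an implanted image survive on a device, and the recommendations call for firmware signing and audit. The following Go program is an added example, not code from The Register article or from any of the vendors named; it shows what a minimal signed‑firmware check looks like on the device side. The image layout (magic, version, length, payload, SHA‑256, Ed25519 signature) is an assumption invented for this example, not any vendor's real format, and the keys are generated on the fly rather than being a real vendor root of trust.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout (an assumption for this example, not a vendor format):
//   magic(4) | version(4, big-endian) | payloadLen(4, big-endian) | payload | sha256(32) | ed25519 sig(64)
// The signature covers everything before it, so version and length are authenticated too.
const (
	magic     = "FWIM"
	headerLen = 4 + 4 + 4
	digestLen = sha256.Size
	sigLen    = ed25519.SignatureSize
)

var (
	ErrBadMagic  = errors.New("firmware: bad magic")
	ErrTruncated = errors.New("firmware: image truncated or length field wrong")
	ErrSignature = errors.New("firmware: signature invalid")
	ErrDigest    = errors.New("firmware: payload digest mismatch")
	ErrRollback  = errors.New("firmware: version older than minimum allowed")
)

// BuildImage is the signing side (what a vendor's release pipeline would do).
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	sum := sha256.Sum256(payload)
	buf.Write(sum[:])
	buf.Write(ed25519.Sign(priv, buf.Bytes())) // sign header+payload+digest
	return buf.Bytes()
}

// VerifyImage is the device side: nothing in the image is trusted until the
// signature under the pinned public key checks out. minVersion blocks rollback
// to an older (possibly vulnerable) but still validly signed image.
func VerifyImage(pub ed25519.PublicKey, minVersion uint32, img []byte) (uint32, error) {
	if len(img) < headerLen+digestLen+sigLen {
		return 0, ErrTruncated
	}
	if string(img[:4]) != magic {
		return 0, ErrBadMagic
	}
	version := binary.BigEndian.Uint32(img[4:8])
	plen := int(binary.BigEndian.Uint32(img[8:12]))
	// The length field is attacker-controlled until verified: check it against the
	// real image size before using it to slice, so a bogus value cannot cause a panic.
	if len(img) != headerLen+plen+digestLen+sigLen {
		return 0, ErrTruncated
	}
	payload := img[headerLen : headerLen+plen]
	digest := img[headerLen+plen : headerLen+plen+digestLen]
	signed := img[:headerLen+plen+digestLen]
	sig := img[headerLen+plen+digestLen:]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, ErrSignature
	}
	// Defense in depth: the digest is already under the signature, but recomputing it
	// catches a signing pipeline that signed a wrong digest.
	sum := sha256.Sum256(payload)
	if !bytes.Equal(sum[:], digest) {
		return 0, ErrDigest
	}
	if version < minVersion {
		return 0, ErrRollback
	}
	return version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for a vendor root key
	img := BuildImage(priv, 7, []byte("constructed sample payload"))
	v, err := VerifyImage(pub, 5, img)
	fmt.Println("genuine image:", v, err)

	tampered := append([]byte(nil), img...)
	tampered[headerLen] ^= 0xff // flip one payload byte, as an implant would
	_, err = VerifyImage(pub, 5, tampered)
	fmt.Println("tampered image:", err)

	_, err = VerifyImage(pub, 8, img) // valid signature, but older than allowed
	fmt.Println("rollback attempt:", err)
}
```

The order of checks is the point: the length field is validated against the real size, the signature is verified, and only then are the version and digest consulted, so a modified or unsigned image is rejected before any of its contents influence the boot path. A check like this only helps against a supply‑chain implant if the public key is pinned in an immutable location (ROM or a fuse‑backed store) and the verifier itself runs from there; a signature check living in the same rewritable flash as the image it checks can be removed along with it.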
Conclusion
The Iranian incident shatters the myth that physical isolation guarantees safety and highlights that supply‑chain security, not just network perimeter security, is the decisive factor in protecting national critical infrastructure.
This article has been distilled and summarized from source material, then republished for learning and reference.