Table of Contents

While Iran’s offensive cyber operations have required modest resources to develop, they have allowed Tehran to project itself as an emerging cyber power able to cause significant harm to its adversaries. The country’s security establishment has used these resources to signal to domestic and international audiences its ability to confront political subversion and retaliate against attacks on its infrastructure. These actions have brought international attention to Iran as a considerable force, perhaps beyond its actual capabilities, but have been ambiguous enough to allow Tehran to portray itself as a victim of the coercive measures of foreign states.

As judged from evidence of coordination between security agency actions and observed cyber operations, the campaigns of Iranian threat actors almost certainly have a direct relationship with government entities, specifically the Islamic Revolutionary Guard Corps and the Ministry of Intelligence. Given this alignment and collaboration, Iranian threat actors are described here as state-sponsored. However, since the threat actors are commonly private contractors in small security companies, these relationships are sometimes nebulous and the operators are not integrated into the state’s forces.134

Iranian cyber operations often reflect law enforcement behavior normalized by other countries in response to advancing information technologies, such as the hacking of devices to wiretap encrypted internet communications. International standards forums and telecommunication equipment vendors have legitimized the expectation of lawful interception of communications, and the Iranian government faces similar challenges of providing domestic security against terrorist organizations and crime that other countries encounter. These interests are expressed frequently in campaigns, which include the documentation of persistent targeting of militant organizations—both domestic and regional—that are hostile to the Iranian government, including Baluchi separatists and the Islamic State.

With the exception of Saudi Arabia, Iran appears to have had little success in compromising hardened government institutions or well protected organizations. After two decades of cyber crime, governments and private corporations have developed security policies and maintain collaborative relationships with external security organizations (for example, computer emergency readiness teams, or CERTs) that allow them to defend against attacks. In the office environment, companies can provide dedicated technical resources, exercise centralized control over devices, offer user education, and install protective network equipment that reduces risk. Such resources enable the private sector and governments to respond to threats and improve awareness collectively as a community.

Private threat intelligences companies and governmental agencies, such as the FBI’s Cyber Watch (CyWatch), provide corporations with regular reports on common security risks, including information on the attacker’s documented tools and infrastructure. The FBI has produced industry notifications on Iranian intrusion activities based on reports sourced from the private sector, and U.S. government entities have identified Iranian malware through information supplied from threat intelligence companies. When multiple computers in the Voice of America’s Persian service were infected by Iranian malware named Infy, the agent’s origin was identified by network administrators through a private report generated by a threat intelligence company that was made available to the agency.135

Such resources are not readily available to individuals—especially those residing in Iran—who find themselves alone and unprepared when targeted by even the most unsophisticated threat actors. While American banks quickly invested in countermeasures that limited the effectiveness of subsequent DDoS attempts in Operation Ababil, Persian-language social media platforms and media organizations subject to the same attacks commonly turned off services rather than pay thousands of dollars in bandwidth costs.136 One FBI notice sent to the private sector even documented fictitious profiles that were also used to target the Baha’i community.137 However, the FBI and cybersecurity companies do not commonly notify at-risk communities of threats to their safety and privacy. This divergence and exclusion represents the differences in opportunities afforded to nongovernmental and noncorporate targets of state-aligned threat actors.

The increased attention to user security by information technology companies in recent years has directly benefited the targets of Iran. Persian-language digital literacy and information security education programs have been developed through foreign assistance to cater to at-risk audiences, teaching concepts such as password management and how to recognize social engineering. Widely available account features such as two-factor authentication, which requires a user to provide a code sent through text message or an application to log into accounts, have demonstrably made it more difficult for Iranians to conduct credential theft. Private companies, such as Google and Cloudflare, as well as government funders, have supported DDoS-mitigation services that provide civil society organizations with enterprise-level defense resources to protect against such attacks at no cost, leading to a marked decrease in their frequency.

As a result, a well-educated user with two-factor authentication and an iOS device is a more difficult target for Iranian threat actors to compromise. However, while technological options for protecting accounts and devices have improved in recent years, in the end the biggest vulnerability remains the user.

Attempts to forecast the future of Iranian cyber operations are constrained by the secrecy on the part of the Iranian state about its activities and an uncertain geopolitical climate. Like most countries, Tehran does not appear to have a clear doctrine as to when it will engage in disruptive operations and retaliate in cyberspace. Nor is it likely to. In line with its asymmetric strategies in traditional warfare, Tehran has often benefited from ambiguity. This may explain why it denies operations attributed to it, as well as why it did not immediately incorporate threat actors into the military apparatus.

Having been the target of sustained cyber espionage and destructive attacks, Iran is bound to seek the same capabilities used against it.

Having been the target of sustained cyber espionage and destructive attacks, Iran is bound to seek the same capabilities used against it . These capabilities provide Tehran opportunities to impose costs during potential hostilities. While Iran may not appear able to perform synchronized multistage attacks wherever it would like, it can repeatedly hammer away at soft targets in campaigns of attribution. Renewed hostilities between Iran and the United States could be expected to involve the targeting of vulnerable economic, civilian, and governmental services with data destruction, DDoS, and other disruptive attacks. Under current perceptions of Iranian offensive cyber capabilities, it is unclear that it would be prepared and able to launch attacks against the power grid or industrial control systems, such as those conducted against Ukraine.138 Instead, attacks would follow the path of least resistance—targeting state and local governments rather than federal infrastructure, or unprepared sectors that have not been previously targeted such as transportation and logistics rather than the financial services. Attempts by one Iranian to meddle with a local New York dam and other reports about the compromise of state agencies are demonstrative of the abundance of opportunities for Iran to retaliate against the United States.139

Moreover, although Iran has been described as a rational actor, it is not unitary, as the overlapping operations and intragovernmental surveillance conducted by the Ministry of Intelligence and IRGC demonstrate .140 The motivations, coordination, and authorization of Iranian state-aligned campaigns may differ from the policy position of other branches of government, and the use of offensive cyber capabilities is less visible to observers than the mobilization of troops. Iran’s security apparatus can easily conduct hostilities in cyberspace without the consent or awareness of the rest of the government.

Disruptive activities conducted by Iranian threat actors have decreased overall since the interim nuclear deal signed in November 2013—known as the Joint Plan of Action framework. The rhetoric of government and military officials has also evolved over time. In recent years, particularly under the Rouhani administration, fewer blusterous statements have been made regarding Iran’s cyber operations.141 While Tehran is less likely to engage in disruption of American or European infrastructure amid current circumstances, it has engaged in cyber espionage and will continue to do so. The perceived success of previous campaigns has solidified the principle of offensive cyber operations as an effective means for Iran to continue to conduct espionage and surveillance against regional adversaries and political opponents.

Yet Iran will continue to be limited by resource constraints for the foreseeable future. Tehran has rarely appeared able to conduct large-scale exfiltration of classified business and government data, differing, for example, from Chinese efforts to steal Boeing’s industrial secrets or extensive databases from the U.S. Office of Personnel Management.142 What’s more, the threshold of difficulty for compromising such targets will increase over time, and it is unclear whether Iranian capabilities will improve proportionally.

Iran’s massive brain drain, with many of its brightest engineers leaving for political and economic reasons, imposes further constraints on the development of its cyber capabilities. Iran’s minister of science, research and technology estimated that 150,000 highly talented people emigrate from Iran every year, a $150 billion annual economic loss.143 When Iranian engineers leave for Silicon Valley and Europe, the country’s capacity for effective offensive and defensive cyber operations goes with them.

In the absence of a historical comparison of Iranian cyber operations, new incidents or the rise of new groups is often incorrectly perceived as a dramatic improvement to capacity. Despite systemic challenges stemming from bureaucratic dysfunction and underinvestment in cybersecurity, Iran has the potential to foster more effective operations. Attempts by the government, universities, and the private sector to create a professional cybersecurity community, such as hosting Capture the Flag tournaments, will inevitably result in a deeper talent pool. Observing other nation-state actors provides a set of benchmarks that can be a reliable indicator of improvement or change in posture, including:

  • coordination of threat actors, more consistent improvement to domestically produced malware, and the development of purpose-built tools that could suggest the consolidation of capability, specialization of personnel, and even incorporation into the state;
  • investments in operational security, ranging from reducing the exposure of information on operators to increased investment in concealment (such as Magic Kitten’s relay network);
  • improvements in background research and foreign language abilities within operations, such as more personalization of social engineering attempts, that would reflect the inclusion of nontechnical support staff; and
  • execution of operations that include zero-day exploits or target core infrastructure (for example, compromising network devices, routing protocol hijacks, and telecommunications signaling manipulation), suggesting more investment in resources for systemic cyber operations.

Despite Iran’s current lack of technical sophistication, simple means can still be effective at imposing political and economic costs, as evidenced by Russia’s successful compromise and subsequent leaking of the internal communications of Democratic Party institutions and operatives before the 2016 U.S. election. Some of the most damaging materials used in the operation came via a simple breach of a Gmail account, an opportunity available to anyone. This also reinforces the challenge of discerning intent—what initially appears as espionage can later turn into an attack.144

Given Iran’s dispersed ecosystem of threat actors, deterring Tehran from engaging in offensive cyber operations is as challenging as other efforts to address security issues involving the country. Cyber activities are less likely to lead to regional destabilization than are offline Iranian threats, and historically, Tehran’s disruptive attacks against non-Iranian targets have been retaliation during hostilities rather than instigation toward new conflicts. To maintain credibility at a time when Western surveillance activities are publicly exposed through leaked confidential documents, effective policy responses need to differentiate espionage or signaling from sabotage or the infringement of human rights, actions that violate international norms. It is also important to recognize that Iranian offensive cyber operations do not require technology transfers or the support of other states. Members of Iranian threat actors—primarily low-level software developers working within a small number of companies—will continue to be tough to identify, prosecute, and punish.

Naming and shaming may chill participation in state-aligned operations, especially among talented individuals looking to travel outside the country or study abroad. However, it is unclear whether those publicly identified with Operation Ababil or other campaigns have changed their involvement after being outed. Moreover, the loosely connected and small groups are not cost-effective targets for retaliatory cyber operations. In the end, Iran maintains a large enough pool of sufficiently capable programmers to conduct basic campaigns. Therefore, while exposing Iranian cyber operations and operators may degrade and delay the development of better cyber capabilities, it will not fully deter Iran.

Policy Approaches to Iran’s Cyber Threat

This leaves a select number of policy options, primarily (1) utilizing existing frameworks for targeted sanctions or indictments, (2) improving information sharing on threats across communities, and (3) supporting initiatives to improve information security.

The comprehensive sanctions regime against Iran is unlikely to substantially interfere with its development of offensive cyber capabilities. Iranians commonly use servers outside the country, typically hosted on networks in Europe and Russia that provide service to other cyber crime networks (bulletproof hosting) or registered using false information.145 Since the resources necessary to improve capacity are organizational and professional development rather than computers or infrastructure, there are few technological items or services that could potentially be deterred. Furthermore, overly broad sanctions regimes that attempt to constrain malicious cyber activities would be more likely to have substantial collateral damage on the free flow of information to Iran, as Iranian civil society has widely argued.

The U.S. Treasury Department’s Office of Foreign Assets Control maintains targeted programs that can be brought to bear against international entities that augment Iran’s capacity for surveillance against its population.

Where sanctions are appropriate, the U.S. Treasury Department’s Office of Foreign Assets Control maintains targeted programs that can be brought to bear against international entities that augment Iran’s capacity for surveillance against its population (Executive Order 13606146) and those responsible for cyber operations against American infrastructure (Executive Order 13694).147 Sanctions and other financial mechanisms could be used to deter foreign countries or other actors from providing support to Iranian offensive cyber operations . Executive Order 13606 offers an example in its authority to designate any entity, whether in Iran or elsewhere, that has facilitated the Iranian government in its “computer and network disruption, monitoring, and tracking.” While the order focuses on human rights, similar language could focus on Tehran’s attacks against critical infrastructure and espionage. The narrowly tailored extension of these authorities could help ensure that Iran’s cyber operations do not benefit from technology transfers or foreign assistance as Tehran expands its security and commercial ties, especially to countries such as Russia and China.

Additionally, the Justice Department has issued indictments against Iranians implicated in disruptive campaigns (the same individuals allegedly responsible for Operation Ababil were also designated under Executive Order 13694) and has successfully obtained the extradition from a third country of a hacker involved in the theft of military secrets.148 Because of the small operational footprint of the groups, targeted sanctions or legal proceedings are more symbolic than disruptive, but few other opportunities exist to impose consequences on individuals who participate in operations.

Given the level of rudimentary nature of its cyber operations, a purely political or legal response that is focused solely on deterring Iran would be ineffective toward addressing national cybersecurity risks. Any system that can be breached by Iranian groups is equally susceptible to others with similar sets of motivations, notably North Korea and Hamas. An effective policy response to the threats posed by Iran must focus on securing critical infrastructure overall.

Information sharing has been one of the most common strategies pursued by the United States, Europe, and the private sector to reduce the effectiveness of Iranian cyber operations. After the Aramco attack, the United States used its superiority in monitoring and attributing Iranian activities to strengthen intelligence relationships with its Arab allies in the Persian Gulf.149 This is an immensely valuable resource that should be extended where possible, and further support can be provided to regional allies. Similarly, the FBI has provided notifications to and facilitated information sharing with the private sector on specific Iranian campaigns. These efforts can be expanded to include more partners and to provide data to civil society organizations.

Unlike traditional security issues, private individuals are more exposed to cyber operations owing to the transnational and virtual nature of threats. This brings in more stakeholders, and increases the burden on individuals to protect themselves from crime and espionage. Responsibility to protect those users rests equally on the private sector and governments. Fortunately, internet platforms and communications services, like Facebook and Google, have played a positive role in providing the tools to help individuals defend against attacks—even going so far as notifying users when they have been targeted by state-aligned campaigns, including those from Iran. These initiatives raise the bar for attackers and should be seen within tech companies as a core obligation of keeping at-risk users safe.

Discussions about securing dissidents would be incomplete without highlighting the pioneering role of the United States government and European development agencies in providing secure communications tools to activists—often referred to as the Internet Freedom agenda. Government funding has provided early stage investment for researchers and developers to produce prototypes and deployable products to protect activists and civil society that would not be the focus of the private sector. A significant proportion, if not majority, of Iranians that bypass the censorship regime do so using safe and reliable tools funded by the State Department and Broadcasting Board of Governors. Both have also supported the development of encryption tools such as Signal that have even been adopted by tech companies within their own messaging applications, demonstrating the importance of Internet Freedom as a public-private cooperation.

The United States and European Union should continue to promote programs and norms on internet access and cybersecurity that prioritize the free and secure flow of information against challenges from countries such as Iran, China, and Russia. Aside from funding for civil society, this includes promotion of democratic values within internet governance frameworks, such as the Internet Corporation for Assigned Names and Numbers (ICANN) and the International Telecommunications Union (ITU). This also highlights the importance of domestic policy on Internet Freedom efforts: proposals to weaken information security products such as encrypted messaging applications would harm individuals in countries where rule of law is weak and backdoor access in communications networks is commonly repurposed for repression.

As the history of Iranian offensive cyber operations demonstrates, the same actors responsible for espionage against the private sector engage in surveillance of human rights defenders, and with considerably more success, owing to the targets’ resource constraints. These at-risk communities provide a canary for the tactics and tools that will be employed against other targets, and increased information exchange will enable more effective education and mitigation strategies for all. Policymakers have long understood that the changes that will lead Iran to be a productive member of the international community will come from within. The safety and security of the Iranian civil society organizations and democratic voices targeted by government cyber operations should be recognized and protected as the critical stakeholders within cybersecurity and foreign policy discussions that they are.


134 Healey defines “state-integrated” as the “national government integrates third-party attackers and government cyber forces, with common command and control.” This still allows for informal coordination with external parties so long as the government remains in control. While Iranian threat actors receive tasking from the government, there is little indication that any of them are formal members of the security forces.

135 Based on a Freedom of Information Act request by the authors to the Broadcasting Board of Governors on cybersecurity incidents related to Iran.

136 David M. Faris and Babak Rahimi, eds., Social Media in Iran: Politics and Society After 2009 (Albany, NY: SUNY Press, 2015).

137 An FBI notice sent to private industry on May 29, 2014, described a similar set of personas that expanded on the iSIGHT Partners’ (now FireEye) Operation Newscaster report that was released a few days prior. While iSIGHT Partners identified fourteen accounts of American or European background, the FBI provided a list of fifty-six unique personas, of which fifteen had family names that appeared to be Persian and had not been identified in the previous report. The accounts identified by the FBI have been since deleted, but appeared to have been Iran-focused. Federal Bureau of Investigation, “FBI Notification: Malicious Cyber Actors Targeting U.S. Government Networks and Employees,” Public Intelligence, June 23, 2014, .

138 John Hultquist, “Sandworm Team and the Ukrainian Power Authority Attacks,” Threat Research (blog), FireEye, January 7, 2016, .

139 “A Dam, Small and Unsung, Is Caught Up in an Iranian Hacking Case,” New York Times, March 25, 2015, FireEye (which owns Mandiant) has described multiple cases of “Iran-based network reconnaissance activity,” including unauthorized intrusions into several U.S. state government agencies. “FireEye Releases Annual Mandiant Threat Report on Advanced Targeted Attacks,” FireEye, April 10, 2014, .

140 Alex Vatanka, “The Iranian Industrial Complex: How the Revolutionary Guards Foil Peace,” Foreign Affairs, October 17, 2016,

141 For example, when Iranian state–aligned media have covered such issues in recent years, it has typically been through republishing English-language reports without substantial further comment or by reporting on denials by the government, such as when Mashregh News covered Citizen Lab’s August 2015 “London Calling” report and took issue with claims about attribution.

142 Adam Segal, “Why China Hacks the World,” Christian Science Monitor, January 31, 2016,

143 “Iran Loses $150 Billion a Year Due to Brain Drain,” MEHR News Agency, January 8, 2014, .

144 Secure Works Counter Threat Unit, “ThreatGroup-4127 Targets Hillary Clinton Presidential Campaign,”, June 16, 2016,

145 The compromises of several certificate authorities by “ComodoHacker,” the individual responsible for the DigiNotar breach, appear to have used a stolen Israeli credit card for registering domains used in the attack.

146 Office of the Press Secretary, “Executive Order: Blocking the Property and Suspending Entry Into the United States of Certain Persons with Respect to Grave Human Rights Abuses by the Governments of Iran and Syria via Information Technology,” White House, news release, April 23, 2012,

147 “Sanctions Related to Significant Cyber-Enabled Malicious Activities,” U.S. Department of the Treasury, last modified August 9, 2017,

148 Members of Iranian threat actors do travel to countries that the United States has successfully received extraditions from.

149 Cory Bennett, “White House Pledges Cyber Cooperation With Gulf Leaders,” Hill, May 14, 2015,; and
Ellen Nakashima, “As Cyberwarfare Heats Up, Allies Turn to U.S. Companies for Expertise,” Washington Post, November 22, 2012,