Table of Contents

Cyberspace has become the newest frontier in the four-decade-long U.S.-Iran cold war. Perhaps more than any government in the world, the Islamic Republic of Iran has been the target of uniquely destructive cyber attacks by the United States and its allies . At the same time, groups associated with Iran’s security forces—namely the Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence—have become increasingly adept at conducting their own offensive cyber operations.The targets of such operations include Iranian government critics at home and abroad, corporations, and nongovernmental organizations, as well as the economic, defense, and diplomatic institutions of countries including Germany, Israel, Saudi Arabia, and the United States.

The Iranian government has provided conflicting public accounts of its offensive cyber operations, touting its capabilities while denying responsibility for attacks attributed to it. Consistent with its use of proxy groups to assert its regional power, Tehran frequently masks its involvement in such operations using cutouts (intermediaries) to avoid attribution and provide it plausible deniability. Despite these denials, it is clear Iran has invested in indigenous cyber capabilities for both defensive and offensive purposes, and is willing to use them in the event of conflict.

Tehran’s offensive cyber capabilities are relatively unsophisticated compared to states like China, Russia, and the United States. While the Iranian hacking scene emerged in the early 2000s, there is little evidence of state-aligned cyber activities before 2007. This comparatively late start and underinvestment in part accounts for its lower capacity. Yet Moscow’s compromise of Democratic Party institutions and political operatives during the 2016 U.S. election demonstrated that information warfare can be conducted through basic tactics. Iran has similarly preyed upon the lack of sophistication or preparedness of vulnerable targets both inside and outside Iran, including Saudi oil companies, Middle Eastern governments, and U.S. banks. Though these operations have often caused great financial damage, the methods used to destroy data or disrupt access were relatively simple.

Iran has demonstrated how militarily weaker countries can use offensive cyber operations to contend with more advanced adversaries. Tehran’s operations against foreign interests have been mostly espionage and sabotage campaigns against soft targets in rival countries, rather than economic theft. Disruptive and destructive attacks have repeatedly been used by Tehran to signal its ability to impose retaliatory costs on its adversaries. Overall, these disruptive incidents appear to have been restrained based on strategic calculations, and limited to tit-for-tat exchanges within the same domain during times of conflict.

Iran has demonstrated how militarily weaker countries can use offensive cyber operations to contend with more advanced adversaries.

That said, most victims of Iranian cyber operations are in Iran or the large Iranian diaspora—the so-called internal enemies that Tehran’s leadership fears. The early and effective adoption of the internet and social media by regime opponents and critics has fed the perception of Tehran’s hardliners that foreign powers are conspiring to subvert the Islamic Republic through new technologies. But the targets of Tehran’s digital surveillance include not only human rights defenders and perceived enemies of the state but also apolitical cultural institutions and even Iranian government agencies. Digital espionage and disruptive attacks against government critics have demonstrated to the Iranian public that its online activities are not outside the reach of the state.

This report provides a historical analysis of the activities and observed capabilities of Iranian threat actors who perform offensive cyber operations, most likely on behalf of the Islamic Republic. For purposes of maintaining a consistent terminology, the cyber activities covered in this report are framed in terms of “offensive cyber operations,” which in the U.S. Department of Defense’s words are actions “intended to project power by the application of force in or through cyberspace,”1 or through distinguishing the intended effects (such as disruption, exfiltration, or destruction). This narrows the scope of research to intelligence and other offensive actions, rather than the full realm of Iranian government attempts to build influence online or control information.

Hackers working in coordination on cyber operations are described as “threat actors,” although groups can have a single member and their composition can change over time. The terms “state-sponsored” or “state-aligned” are used throughout this report to reflect the direct relationship between the attackers and the Iranian government that is accounted for throughout the operations.2

Forensic artifacts and other records collected from cybersecurity research provide unprecedented insight into the security and intelligence priorities of the Iranian regime. The true intent of an attacker is not always evident in an intrusion. The compromise of a system for espionage or reconnaissance can later provide an electronic foothold used for sabotage. While Tehran has conducted highly visible attacks against rivals during times of conflict, the decade-long history of Iranian cyber operations reveals that the primary reason for such campaigns appears to be espionage.

Iran has been the target of espionage and destructive coercive measures launched by foreign states, including not only the United States and Israel but also Canada, France, Russia, and the UK. These attacks further motivated Tehran to develop indigenous defensive and offensive cyber capabilities as well as a credible retaliatory threat. These exchanges are directly correlated to Iran’s domestic and geopolitical climate, which has been reflected in the reduction of disruptive attacks since the signing of the 2015 nuclear deal, formally known as the Joint Comprehensive Plan of Action (JCPOA).

While Tehran has conducted highly visible attacks against rivals during times of conflict, the decade-long history of Iranian cyber operations reveals that the primary reason for such campaigns appears to be espionage.

The primary source of data used in this report is documentation collected from attacks against a variety of nongovernmental organizations (NGOs) and other targets, both inside Iran and abroad. Forensic investigation techniques provide a broader perspective on the range of activities of threat actors, helping to identify specific participants and their potential connections to Iranian governmental entities. For example, the “sinkholing” of malware—the interception of communications through the redirection of domain names—provides insight into both the perpetrators and the victims of such campaigns. In other cases, the lack of professionalism by Iranian groups has led to the disclosure of names, aliases, and email addresses of their members in malware code and domain registration records.

This first-hand research complements numerous reports—based also on primary source material—published by cybersecurity companies on specific Iran-related incidents or threat actors. These publications provide alternative insights into Iran’s targeting of other sectors outside the authors’ immediate perspective, such as defense companies and governments. An index of these reports will be made available online.3 Interviews with targets of Iranian campaigns—including activists and scholars based in Iran and abroad—help elucidate Tehran’s motivations and place the attacks in a broader context. Interviews with cybersecurity professionals similarly provide background on larger industry trends.

The intent of this report is to strengthen policy discussions of Iran’s cyber operations by increasing public knowledge about the nature of such activities. Since cybersecurity research is typically limited to disclosures of specific threat actors or incidents, such publications do not provide insight into larger motivations and observable trends. This report differs in that it considers the historical patterns and the broader context of Iranian cyber operations, particularly their relationship to changing political conditions. It also emphasizes the overlap between Iranian campaigns conducted against foreign government institutions and/or corporate entities and those directed against human rights and civil society organizations, commonly neglected stakeholders in cybersecurity policy debates.

A better understanding of the history and strategic rationale of Iran’s offensive cyber operations must inform U.S. strategy toward Iran and future U.S. responses to Iran’s actions. This is especially true given the United States is reliant on an inadequately guarded cyberspace and should anticipate that future U.S. cyber attacks against Iranian targets could trigger retaliatory attacks on U.S. infrastructure. Iran’s recent history suggests such an outcome.

Notes

1 “Department of Defense Dictionary of Military and Associated Terms,” Federation of American Scientists, amended February 15, 2016, https://fas.org/irp/doddir/dod/jp1_02.pdf.

2 The authors cannot identify under what level of authority the attacks are authorized and whether Iran will professionalize such operations under state security forces. However, they can say with high confidence that such activities are coordinated with the Iranian government. See Jason Healey, “Beyond Attribution: Seeking National Responsibility for Cyber Attacks,” Atlantic Council, February 22, 2012, http://www.atlanticcouncil.org/publications/issue-briefs/beyond-attribution-seeking-national-responsibility-in-cyberspace.

3 This material will posted on “Iran Threats,” Github, https://iranthreats.github.io.