Table of Contents

Since the first publications on Iranian cyber activities in the summer of 2012—disclosing a malware agent named Madi—cybersecurity companies and Western government agencies have routinely documented intrusions, disruptions, and other malicious activities originating from Iran.4 Yet aside from attacks that sought to subvert foreign infrastructure, these reports have rarely provided context about Tehran’s offensive cyber operations and the motivations for attacks.

Tehran’s perspective is shaped by the many attacks that have targeted its own infrastructure. Since Iran’s covert nuclear facilities were exposed by an opposition group in 2002, numerous foreign actors have staged intrusion operations that sought to gain access to Iran’s nuclear facilities, economic infrastructure, military apparatus, and governmental institutions, for both espionage and sabotage.5

Indeed, the most prominent example of modern cyberwarfare was the sustained campaign of sabotage—unprecedented in its sophistication and preparation—carried out by the United States and Israel against Iran’s nuclear facilities . In what was known as Operation Olympic Games, the malware agent Stuxnet was used to sabotage components of the Natanz uranium enrichment facility, resulting in the destruction of over 1,000 centrifuges and setting back Iran’s nuclear progress by more than a year. This marked one of the first known uses of offensive cyber operations as a coercive measure between states.6

While Stuxnet was solely intended to degrade Iran’s nuclear program, other campaigns sought to sabotage the country’s financial and oil infrastructure. In May 2012, a consortium of researchers disclosed another destructive operation against Iran.7 Malware agents known as Wiper and Flame, successors to Stuxnet, had been discovered when Iran’s Ministry of Petroleum and the National Iranian Oil Company computers were disabled, their hard drives overwritten in a unilateral operation reportedly conducted by Israel.8

Coercive cyber operations targeting Iran continued following Operation Olympic Games. In June 2012, amid stalled nuclear negotiations between Iran and international powers, Tehran’s minister of intelligence claimed the country’s nuclear facilities were subject to another “massive cyber attack.”9 Later that year, Iran alleged additional disruptive operations targeting its Central Bank, Ministry of Culture, and drilling platforms operated by the Iranian Offshore Oil Company.10

In addition to sabotage, foreign intelligence agencies have continually targeted Iranian infrastructure for purposes of espionage, a fact made public to Iran through the intelligence disclosures of Edward Snowden. A former U.S. National Security Agency (NSA) worker, Snowden leaked a presentation on a tool known as Boundless Informant showing Iran to be one of the most highly surveilled countries in the world: billions of Iranian internet and telephone records have been collected by the intelligence agencies of the United States and its partners. In fact, Iran is so frequently surveilled that a Canadian espionage operation targeting Iran once stumbled across a French-run intelligence operation that had compromised the very same network.11

How Iran Embraced Cyber Repression

Iran’s Supreme Leader Ayatollah Ali Khamenei has long believed Washington aspires to overthrow the Islamic Republic by instigating mass mobilization along the lines of the 1989 Velvet Revolution that toppled the Communist regime in Czechoslovakia.12 Following similar logic, Iran’s first cyber operations were motivated by fears that the internet facilitated external threats to regime stability. Tehran often labels the online dissent of its citizenry as cyberwarfare orchestrated by its enemies, namely the United States, to subvert the Islamic Republic. Western government support for unrestricted internet access and Persian-language satellite television stations—such as BBC Persian TV—are perceived as key elements of this strategy. The advent of social media sites, such as Facebook and Twitter, and messaging apps, such as Telegram, are especially threatening given they challenge the Iranian government’s long-standing monopoly over media and communications.

Khamenei’s greatest concerns were realized when the June 2009 contested reelection of hardline president Mahmoud Ahmadinejad—amid widespread allegations of fraud—provoked Iran’s largest popular uprisings since the country’s 1979 revolution. It was also a pivotal moment in the Iranian government’s embrace of offensive cyber capabilities, as this mass mobilization—known as the Green Movement—became one of the first known targets of the regime’s operations. The online contest between the opposition, using the internet to coordinate political resistance, and the government, attempting to repress mobilization, set the stage for future conflicts, including those with foreign powers.

Soon after an estimated 2 million Iranians protested in Tehran on June 15, 2009, supporters of the Green Movement began to battle the government over control of information.13 When the authorities expelled foreign media, interfered with mobile phone networks, and arrested prominent critics, the internet became a primary channel for coordination amid the chaos. In response, the U.S. Congress, then U.S. president Barack Obama’s administration, and American technology companies sought to maintain Iranian users’ access.14

During the Green Movement, pro-regime hackers engaged in a multipronged strategy of intrusions, disruption of websites, and network surveillance. Between December 2009 and June 2013, a group calling itself the Iranian Cyber Army defaced websites associated with Iran’s political opposition, Israeli businesses, independent Persian-language media, and social media platforms, posting pro-government messages. When human rights activists and opposition leaders called for street protests, critical websites were subject to a deluge of malicious internet traffic to disrupt access, known as distributed denial-of-service (DDoS) attacks.15 Government critics were spied on with malware posing as information on upcoming protest plans and public scandals.16 An Iranian hacker breached the Dutch security company DigiNotar to fraudulently issue encryption certificates that allowed Tehran to spy on all domestic Gmail users, one of the largest security breaches in the history of the internet.17

An Iranian hacker breached the Dutch security company DigiNotar to fraudulently issue encryption certificates that allowed Tehran to spy on all domestic Gmail users, one of the largest security breaches in the history of the internet.

Ultimately, the brutality, surveillance, and censorship exercised by the security forces debilitated the Green Movement, and by 2011 public protests had subsided. Security agencies had adapted to the modern digital environment, with interrogations by the IRGC including an intimate review of an arrestee’s personal life based on printed copies of his or her online communications and social media. An IRGC chief later said that suppressing the demonstrations required widespread arrests, massive repression, and cutting off means of mass communication, such as cellphones and the internet.18 The Green Movement demonstrated to the Islamic Republic that the internet could be used as an instrument of mass mobilization and posed an effective challenge to the regime’s long-held information monopoly.

The tactics, tools, and threat actors that arose during this domestic challenge to regime stability would foreshadow the cyber posture of Iran toward a wider set of internal and foreign threats. A recurrent theme since the outset of Iran’s cyber operations is that Iranian campaigns do not maintain clear boundaries between operations directed against its internal opposition and those directed against foreign adversaries.19 The same infrastructure and tools used by Iranian threat actors for campaigns against the American defense industry are also used to target Persian-language women’s development programs; the same malware used in destructive attacks against Saudi government institutions had been previously used for surveillance against members of the Green Movement opposition.

Iran’s Offensive Cyber Capabilities

Cyber operations have provided Tehran less risky opportunities to gather information and retaliate against perceived enemies at home and abroad. Before information communication technologies were widely available, the Iranian government’s foreign intelligence operations centered chiefly on recruiting agents to spy on and assassinate political dissidents or the diplomats of rivals. These operations usually resulted in international embarrassment when the attackers were caught and condemnation when they succeeded. Compared to clandestine in-country operations, offensive cyber capabilities provide stronger deniability and have thus far been less likely to lead to retaliation upon discovery.

Over the past decade, offensive cyber operations have become a core tool of Iranian statecraft, for the purposes of espionage, signaling, and coercion. Accounts of Iran’s offensive cyber operations follow a consistent pattern across campaigns and among different threat actors. Operations focus on well-defined sets of targets and are less sophisticated than the campaigns of state-sponsored threat actors in other countries—to credibly signal threats and create deterrence requires assured repeatability, a capability that Tehran generally still lacks.

Over the past decade, offensive cyber operations have become a core tool of Iranian statecraft, for the purposes of espionage, signaling, and coercion.

Moreover, the level of professionalization, preparation, and investment necessary to conduct an operation like Operation Olympic Games remains far outside the capacity of Iranian threat actors. Unlike the cyber operations of the United States and Israel, which are conducted by professional intelligence services supported by billion dollar budgets, Iran’s offensive and defensive capabilities are disorganized and modestly funded.20 Thus, while Iran frequently turns to disruptive attacks to apply pressure, it faces a ceiling of capability and opportunity in its ability to threaten opponents. Tehran’s clandestine human intelligence gathering in foreign countries, particularly outside the Middle East, is of similarly low sophistication.

Tehran rarely claims responsibility for offensive cyber operations attributed to it, including those espousing support for the Islamic Republic, and has made contradictory statements on its cyber posture. Iranian authorities have a history of embellishing the country’s military capacity, including for cyber operations. In responding to a series of disruptions of its own infrastructure in October 2012, then minister of intelligence Heidar Moslehi asserted that “the Islamic Republic is so powerful in the cyber space that [even] leaders of the arrogant powers admit and acknowledge our country’s successes.”21 However, IRGC commander Mohsen Kazemeini also claimed that the IRGC’s cyberwarfare division was not tasked with conducting offensive operations.22 Official rhetoric also appears to conflate the state’s effort to push online propaganda with offensive cyber capabilities, leading to claims of tens of thousands of cyber warriors.

Iran has used reports of destructive incidents to portray itself as a victim of foreign aggression, deflect attention away from its own actions, and boast of its ability to neutralize potential attacks. When accused by the United States of having conducted a disruptive attack against American banks, Iran’s Deputy Foreign Minister Hossein Jaberi Ansar responded that “the U.S. government, which put millions of innocent people at the risk of an environmental disaster through cyber attacks against Iran’s peaceful nuclear facilities, is not in a position to level accusations against the citizens of other countries, including those of Iran, without substantiated evidence.”23 Iranian officials appealed to international institutions for relief after the country had been affected by the malware agents Flame and Wiper, a move that aligned with its calls for greater United Nations (UN) control over the internet.24

In public statements, Iran has often emphasized its defensive capabilities, announcing in 2015 that its Cyber Attacks Emergency Center had successfully managed to thwart U.S. cyber attacks against the country’s industrial infrastructure.25 Iranian military officials regularly announce new defense products developed by domestic contractors, the most prominent example being the antivirus software Padvish.26 Despite these claims, Iran has shown little success in fostering a mature cybersecurity industry and lags behind both developed economies and key regional rivals in terms of investing in defense or formulating national policies to secure critical infrastructure.

Iran is generally perceived as a third-tier cyber power, lacking an advanced indigenous cybersecurity apparatus capable of carrying out sophisticated operations like China, Israel, Russia, and the United States.

While the Iranian government has committed tens of millions of dollars to cybersecurity in recent years, the scale of these investments pales in comparison to the billions spent annually by the U.S. government or the hundreds of millions spent individually by American banks.27 Were Iran to focus on improving its defensive capabilities, it would still face significant constraints related to sanctions, bureaucratic inefficiency, and a deficit of specialized expertise. Given the sophistication shown by its adversaries, assertions about the quick detection and remediation of foreign intrusions into Iranian networks should be viewed skeptically, a defensive posture that is unlikely to change.

Despite its confident claims, Iran is generally perceived as a third-tier cyber power, lacking an advanced indigenous cybersecurity apparatus capable of carrying out sophisticated operations like China, Israel , Russia, and the United States.28 While technical sophistication does not impede Iranians from conducting successful cyber operations, those actions reflect a disorganization and lack of professionalism that runs contrary to what would be expected of a state actor and limits their capabilities. Tehran’s political and economic isolation has further constrained it from acquiring technology and expertise from foreign governments or companies, and little evidence exists that would indicate substantial cooperation with other nations in the development of its offensive cyber capabilities.

The Difference Between Espionage and Sabotage

Media accounts of cyber operations often paint incidents with a broad brush, labeling all intrusions as attacks regardless of whether the outcome was destructive.29 Offensive cyber operations, however, can be more accurately labeled according to their intent and impact, distinguishing espionage and sabotage. Iranian actors have both engaged in intrusions to extract information from foreign networks (espionage, information gathering) and performed destructive actions to punish or coerce adversaries (sabotage), with a gray area in the middle related to signaling and other motivations. Understanding this difference is important in assessing Tehran’s strategy and the legality of its operations.

International law differentiates activities that are legal, though not desirable, from those that are illegal and could prompt dangerous escalation.30 Just as international law differentiates traditional espionage from coercion or violence, these same principles also apply to cyber espionage. Legal scholars have asserted that “mere intrusion into another State’s systems does not violate the non-intervention principle.”31

Indeed, given the growing number of nations with offensive cyber capabilities, espionage and information gathering through cyber operations has increasingly become accepted as an international norm.32 While the United States naturally denounces Tehran’s targeting of State Department employees, for example, such incidents mirror similar espionage operations against Iranian diplomats by U.S. and other Western intelligence agencies .33

International law experts have provided frameworks for determining what constitutes an “armed attack” in cyberspace, based on severity, invasiveness, directness, and other factors. Such frameworks also reinforce the importance of terminology, differentiating, for example, espionage against the Navy Marine Corps Intranet from a destructive incident such as Iran’s attack on Saudi Arabia’s and the world’s largest oil company, Saudi Aramco.34 Relatedly, scholars have noted that Iran’s use of proxies in offensive cyber operations does not absolve the government of legal obligations or repercussions for their outcome, based in part on international case law from the 1979 Iranian hostage crisis.35

Consistent evaluation of the legality of Iranian cyber operations provides clearer public benchmarks for assessing when Iran violates internationally respected principles and engages in illegitimate behavior. As Tehran continues to conduct offensive cyber operations, it is important for policymakers to assess the intent, scope, and legality of Iran’s actions before considering counter responses.

Notes

4 GReAT, “The Madi Campaign – Part I,” SecureList, July 17, 2012, https://securelist.com/blog/incidents/33693/the-madi-campaign-part-i-5 .

5 David E. Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” New York Times, June 1, 2012, http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html.

6 The preparation for Operation Olympic Games was substantial. Intelligence agencies in the United States and Israel obtained confidential information about the specific configuration of the centrifuge controllers in Natanz, built a test environment based on comparable hardware seized from Libya, and then deployed the malware agent through human assets inside Iran to reach computers disconnected from the internet. These operations were sustained over years. Later versions of Stuxnet exploited several previously unknown vulnerabilities and sought to strategically infect other computers in Iran in the event that they were connected to the Natanz systems.

7 Iran’s National Computer Emergency Response Team, Kaspersky Lab, and CrySyS Lab.

8 Ellen Nakashima, Greg Miller, and Julie Tate, “U.S., Israel Developed Flame Computer Virus to Slow Iranian Nuclear Efforts, Officials Say,” Washington Post, June 19, 2012, https://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html.

9 “Iran Says Detected ‘Massive Cyber Attack:’ State TV,” Reuters, June 21, 2012, https://www.reuters.com/article/us-iran-cyber-nuclear/iran-says-detected-massive-cyber-attack-state-tv-idUSBRE85K1EA20120621.

10 “Iran ‘Fends Off New Stuxnet Cyber Attack,’” BBC News, December 25, 2012, http://www.bbc.com/news/world-middle-east-20842113.

11 Communications Security Establishment Canada, “SNOWGLOBE: From Discovery to Attribution,” accessed December 4, 2017, a presentation discussing the French malware otherwise known as Babar, available at http://www.spiegel.de/media/media-35683.pdf.

12 Karim Sadjadpour, “Reading Khamenei: The World View of Iran’s Most Powerful Leader,” Carnegie Endowment for International Peace, March 10, 2008, http://carnegieendowment.org/files/sadjadpour_iran_final2.pdf.

13 “15 June 2009 – Tehran – Iran – Protest continued – Protesters Are Going to Freedom (Azadi Sq),” YouTube video, 1:02, posted by “saeidkermanshah,” June 15, 2009, https://www.youtube.com/watch?v=9_hr7G4At84.

14 A common example of this collaboration is when Twitter had planned to conduct maintenance after the June 2009 election. The State Department requested that the company delay the downtime in consideration of the protests. See Sue Pleming, “U.S. State Department Speaks to Twitter Over Iran,” Reuters, June 16, 2009, http://www.reuters.com/article/us-iran-election-twitter-usa-idUSWBT01137420090616 . More aggressively, in an opinion piece in the Wall Street Journal, a former under secretary of state and an assistant secretary of defense advocated for increased funding for communications tools and foreign broadcasting efforts with the express intent to “undermine the regime in Tehran.” See James K. Glassman and Michael Doran, “The Soft Power Solution in Iran,” Wall Street Journal, January 21, 2010, http://www.wsj.com/articles/SB10001424052748704541004575011394258630242.

15 The day before the March 2012 Iranian parliamentary elections, employees of the BBC were unable to access their email owing to a DDoS attack attributed to Iran. The Mujahedin-e Khalq has also claimed that when its former encampment in Iraq, Camp Liberty, was attacked in February 2013, its websites were subjected to a sustained DDoS attack designed to interfere with reporting. “Cyber-attack on BBC Leads to Suspicion of Iran’s Involvement,” BBC News, March 14, 2012, www.bbc.com/news/technology-17365416.

16 One document used as bait in the malware campaign appears to be a secret letter from the Ministry of Intelligence to members of the religious establishment in Qom concerning the protests over subsidies. Another displayed maps in Tehran describing protest routes toward Azadi Square, mirroring the activities on the ground. The malware agent would arise again over time in attempts to compromise the American defense industrial base in May 2014, and again in the Shamoon 2 attacks.

17 Black Tulip: Report of the Investigation Into the DigiNotar Certificate Authority Breach (Delft: Fox-IT BV, 2012), https://www.rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2012/08/13/black-tulip-update/black-tulip-update.pdf . In a confidential document on its own ability to monitor secure traffic, the UK Government Communications Headquarters (GCHQ) provides an account of the DigiNotar event, discovered in the course of its own espionage on Iran. GCHQ asserts that an Iranian intelligence agency added a specific rule in an internet router that forced Google’s traffic through an alternative route inside the country. “Profiling SSL and Attributing Private Networks,” GCHQ, December 28, 2014, https://edwardsnowden.com/2015/01/07/profiling-ssl-and- attributing-private-networks/.

18 Akbar Ganji, “Iran’s Green Movement Five Years Later – ‘Defeated’ But Ultimately Victorious,” Huffington Post, accessed December 4, 2017, https://www.huffingtonpost.com/akbar-ganji/iran-green-movement-five-years_b_5470078.html.

19 The most conspicuous and potentially only counterexample could be Oilrig, which across a multiple year history appears primarily focused on foreign targets and has not been publicly linked to attacks against Iranians.

20 Figures for both the United States and Iran are kept secret, however, a leaked intelligence budget for the 2013 provides some insight into how cyber operations are funded. Barton Gellman and Ellen Nakashima, “U.S. Spy Agencies Mounted 231 Offensive Cyber-Operations in 2011, Documents Show,” Washington Post, August 30, 2013, https://www.washingtonpost.com/world/national-security/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story.html.

21 “Minister: Iran Faces 500 Daily Cyber Attacks,” Khabar Online, November 10, 2012, http://english.khabaronline.ir/detail/183007.

22 “We just want to monitor (enemies’) cultural and social moves in cyber,” quoted in “IRGC to Set Up Division to Defend Iran Against Cyber Threats,” Sahar TV, October 16, 2012, http://english.sahartv.ir/news/irgc-to-set-up-division-to-defend-iran-against-cyber-threats-1638.

23 “Statement by Foreign Ministry Spokesman for Indictment of US Justice Department Against Seven Iranian Citizens,” Iranian Ministry of Foreign Affairs, March 26, 2016, http://mfa.gov.ir/index.aspx?fkeyid=&siteid=1&pageid=2122&newsview=385735.

24 Alexander Gostev, “What Is Flame Malware?,” Kaspersky Lab, accessed December 5, 2017, https://www.kaspersky.com/flame.

25 “US Cyber Attack on Iranian Oil Ministry Foiled,” FARS News Agency, May 26, 2015, http://en.farsnews.com/print.aspx?nn=13940305001092.

26 “Iran Unveils 12 Cyber Products,” FARS News Agency, December 14, 2013, http://en.farsnews.com/newstext.aspx?nn=13920923001322.

27 “Iranian Internet Infrastructure and Policy Report: Special Edition – The Rouhani Review (2013–15),” Small Media, 2015, https://smallmedia.org.uk/sites/default/files/u8/IIIP_Feb15.pdf ; Office of the Press Secretary, “Fact Sheet: Cybersecurity National Action Plan,” White House, press release, February 9, 2016, https://obamawhitehouse.archives.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan ; and Steve Morgan, “Bank of America’s Unlimited Cybersecurity Budget Sums Up Spending Plans in a War Against Hackers,” Forbes, January 27, 2016, https://www.forbes.com/sites/stevemorgan/2016/01/27/bank-of-americas-unlimited-cybersecurity-budget-sums-up-spending-plans-in-a-war-against-hackers/#694de941264c.

28 Barbara Slavin and Jason Healey, “Iran: How a Third Tier Cyber Power Can Still Threaten the United States,” Atlantic Council, July 29, 2013, http://www.atlanticcouncil.org/publications/issue-briefs/iran-how-a-third-tier-cyber-power-can-still-threaten-the-united-states.

29 Recent espionage incidents targeting U.S. State Department employees have been described in the press as “attacks” that sought to “jab at the United States and its neighbors without provoking a military response.” Despite the implication of aggression, the incident appeared to be motivated for espionage. David E. Sanger and Nicole Perlroth, “Iranian Hackers Attack State Dept. via Social Media Accounts,” New York Times, November 24, 2015, http://www.nytimes.com/2015/11/25/world/middleeast/iran-hackers-cyberespionage-state-department-social-media.html.

30 Michael N. Schmitt, “Cyber Operations and the Jus Ad Bellum Revisited,” Villanova Law Review (December 2011): 569–605.

31 Michael N. Schmitt, Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge: Cambridge University Press, 2013). U.S. officials have acknowledged that international law applies to actions in cyberspace as well. Patrick Tucker, “NSA Chief: Rules of War Apply to Cyberwar, Too,” Defense One, April 20, 2015, http://www.defenseone.com/technology/2015/04/nsa-chief-rules-war-apply-cyberwar-too/110572/.

32 Carmen-Cristina Cîrlig, “Cyber Defence in the EU: Preparing for Cyber Warfare?,” briefing, European Parliament, October 2014, http://www.europarl.europa.eu/EPRS/EPRS-Briefing-542143-Cyber-defence-in-the-EU-FINAL.pdf.

33 As has been documented in intelligence material leaked by Edward Snowden: “Iran – Current Topics, Interaction With GCHQ,” Intercept, February 10, 2015, https://theintercept.com/document/2015/02/10/iran-current-topics-interaction-gchq/ .

34 International law also differentiates interference, nonviolent operations such as propaganda, and psychological operations, so long as they are not sufficiently coercive. Schmitt, “Cyber Operations and the Jus Ad Bellum Revisited.”

35 Tim Maurer, Cyber Mercenaries: The State, Hackers, and Power (Cambridge: Cambridge University Press, 2018).