
In The Media

Type Softly, Carry a Big Gun

By Tim Maurer
Published on Jan 26, 2018

Source: Mark News

In the wake of the biggest protests Iran has seen since the 2009 Green Movement, Iranian hackers have moved back into the spotlight. A report published by the Carnegie Endowment for International Peace in early January 2018 details how Iran has been building and deploying its capabilities. In the past decade, Iran has become one of the most aggressive states to wield offensive cyber capabilities, both at home and abroad. Part of Tehran’s strategy has been to use hackers detached from the state as proxies.

How Tehran managed to acquire these capabilities in such a short period of time and how it uses them is important for understanding what the future might hold for both Iran and the more than 30 countries known to be pursuing offensive cyber capabilities.

To understand how Iran uses cyber proxies, it’s important to understand how Tehran thinks about cyber security in the first place.

When Iranian officials are worried about “cyber war,” they will be thinking of Stuxnet, the malware targeting the country’s nuclear facility in Natanz, or the “Internet in a suitcase” – a tool designed to provide net access, circumventing government censorship.

Unlike the position held by the United States and most other Western countries, Tehran’s view of information security is more expansive, focusing not just internally on dissidents, but externally as part of regional rivalries and geopolitical conflicts. This world view also spills into how proxies are leveraged.

Unprecedented insight into a state-sponsored Iranian cyber operation was provided when the U.S. government decided to unseal a 2016 indictment of several Iranian hackers. The seven men, aged 23 to 37, are accused of trying to bring down the systems of some of the world’s largest financial institutions in 2012 with massive distributed denial of service (DDoS) attacks.

What is remarkable about this episode is that the hacker pseudonyms used by Sadegh Ahmadzadegan, Omid Ghaffarinia and Nader Seidi mentioned in the indictment all appear on a hacker forum where the three publicly boasted about their web defacements until March 2012, only a few months before they joined ranks with the others to launch the DDoS attacks. Once they joined, the DDoS attacks escalated, “transforming the equivalent of a few yapping Chihuahuas into fire-packing Godzillas.” In other words, their collaboration with the other three Iranians mentioned in the indictment – who maintained ties with the Islamic Revolutionary Guard Corps (IRGC) according to the indictment – was crucial to amplifying the effect of this operation. Importantly, in addition to Tehran’s proxies targeting systems abroad such as the DDoS attack against financial institutions in the United States, regime-friendly hackers are also targeting dissidents within Iran.

Tehran’s use of hackers as proxies is not that different from how the Iranian government has leveraged non-state actors in the past to further its political objectives. When thousands of students amassed in front of the U.S. embassy in 1979, their ringleaders initially acted independently, but their actions were subsequently endorsed and supported by the Iranian leadership. Tehran has been nurturing these relationships through the Basij, Iran’s volunteer paramilitary group, and the IRGC ever since. It should then come as no surprise that the regime is now replicating this model with regard to its offensive cyber capabilities.

Similar to Iran, other governments around the world are using non-state actors to build and to project power through cyberspace. James Clapper, the former U.S. director of National Intelligence, warned a year ago that more than 30 countries are now developing offensive cyber capabilities. However, how governments structure those relationships and their level of control varies widely and depends on how they conceptualize cyber threats.

For example, there have long been rumors that Russian intelligence services work with cyber criminals and provide them with a safe haven as long as they do not target victims in Russia. Another indictment by the U.S. government, unsealed in early 2017, substantiated these rumors and provided a more detailed account of how these relationships work. According to the indictment, the Federal Security Service of the Russian Federation – popularly known as FSB – worked with a known cybercriminal to hack Yahoo. This cybercriminal is one of the FBI’s Cyber Most Wanted and managed to escape to Russia instead of being extradited to the United States. The hack became one of the largest data breaches in history. The two FSB officials allowed the cybercriminal to make money on the side through various scams in parallel to supporting the FSB.

The Iranian example not only illustrates the growing web of proxy relationships that are emerging between states and hackers but highlights how different approaches inform the use of cyber capabilities. The significant progress Iran has made within the last decade alone hints at what to expect of the increasing number of countries pursuing offensive cyber capabilities. The low cost required for the development and use of hacking tools, the available pool of non-state actors that can be leveraged for this purpose, and the prevalence of vulnerabilities waiting to be exploited suggest that cyber incidents will continue to make headlines.

This article was originally published by Mark News.

About the Author

Tim Maurer

Former Senior Fellow, Technology and International Affairs Program

Dr. Tim Maurer was a senior fellow in Carnegie’s Technology and International Affairs program.


Carnegie India does not take institutional positions on public policy issues; the views represented herein are those of the author(s) and do not necessarily reflect the views of Carnegie, its staff, or its trustees.
