Iran’s Cyberspace Evolution

When we talk about the security challenges presented by Iran, it’s often in the realm of Iranian nuclear ambitions, sponsorship of terror groups like Hezbollah, or involvement in conflicts like Syria and Yemen. But the Islamic Republic is also a burgeoning cybersecurity threat.

Iran generates aggressive operations in cyberspace for a variety of purposes—espionage, stealing information, attacks on critical infrastructure, and influence campaigns are only a few examples. In fact, the use of cyber tools fits well in Iranian security thinking. Supreme Leader Ayatollah Ali Khamenei often employs a carefully calibrated approach that will allow the Iranian system to fulfill its political interests and ensure plausible deniability, but without paying a price for the activity—in other words, below the threshold of escalation. An analysis of Iran’s conduct in the cyber dimension reveals that Tehran has recently transitioned from cyber defense to offense because of an evolution in thinking over three phases of its cyber development that highlighted to the Iranian leadership the importance of this tool.

Khamenei has highlighted the need for a “cyber jihad” in his public remarks at least twice in the past year. In September, he counseled, “young people can promote true, correct thoughts on the internet and struggle on the path of God.” In February, the ayatollah said, “today, countering the enemy’s push to distort the realities, achievements, progresses, and epic measures of the Islamic establishment requires a defensive move and a hybrid offensive based on the urgent and definite task of the jihad of explanation.”

The top brass of the Islamic Republic thus understands that as part of its desire to be a global force, it must be at the forefront of cyber technology. As Gholamreza Soleimani, the commander of the Islamic Revolutionary Guard Corps’ Basij Resistance Force, recently proclaimed, “We can confidently say that now the time of enemies’ hit-and-run attacks has come to an end on cyberspace.”

Iran sees itself as a power like the United States but understands its built-in inferiority in conventional capabilities. Yet in the cyber domain, Iran assumes that it is equal to Washington in many ways. This emboldens Iranian decision-makers, as cyberoperations allow them to camouflage their fingerprints. Attempts to damage dams in the United States or intervene in presidential elections, although unsuccessful, fuel this perception in Tehran, meaning that the cyber weapons allow Iran to “transcend” and face the United States equally without fear of an American response.

Phase 1—Caught by Surprise

The first phase in the Iranian shift took place between 2009 and 2011, with limited offensive and defensive capabilities. The turning point was the system’s experience with the Stuxnet worm that hit the centrifuges installed in the enrichment plant at Iran’s Natanz nuclear facility in 2010. The incident was a wake-up call for the regime, which not only discovered how vulnerable it was to cyberattacks but also came to appreciate their potential.

Up until that point, most of Iran’s activity in cyberspace was directed at the Iranian opposition, with the aim of gathering intelligence. Iran was deeply concerned about the possibility of the Green Revolution taking over the country, so it also worked in the cyber domain to prevent this possibility. The Iranian strikes were relatively simple and focused on distributed denial of service (DDoS) attacks and identity theft.

Iran moved in 2010 to create the Cyber Defense Command, which operates under the Organization for Passive Defense. Its main goal was to organize cybersecurity among the various entities that dealt with the issue, with the aim of reducing the damage from future cyberattacks as much as possible. At the same time, Iran’s cyber army began specializing in spot attacks for specific intelligence purposes.

Phase 2—Building Capacities

From 2012 to 2018, Iran created a cyber oversight architecture and strengthened its defensive capabilities while creating new offensive tools. In 2012, the supreme leader ordered the formation of the Supreme Council of Cyberspace, which coordinates offensive and defensive operations.

Iran found most of its new offensive tools online, largely tooling used by criminals, which it took and adapted to its needs. It reverse-engineered and rebuilt the capabilities it managed to capture, used them, learned from them, and then tried to emulate them.

The regime also invested in building cooperation with foreign powers, especially in the defensive sphere, to significantly upgrade its own capabilities. In this framework, Iran later worked to sign cooperation agreements on cyberspace with Russia and China.

Iran’s first experience of transitioning from defense to offense took place in 2012, when it attacked companies and infrastructure outside its borders with a malware called “Madi.” Iran used this attack primarily for intelligence purposes, with an emphasis on stealing sensitive documents from various entities, including in the Middle East. That same year, Iran moved to a more active role with malware called “Shamoon,” which Iranian hackers developed based on tools that were common online, possibly using lessons from the Stuxnet attack. Using that malware, Iran attacked the Saudi oil company Aramco. As part of that operation, Iran deleted information from 35,000 Saudi computers, stole passwords, and prevented other computers from operating on the Aramco network. The attack caused serious economic damage to the Saudi oil company and sharpened awareness of the danger posed by cyberattacks from Iran. Iran likely deployed Shamoon 2 from 2016 to 2017 in another round of targeted cyberoperations against Saudi Arabia.

Some observers have noted that Iran appeared to restrict its cyber activity during this period, which coincided with the inking of the nuclear deal in 2015—focusing more on intelligence collection than on disruptive operations in the West, like the hacking of a New York dam in 2013. Nevertheless, international negotiations and agreements themselves have not necessarily deterred Iran from aggressive cyberattacks. In practice, it has pursued both simultaneously. The hacking of the New York dam took place in the same year that negotiations over the interim Joint Plan of Action (JPOA) began. Iran-linked hackers also penetrated unclassified Navy computers that same year. After the JPOA was concluded, the late Sheldon Adelson’s Las Vegas Sands Corp. was hit by an Iranian hacking operation in 2014. In 2017, following the inking of the final Joint Comprehensive Plan of Action (JCPOA), Iran targeted the U.K. Parliament in a cyberattack, compromising the email accounts of dozens of MPs, including then-Prime Minister Theresa May. These campaigns demonstrated the increasing sophistication of Iranian cyber tools and provided a testing ground for future operations elsewhere.

During this phase, Iran continued to suffer sporadic cyberattacks itself. For example, in 2011, its state shipping company, Islamic Republic of Iran Shipping Lines (IRISL), was hit by one.

Phase 3—The Ripening Stage

Beginning in 2019, Iran maximized its offensive capabilities while fortifying its defensive tools. Tehran integrated and coordinated its methodology during this phase. It is in this space that a real cyber war has developed between Israel and Iran, with the latter using its range of capabilities to build a deterrent balance in cybersecurity, as it responds to any Israeli action in the cyber domain.

Iranian goals include perfecting its penetration of critical infrastructure. This can be seen in the Iranian hacking of software that operates water pumps in Israel, routed through American and European servers to hide the source of the malicious code. The attack could have forced the shutdown of the pumps once the chemical anomaly was discovered, leaving thousands of civilians without tap water, or even caused disease due to high chlorine levels. Iran also continued to direct cyberattacks against gas facilities in Saudi Arabia and Bahrain, using advanced capabilities.

Iranian cyber actors have also engaged in intimidation and foreign influence campaigns. They have repeatedly hacked leading Israeli news sites to intimidate the residents of Israel by amplifying alarming messages about Iran’s kinetic capabilities. Tehran has also sought to exploit political fissures in Israel, Scotland, and the United States to foment instability, undermine confidence in democratic institutions, and push its preferred world view. This tactic can be seen in a recent investigation by the BBC, which found that an Iranian disinformation unit had established a Facebook network to prey upon nationalist and Orthodox Jews in order to divide, dissemble, and incite the community against Palestinians. In Scotland, Facebook also found that Iran’s state broadcaster had deployed fake accounts to influence the outcome of the 2014 Scottish independence referendum. This activity continued into 2022, with Facebook disabling an Iranian network earlier this year.

In the run-up to the 2020 U.S. presidential election, voters in several states, including Alaska and Florida, received emails purporting to come from the far-right American group the Proud Boys, but which Iran was actually behind. In those messages, the purported senders threatened voters if they did not vote for then-President Donald Trump. The emails even contained personal information, including the home addresses of some of the recipients, indicating that the senders had obtained U.S. voter registration data.

Other behaviors indicate a desire to obtain security information. Iran has directed operations targeting various defense industries, especially in Israel, to obtain sensitive information, and has even tried to engage with senior officials in the Israeli defense industries to extract information from them.

In recent years, Iranian cyber actors have also utilized hack-and-leak operations to obtain intelligence on senior foreign officials, most especially in Israel. Tehran has been trying to hack into databases, such as those of government bodies and insurance companies, to obtain personal information and demand ransom in the process. Iran has even started leaking details from these databases, with the aim of extorting money from those companies, but also exploiting the data to demonstrate capabilities, embarrass Israel, and harm its population. This intent can be seen in Iran-based hackers leaking names from “Atraf,” an LGBTQ dating website in Israel. In March 2022, Iran-linked hackers also targeted David Barnea, director of Israel’s Mossad, allegedly hacking into an old cellphone of his wife’s and distributing personal photos and tax documents. Another incident that month involved a widescale cyberattack on Israeli government websites—specifically those with the gov.il domain—that the defense establishment called at the time the largest such attack ever on the Jewish state. But other observers were unimpressed with the operation, suggesting that it was less sophisticated than the initial reactions made it out to be, consisting of routine, if large-scale, DDoS attacks. Officials in Israel assess that at least some of these episodes were in response to Israel’s reported attack on an Iranian UAV base near Kermanshah in February, which damaged hundreds of drones.

Lastly, Iranian operatives have been building a target bank. This includes civilian and security infrastructure in countries of interest, so that it can be damaged during periods of escalation. This is similar to the approach of the Russians—albeit at a less advanced level—who have reportedly implanted malware in U.S. critical infrastructure for this purpose, to be activated on demand.

Government agencies in the United States, the United Kingdom, and Australia warned in November 2021 that Tehran remains interested in targeting critical infrastructure, exploiting vulnerabilities in Fortinet FortiGate devices and Microsoft Exchange ProxyShell for ransomware attacks. In one case, an Iranian-linked advanced persistent threat group was casing American health and transportation entities, specifically a hospital specializing in children’s care and a municipal government.

Current Trends

Iran does not operate sporadically in cyberspace but conducts a coordinated campaign in which it operates various tools for discrete purposes. Alongside Iran’s advances in the offensive field, it is also making progress in protecting its critical infrastructure, particularly its nuclear sites. After several incidents, the Iranian system is now fortifying its protection of nuclear facilities, particularly with the recent establishment of an Islamic Revolutionary Guard Corps Nuclear Command Center. Iran nonetheless remains vulnerable to significant cyberattacks, such as the one targeting the Shahid Rajaee port in 2020 and the attack on Iranian gas stations in 2021.

It is important to note that in stark contrast to the kinetic world, in cyberspace there are no rules. Iran can attack Israel’s water sources, which it would not dare do with conventional kinetic means. The key question is, how long will the cyber campaign remain in this dimension and not move into kinetic space?

In the end, Iran has embraced the cyber realm and greatly strengthened its efforts in this sphere, as part of a broad toolkit it is developing against its enemies. While geopolitical tensions could trigger an increase in such attacks, particularly on the West, the Iranian system has been consistently perfecting its capabilities—even during periods of negotiation and agreement with world powers.

Because of the unique characteristics of cyber weapons, with an emphasis on the ability to stay below the escalation threshold and especially the detection threshold, Iran is expected to deepen and intensify its activities in the cyber dimension even if it returns to the JCPOA. In contrast to 2015, when Iran’s president was more interested in moving closer to the West to preserve the Islamic Revolution, incumbent President Ebrahim Raisi’s administration is composed of more extreme elements from Iran’s deep state who thrive off of confrontation with the United States. This is especially the case in the Supreme National Security Council (SNSC), where the debate has hardened in recent years with the addition of more conservative members. Therefore, just as it is estimated that Iran’s regional activity to expel Washington from the Middle East will continue—nuclear deal or no nuclear deal—so will its malign cyber activity. In this respect, with the genie already out of the bottle, there is great importance in building a multilateral deterrent capability in cyberspace, one which will make it clear to Iran that it will pay a heavy price for its operations.

Maj. (Res.) Danny (Dennis) Citrinowicz previously served as the head of the Iran branch in the Research and Analysis Division (RAD) in Israeli defense intelligence and as the division’s representative in the United States.

Jason Brodsky is the policy director of United Against Nuclear Iran (UANI).
