Since 2021, Russia and Iran have undertaken extensive cybersecurity cooperation, most of which has focused on common defensive measures. However, in late March, Moscow delivered a substantial upgrade to the Islamic regime’s digital arsenal. As the Wall Street Journal has reported, the Kremlin is now delivering powerful surveillance software to Tehran.
The prospect of enhanced Iranian cyber capabilities should obviously concern U.S. officials. Tehran has undertaken increasingly aggressive and disruptive cyberattacks against America and its partners over the last decade. The growing authoritarian partnership with Moscow—both in cyberspace and in conventional domains—will only accelerate the development of Iran’s cyber capacity. There are a few reasons the Kremlin is unlikely to transfer offensive cyber capabilities to Tehran. But even greater cooperation between the two countries is a threat to U.S. interests, and the longer Russia’s foray into Ukraine lasts, the more leverage Iran will have over it.
What would keep Russia from giving Iran the capability to attack U.S.-based networks? Some offensive components, such as malware programs and exploits for vulnerabilities, are “rivalrous goods”—the consumption or use of these tools by one hacker precludes the reasonable or effective use of the same capabilities by others. Such capabilities are also “use it and lose it” in nature: Once deployed to disrupt U.S. networks, they have little reuse value. Additionally, sharing offensive tools would require Russia to give Iran too much access to its broader offensive cyber operations ecosystem, and there is the risk of misattribution—that any attacks by Iran could be blamed on Russia instead.
In contrast, sharing cyber espionage capabilities comes with fewer barriers. Cyber espionage capabilities are by necessity covert: Unlike offensive tools designed to degrade, disrupt, or destroy a target’s computer or network functionality, effective digital spying requires a hidden, prolonged presence on computers or networks. This means that surveillance capabilities generally have a longer lifespan than tools meant for disruption. And because of the covert nature of cyber espionage, attackers can use the same digital spy tools without compromising the future use of those tools by other attackers. As long as targets remain unaware of information collection and exfiltration on their networks, both Russian and Iranian hackers could utilize the same vulnerabilities, exploits, or malware with few negative repercussions.
Moreover, Moscow has two major incentives to share its cyber intelligence tools and infrastructure with Tehran. First, sharing digital espionage capabilities can lower transaction costs against common targets. Collecting intelligence on the United States becomes much easier when Russia and Iran can deconflict or coordinate operations looking to acquire the same type of information. Second, the Kremlin can amplify its intelligence gains by sharing its digital espionage architecture with Tehran. Iranian use of Russian surveillance equipment or networks provides Russian hackers with built-in backdoors to monitor Iranian intelligence operations.
As such, the most meaningful cyber cooperation between Russia and Iran is likely to revolve around surveillance equipment and espionage capabilities. Both regimes prioritize domestic information control. It is no surprise that PROTEI Ltd.—a Kremlin contractor known for communications monitoring technologies—would provide powerful censorship capabilities to Ariantel, one of Iran’s regime-affiliated mobile providers. Moscow can even facilitate Iran’s ability to innovate within its own cyber operations ecosystem, a measure that does not reduce the effectiveness of Russia’s own cyber arsenal. As cyber cooperation between the two authoritarian regimes continues, joint training exercises offer a forum for sharing knowledge and expertise on finding and exploiting vulnerabilities.
Yet future offensive cyber collaboration between America’s authoritarian adversaries remains a possibility. The Kremlin could share capabilities with Tehran’s hackers under three conditions: 1) Moscow has no operational use for specific exploits or tools; 2) Iran sees value in using those capabilities against a target; and 3) those hacking tools are not capable of compromising Russian computers or networks. But these criteria are incredibly difficult to satisfy.
The 2024 U.S. election could certainly serve as a focal point for greater Russo-Iranian cyber cooperation. Both Moscow and Tehran have a mutual interest in disrupting and degrading public confidence in American democracy. Timing operations around the election window also reduces friction between Russia and Iran over when to use shared exploits or tools. The primary source of disagreement would only be over proportionality, i.e., the severity of effects created by an offensive cyber operation.
But the most likely driver of offensive cyber capability transfers is Russia’s increasing reliance on Iranian military equipment for its illegal war in Ukraine. Russian forces have already acquired and used hundreds of Iranian drones to attack Ukrainian military and civilian targets. More recently, Iran has shipped massive amounts of ammunition across the Caspian Sea to resupply Russian troops in eastern and southern Ukraine. Moscow’s wartime needs have undoubtedly accelerated ties between the two authoritarian regimes into a more comprehensive defense partnership. And broader defense cooperation between Russia and Iran begets greater trust for cyber collaboration.
Leadership in Washington must realize, though, that as the war in Ukraine grinds on, the revolutionary Islamic regime will gain more leverage over the Kremlin. Cyber capabilities are subordinate to greater strategy, and the Russian need for Iranian weapons on the battlefield more than outweighs its desire to withhold hacking tools from Tehran. This is yet another reason for the U.S. to support a swift Ukrainian victory over Russian forces.