Iran is a second-tier cyber power. By the standards of other state actors, its capabilities—both offensive and defensive—are relatively modest, but they are growing steadily. Cyber operations have also become an integral component of Iranian military doctrine and strategy, both of which place a heavy emphasis on the principles of asymmetry and hybrid warfare. Outclassed by its adversaries in the conventional military realm, Tehran has opted to invest heavily in cyber, where the barrier to entry is relatively low and the regime can compete more effectively.
Iran was a relative latecomer to the cyber arena. Iranian officials first began to emphasize cyber warfare (jang-e saybari) as an element of military doctrine and strategy in the mid-2000s. Then, in 2010, an extremely advanced malicious computer worm, later dubbed Stuxnet, was used to sabotage some of the industrial control systems associated with Iran’s uranium enrichment efforts. Many assumed that the United States and/or Israel were behind the attack, the first in which a nation state had used a cyber weapon to target another state’s critical infrastructure. Although Stuxnet apparently had only a limited impact on Iran’s enrichment efforts, it bolstered the perception among regime officials that Iran had been a victim of unjustified cyber aggression by the United States and its allies, and gave impetus to Iran’s nascent cyber efforts.
Within a few years, Iran’s military and security services had developed an extensive network of commands and agencies with distinctive cyber missions and roles, including the Supreme Council of Cyberspace (shora-ye ali-e fazaye majazi), which was established in 2012 as the top policy-making body on cyber issues, and, on the military side, the Cyber Defense Command (gharargah-e defa-e saybari), which falls within the purview of the Passive Defense Organization of the Armed Forces General Staff. Offensive cyber operations appear to be largely, although not exclusively, the preserve of the Islamic Revolutionary Guard Corps (IRGC), a parallel, ideological military that operates alongside the state’s regular armed forces (artesh).
Iran’s military and security services also routinely leverage cyber proxies—with varying degrees of affiliation to the regime—to bolster their capabilities while affording the Iranian government a degree of plausible deniability in its operations. While Iran’s willingness to leverage cyber proxies, especially hacktivists, is hardly unique, it does complicate the already complex issue of attribution with cyber attacks.
As Iran’s nascent cyber infrastructure has evolved, so have the capabilities and tactics employed by its cyber forces and proxies. Prior to 2012, these were fairly basic by hacking standards, mainly DDoS (distributed denial of service) attacks and DNS hijackings and redirections designed to disable or deface websites. In February 2011, for instance, a group claiming to be the Iranian Cyber Army (ICA) attacked the Voice of America’s (VOA) website by hijacking the website’s domain name. A year later, the Izz al-Din Qassam Cyber Fighters, another Iranian hacker group, launched a wave of DDoS attacks against major U.S. banks, including Bank of America, Citigroup, JPMorgan Chase, and Wells Fargo. Although they certainly did not go unnoticed, these and similar attacks on other Western websites proved to be ephemeral, limited in both impact and duration. Most of the websites involved were up and running again within a matter of hours.
Then, in 2012, the Cutting Sword of Justice—widely assumed to be an Iranian proxy or intelligence entity masquerading as a hacktivist group—used a cyber weapon, the “Shamoon virus,” to incapacitate the networks of energy firms in Saudi Arabia and Qatar. Saudi Aramco was hit particularly hard. More than 30,000 computers in Aramco’s commercial arm were taken offline, the first example of Iran using its capabilities to physically damage the networks of its adversaries. In 2014, the Iranian government was accused of being behind a damaging cyberattack on the Las Vegas Sands Corporation (LVS). Many supposed that this attack was directed at the CEO of LVS, Sheldon Adelson, who has been an outspoken and vociferous critic of Iran’s nuclear program. Director of National Intelligence James Clapper described the Sands attack as a “destructive cyberattack” on par with North Korea’s hack of Sony.
Iranian network exploitation efforts were also becoming more sophisticated. In 2013, Iranian hackers managed to penetrate the Navy Marine Corps Intranet (NMCI), the Navy and Marine Corps’ unclassified communications network. Capitalizing on a weakness in NMCI’s public website, the hackers remained on the network for four months, exfiltrating account information and other data until the Navy was able to patch NMCI’s vulnerabilities and remove any associated malware. The NMCI incident has been followed by several relatively sophisticated attempts to exploit social networking sites, such as LinkedIn and Facebook, using social engineering techniques (establishing fake online personas, etc.) in order to obtain sensitive information from U.S. officials and contractors.
These and other operations suggest that Iran’s cyber efforts are maturing and becoming more systematic. They also suggest that the Iranian government is increasingly willing to countenance offensive cyber operations—as distinct from network exploitation efforts—in situations short of actual war.