Bottom Line: In the past decade, Iran’s cyber capabilities have evolved from a tool for lashing out at domestic opponents of the Islamic Republic into a central pillar of its national strategy for holding adversaries at risk and collecting crucial foreign intelligence. Although disruptive Iranian cyberattacks against the U.S. fell off after the JCPOA was signed in July 2015, Tehran continued to build its national and proxy cyber capabilities to counter its regional adversaries Saudi Arabia and Israel and to keep the U.S. at risk.
Background: After falling victim to several cyber intrusions in the early 2000s, Iran focused on ramping up its toolkit and now maintains the ability to launch offensive cyberattacks against domestic and international opponents of the regime.
- Iran did not pursue offensive cyber capabilities with much urgency until July 2010, when the Stuxnet worm, widely attributed to a joint U.S.-Israeli operation, was revealed to have been sabotaging centrifuges at the Natanz enrichment facility; later analysis dated its earliest versions to 2007. Then, in April 2012, systems at Iran’s oil ministry and in its oil sector were hit by the disk-wiping malware known as Wiper, and the investigation that followed uncovered the Flame espionage toolkit; both have been linked to Israel. These two attacks on Iranian infrastructure appear to have informed Tehran’s own cyber doctrine: retaliation that mirrors the kind of action taken against the regime.
- Tehran has used offensive cyber operations to respond to what it views as international aggression. After the U.S. Treasury Department imposed new sanctions on Iran’s oil and financial sectors in November 2011, and after Iran’s own oil sector was hit by wiper malware in April 2012, Tehran is suspected of deploying the Shamoon disk-wiping malware in August 2012 against the networks of oil giant Saudi Aramco and the Qatari natural gas producer RasGas, overwriting tens of thousands of workstations in apparent retaliation against the energy sectors of U.S. regional allies. Beginning in September 2012, Tehran pivoted to volleys of distributed denial of service (DDoS) attacks against 46 U.S. financial institutions, known as Operation Ababil, claimed by a persona calling itself the “Izz ad-Din al-Qassam Cyber Fighters” (a name borrowed from Hamas’s armed wing) as a thin veil of plausible deniability. Cyber is also a means of targeting vocal opponents of the regime: in February 2014, Iranian hackers breached Las Vegas Sands Corp. and wiped the company’s data after CEO Sheldon Adelson publicly suggested that the U.S. detonate a nuclear weapon in the Iranian desert as a warning to Tehran.
- The governmental body that oversees cyber-related activities, the Supreme Council of Cyberspace, was established by Supreme Leader Ayatollah Ali Khamenei in March 2012 and includes representatives of both the Ministry of Intelligence (MOIS) and the Islamic Revolutionary Guard Corps (IRGC). However, the direct command-and-control structure for cyber operations often remains opaque, perhaps deliberately, so that the state can avoid public responsibility for escalatory operations.
James Lewis, Senior Vice President and Program Director, CSIS
“Iranian state-sponsored hackers can be volunteers – like irregulars – often organized through the Basij, which is an Iranian paramilitary group. People who have cyber abilities are on the payroll or getting some support from the Iranian government but aren’t necessarily Iranian government employees. They have a network of individuals who are private contractors but will carry out government instructions.”
Issue: While Iran has previously engaged in asymmetric cyber disruption against the United States, Tehran eased up on such attacks during the bilateral discussions that began in March 2013 and led to the JCPOA. However, Tehran’s reported network reconnaissance indicated that it continued to develop contingency plans for attacking its enemies’ critical infrastructure in a crisis.
- While the JCPOA was in place, Iran appeared to refocus its disruptive attacks on its regional adversaries Saudi Arabia and Israel. In November 2016, a variant of the disk-wiping malware Shamoon, dubbed Shamoon 2, was deployed against Saudi aviation and transportation authorities, destroying computers in the process. In January 2017, another round of Shamoon 2 attacks hit 15 Saudi organizations, including the Ministry of Labor. During the conflict between Israel and Gaza in the summer of 2014, known as Operation Protective Edge, Israeli authorities reported that Israel Defense Forces infrastructure was targeted by DDoS attacks from a wide range of belligerents, including Tehran. Because Israel’s cyber defenses are far more mature than Saudi Arabia’s, Tehran has focused on narrow espionage opportunities against Israel and on positioning itself to disrupt civilian services in the event of a conflict.
- Iran has demonstrated a propensity to increase its cyber espionage during periods of heightened tensions with the West. For instance, from 2012-2014, during the period before the nuclear agreement was signed and Iran faced crippling international sanctions, Iran targeted U.S. military networks, as well as critical industries such as energy and utilities, oil and gas, chemicals, airlines and transportation hubs, global telecommunications, healthcare, aerospace, education and foreign defense industrial bases.
- With the U.S. withdrawal from the JCPOA announced in May 2018, Tehran may refocus its cyber capabilities on espionage and prepare for the possibility of heightened tensions with the West. In December 2017, suspected Iranian state-sponsored actors were reported conducting reconnaissance of critical infrastructure in the Middle East. That same month, researchers disclosed Triton (also called Trisis), malware built to manipulate Triconex safety instrumented systems at a petrochemical plant in the region and capable of enabling physical damage; early speculation pointed to Iran, but the malware was never attributed to Iranian actors, and FireEye later linked its development to a Russian government-owned research institute.
- Iran has also turned to proxy groups such as Hezbollah to conduct cyber operations. Since September 2010, Iran has hosted Hezbollah officials for “Cyber Hezbollah” conferences. Hezbollah, operating its own separate attack infrastructure, has also been observed using malware shared with the Iranian Ministry of Intelligence. This suggests not only intelligence sharing between Hezbollah and Iranian hackers but also the direct transfer of cyber tooling. Cooperation has also been reported between Hezbollah’s hackers and the Iranian company ITSec Team, indicating that joint operations take place.
Rhea Siers, former Deputy Associate Director for Policy, National Security Agency
“Iranians are using cyber on a continuous basis to confront Israel and other U.S. partners in the Middle East. The latest reports on their capabilities provide clear information that the Iranians have prepared their contingency planning to strike back at the U.S., Israel, Saudi Arabia and others. The number of Iranian-originated or assisted attacks is rising rapidly.”
Leslie Ireland, Former Assistant Secretary of the Treasury for Intelligence Analysis
“It would surprise me if Iran came through with some big dramatic cyberattack. They will move very incrementally – maybe it is the resumption of DDoS attacks on different industries or maybe it is more aggressively scanning our critical infrastructure. They will use cyber and proxy capabilities because they don’t have a nuclear weapons program they can turn to right now.”
Response: When hit with cyberattacks in the past, the U.S. has hesitated to respond in kind through cyberspace given the potential for further cyber retaliation by Iran. This suggests that other levers – such as diplomatic, economic, law enforcement and military measures – are trusted as more effective than responding with cyber capabilities when seeking to deter Iranian cyber provocations.
- The U.S. has traditionally responded to Iranian state-sponsored cyber campaigns with indictments and sanctions against individuals and entities. In March 2016, the U.S. Justice Department unsealed indictments of seven employees of the Iran-based companies ITSec Team and Mersad Company for conducting the DDoS attacks against U.S. financial institutions, as well as an intrusion into the control system of the Bowman Avenue Dam in Rye Brook, New York, on behalf of the IRGC. Employees of both companies were also sanctioned by the U.S. Treasury Department in September 2017 for their role in the DDoS attacks on U.S. financial institutions.
- In March 2018, the U.S. Department of Justice unsealed indictments of nine Iranian hackers, and the U.S. Treasury concurrently sanctioned the same individuals and one entity, the Mabna Institute, for Iranian state-sponsored theft of intellectual property from 144 American universities, valued at approximately $3.4 billion, as well as from 176 universities in 21 other countries. The campaign also targeted 47 private sector companies, including some based in the U.S., and stole an estimated 31.5 terabytes of data after the hackers became operational in roughly 2013.
- While Iran’s probing of critical U.S. and allied systems is alarming, it should be expected as contingency planning in case Iran’s relations with its regional adversaries and the West deteriorate. The U.S. reportedly had similar plans, known as Operation Nitro Zeus, to disrupt Iranian critical services, and is likely seeking to maintain access should Tehran resume its pursuit of nuclear weapons.
James Lewis, Senior Vice President and Program Director, CSIS
“If you are thinking you might end up in a conflict with somebody, you will need to do pretty frequent reconnaissance so that you can be ready to take action. The U.S. does reconnaissance on Iran every day, but that doesn’t mean that we are about to attack Iranian critical infrastructure through cyber means. Reconnaissance indicates hostile intent, but it is not the thing that itself is dangerous or a precursor to attack.”
Rhea Siers, Former Deputy Associate Director for Policy, National Security Agency
“There’s an interesting debate about using indictments to end the anonymity of individual hackers or organizations. It’s a good public signal, but it’s difficult to assess its operational impact long-term. The IRGC isn’t about to hang up its hacking out of fear of U.S. indictments or ‘red lines,’ as it continues to engage in a whole range of transnational criminal efforts to support its activities and surrogates, such as Hezbollah. Indictments might help establish red lines, but there has to be operational activity in addition to sanctions to demonstrate a real determination to deter these IRGC activities.”
Looking Ahead: Iran will continue to try to hold U.S. and allied critical infrastructure at risk, and through proxies such as Hezbollah it will increasingly conduct clandestine intelligence collection to extend its reach.
Leslie Ireland, Former Assistant Secretary of the Treasury for Intelligence Analysis
“The Iranian DDoS campaign seemed to abate after the Joint Comprehensive Plan of Action began, so there appeared to be at least some deterrent value in having something that the Iranians really wanted and really needed to be successful. The costs of Iran walking away from the JCPOA are too great still, and what they will rely upon are the asymmetric measures that they have – cyber and proxy activity on the ground.”
James Lewis, Senior Vice President and Program Director, CSIS
“The Iranians don’t want the nuclear deal to go away, and so that is the thing that shapes their behavior to the United States. If we did cancel the nuclear deal, that would take the leash off when it comes to cyber actions. But ever since the deal was put in place, they have been very cautious about doing anything, because it is not in their interests to have sanctions re-imposed. So that is the biggest constraint right now on Iranian behavior against the United States.”