Table of Contents

Summary

Incidents involving Iran have been among the most sophisticated, costly, and consequential attacks in the history of the internet. The four-decade-long U.S.-Iran cold war has increasingly moved into cyberspace, and Tehran has been among the leading targets of uniquely invasive and destructive cyber operations by the United States and its allies. At the same time, Tehran has become increasingly adept at conducting cyber espionage and disruptive attacks against opponents at home and abroad, ranging from Iranian civil society organizations to governmental and commercial institutions in Israel, Saudi Arabia, and the United States.

Collin Anderson Collin Anderson is a Washington, DC–based researcher focused on cybersecurity and internet regulation, with an emphasis on countries that restrict the free flow of information.

Iran’s Cyber Threat Environment

Offensive cyber operations have become a core tool of Iranian statecraft, providing Tehran less risky opportunities to gather information and retaliate against perceived enemies at home and abroad.

Just as Iran uses proxies to project its regional power, Tehran often masks its cyber operations using proxies to maintain plausible deniability. Yet there are clear indications that such operations are conducted by Iranians and frequently can be linked to the country’s security apparatus, namely the Ministry of Intelligence and Islamic Revolutionary Guard Corps.

Iran’s cyber capabilities appear to be indigenously developed, arising from local universities and hacking communities. This ecosystem is unique, involving diverse state-aligned operators with differing capabilities and affiliations. Over the decade that Iranians have been engaged in cyber operations, threat actors seemingly arise from nowhere and operate in a dedicated manner until their campaigns dissipate, often due to their discovery by researchers.

Though Iran is generally perceived as a third-tier cyber power—lacking the capabilities of China, Russia, and the United States—it has effectively exploited the lack of preparedness of targets inside and outside Iran. Just as Russia’s compromise of Democratic Party institutions during the 2016 U.S. presidential election demonstrated that information warfare can be conducted through basic tactics, Iran’s simple means have exacted sometimes enormous political and financial costs on unsuspecting adversaries.

The same Iranian actors responsible for espionage against the private sector also conduct surveillance of human rights defenders. These attacks on Iranian civil society often foreshadow the tactics and tools that will be employed against other targets and better describe the risks posed by Iranian cyberwarfare.

Through technical forensics of cyber attacks, researchers documenting these campaigns can provide a unique window into the worldview and capabilities of Iran’s security services and how it responds to a rapidly changing technological and geopolitical environment.

Karim Sadjadpour Karim Sadjadpour is a senior fellow at the Carnegie Endowment for International Peace, where he focuses on Iran and U.S. foreign policy toward the Middle East. @ksadjadpour

U.S. Responses Going Forward