James Clapper, Director of National Intelligence, and Lt. Gen. Vincent Stewart, Director of the Defense Intelligence Agency, testify during a Senate Armed Services Committee hearing at the Dirksen Senate Office Building on February 26, 2015 in Washington, DC. Evy Mages/Getty Images

Jeff Bardin is the chief intelligence officer of Treadstone 71.

In his recent testimony before the Senate Armed Services Committee, National Intelligence Director James Clapper named Russia, China and North Korea as the top threats to US cybersecurity.

But another key cyber adversary was left out - the Islamic Republic of Iran.

Ever since the Stuxnet worm damaged Iran’s nuclear program in 2010, the country has been on a tear to build up its own offensive cyber program. It’s now one of the most aggressive nations when it comes to launching certain types of cyber attacks:

2012 - Saudi Aramco hit by wiper malware, 30,000 computers disabled

2013 - Hackers breach New York dam

2014 - Las Vegas Sands hit by a wiper malware attack

Iran is unique as a hacker nation, though, because it relies more heavily than other countries do (e.g., China) on decentralized proxy groups to carry out its overseas attacks. In the government’s view, this gives it plausible deniability when attacks occur, but it also raises questions about how much control Iran’s government actually has over the hackers it is directly or indirectly supporting.

Because of this policy, however, hackers have a pretty good life in Iran. They’re relatively free to attack foreign targets, they have good jobs, they live out in the open and their work is celebrated. The old cliché of the hacker hiding out in a basement is nowhere less true than it is in Iran.

No need to hide.

There is no need for hackers in Iran to hide like they do in the west. Shutterstock

Unlike their counterparts in the US, Europe and (occasionally) Russia, “black hat” hackers in Iran don’t have to hide from government authorities and law enforcement. That’s because hacking isn’t illegal, as long as it’s being done for the government.

For this reason, Iran’s top hacker crews are able to lead very public lives, often with little to no attempt to conceal their activities.

They even post openly on popular Western, Russian and Iranian social networking sites, regularly sharing personal information, locations, employer and university affiliations, families and friends, etc.

Interestingly, Iran’s hackers aren’t big fans of Twitter. They prefer to use a number of other sites instead, two of which are Facebook and vBulletin forums.

They’re well educated.

Many Iranian hackers were educated to a high level in the West. Purdue Computer Science Facebook

Iran’s hackers are also, as a rule, highly educated, with Ph.D.s and master’s degrees in computer science, mathematics and physics. This typically isn’t the case with hacking crews in the US or Europe.

They also frequently attend schools in the West. For example, an ex-hacker who went by the screen name “sc0rpion” (real name: Yashar Shahinzadeh) is currently seeking a Master’s degree in information security at a UK university.

Many Iranian professors were educated in the West and maintain close ties to institutions like MIT, Carnegie Mellon, Virginia Tech and Northeastern University. This is likely why many former or aspiring hackers enroll at these universities to advance their educations and skill-sets.

Iran’s Ivy League for hackers.

A general view of the main campus of Sharif University of Technology. Masoud K via Wikimedia Commons

Iran has plenty of strong universities of its own, however, and if you’re a skilled hacker, chances are you’re affiliated with at least one of them.

These four universities – Sharif University of Technology, Islamic Azad University, Isfahan University and Yazd University – form a sort of Ivy League for hackers in Iran. They’re all top-notch schools with great science, engineering and technology programs. But they go a few steps further than traditional universities.

For instance, they offer a number of questionable full-semester “cybersecurity” courses, which teach advanced black hat hacking techniques, such as: anti-honeypot technology, how to “pwn” modern web applications, NoSQL database attacks, kernel hacking, hacking secret ciphers, designing rootkits and methods in anonymity.

They also employ many well-known black hats as full-time professors, or as adjunct faculty in charge of special training programs. One recent training program led by Professor Yaser Balaghi and a prominent hacker called “Masoud_pk” taught students how to use the malware “wool3nh4t,” along with standard coding lessons on C#, ASP and .NET.

Iranian students work on computers. REUTERS/Raheb Homavandi

Prof. Balaghi himself is an interesting figure in Iran. Various security industry reports have tied him to the “Rocket Kitten” hacking group, which targeted Israeli and European organizations in 2015.

At Treadstone 71, we’ve also noticed an interesting correlation between the timing of Prof. Balaghi’s training courses and cyber attacks against Saudi Arabian domains.

Iran’s top universities also fund research and training programs for cyber attacks on nuclear facilities and other industrial control systems (like SCADA).

In fact, the Atomic Energy Organization of Iran held its own nuclear facility hacking contest in 2013. The results have since been removed from the internet, but Treadstone 71 has full copies of all write-ups. These write-ups show Iran’s hackers were able to find significant security issues with the country’s nuclear facilities and SCADA systems.

The ‘in’ crowd.

You’ll be contacted by one of Iran’s many hacking groups if you can prove you have the requisite skills. Shutterstock

If you’re a hacker in Iran, you want to be ‘in’ with one of the main hacking groups. These include Ashiyane, Arad Group and FullSecurity (aka Milad Hacking), but there are countless others as well.

Keep in mind, Iranian hacker groups often pop up suddenly to launch a new campaign, then disband and re-emerge later under a new name. In many cases, the same hackers may be involved in multiple groups.

Ashiyane is one of the larger, more well established groups with roughly 40 core members. Other groups may be as small as just six or seven members.

Here are some of Iran’s more recent hacking groups:

• MiHaNHaCk Security TeaM
• Iran Security Group
• Milad_Inj3ct0r of White Hat Security
• Deface Sec Team
• Jahesh Security Team
• 4TT4CK3R Of IBH & Ashiyane
• Offsec
• Iranonymous
• Iranian Gray Hat Group
• Persian Hack Team
• Danger Security Team
• Jok3r
• GuardIran Team
• Mihan Cyber Security Group
• Blackwolf_Iran
• IRaNHaCK Security
• Persian Reverse Engineering Group
• Emperor-Team (Mr. PReDaToR)
• Iranian_Dark_Coders_Team
• Kheshtak Security

To join one of these groups, you have to be invited. Therefore, aspiring hackers try to show off their skills by posting exploits in forums like Zone-h.org and iedb.ir (Note: be careful about visiting either of these sites). Iranian hacker groups also keep a close eye on university-affiliated online training programs, and will often recruit people who stand out.

Hackers are successful businessmen.

Most Americans would probably find it strange if a trusted antivirus company was also involved in criminal hacking activities - but that’s exactly what happens in Iran.

Several of Iran’s top cybersecurity companies are owned and operated by black hat hackers. These include: Ashiyane (Apadana firewall developer), AmnPardaz (Padvish antivirus and anti-crypto), FullSecurity Team (website security) and OffSec (malware reverse engineering and binary analysis).

While these companies provide legitimate security services to Iranian businesses and citizens, the people behind them are also conducting criminal hack attacks against foreign countries and companies.

Hackers’ M.O.

The sluice gate of the Boman Avenue Dam is pictured in Rye, New York, December 23, 2015. Iranian hackers breached the control system of a dam near New York City in 2013. REUTERS/Adrees Latif

Iran’s hackers have a lot of skills, but they prefer to go after low-hanging fruit.

Unlike other state-sponsored hackers, Iran’s teams have been more indiscriminate about who they target. They use several types of automated tools (e.g., vulnerability scanners, “Google dorking” and SQL injection) to scour the web, looking for any companies or organizations that aren’t up to snuff on their security. Once they find a vulnerable site, they hack it, and move on.

These tactics are likely to change, since Iran’s hacking industry is evolving rapidly, but for now, companies can prevent many of these attacks by eliminating common web vulnerabilities.

Post-sanctions.

A woman celebrates the tentative Iran nuclear deal. AFP / Getty Images

The lifting of Western sanctions is likely to make life even better for Iranian hackers.

With Western money pouring in, new capital and financial resources available and new markets to sell to, Iran’s technology sector could take off. The country’s universities are also likely to reap huge benefits from a greater exchange of ideas, research and technology.

How will this impact Iranian hackers? We’re likely to see a greater professionalization among the hacker ranks as they develop stronger legitimate lines of business and also as Iran’s government invests more heavily in sophisticated operations.

Iran’s cyber campaigns are also more likely to target regional adversaries like Saudi Arabia, Jordan, the United Arab Emirates, Israel and Turkey in the near future. Their operations against the US will soon begin to mirror those of China and Russia, focusing on long-term cyber espionage.