The following accounting of the most significant Iranian cyber attacks, either attempted or completed, shows the evolution in Iran’s increasingly sophisticated and bold cyberwarfare activities. The incidents recounted also give an indication of how cyberwarfare fits into Iranian statecraft and national security strategy. Even at times of relative stability or low tensions, Iran has still been active in the cyber domain. Iran’s cyber activities tend to escalate in response to provocations and heightened tensions. On occasion, Iran has resorted to crude, quick strikes when it has sought to immediately respond to a provocation, such as the imposition of new sanctions. Other Iranian malign cyber activities, particularly those of its primary hacker collectives, demonstrated slow and methodical planning involving the strategic selection of targets, the development of custom malware, and protracted periods of infiltration before the deployment of its cyberweapons.
According to the Carnegie Endowment report,
While the Iranian hacking scene emerged in the early 2000s, there is little evidence of state-aligned cyber activities before 2007.
The earliest impetus for malign offensive Iranian cyber activities was the June 2009 Iranian presidential election, which witnessed the re-election of Mahmoud Ahmadinejad amid widespread, credible allegations of fraud by Iran’s revolutionary regime. The contested election spurred the rise of the opposition Green Movement and marked a perilous period for Iran’s government as its legitimacy increasingly came into question.
Iranian Cyber Army
The internet and social media were central to the Green Movement’s mass mobilization efforts, and the Iranian government subsequently went to war against websites and platforms affiliated with the opposition movement or seen as enabling their ongoing communications and supporting their messaging. Between December 2009 and mid-2011, a group calling itself the Iranian Cyber Army launched a campaign of website defacements targeting sites seen as sympathetic to the Green Movement, replacing their homepages with graphics and messages in support of the Iranian regime. The Iranian Cyber Army is nominally a collective of independent hackers whose aims and ideology are in lockstep with the Iranian government’s, but given the regime’s tight controls over the cyber realm, its activities are believed to be overseen by the IRGC’s intelligence apparatus.
Among the group’s targets was Twitter, whose homepage the group hacked and defaced in December 2009 with pro-Iranian and anti-U.S. messages. A month later, the group carried out a similar attack on China’s primary search engine, Baidu. In February 2011, the Iranian Cyber Army claimed credit for a similar attack on the Voice of America’s homepage. Other targets included websites and news outlets affiliated with Iranian opposition elements, including Mowjcamp, Radio Zamaneh, Amir Kabir Newsletter, Jaras, and the MOBY Group.
The Iranian Cyber Army’s attacks during this phase were primitive, but still potentially destructive. They did not rely on technical breaches of infrastructure at the sites themselves, but on social engineering that exploited weaknesses at the sites’ domain registrars, the companies that host the websites. The Iranian Cyber Army’s attacks, known as domain name system (DNS) attacks, involved impersonating employees at the respective websites who held the requisite levels of access to the site’s control panels, contacting the domain registrar in order to obtain passwords, and then hijacking pages and redirecting site traffic to pages containing the pro-Iranian propaganda. Obtaining DNS access would enable hackers to control websites’ sensitive data, but in these instances, it appears no data was compromised and the attacks merely hijacked control of the sites for limited periods for propagandistic purposes.
Following the 2010 Stuxnet attack on Iran’s nuclear program, Iran rapidly began investing in and improving its offensive cyberwarfare capabilities, which ushered in increasingly sophisticated attacks. In September 2011, an Iranian hacker (or hackers) claimed credit for an attack that compromised the Dutch certificate authority, DigiNotar, and issued fake security certificates, which communicate to your web browser that the site you are visiting is the site you intended to visit. The hack effectively gave Iran the ability to access the Gmail accounts and spy on the encrypted communications of 300,000 Iranian users. The attack was claimed by a hacker who claimed to have acted alone and who chose to help his government monitor the communications of his fellow citizens, yet it appears that Iranian intelligence was involved as well. The UK Government Communications Headquarters (GCHQ) provided a post-mortem account of the DigiNotar event in which it alleged that an
Having cut their teeth responding to the internal threats to national cohesion and stability represented by the Green Movement, Iran’s cyber threat actors would go on to adapt an offensive cyber posture geared toward confronting the regime’s internal and foreign adversaries concurrently. The same infrastructure and cyberweaponry used against the Iranian opposition would also be turned against the U.S. and its allies.
The earliest incidents of major external Iranian cyber attacks were initially reported in the summer of 2012. In July 2012, security firms Kaspersky Lab and Seculert uncovered an Iranian cyber espionage campaign, relying on spyware called Madi, ongoing since December 2011 that affected 800 victims over the course of a year. The campaign primarily targeted business executives in the fields of critical infrastructure and financial services, as well as Middle Eastern government officials and embassy staff. Of those targeted, 387 were in Iran itself, 54 in Israel, and the rest scattered around the Middle East and Afghanistan. The campaign relied on crude spear-phishing tactics. Those affected clicked on PDF or Microsoft PowerPoint attachments or links to news articles. Once the users downloaded the malicious files, a Trojan spying program called Madi would be secretly loaded onto their computers.
Remote attackers would then be able “to swipe sensitive files from infected Windows computers, monitor email and instant messages exchanges, record audio, log keystrokes, and take screenshots of victims' activities.” Based on the code used, the researchers who uncovered the Madi campaign characterized the hackers’ tradecraft as “amateurish and rudimentary,” yet effective.
Major Attacks on U.S. Banks and Casino
Iran followed up the Madi campaign with a major offensive cyber operation targeting the U.S. banking sector, heralding the Islamic Republic’s arrival as a major cyberwarfare actor. Beginning in December 2011, an Iranian hacking group calling itself the Izz ad-Din al-Qassam Cyber Fighters began laying the groundwork for a series of Distributed Denial of Service (DDoS) attacks against U.S. financial institutions. In March 2016, the U.S. Department of Justice unsealed an indictment against “seven Iranian individuals who were employed by two Iran-based computer companies, ITSecTeam (ITSEC) and Mersad Company (MERSAD), that performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps,” responsible for carrying out the series of attacks. The indictment offered a rare glimpse into Iran’s modus operandi with regard to cyber attacks, demonstrating the IRGC’s penchant for using multiple contractors, each with its own set of objectives in an attack. According to a leaked National Security Agency briefing document obtained by the Intercept, the agency picked up signals intelligence stating explicitly that the campaign was conducted to retaliate against the U.S.’s cyber attacks on Iran’s nuclear facilities, and that senior officials in the Iranian regime were aware of the attack.
The first phase of the campaign, named Operation Ababil, involved the culprits exploiting vulnerabilities in the software of thousands of websites in order to pool bandwidth, which they then used to overwhelm their targets. After a few sporadic DDoS attacks, in September 2012 the campaign began in earnest and would continue in phases until July 2013, by which time the major players in the financial sector had shored up their defenses, leading to the campaign fading away. Ultimately, the culprits hacked into the servers of 46 primarily financial institutions, including Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC, deluging them with up to 140 gigabits of data per second, far exceeding their capacity and thereby preventing customers from logging into their online bank accounts. The group’s DDoS attacks occurred in waves on 176 distinct days, costing the affected institutions tens of millions of dollars in remediation costs as they worked to counter the attacks.
Following the DDoS campaign against U.S. banks, in 2014 Iranian “hacktivists” carried out a data deletion attack against the network of a Las Vegas casino owned by Sheldon Adelson, an outspoken opponent of Iran’s nuclear program. Personal computers and servers operating on the casino’s network shut down and had their hard drives wiped clean, disrupting the casino’s operations. The attack destroyed three-quarters of the casino’s servers, and the costs of data recovery and rebuilding IT infrastructure were estimated at $40 million. Cyber security researchers determined, based on the scale and sophistication, that the attack could not have been achieved without government knowledge or backing.
New York Dam
One of the co-conspirators in Operation Ababil was additionally indicted for allegedly hacking into the control system of a dam in upstate New York between August 28 and September 21, 2013. The level of access he had obtained would have allowed him to operate the dam’s sluice gate, responsible for regulating water levels and flow rate. However, the dam’s sluice gate had been manually disconnected at the time of the intrusion for maintenance. This incident was alarming, as it demonstrates Iran’s ability and desire to access industrial control systems, as well as the vulnerabilities posed by the thousands of soft targets around the country that can potentially be manipulated, leading to potential loss of life.
Iran has at times directed cyber operations against U.S. allies as well, with the most significant attacks targeting Saudi Arabia. In addition to being in a state of cold war with Saudi Arabia for regional dominance, targeting American allies is a way for Iran to strike an indirect blow against U.S. interests that is less likely to provoke an American response. In 2012 and then again in late 2016 and early 2017, Iranian-origin malware called Shamoon targeted the Saudi Arabian government and private sector. The Shamoon malware works by overwriting computers’ master boot record, making it impossible for them to start back up.
The initial 2012 Shamoon attack targeted Saudi Aramco, a company responsible for 10% of the world’s oil supply at the time. The groundwork for the attack was laid mid-year, when an Aramco computer technician opened a spam email and clicked on a malicious link. On August 15, 2012, the actual cyber attack commenced, and the malware began deleting and overwriting the data on around 30,000 computers. Affected computers were effectively “bricked,” and reportedly displayed images of a burning American flag. The attacks were timed to coincide with Ramadan, when most workers would be absent, to allow the malware the maximum time to work unimpeded. The malware only infiltrated office computers and did not impact systems dealing with technical operations. Still, it ground services to a halt, as office workers resorted to communicating with typewriters and fax machines and gasoline refill trucks were turned away with no way to process payments. To mitigate the damage, Aramco purchased 50,000 hard drives, paying higher prices to cut the line and buy all the hard drives on the manufacturing line at several Southeast Asian factories.
The U.S. intelligence community has attributed the Aramco attack to Iran. A group calling itself the Cutting Sword of Justice claimed responsibility for the attack, posting a missive online that blamed the “Al-Saud corrupt regime” for using its oil resources to fund “crimes and atrocities” in Middle Eastern countries. The attack was believed to be retaliation for a similar attack that targeted Iran’s oil ministry and National Iranian Oil Company in April 2012. That attack used malware called Wiper to delete hard drives before vanishing. The Shamoon attack demonstrated an Iranian capability to learn from attacks against it and weaponize tactics that were initially used on Tehran.
Between November 2016 and January 2017, a variant of Shamoon re-emerged and was used in attacks that deleted databases and files on dozens of public and private computer networks in Saudi Arabia. Among the entities struck were the General Authority of Civil Aviation, the Ministry of Labor, and the Saudi Central Bank. In the second wave of Shamoon attacks, files were overwritten with images of a 3-year-old drowned Syrian refugee, hinting at the hackers’ motivations.
In March 2018, federal prosecutors unsealed indictments against nine Iranians accused of carrying out cyber attacks on behalf of the IRGC who stole data for financial gain from “144 American universities, 36 American companies and five American government agencies,” as well as 176 universities across 21 foreign countries.
2018 to Today
In August 2018, Facebook and Twitter purged hundreds of Iran-based groups and accounts that appeared to be part of a coordinated, inauthentic effort linked to Iranian state media to spread political content on four different continents, including in the United States. The unusual activity was detected by a private cybersecurity firm called FireEye, which alerted the social media companies. In a statement, FireEye said, “This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests.” The inauthentic pages sought to back Iranian foreign policy imperatives, and featured content that was pro-Iranian and pro-Palestinian, or anti-American, anti-Israeli, and anti-Saudi. Many pages reportedly promoted Quds Day, the Iranian regime-sponsored global day of protest against Israel.
In July 2018, Germany’s domestic intelligence service found that Iranian cyber attacks targeting “the German government, dissidents, human rights organizations, research centers and the aerospace, defense and petrochemical industries” have been growing since 2014. The efficacy of the Iranian cyber attacks on Germany led the report’s authors to conclude that the operations are initiated and guided by intelligence agencies.
In 2019, Iran engaged in a campaign of stepped up malign activities around the region as the Trump administration’s “maximum pressure” campaign increasingly took effect, harming Iran’s economy. As part of its campaign, Iran also stepped up its malign cyber activities. In June 2019, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned,
CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies. … Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing.
In July 2019, U.S. Cyber Command tweeted that it had discovered active misuse of a bug in Microsoft Outlook. FireEye traced the activity to a threat group called APT33, which is allegedly working at the behest of the Iranian government as part of a coordinated campaign against “U.S. federal government agencies and financial, retail, media, and education sectors.”
In November 2019, a Microsoft researcher presented findings that the Iranian hacking group APT 33, the group behind the 2012 Shamoon attacks on Saudi Aramco, has undergone a dangerous evolution and shifted focus, moving away from attacks targeting IT networks in favor of efforts to infiltrate industrial control systems used in electric utilities, manufacturing, oil refineries, and related critical infrastructure. The researcher found that over the course of a year, APT 33 had launched crude password-spraying attacks at tens of thousands of targets, but in recent months had narrowed its focus to 2000 organizations per month while increasing the number of accounts targeted at each organization ten-fold. The effort indicates that the group is seeking a foothold that would enable it to launch disruptive physical attacks at a time of its choosing.
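The CISA warning above names password spraying as one of the common tactics enabling these intrusions, and the Microsoft findings describe its signature: a single source trying one or two guesses against many accounts at an organization rather than many guesses against one account. The following detector is an added example written for this page, not code from the report, Microsoft, or CISA. It assumes a constructed authentication log format of "timestamp source_ip username SUCCESS|FAILURE", and the sample lines, IP addresses, usernames, and thresholds (window length, minimum distinct accounts, maximum failures per account) are all illustrative assumptions. It generalizes slightly beyond the text by also reporting any success from the spraying source after the spray began, which is the credential a defender most needs to reset.

```python
"""Password-spray detection over constructed authentication log lines.

Added example, not from the original report. Log format, thresholds and
all sample values are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source_ip> <username> <result>".
# 203.0.113.7 makes one guess each against many accounts (a spray) and then
# succeeds on one; 198.51.100.9 fails repeatedly on a single account (ordinary
# brute force or a forgotten password), which a spray rule should NOT flag.
SAMPLE_LOG = """\
2019-11-01T08:00:01Z 203.0.113.7 alice FAILURE
2019-11-01T08:00:03Z 203.0.113.7 bob FAILURE
2019-11-01T08:00:05Z 203.0.113.7 carol FAILURE
2019-11-01T08:00:07Z 203.0.113.7 dave FAILURE
2019-11-01T08:00:09Z 203.0.113.7 erin FAILURE
2019-11-01T08:00:11Z 203.0.113.7 frank FAILURE
2019-11-01T08:00:13Z 203.0.113.7 grace SUCCESS
2019-11-01T08:01:00Z 198.51.100.9 heidi FAILURE
2019-11-01T08:01:10Z 198.51.100.9 heidi FAILURE
2019-11-01T08:01:20Z 198.51.100.9 heidi FAILURE
2019-11-01T08:01:30Z 198.51.100.9 heidi SUCCESS
2019-11-01T12:30:00Z 192.0.2.5 ivan FAILURE
"""


def parse_log(text):
    """Parse the constructed format into (time, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((t, ip, user, result == "SUCCESS"))
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_failures_per_account=2):
    """Flag sources whose failures inside any sliding window touch at least
    min_accounts distinct accounts with no more than max_failures_per_account
    failures on any one of them (many accounts, few guesses each).

    Returns {ip: {"accounts": distinct accounts sprayed,
                  "compromised": accounts that succeeded from that ip afterwards}}.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e[3]]
        best = 0                 # widest spray seen for this source
        spray_start = None       # time of the first failure in a spray window
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it fits inside `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for e in fails[start:end + 1]:
                per_account[e[2]] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_failures_per_account):
                best = max(best, len(per_account))
                if spray_start is None:
                    spray_start = fails[start][0]
        if best:
            # any success from the same source once the spray began is the
            # credential to reset first
            compromised = sorted({e[2] for e in evs if e[3] and e[0] >= spray_start})
            findings[ip] = {"accounts": best, "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, f in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: sprayed {f['accounts']} accounts; "
              f"later successes from this source: {f['compromised']}")
```

The per-account ceiling is what separates a spray from a brute-force attempt: the single-account failures from 198.51.100.9 never satisfy the rule, while the one-guess-per-account run from 203.0.113.7 does, and the later success on grace is surfaced for credential reset. In production the same logic runs over identity-provider sign-in logs rather than a string, and the thresholds are tuned against baseline failure rates.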
In December 2019, IBM researchers announced they had discovered a new form of malware, dubbed “ZeroCleare,” that is believed to have been created by Iranian hacking collective APT 34, a group with ties to the government. The malware was reportedly used in data deletion attacks on unnamed Middle Eastern energy and industrial companies in the preceding months. On December 29, 2019, the day the U.S. struck Iran-backed militia targets in Iraq in retaliation for earlier rocket attacks, Saudi cybersecurity officials detected a rapid effort to deploy a cyber attack using malware they nicknamed “Dustman.” The target of the attack was subsequently revealed to be Bapco, Bahrain’s state petroleum organization. The malware was highly similar to the “ZeroCleare” malware discovered earlier in the month, leading experts to conclude that Tehran was the likely culprit.
Following the January 2020 drone strike that killed IRGC Quds Force commander Qassem Soleimani, Iran-based attempts to hack U.S. federal, state and local government websites jumped 50% and nearly tripled worldwide. In February 2020, Reuters and Certfa exposed an Iranian hacking attempt—through Charming Kitten—targeting Israeli academics and researchers who study Iran. Hackers posed as prominent journalists who cover Iran, and asked for email credentials to preview interview questions all in an attempt to penetrate their targets’ accounts.
As the world has struggled to respond to the COVID-19 pandemic, Iran has been one of the hardest-hit nations, driven in large part by various missteps taken by the regime. Despite facing an unprecedented public health crisis, Iran has continued its malign cyber activities unabated. At a press conference on March 20, 2020, Secretary of State Pompeo asserted that Russia, China, and Iran are carrying out online disinformation campaigns to stoke fear and discord in the U.S. On April 2, Reuters reported that hackers working in the interest of the Iranian government had since early March used advanced phishing techniques to try to steal the email passwords of staff members at the World Health Organization, presumably to gain access to intelligence that would aid in the fight against the coronavirus. Analysts believe the hackers were tied to Tehran, as the malicious websites used to deceive the staffers were previously used in a campaign targeting American academics with connections to Iran. Similar incidents were reported in which Iranian hackers allegedly targeted British universities researching coronavirus vaccines as well as U.S. pharmaceutical company Gilead Sciences Inc.
In April 2020, suspected Iranian actors undertook an unprecedented campaign of cyber terrorism, attacking industrial control systems with the aim of injuring or killing Israeli civilians. Israeli media reported that six Israeli water facilities were targeted by Iranian hackers, causing irregularities in the operations of infrastructure and control systems at wastewater treatment plants, pumping stations, and sewage facilities that were detected in time to prevent a catastrophic outcome. According to Israeli and western intelligence officials, the most severe attack involved Iranian-written code, routed through American and European servers to disguise its origin, being used to hack into the software systems that controlled the water pumps at a major Israeli water pumping station with the intent of increasing the chlorine levels of treated water that would make its way to Israeli homes. The sophisticated attack was ultimately thwarted, but if successful, it could have sickened hundreds of civilians or triggered fail-safe mechanisms that would have shut off water for residential and agricultural use during a heatwave for those who receive water from the affected facility.
The attacks highlighted the vulnerabilities facing internet-accessible industrial control systems, and Israel’s Water Authority subsequently ordered all facilities under its jurisdiction to update passwords to their control systems, reduce internet exposure, and ensure that all software is up-to-date. In particular, security researchers have found internet accessible human-machine interfaces to be a potentially vulnerable source of great risk at oil and gas, water, and power facilities. While major facilities tend to be well-protected, researchers have found that human-machine interfaces at some smaller and medium size facilities were susceptible to hacking. Once a malicious cyber actor gained remote access, they would be able to adjust critical inputs controlled by human operators, such as disabling alarms; starting, stopping, slowing down, or speeding up the operation of oil wells or gas pumps; or adjusting chemical levels in the water.
The head of Israel’s National Cyber Directorate warned after the April attacks that “cyber winter is coming and coming even faster than I suspected,” expressing concern that cyber attacks targeting civilian populations would become increasingly commonplace now that Iran had breached a clear red line. For its part, the Iranian government denied culpability for the attacks on Israel’s water system, claiming that Iran’s cyber posture is purely defensive and that Iran could ill afford the blowback that would arise from trying to poison Israeli civilians. Iran’s official protestations showed how Iranian officials seek to make use of the degree of plausible deniability offered by the cyber realm. As noted earlier in this report, even if the attacks were in fact the handiwork of an ostensibly “independent” Iranian hacker collective, major attacks by such groups are typically bankrolled and coordinated by the IRGC, so the regime bears ultimate responsibility.
The suspected Iranian cyber attacks on Israeli civilian water infrastructure touched off a cycle of tit-for-tat cyber attacks and reprisals between the two nations. In May 2020, Israeli officials revealed that then-Israeli Defense Minister Naftali Bennett greenlit a cyber attack that caused delays at a major Iranian port for several days. The Israeli reprisal was intended as a “knock on the door” to remind Iran of Israel’s cyber capabilities and deter future aggression and was calibrated to only cause economic damage rather than harming civilians.
During June and July 2020, Iran was beset by a series of unexplained explosions and fires at military facilities, missile production sites, petrochemical, and industrial complexes, and, most notably, the Natanz uranium enrichment nuclear facility. While the origins of these incidents remain officially undetermined and some may have indeed been accidental or due to natural causes, the volume of explosions and fires over a short period points to an Israeli campaign of deliberate sabotage to set back Iran’s nuclear program and malign regional activities. Israeli security officials cautioned that while “not every event that happens in Iran is necessarily related to us,” Israel is committed to preventing a nuclear armed Iran and, to that end, “we take actions that are better left unsaid.”
At least some of the explosions are believed to be the result of Israeli cyber attacks. Iranian officials blamed the most serious incident, the explosion at Natanz, which reportedly set Iran’s nuclear program back at least a year, on a cyber attack, although other regional officials and an IRGC member who had been briefed told the New York Times that the explosion was caused by a powerful bomb that was smuggled into the facility. In response to the military threats against its nuclear program, Iran has begun reconstituting the damaged building at Natanz underground “in the heart of the mountains,” according to the head of Iran’s Atomic Energy Organization. Iran’s hardening of the physical defenses of its nuclear program means that its adversaries will likely increasingly turn to cyber operations to try and set back Iran’s nuclear progress.
In June 2020, hackers again targeted Israeli water management facilities, attacking agricultural water pumps in the upper Galilee and central Israel. According to the Israeli Water Authority, "These were specific, small drainage installations in the agriculture sector that were immediately and independently repaired by the locals, causing no harm or any real-world effects.” While the attacks were not officially attributed to Iran, the similar nature of the attacks to the April 2020 attacks against Israel’s water infrastructure points to Iranian involvement.
In October 2020, Israeli cyber security firms Clear Sky and Profero reported that they had identified a campaign of ransomware attacks targeting prominent Israeli companies and organizations the previous month by a hacker collective called MuddyWater (sometimes also referred to as TEMP.Zagros, Static Kitten, or Seedworm). According to Microsoft researchers, MuddyWater “is believed to be a contractor for the Iranian government working under orders from the Islamic Revolutionary Guard Corps, Iran's primary intelligence and military service.” The MuddyWater campaign involved exploiting vulnerabilities in the Windows operating system that the affected organizations had not yet patched, allowing hackers to effectively take over their internal networks. The hackers were then able to install malware, reportedly a variant of Shamoon, that would encrypt the data on computers within the network, blocking users from accessing them. Typically, these attacks are known as ransomware, as hackers will demand payment to restore access to the network. In this instance, however, the hackers did not seek payment, indicating their motivation was primarily to disrupt the affected organizations by preventing them from regaining access to their data. The prioritization of harming Israeli companies over monetary gain suggests that MuddyWater’s motive was primarily ideological, buttressing the belief that its hacking is carried out at the directive of the Iranian regime. The campaign was ultimately thwarted due to intervention by Israel’s National Cyber Directorate, Clear Sky, and Profero.
Shortly after the revelation of the MuddyWater campaign, Iran reported that the country’s port authority and one other unnamed institution had been targeted by cyber attacks that caused significant disruption. State media blamed the attack on Iran’s “sworn enemies.”
Cybersecurity researchers then revealed in December 2020 that Iranian hackers had launched cyber attacks involving ransomware, hitting 80 Israeli firms in November and December of 2020. The Iranian operation, known as Pay2Key, appeared to have been the handiwork of a state-sponsored hacking collective known as Fox Kitten, the name given to the collaboration between APT33 (Elfin, Magnallium, Holmium, and Refined Kitten) and APT34 (OilRig, Greenbug). The Pay2Key attacks targeted dozens of companies in Israel’s insurance, logistics, and industrial sectors, encrypting data on computers and workstations to make them unusable. Pay2Key also claimed to have penetrated Israel Aerospace Industries.
Pay2Key would, in some instances, issue taunting messages to affected firms and threaten to expose their data unless the companies remitted payments in Bitcoin. Even after payment, Pay2Key did not turn over decryption keys in several instances and went ahead with leaks of sensitive information. Clear Sky assessed that the campaign’s motives were primarily ideological and designed to incite panic in Israel rather than financial, and noted that the wave of attacks caused significant damage to several of the affected companies. These incidents highlight that the Iranian cyber threat adds additional layers of insecurity at a time of international crisis.
The tit-for-tat campaign of sabotage between Iran and Israel escalated further in April 2021, as Israel is believed to have been behind an apparent cyber attack that triggered an explosion that caused a major blackout at the Natanz enrichment complex. The attack reportedly destroyed the power system that runs the facility’s centrifuges and may have set back Iran’s enrichment at Natanz by nine months. The incident occurred shortly after Iran announced the installation of new advanced centrifuges at Natanz and after Iran had begun enriching uranium to 60%, steps taken by Tehran to increase its leverage in negotiations with the Biden administration. At the time of the attack, Iran and the U.S. had just entered negotiations to restore compliance with the JCPOA, a development Israel opposes as it views the JCPOA as leaving Iran a pathway to a nuclear bomb. The attack underscored Israel’s willingness to take matters into its own hands if it is dissatisfied with the direction of diplomatic efforts to resolve Iran’s nuclear program. Iran has referred to the attack as “nuclear terrorism” and vowed reprisals, but Tehran is constrained by its desire to acquire sanctions relief. Its calculus may change, and it may even be compelled to target the U.S., which it views as complicit in Israel’s cyberwarfare, if diplomacy breaks down.
Beyond its escalating cyber warfare with Israel, Iran has also recently upped its cyber activities in terms of influence campaigns. U.S. authorities alleged that Tehran engaged in electoral interference during the 2020 U.S. presidential election by obtaining voter registration data and sending spoofed emails designed to intimidate voters and undermine confidence in U.S. democratic institutions. In December 2020, the FBI found that Iran had been behind a website called “Enemies of the People,” which exploited claims of voter fraud in the United States to incite “lethal violence” against the FBI director, a former U.S. cybersecurity official, and state election officials who were involved in refuting the claims. The website posted these officials’ home addresses and other personal information. These incidents demonstrate the growing investment Tehran is making in these kinds of operations, which target the United States.