In the early morning hours of January 3, 2020, Iran’s Islamic Revolutionary Guard Corps (IRGC) Quds Force commander Qassem Soleimani was killed in a U.S. drone strike that targeted his convoy immediately after landing at Baghdad’s international airport. Iranian leaders vowed “harsh retaliation” for the attack, and followed up on this threat by firing a salvo of over a dozen ballistic missiles at two Iraqi air bases housing U.S. troops in the early morning hours of January 8, wounding over 100 soldiers. While Iran has not yet taken additional major acts of revenge, it has signaled that it is likely to strike U.S. interests again at a future time of its choosing. Iran’s Supreme Leader, Ayatollah Ali Khamenei, intoned that while the ballistic missile attack represented a “slap on the face” for the U.S., “military action like this (ballistic missile) attack is not sufficient,” vowing to refuse to enter negotiations and to continue to confront the U.S. until its influence is expelled from the region. In the intervening period, Iran’s leaders have maintained a steady drumbeat of threatening rhetoric aimed at the U.S., with Soleimani’s successor, Esmail Qaani, for instance vowing to “hit his enemy in a manly fashion.”
With U.S.-Iran tensions heightened, the U.S. national security apparatus has cautioned that one avenue of retaliation Iran is likely to pursue is offensive cyber operations against the U.S. public and private sectors. The day after Soleimani’s killing, the Department of Homeland Security (DHS) issued a bulletin warning that, while it had no information about an imminent attack, “Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.” Such an attack could further “come with little or no warning.” Several days later, the Cybersecurity and Infrastructure Security Agency (CISA) within DHS issued an alert to stakeholders in the U.S. cybersecurity community recommending a heightened state of awareness and increased organizational vigilance, and urging cybersecurity personnel to immediately flag “any known Iranian indicators of compromise and tactics, techniques, and procedures.” The same alert paired that advice with basic hardening measures: disabling unnecessary ports and protocols, patching externally facing equipment, enhancing monitoring of network and email traffic, restricting and logging PowerShell usage, and confirming that backups are current and recoverable.
The FBI similarly issued an advisory to U.S. companies on January 9, obtained by CyberScoop, assessing that Iranian hackers could use “a range of computer network operations against U.S.-based networks in retaliation for last week’s strikes against Iranian military leadership.” The advisory noted an uptick in Iranian “cyber reconnaissance activity” since the Soleimani killing and offered companies technical advice on thwarting Iranian attempts to exploit vulnerabilities in virtual private network (VPN) appliances. Internet-facing VPN gateways are a recurring initial-access vector for Iranian operators: a single unpatched appliance yields an authenticated foothold inside the network, from which they can monitor, exfiltrate, and potentially destroy sensitive data.
The latest FBI and DHS advisories echo assessments issued by the U.S. intelligence community for several years warning of Iran’s determination and ability to launch offensive cyber attacks against the U.S. and its allies. The 2018 Worldwide Threat Assessment of the U.S. Intelligence Community concluded that Iran “will continue working to penetrate U.S. and Allied networks for espionage and to position itself for potential future cyber attacks.” The assessment further warned that Iran is growing increasingly aggressive and will only be further emboldened absent significant pushback against its malign cyber activities. According to the assessment, “The use of cyber attacks as a foreign policy tool outside of military conflict has been mostly limited to sporadic lower-level attacks. Russia, Iran, and North Korea, however, are testing more aggressive cyber attacks that pose growing threats to the United States and US partners.” The 2019 Worldwide Threat Assessment noted that the Iranian cyber threat has entered a new phase, with Iran increasingly focused on deploying “cyber attack capabilities that would enable attacks against critical infrastructure in the United States and allied countries.” At this point, Iranian cyber attacks are capable of “localized, temporary disruptive effects – such as disrupting a large company’s corporate networks for days to weeks.”
The mounting concerns over an Iranian cyber attack, particularly in the wake of the Soleimani drone strike, reflect the considerable investment Iran has made in advancing its cyber warfare capabilities over the past decade. In 2010, Iranian nuclear facilities were found to be infected with Stuxnet, a worm reportedly developed jointly by the U.S. and Israel that destroyed nearly 1,000 uranium-enrichment centrifuges at Natanz by manipulating the industrial control systems that drove them. The attack exposed the weakness of Iran’s cyber defenses and led Iran to accelerate the development of both offensive and defensive cyber capabilities. In March 2012, Iran created a “cyber command” known as the Supreme Council of Cyberspace, composed of senior military and intelligence officials. The council acts as a unified body tasked with coordinating Iran’s cybersecurity and planning offensive and retaliatory cyber operations.
Iran’s investment in developing its cyberwarfare capabilities fits into Iran’s national security strategy that relies extensively on asymmetric warfare. Iran has honed this strategy since the end of the 1980-1988 Iran-Iraq War, a war that cost Iran over 300,000 lives and devastated the Islamic Republic’s economy and infrastructure. The war shaped the worldview of the network of IRGC officers who served in the war and who form the core of Iran’s military elite to this day, hardening their enmity toward the U.S. and inculcating an aversion to head-to-head combat. As a result, Iran sought asymmetric response capabilities that would enable it to prevail in conflict with stronger powers.
As a revisionist regional power, the Islamic Republic of Iran’s hegemonic strategy is predicated on supplanting Western influence throughout the Middle East and spreading its Islamic revolutionary doctrine. Iran is hamstrung in this effort by its conventional military forces, which are inferior to those of its adversaries, the U.S. and its Middle Eastern allies. Iran’s annual military budget is estimated at below $20 billion, dwarfed by that of Saudi Arabia, the world’s third-largest defense spender at $67.6 billion per year. While Iran’s defense spending is roughly on par with that of other adversaries such as the United Arab Emirates and Israel, Iran’s military is qualitatively inferior because of procurement constraints, as Iran is subject to a U.N. arms embargo.
Despite these structural disadvantages, Iran has succeeded in establishing pockets of political, military, and diplomatic influence in neighboring countries by relying instead on asymmetric means. Iran has, for instance, cultivated ties with militias and terrorist organizations to anchor loyal proxies in, and destabilize, neighboring states, giving it outsized influence in Lebanon, Iraq, Syria, and Yemen. Similarly, it has amassed the Middle East’s largest and most diverse ballistic missile arsenal and developed an advanced drone program, mitigating its air force’s lack of a long-range strike capability. Ultimately, Iran seeks to leverage its asymmetric warfare strategy to raise the costs to the U.S. of maintaining its military presence and influence in the region, with an eye toward driving it out.
Iran’s development of cyberwarfare capabilities makes for a potent addition to its asymmetric toolkit, giving Iran an additional, low-cost means beyond its limited conventional capabilities to conduct espionage on and strike stronger adversaries in furtherance of its foreign policy and national security objectives. Despite its aggressive malign regional conduct, Iran is a risk-averse actor that seeks to avoid direct combat against conventionally superior adversaries. Cyber attacks enable Iran, whether offensively or in retaliation, to inflict serious economic and national security costs while retaining a degree of plausible deniability about the origin of the attack, which in turn reduces the likelihood of a kinetic response. That deniability is never absolute: attribution rests on accumulated evidence such as reused infrastructure, tooling, and targeting patterns rather than on any single indicator, which is why the same families of Iranian tradecraft are traceable across operations spanning years.
The cyberwarfare domain is additionally appealing because it offers a relatively even playing field, and Iran has been a pioneer in demonstrating the power of weaker actors to confront superpowers. Iran is a second-tier cyber threat whose indigenous capabilities are comparable to North Korea’s but lag behind those of the top-tier actors, Russia and China. As such, Iran may be capable of, but would have difficulty, executing on its own major cyber attacks against the highest-value targets in the U.S.: the federal government, the military, the largest banks and corporations, and the most critical industrial control systems, including water systems, the electric grid, transit systems, oil refineries, manufacturing, and other major infrastructure. More worryingly, there are multitudes of soft targets, such as state and local governments, small banks, and critical infrastructure operators, whose networks contain vulnerabilities that Iran can exploit and has sought to exploit. Complicating matters, Iran could potentially buy the services of highly skilled criminal actors if it sought to attack the highest-value targets in the U.S. in the short term. Doing so would bring Iran better technical skills and lend prospective attacks the appearance of foreign criminal hacking, masking Iran’s involvement and further muddying attribution.
According to the U.S. government and cybersecurity experts, Iran has indeed been laying the groundwork for major cyber attacks on high-value targets, especially industrial control systems. At the 2018 Aspen Security Forum, U.S. officials warned that “Iran is making preparations that would enable denial-of-service attacks against thousands of electric grids, water plants, and health care and technology companies in the U.S., Germany, the U.K. and other countries in Europe and the Middle East.” James Lewis, a former State Department cybersecurity and intelligence official, further added, “The Iranians have been doing these types of probes for years now — mapping out the networks of critical infrastructure to find potential vulnerabilities.” In October 2019, a cybersecurity researcher from the Netherlands identified 26,000 industrial control systems across the United States that are largely unguarded and vulnerable to a cyber attack. The practical lesson for operators is that reconnaissance of this kind is cheap and largely invisible to the target: an internet-reachable controller that was never inventoried by its owner can be catalogued by an adversary long before any attack is launched.
The U.S. and Iran have been in a state of heightened tension since the U.S. withdrawal from the Iran nuclear deal and the imposition of a maximum pressure campaign. As the economic screws have tightened, Iran has stepped up its provocations, advancing its nuclear and ballistic missile programs, targeting commercial shipping and energy infrastructure in the Persian Gulf region, and adopting an increasingly aggressive public posture against the U.S. military presence in Iraq. Actions taken by the U.S. against Iran, ranging from the imposition of new sanctions to kinetic operations like the drone strike against Qassem Soleimani, can alter Iran’s threat perception and prompt retaliatory measures. Offensive cyber attacks are an avenue Iran is likely to pursue, especially given its heavy investment in the domain and the multitude of vulnerable nodes it can target. An attack causing physical damage to infrastructure would mark a dramatic escalation for Iran and would likely trigger heavy reprisals, which has largely deterred it from attempting such attacks thus far. Still, the concern in the national security and intelligence communities that Iran has attained such capabilities highlights the need for vigilance and for public and private sector stakeholders to harden their cyber defenses.
This resource contains two sections. The first examines the structure of Iran’s cyber apparatus, offensive and defensive. The second analyzes the Islamic Republic’s cyber methods and modus operandi, profiling the kinds of operations it has employed in recent years. The resource concludes with recommendations for how best to counter the Iranian cyber threat.