The Iranian regime has three primary objectives in the cyberwarfare arena: defending its critical infrastructure and sensitive data from cyber attack, monitoring and responding to online activity within the country, and carrying out offensive cyber operations. The 2009 Green Movement protests laid the groundwork, leading Iran’s security forces to boost their hacking capabilities in order to bolster domestic surveillance and control of cyberspace. The 2010 Stuxnet attack on Iran’s nuclear program served as a catalyst for Iran to expand on these initial advances, and in a short amount of time, to rapidly develop its offensive and defensive cyber capabilities.
In July 2011, the regime allocated $1 billion to boost the country’s cyber capabilities, investing in new offensive and defensive technologies and the recruitment and training of a cadre of cyber experts. In tandem, Iran stood up a variety of domestic agencies tasked with administering cyberspace affairs. In March 2012, Supreme Leader Khamenei announced the formation of Iran’s Supreme Council on Cyberspace, unifying the country’s various cyberspace organs under a single command. The Supreme Council is tasked with setting Iran’s cyberspace policies and strategies from on high, while the somewhat overlapping organizations under it follow its directives. According to the BBC Persian, “This council comprises the highest-level Iranian authorities such as the president, the heads of the judicial power and the parliament, the head of the state-run radio-television, the commanders-in-chief of the IRGC and the police, the ministers of Intelligence, Telecommunication, Culture, Science, etc.”
The main Iranian body tasked with cyber defense is the Cyber Defense Command, which operates under the aegis of Iran’s Passive Defense Organization, and is itself a subdivision of the Armed Forces General Staff and is overseen by a committee headed by the chief of staff of Iran’s Armed Forces. The Passive Defense Organization is charged with coordinating the response of agencies throughout the government to mitigate damage to critical infrastructure and sensitive facilities, non-kinetic responses to military attacks on Iran, and combatting internal dissent in cyberspace. The dedicated Cyber Defense Command was established in November 2010 in response to the Stuxnet attack, and is tasked with crafting defensive cyber doctrine and repelling or mitigating the damage of cyber attacks targeting Iran.
The IRGC’s basij and intelligence organization are the primary cyber threat actors behind Iran’s offensive cyber operations, although it must be noted that the basij’s cyber forces are highly unprofessional. The basij has used its ties to universities and seminaries to recruit a volunteer “cyber army,” the majority of whose operations consist of online posts and replies in favor of the regime. The basij recruits have also engaged in lower-level hacking and infiltration of websites and emails, although some of the most promising recruits are reportedly trained by IRGC operatives to assist in more complex operations.
The IRGC intelligence organization, meanwhile, is the actor behind Iran’s most significant and destructive offensive cyber operations, and is believed to be behind attacks targeting computer networks in the U.S., Israel, Europe, Saudi Arabia, and other Gulf states. Officially, the IRGC denies that it engages in offensive cyber operations, claiming that the thousands of “cyber warriors” it purports to have at its disposal engage only in dissemination of online pro-regime propaganda. The cyber arena allows Iran to use proxies and cutouts to carry out its operations, and these actors remain at arms-length from the official state.
The earliest Iranian-attributed offensive cyber operations were carried out by a group calling itself the Iranian Cyber Army, a collection of ostensibly independent hackers alleged to be sponsored by the IRGC. Later on, as the Iranian Cyber Army faded from the scene, additional hacking collectives emerged with names such as the Izz ad-Din al-Qassam Cyber Fighters, APT 33 (aka Elfin, Refined Kitten, Holmium), Phosphorous (aka APT 35, Charming Kitten, Ajax Security), and OilRIg. These collectives typically employ a “scattered set of independent contractors who mix security work, criminal fraud, and more banal software development,” according to the Carnegie Endowment report. Major Iranian cyber attacks sometimes would employ contractors from multiple institutions, including IT firms and universities, carrying out different phases of the campaign, with the IRGC believed to be the bankroller and coordinator.
The Iranian cyber threat is complex to track, as campaigns and new threat groups disappear as quickly as they emerge, particularly when detection of malign cyber activities is suspected. This shows a lack of sophistication on the part of Iranian cyber forces as state-aligned cyber forces in more advanced countries are typically permanent fixtures, but also provides a strategic advantage and helps Iran maintain plausible deniability. However, there do appear to be commonalities in the tactics, software, and lines of codes used tying these groups together, with evidence ultimately leading back to the IRGC. U.S. indictments against Iranians engaged in cyber sabotage and espionage have revealed operations that “required costly infrastructure, including dedicated servers and dozens of domain names, in addition to personnel time,” indicating the involvement of Iran’s intelligence services. The level of involvement of the IRGC in the planning and execution of cyber attacks is often difficult to ascertain, but the objectives of Iran’s cyber threat actors typically advance the foreign policy and national security objectives of the Iranian regime.