Offense
The IRGC’s basij and intelligence organization are the primary cyber threat actors behind Iran’s offensive cyber operations, although it must be noted that the basij’s cyber forces are highly unprofessional. The basij has used its ties to universities and seminaries to recruit a volunteer “cyber army,” the majority of whose operations consist of online posts and replies in favor of the regime. The basij recruits have also engaged in lower-level hacking and infiltration of websites and emails, although some of the most promising recruits are reportedly trained by IRGC operatives to assist in more complex operations.
The IRGC intelligence organization, meanwhile, is the actor behind Iran’s most significant and destructive offensive cyber operations, and is believed to be behind attacks targeting computer networks in the U.S., Israel, Europe, Saudi Arabia, and other Gulf states. Officially, the IRGC denies that it engages in offensive cyber operations, claiming that the thousands of “cyber warriors” it purports to have at its disposal engage only in the dissemination of online pro-regime propaganda. The cyber arena allows Iran to use proxies and cutouts to carry out its operations, and these actors remain at arm’s length from the official state.
The earliest Iranian-attributed offensive cyber operations were carried out by a group calling itself the Iranian Cyber Army, a collection of ostensibly independent hackers alleged to be sponsored by the IRGC. Later on, as the Iranian Cyber Army faded from the scene, additional hacking collectives emerged with names such as the Izz ad-Din al-Qassam Cyber Fighters, APT 33 (aka Elfin, Refined Kitten, Holmium), Phosphorus (aka APT 35, Charming Kitten, Ajax Security), APT 42, and OilRig. These collectives typically employ a “scattered set of independent contractors who mix security work, criminal fraud, and more banal software development,” according to the Carnegie Endowment report. Major Iranian cyber attacks sometimes employed contractors from multiple institutions, including IT firms and universities, to carry out different phases of the campaign, with the IRGC believed to be the bankroller and coordinator.
The Iranian cyber threat is complex to track, as campaigns and new threat groups disappear as quickly as they emerge, particularly when the actors suspect that their malign cyber activities have been detected. This churn shows a lack of sophistication on the part of Iranian cyber forces, since state-aligned cyber forces in more advanced countries are typically permanent fixtures, but it also provides a strategic advantage and helps Iran maintain plausible deniability.
However, there do appear to be commonalities in the tactics, software, and lines of code used that tie these groups together, with evidence ultimately leading back to the IRGC. U.S. indictments against Iranians engaged in cyber sabotage and espionage have revealed operations that “required costly infrastructure, including dedicated servers and dozens of domain names, in addition to personnel time,” indicating the involvement of Iran’s intelligence services. The level of IRGC involvement in the planning and execution of cyber attacks is often difficult to ascertain, but the objectives of Iran’s cyber threat actors typically advance the foreign policy and national security objectives of the Iranian regime.