QUICKLOOK: The Evolution and Impact of Iran's Cyber Operations

PDF debrief: A brief look analysis of Tehran's Cyber Capabilities and Strategies

Background Information

Iran's cyber capabilities have evolved significantly over the years, especially after the joint US-Israeli Stuxnet attack on the Natanz nuclear facility in 2010, the Duqu malware identified in 2011, and the Flame malware detected in 2012. These events revealed the system's vulnerabilities and provided an incentive for Tehran to develop its domestic cyber capabilities. The establishment of the Supreme Council for Cyberspace in March 2012 was a fundamental change, tasked with developing a strategy and blueprint for controlling domestic information as well as intelligence abroad. Despite the increased support, international experts still consider Tehran a third-tier cyber power in terms of the sophistication of its hackers, significantly below their more prestigious counterparts in China and Russia. The main reasons for this are international sanctions and a critical economic situation, which make it significantly more difficult for them to procure and develop high-end cybersecurity tools.

Introduction

The Iranian leadership attempted to set up a permanent, formal cyber organization following the Stuxnet attacks. However, this proved to be a failure due to sanctions and insufficient technical support. The response was to develop a three-level approach with a network of individuals who were not formally affiliated with the government or the Iranian Revolutionary Guard Corps, but who were loyal to the regime and religiously committed. The Iranian regime has continued to restrict digital rights and internet freedom. It regularly infiltrates the websites and email accounts of political dissidents using open-source research, and regularly censors their communications and the online content they share. This is complemented by an aggressive and effective disinformation campaign, using social pseudo-media accounts to share and promote false information to influence public opinion, reduce social tensions, and create a positive image of the country.

Event Summary

Iran has been involved in several cyber operations, including the Shamoon attacks against Saudi Aramco in 2012 and 2016, and the DDoS attacks against the US financial sector between 2011 and 2013. The country has also been accused of spreading disinformation and propaganda, particularly during the 2020 US Presidential elections. The specific perpetrators of the Iranian attacks have consistently sought to preserve their anonymity to avoid retaliation, and have therefore diversified their TTPs over time to mask their activity and avoid being traced. The latter has been achieved by creating fictitious groups, using publicly available malware, moving them between companies, sharing their software, code fragments, and attack infrastructure, and engaging and increasingly activating various proxy groups and organizations allied with Iran as the armed conflicts in the Middle East escalated.

Assessment

Iran's cyber capabilities are a significant concern for many countries. The country has been involved in several cyber operations, including the Shamoon attacks against Saudi Aramco in 2012 and 2016, and the DDoS attacks against the US financial sector between 2011 and 2013. The country has also been accused of spreading disinformation and propaganda, particularly during the 2020 US Presidential elections. The Iranian cyber workforce, on the other hand, includes not only those who organize and carry out attacks but also those who evaluate the information they obtain. The latter are often mid- and top-level contractors in the hierarchy outlined above, as the diversity of targets means that they have the expertise and technical background necessary to analyze information illegally obtained from various sources.

Conclusion

The new US foreign policy towards Iran, i.e., to seek a diplomatic solution and negotiate, raises the possibility that Tehran’s hostile relationship with the international community could be normalized. However, even if the latter were to happen, it may not significantly reduce the cyber threat posed by Iran. This is evidenced, inter alia, by the fact that the Iranian Revolutionary Guard Corps is currently lobbying for a parliamentary rewrite of laws governing internet use to improve state control and further increase the effectiveness of intelligence capabilities. Its aim is clearly to establish a national intranet and disconnect Iran from the global internet network. To this end, regime-backed front companies have already produced spyware-enabled mobile apps and VPNs, several of which are already available on the global mobile app market. In addition, it is almost certain that the improvement of Shamoon continues, which Iran will presumably use against its adversaries.