Executive Summary
The following report comprises a collection and analysis of Iran's capabilities and accomplishments to date in the cyber field. Iran's cyber capabilities have been continuously improving over the course of the last five years, as state-backed groups have used digital means to suppress political and protest activity within the country and to project a heightened geopolitical profile amongst its neighbours and adversaries. Iran is economically weakened at present and suffering from sanctions imposed by a number of countries. By using cyber tactics, the state is able to project a political profile that outstrips its real-world economic power, thereby expanding its sphere of influence in the MENA region.
Iran plays a significant role in the development of the present cyber threat landscape. Stuxnet, the first major cyber-physical sabotage to draw mass attention on the international stage, was a partnership between Western offensive coordinators to neutralise Iran's developing nuclear program. In response to the attack, Iran took steps to increase its cyber offensive capabilities to the point that it has become one of the major cyber actors operating on a global scale.
For the most part, Iran's cyber activities are conventional in nature. Linked actors regularly undertake DDoS attacks, website defacement, phishing and spearphishing campaigns, and theft of personal data or intellectual property, particularly against other MENA actors such as Israel, as well as against the United States. Shortly after Stuxnet, Iranian cyber teams began a prolonged series of distributed-denial-of-service (DDoS) attacks against the US financial sector, disrupting operations at 46 major financial institutions over the course of six months. In 2017, seven hackers affiliated with various Iranian cyber groups were indicted by the US Justice Department for the attack. These actors were also considered responsible for the presence of malware on a New York dam's SCADA system in the same period. This indictment demonstrates the range of ambitions of many of the Iranian actors involved in its cyber campaigns, and that the US is a major target for the state. It also indicates the potential immaturity of many of the attacks, in that they can be traced and individuals can be held responsible.
All this is not to undersell the impact of Iran's capabilities, however, or to imply that the majority of its attacks are not overwhelmingly carried out against Middle Eastern states. Recent years have proved that its cyber attacks have the potential to cause great disruption and geopolitical tension in the region.
In 2012, for example, the infection of Saudi Aramco computer systems by the Shamoon wiper was hugely destructive, and this attack has been strongly tied to Iranian cyber actors by US intelligence agencies. The first Shamoon attack (there have since been several) occurred on the Islamic holiday of Lailat al Qadr, when employees would be absent from their offices, allowing the attack to trigger without immediate detection. This tradecraft has become something of a trend in major attacks carried out by Iranian-linked cyber groups in the years since, with multiple attacks emerging on the return to business following national religious holidays.
The full report can be downloaded here.