Our Approach

Detecting targeted attacks

Definitive Guide to Ransomware

Threat profileIran

What characterizes Iran’s cyber capabilities is that although its cyber capabilities are less sophisticated than some of the other most active offensive nations, it is still able to inflict damage upon its adversaries. For this purpose Iran maintains a unique ecosystem of proxies, including state-sponsored units, universities and contractors to conduct its offensive cyber-operations.

  • Strategic motives: Espionage, information theft, disruption
  • Strategic goals: Protecting the stability of the regime; achieving regional hegemony
  • Cyber capabilities: ★★★☆☆
  • Number of known cyber operations: ★★☆☆☆
  • Number of APTs: 43

Cyber capabilities

Highly advanced, mature and integrated in intelligence services

Iran showcases how nation states with less sophistication and resources can still be effective and achieve their strategic goals against other active cyber powers such as the US. As Iran currently misses both technical and financial resources to fully develop its cyber capabilities, it typically uses more basic tools and techniques, has a smaller pool to recruit new talent from and outsources most of its operations to research institutes.[1][4] However, Iran is making its way to the top countries when it comes to certain research areas relevant to the cyber domain such as in artificial intelligence. In turn, this knowledge can be used to further develop Iran's offensive cyber capabilities. Nevertheless, the development of both Iran’s defensive and offensive cyber capabilities are currently (heavily) obstructed by both poor organization and funding, especially compared to other leading (cyber) nations such as the United States, China and Russia.

Another characteristic of Iran's cyber power is its unique ecosystem of actors that are all working on advancing Iranian interests through cyberspace. Although the Islamic Revolutionary Guard Corps (IRGC) is Iran’s primary state-sponsored organization tasked with conducting cyber operations, it actively contracts hackers, whose views are aligned with the state, to conduct offensive cyber operations.[2][4] Next to that, it outsources operations to various universities, which possess more knowledge and talent when it comes to cyber operations. The use of proxies in cyber operations also enables Iran to maintain plausible deniability (difficulty of the attribution of acts in cyberspace).[2] Still, it is reported that these proxies are often Iranians that do have ties to the country’s Ministry of Intelligence and IRGC.[2] As a result, Iran does have capabilities to carry out cyber operations and already demonstrated that it can inflict significant political and/or financial damage (see case 1). Iran’s approach can therefore be seen as a showcase of how states with less resources can still be effective against stronger states in cyberspace and how this may well be copied in the years to come by other nation states.

Iranian ransomware groups have also been increasingly observed in the wild. It is reported that these groups use ransomware as a way to conduct disruptive operations whilst at the same time extorting victims for money.[3] APT35, a state-sponsored group, is reportedly one of the actors actively leveraging ransomware.[3][9]

CASE 1: Operation Ababil (2012)

In September 2012, multiple U.S. financial institutions suffered major outages as a result of a series of DDoS-attacks.[5] The attack resulted in significant financial damage, with numbers going into millions of dollars. Responsibility for the attack was first claimed by an Iranian group called the 'Cyber Fighters of Izz Ad-Din Al Qassam', but a couple of years later, the U.S. indicted seven Iranian individuals working for the IRGC for being involved in the attack. U.S. intelligence services linked the attack to earlier imposed U.S. sanctions in reaction to the development of Iran’s nuclear program. Whether it was a response on the sanctions or not, the attack demonstrated that with relatively limited resources, Iran could still inflict harm on the US.

CASE 2: Roadsweep (2022)

In August 2022 Mandiant published an article on disruptive activities from an Iranian threat actor targeting Albanian government organizations. A new ransomware family dubbed Roadsweep attacked the Albanian government using politically themed ransom notes. An organization galled HomeLand Justice claimed the activities and subsequently leaked confidential information related to Albanian citizens. Even though there is no direct evidence for attribution of the attack to a specific group, the timing and actions of the actor are aligned with Iran’s (political) goals. In addition, the lock-and-leak modus operandi of the threat actor fits the profile of known Iranian threat actors such as BlackShadow and Moses Staff. The attack has led Albania to sever diplomatic relations with Iran.[12]

SWOT analysis

Strengths, weaknesses, opportunities & threats

Strengths

  • Amongst the top countries in certain technology research areas that can be used in developing offensive cyber capabilities (e.g. AI)
  • Multiple contractor groups that conduct offensive cyber operations in line with the interests of the Iranian government
  • Contracting cyber operators to conduct operations in the interest of the state
  • Outsourcing of offensive cyber operations to universities with more knowledge and talent

Weaknesses

  • Relatively basic in-house cyber capabilities
  • High levels of mistrust and paranoia regarding contractors, clash with contracting individuals with more advanced offensive cyber capabilities
  • Less monetary and technical resources to keep developing offensive cyber capabilities in comparison with other cyber powers (United States, China and Russia)
  • Difficulties with modernizing and developing key sectors due to sanctions (e.g. agriculture, maritime and energy)

Opportunities

  • Using cyberspace to protect the stability of the regime
  • Conducting cyber operations against countries in the Middle East to strengthen their own information position and regional influence
  • Using proxies in cyberspace to enable plausible deniability
  • Using cyberspace to inflict damage upon stronger cyber powers
  • Executing cyber espionage operations to modernize key industries
  • Pivoting to ransomware attacks to fund cyber operations and potentially offensive cyber capability development

Threats

  • Continuing target for foreign nation-state actors
  • Being in the center of rivalry in the Middle East
  • Targeted sanctions by the US amongst which because of specific cyber-attacks

Geopolitical relations

Interactions with other nations

There is a lot of rivalry going on between Iran and other countries in the Middle East for regional influence and regarding foreign policy.[7][8] Furthermore, ideological differences also play an important part in regional conflicts. Tensions are especially high between Iran and Israel and Saudi Arabia, as Iran appears to perceive them as being used by the US to undermine Iran and therewith its influence in the region. On top of that, Iran is involved in ongoing proxy conflicts with both Israel and Saudi Arabia in neighboring countries.

Iran has a longstanding and volatile relationship with the US. It strongly opposes U.S. hegemony and its attempt to exert influence in the Middle East. Both the US and the EU are proponents of limiting Iran’s nuclear program, although the U.S. stance in the so-called nuclear deal differed through time. The strong aversion of the US against Iran’s nuclear program has also resulted in a long list of sanctions against Iran. Although the EU and Iran generally have had a decent economic relationship, U.S. sanctions have limited this relation.  

Strategic motives

Controlling your cybersecurity risks

Iran’s activities in cyberspace are strongly motivated by regional interests. Iran perceives unrestricted internet access to be a threat to the stability of the regime and is therefore focused on controlling the information flows and identifying and observing Iranian dissidents. Furthermore, Iran aspires a role as regional hegemon and actively uses cyberspace to pursue this goal. Finally, Iran has issues with modernizing some of its key industries. Cyber espionage operations are a way for Iran to work around sanctions and other obstacles that prevents Iran’s access to knowledge needed to develop these industries.

Iran has three primary strategic goals: (1) It wants to ensure the stability of the regime, (2) increase regional hegemony and (3) modernize its key sectors. Regarding the first goal, Iran believes that the acquisition of new information technologies by its own people forms a threat to the internal stability of the regime.[2] It perceives the West as a particularly great threat, as Western countries are strongly advocating freedoms such as unrestricted internet access. As a result, a significant part of Iran's cyber activities is focused on averting the experienced threat from the West. It censors significant parts of incoming traffic and especially keeps a close eye on political opponents both domestic and abroad, such as the Iranian diaspora, human rights defenders, NGOs and many more targets that are considered to be (potential) threats to the stability of the regime.[2]

To achieve its second goal of becoming a regional hegemon, Iran is trying to extend its regional influence through the use of proxies in military operations (e.g. Houthi movements and Hezbollah). In the last decade, Iran has extended the use of such proxy groups to the cyber domain, with multiple groups using their offensive cyber capabilities to serve Iran's interest whilst at the same time increasing the difficulty for foreign targets to attribute attacks to the regime.[4] Such offensive cyber operations are often focused on retaliation against adversaries, and include the use of intimidation, sabotage or defacement (see case 3).

On the economic front Iran has been facing obstacles with attracting foreign capital, technologies and (innovation) knowledge due to longstanding sanctions. As a result, Iran has great difficulties with modernizing and developing some of its most important sectors in its economy, such as their agriculture, maritime and energy sectors. To work around these limitations, it has an arsenal of APTs to its disposal that routinely carry out economic espionage operations to obtain foreign IP, technologies, and knowledge. Furthermore, Iran conducts espionage operations that are focused on gathering strategic intelligence from foreign governmental, military, scientific and economic institutions that can benefit the Iranian government (see case 4).[2]

CASE 3: Attacks on Saudi Aramco and RasGas (2012)

In 2012, major oil company Saudi Aramco was the victim of a piece of malware called Shamoon.[6] Although the operational environment remained unaffected, operations were still brought to a halt, resulting in significant financial damages. Around two weeks after the attack, Quatar-based gas company RasGas was targeted by the same Shamoon malware, resulting in its office related IT-systems, website, and email servers becoming unavailable until they were rebuilt from the ground up. Multiple hacker groups claimed responsibility for the attack. A hacktivist group called ‘Cutting Sword of Justice’ posted multiple pieces of evidence of the attack. The group claimed to have executed the attack to protest Saudi Arabia’s support for government repression in neighboring countries. Another theory is that Iran was directly behind the attack to retaliate against the oil embargo placed upon Iran by the US and EU one month earlier. Although it looks like a hacktivist attack, it cannot be ruled out that Iran was directly involved in the attack. Although RasGas was hit with the same piece of malware, it is unclear if it was attacked by the same group that targeted Saudi Aramco.

CASE 4: Large-scale cyber espionage campaign by Silent Librarian (2013-2017)

In 2018, The U.S. Department of Justice charged nine Iranian individuals linked to Silent Librarian, part of the IRGC, for conducting a massive cyberespionage campaign against, amongst other targets, hundreds of universities.[10] The campaign ran from 2013 until 2017 and hackers stole more than 31 terabytes of intellectual property and other academic data from universities all over the world. IRGC’s Silent Librarian consists of hackers-for-hire and is responsible for stealing foreign intellectual property and other cutting-edge research to boost Iran’s own universities and research institutes. However, next to using the obtained data for the benefit of the Iranian government, the hackers also sold the data to buyers situated in Iran to increase profits as hackers-for-hire.

Iranian APTs

OUR OBSERVATIONS

0

Advanced Persistent Threats (APTs)

0

Tactics, Techniques & Procedures (TTPs)

0

Attack tools

Hunt & Hackett currently tracks 43 Iranian APTs. The data in the Threat Diagnostic System illustrate how Iran’s activities in cyberspace are strongly driven by regional interests. Iran has a large focus on countries in the region, such as Israel, Iraq and Saudi Arabia (see figure 1). Furthermore, the data also illustrate Iran’s volatile relationship with the US, resulting in many Iranian cyber-attacks being directed at U.S. targets.

Figure 1

Figure 1 - Targeted countries by Iranian APTs

Anomalies are based on differences between Iran and the rest of the actors in the dataset. In other words, anomalies indicate to what extent Iran has a larger focus on certain countries or sectors when compared to all the actors that Hunt & Hackett tracks. The anomalies are again in line with the observation that Iranian activity is driven by regional interests, as Iranian actors have a relatively strong focus on countries in the region, such as Israel, Iraq, Kuwait, Lebanon and Bahrain (see figure 2).

Figure 2

Figure 2 - Anomalies in the data compared to the global threat landscape (observed countries)

The data also show how Iran is largely focused on gathering intelligence from governmental, military, scientific, and economic institutions to gather intelligence and to improve the information position of the Iranian government (see figure 3). This shows that Iran’s activity is on the one hand driven by regional interests, hence the focus on strategic (political) targets. On the other hand, the data illustrates that Iran is actively targeting sectors that are driven by intellectual property and other technologies that Iran needs in order to evade sanctions and modernize its key industries.

Figure 3

Figure 3 - Targeted sectors by Iranian APTs

Compared to the global picture, Iranian actors has a strong interest in aviation, in addition to utilities and eductation that are also frequently targeted by Iranian APTs (see figure 4). Aviation is one of Iran’s industries that has been significantly hampered by economic sanctions.[11] As a result, Iran cannot buy any aircrafts that carry more than ten percent parts originating from the US. Iran’s current fleet is aging rapidly and it is predicted that it needs hundreds of aircrafts to replace its entire fleet. Due to the sanctions, Iran experiences great difficulty replacing them, resulting in more aircraft staying on the ground. In turn, this leads to less revenue, as the number of passenger, cargo and overflights are steadily declining.[11] An explanation for the focus on on aviation is likely that Iran tries to acquire (U.S.) aviation technologies via cyberespionage operations in order to evade sanctions by gaining illicit access to relevant IP (e.g. technical specifications, drawings) in order to upgrade their aircraft fleet. The same can be said about utilities, as this is another example of a sector that contains relevant information for Iran in terms of advanced knowledge and technologies in order to modernize its key industries. Furthermore, Iran is known to conduct cyberespionage operations on scientific targets, such as universitites and research institutes with the goal of collecting intellectual property and information on cutting-edge research. This is supported by the data, as a spike can be observed in education, meaning that Iranian actors target the education sector more than other threat actors.
Figure 4

Figure 4 - Anomalies in the data compared to the global threat landscape (sectors)

This profile aims to describe Iran’s cyber power from a threat intelligence perspective. For a geopolitical angle of Iran’s cyber power, see the chapter on Iran from IISS’s research paper called 'Cyber Capabilities and National Power: A Net Assessment' (downloadable as PDF) on https://www.iiss.org/blogs/research-paper/2021/06/cyber-power---tier-three.

Sources

Our articles covering Iranian threats

From Hunt & Hackett experts

Questions or feedback?

Get in touch