The Iranian Cyber Threat


The asymmetric nature of the cyberwarfare domain has enabled Iran to carry out the most sophisticated and costly cyber attacks in the history of the internet age. As Iran’s capabilities have expanded, driven by increased investment over the past decade since the Stuxnet attack on Iran’s nuclear facilities, Iran’s malign activities in the offensive cyber realm have evolved and advanced. Iran has kept up a steady drumbeat of lower-level attacks against the U.S., its allies, and regime opponents at home and abroad, some successful and others thwarted. The most common publicly-known attacks include simple website defacements, online disinformation campaigns to push pro-Iranian regime and anti-U.S. narratives, distributed denial of service (DDoS) attacks, and theft of personally identifiable information and intellectual property. At times, Iran has pushed the envelope launching attacks using destructive wiper malware, crippling entire computer networks. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) within DHS notes that according to open-source reporting, numerous offensive cyber operations have been attributed or are alleged to be the work of the Iranian government, or at least Iranian actors working in conjunction with or with the approval of the regime. According to CISA,

Iran’s cyber attacks have targeted sectors including financial services, energy, government facilities, chemical, healthcare, critical manufacturing, communications, and the defense industrial base.

While many Iranian attacks are destructive in nature, others are conducted for purposes of espionage and intellectual property theft, designed to give Iran insights into its adversaries’ strategic planning or to improve its own industrial or military capabilities in the face of sanctions. 

The Attacks

The following accounting of the most significant Iranian cyber attacks, either attempted or completed, shows the evolution in Iran’s increasingly sophisticated and bold cyberwarfare activities. The incidents recounted also give an indication of how cyberwarfare fits into Iranian statecraft and national security strategy. Even at times of relative stability or low tensions, Iran has still been active in the cyber domain. Iran’s cyber activities tend to escalate in response to provocations and heightened tensions. On occasion, Iran has resorted to crude, quick strikes when it has sought to immediately respond to a provocation, such as the imposition of new sanctions. Other Iranian malign cyber activities, particularly those of its primary hacker collectives, demonstrated slow and methodical planning involving the strategic selection of targets, the development of custom malware, and protracted periods of infiltration before the deployment of its cyberweapons. 

According to the Carnegie Endowment report,

While the Iranian hacking scene emerged in the early 2000s, there is little evidence of state-aligned cyber activities before 2007.

The earliest impetus for malign offensive Iranian cyber activities was the June 2009 Iranian presidential election, which witnessed the re-election of Mahmoud Ahmadinejad amid widespread, credible allegations of fraud by Iran’s revolutionary regime. The contested election spurred the rise of the opposition Green Movement and marked a perilous period for Iran’s government as its legitimacy increasingly came into question.

More recently, in December 2023, the FBI, CISA, NSA, EPA, and INCD collectively issued a joint Cybersecurity Advisory (CSA), highlighting ongoing malicious cyber activities targeting operational technology devices by APT cyber actors associated with Iran’s IRGC. These IRGC-affiliated actors, known as “CyberAv3ngers,” were actively exploiting Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). The advisory provided detailed indicators of compromise (IOCs) and outlined these threat actors’ tactics, techniques, and procedures (TTPs). Multiple U.S. states reported victims of these attacks, prompting the authoring agencies to urge all organizations, particularly those in critical infrastructure, to implement recommended mitigation strategies to reduce the risk of compromise by IRGC-affiliated cyber actors.

Iranian Cyber Army

The internet and social media were central to the Green Movement’s mass mobilization efforts, and the Iranian government subsequently went to war against websites and platforms affiliated with the opposition movement or seen as enabling their ongoing communications and supporting their messaging. Between December 2009 and mid-2011, a group calling itself the Iranian Cyber Army launched a campaign of website defacements targeting sites seen as sympathetic to the Green Movement, replacing their homepages with graphics and messages in support of the Iranian regime. The Iranian Cyber Army is nominally a collective of independent hackers whose aims and ideology are in lockstep with the Iranian government’s, but given the regime’s tight controls over the cyber realm, its activities are believed to be overseen by the IRGC’s intelligence apparatus.

Among the group’s targets was Twitter, whose homepage the group hacked and defaced in December 2009 with pro-Iranian and anti-U.S. messages. A month later, the group carried out a similar attack on China’s primary search engine, Baidu. In February 2011, the Iranian Cyber Army claimed credit for a similar attack on the Voice of America’s homepage. Other targets included websites and news outlets affiliated with Iranian opposition elements, including Mowjcamp, Radio Zamaneh, Amir Kabir Newsletter, Jaras, and the MOBY Group.

The Iranian Cyber Army’s attacks during this phase were primitive, but still potentially destructive. They did not rely on technical breaches of infrastructure at the sites themselves, but on social engineering that exploited weaknesses at the sites’ domain registrars, the companies that host the websites. The Iranian Cyber Army’s attacks, known as domain name system (DNS) attacks, involved impersonating employees at the respective websites with the requisite levels of access to the sites’ control panels, contacting the domain registrar in order to obtain passwords, and then hijacking pages and redirecting site traffic to pages containing the pro-Iranian propaganda. Obtaining DNS access would enable hackers to control websites’ sensitive data, but in these instances, it appears no data was compromised and the attacks merely hijacked control of the sites for limited periods for propagandistic purposes.

Iranian Hacker(s)

Following the 2010 Stuxnet attack on Iran’s nuclear program, Iran rapidly began investing in and improving its offensive cyberwarfare capabilities, which ushered in increasingly sophisticated attacks. In September 2011, an Iranian hacker (or hackers) claimed credit for an attack that compromised the Dutch certificate authority, DigiNotar, and issued fake security certificates, which communicate to your web browser that the site you are visiting is the site you intended to visit. The hack effectively gave Iran the ability to access the Gmail accounts and spy on the encrypted communications of 300,000 Iranian users. The attack was claimed by a hacker who claimed to have acted alone and who chose to help his government monitor the communications of his fellow citizens, yet it appears that Iranian intelligence was involved as well. The UK Government Communications Headquarters (GCHQ) provided a post-mortem account of the DigiNotar event in which it alleged that an

Iranian intelligence agency added a specific rule in an internet router that forced Google’s traffic through an alternative route inside the country.

Having cut their teeth responding to the internal threats to national cohesion and stability represented by the Green Movement, Iran’s cyber threat actors would go on to adapt an offensive cyber posture geared toward confronting the regime’s internal and foreign adversaries concurrently. The same infrastructure and cyberweaponry used against the Iranian opposition would also be turned against the U.S. and its allies. 

Madi

The earliest incidents of major external Iranian cyber attacks were initially reported in the summer of 2012. In July 2012, security firms Kaspersky Lab and Seculert uncovered an Iranian cyber espionage campaign, relying on spyware called Madi, ongoing since December 2011 that affected 800 victims over the course of a year. The campaign primarily targeted business executives in the fields of critical infrastructure and financial services, as well as Middle Eastern government officials and embassy staff. Of those targeted, 387 were in Iran itself, 54 in Israel, and the rest scattered around the Middle East and Afghanistan. The campaign relied on crude spear-phishing tactics. Those affected clicked on PDF or Microsoft PowerPoint attachments or links to news articles. Once the users downloaded the corrupted files, a Trojan spying program called Madi would be secretly loaded onto their computers.

Remote attackers would then be able “to swipe sensitive files from infected Windows computers, monitor email and instant messages exchanges, record audio, log keystrokes, and take screenshots of victims' activities.” Based on the code used, the researchers who uncovered the Madi campaign characterized the hackers’ tradecraft as “amateurish and rudimentary,” yet effective.

Major Attacks on U.S. Banks and Casino

Iran followed up the Madi campaign with a major offensive cyber operation targeting the U.S. banking sector, heralding the Islamic Republic’s arrival as a major cyberwarfare actor. Beginning in December 2011, an Iranian hacking group calling itself the Izz ad-Din al-Qassam Cyber Fighters began laying the groundwork for a series of distributed denial of service (DDoS) attacks against U.S. financial institutions. In March 2016, the U.S. Department of Justice unsealed an indictment against “seven Iranian individuals who were employed by two Iran-based computer companies, ITSecTeam (ITSEC) and Mersad Company (MERSAD), that performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps,” responsible for carrying out the series of attacks. The indictment offered a rare glimpse into Iran’s modus operandi with regard to cyber attacks, demonstrating the IRGC’s penchant for using multiple contractors, each with their own set of objectives in an attack. According to a leaked National Security Agency briefing document obtained by the Intercept, the agency picked up signals intelligence stating explicitly that the campaign was conducted to retaliate against the U.S.’s cyber attacks on Iran’s nuclear facilities, and that senior officials in the Iranian regime were aware of the attack.

The first phase of the campaign, named Operation Ababil, involved the culprits exploiting vulnerabilities in the software of thousands of websites in order to pool bandwidth, which they then used to overwhelm their targets. After a few sporadic DDoS attacks, in September 2012 the campaign began in earnest and would continue in phases until July 2013, by which time the major players in the financial sector had shored up their defenses, leading to the campaign fading away. Ultimately, the culprits hacked into the servers of 46 primarily financial institutions, including Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC, deluging them with up to 140 gigabits of data per second, far exceeding their capacity and thereby preventing customers from logging into their online bank accounts. The group’s DDoS attacks occurred in waves on 176 distinct days, costing the affected institutions tens of millions of dollars in remediation costs as they worked to counter the attacks.

Following the DDoS campaign against U.S. banks, Iranian “hacktivists” carried out a data deletion attack against the network of a Las Vegas casino owned by Sheldon Adelson, an outspoken opponent of Iran’s nuclear program. Personal computers and servers operating on the casino’s network shut down and had their hard drives wiped clean, disrupting the casino’s operations. The attack destroyed three-quarters of the casino’s servers and the costs of data recovery and rebuilding IT infrastructure were estimated at $40 million. Cyber security researchers determined based on the scale and sophistication that the attack could not have been achieved without government knowledge or backing.

New York Dam

One of the co-conspirators in Operation Ababil was additionally indicted for allegedly hacking into the control system of a dam in upstate New York between August 28 and September 21, 2013. The level of access he had obtained would have allowed him to operate the dam’s sluice gate, responsible for regulating water levels and flow rate. However, the dam’s sluice gate had been manually disconnected at the time of the intrusion for maintenance. This incident was alarming, as it demonstrates Iran’s ability and desire to access industrial control systems, as well as the vulnerabilities posed by the thousands of soft sites around the country that can potentially be manipulated, leading to potential loss of life. 

Shamoon

Iran has at times directed cyber operations against U.S. allies as well, with the most significant attacks targeting Saudi Arabia. In addition to being in a state of cold war with Saudi Arabia for regional dominance, targeting American allies is a way for Iran to strike an indirect blow against U.S. interests that is less likely to provoke an American response. In 2012 and then again in late 2016 and early 2017, Iranian-origin malware called Shamoon targeted the Saudi Arabian government and private sector. The Shamoon malware works by overwriting computers’ master boot record, making it impossible for them to start back up.

The initial 2012 Shamoon attack targeted Saudi Aramco, a company responsible for 10% of the world’s oil supply at the time. The groundwork for the attack was laid mid-year, when an Aramco computer technician opened a spam email and clicked on a malicious link. On August 15, 2012, the actual cyber attack commenced, and the malware began deleting and overwriting the data on around 30,000 computers. Affected computers were effectively “bricked,” and reportedly displayed images of a burning American flag. The attacks were timed to coincide with Ramadan, when most workers would be absent, to allow the malware the maximum time to work unimpeded. The malware only infiltrated office computers and did not impact systems dealing with technical operations. Still, it ground services to a halt, as office workers resorted to communicating with typewriters and fax machines and gasoline refill trucks were turned away with no way to process payments. To mitigate the damage, Aramco purchased 50,000 hard drives, paying higher prices to cut the line and buy all the hard drives on the manufacturing line at several Southeast Asian factories.

The U.S. intelligence community has attributed the Aramco attack to Iran. A group calling itself the Cutting Sword of Justice claimed responsibility for the attack, posting a missive online that blamed the “Al-Saud corrupt regime” for using its oil resources to fund “crimes and atrocities” in Middle Eastern countries. The attack was believed to be retaliation for a similar attack that targeted Iran’s oil ministry and National Iranian Oil Company in April 2012. That attack used malware called Wiper to delete hard drives before vanishing. The Shamoon attack demonstrated an Iranian capability to learn from attacks against it and weaponize tactics that were initially used on Tehran.

Between November 2016 and January 2017, a variant of Shamoon re-emerged, and was used in attacks that deleted databases and files on dozens of public and private computer networks in Saudi Arabia. Among the entities struck were the General Authority of Civil Aviation, the Ministry of Labor, and the Saudi Central Bank. In the second wave of Shamoon attacks, files were overwritten with images of a 3-year-old drowned Syrian refugee, hinting at the hackers’ motivations.

Hacktivists

In 2014, Iranian “hacktivists” carried out a data deletion attack against the network of a Las Vegas casino owned by Sheldon Adelson, an outspoken opponent of Iran’s nuclear program. In March 2018, federal prosecutors unsealed indictments against nine Iranians accused of carrying out cyber attacks on behalf of the IRGC who stole data for financial gain from “144 American universities, 36 American companies and five American government agencies,” as well as 176 universities across 21 foreign countries.

2018 to Today

In August 2018, Facebook and Twitter purged hundreds of Iran-based groups and accounts that appeared to be part of a coordinated, inauthentic effort linked to Iranian state media to spread political content on four different continents, including in the United States. The unusual activity was detected by a private cybersecurity firm called FireEye, which alerted the social media companies. In a statement, FireEye said, “This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests.” The inauthentic pages sought to back Iranian foreign policy imperatives, and featured content that was pro-Iranian and pro-Palestinian, or anti-American, anti-Israeli, and anti-Saudi. Many pages reportedly promoted Quds Day, the Iranian regime-sponsored global day of protest against Israel.

In July 2018, Germany’s domestic intelligence service found that Iranian cyber attacks targeting “the German government, dissidents, human rights organizations, research centers and the aerospace, defense and petrochemical industries” had been growing since 2014. The efficacy of the Iranian cyber attacks on Germany led the report’s authors to conclude that the operations are initiated and guided by intelligence agencies.

In 2019, Iran engaged in a campaign of stepped up malign activities around the region as the Trump administration’s “maximum pressure” campaign increasingly took effect, harming Iran’s economy. As part of its campaign, Iran also stepped up its malign cyber activities. In June 2019, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned,

CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies. … Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing.

In July 2019, U.S. Cyber Command tweeted that they discovered active misuse of a bug in Microsoft Outlook. FireEye traced the activity to a threat group called APT33, which is allegedly working at the behest of the Iranian government as part of a coordinated campaign against “U.S. federal government agencies and financial, retail, media, and education sectors.” 

In November 2019, a Microsoft researcher presented findings that the Iranian hacking group APT33, the group behind the 2012 Shamoon attacks on Saudi Aramco, had undergone a dangerous evolution and shifted focus, moving away from attacks targeting IT networks in favor of efforts to infiltrate industrial control systems used in electric utilities, manufacturing, oil refineries, and related critical infrastructure. The researcher found that over the course of a year, APT33 had launched crude password-spraying attacks at tens of thousands of targets, but in recent months had narrowed its focus to 2,000 organizations per month while increasing the number of accounts targeted at each organization ten-fold. The effort indicates that the group is seeking a foothold that would enable it to launch disruptive physical attacks at a time of its choosing.
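The CISA warning quoted above names password spraying as a common enabler of Iranian intrusions, and the Microsoft finding describes the telltale shape of a spray: many accounts at one organization, each tried only once or twice, rather than one account hammered with many guesses. The following detection routine is an added example written for this page, not code from the report, CISA, or Microsoft. It parses authentication log lines in an assumed, constructed format (`timestamp src=IP user=NAME result=FAIL|SUCCESS`), groups failures by source address within a sliding time window, and flags a source as spraying when it has failed against many distinct accounts with few attempts per account. A single-account brute force from the same data is deliberately not flagged, and any successful login from a flagged source against a sprayed account is reported as a likely compromised account so responders know where to start.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not real data). The first
# source tries six accounts once each and then lands a login as "frank";
# the second hammers one account (brute force, not a spray); the third is
# a user who mistypes a password once and then succeeds.
SAMPLE_LOG = """\
2019-11-03T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2019-11-03T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2019-11-03T10:00:03Z src=203.0.113.7 user=carol result=FAIL
2019-11-03T10:00:04Z src=203.0.113.7 user=dave result=FAIL
2019-11-03T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2019-11-03T10:00:06Z src=203.0.113.7 user=frank result=FAIL
2019-11-03T10:00:40Z src=203.0.113.7 user=frank result=SUCCESS
2019-11-03T10:05:01Z src=198.51.100.4 user=admin result=FAIL
2019-11-03T10:05:02Z src=198.51.100.4 user=admin result=FAIL
2019-11-03T10:05:03Z src=198.51.100.4 user=admin result=FAIL
2019-11-03T10:05:04Z src=198.51.100.4 user=admin result=FAIL
2019-11-03T10:05:05Z src=198.51.100.4 user=admin result=FAIL
2019-11-03T10:05:06Z src=198.51.100.4 user=admin result=FAIL
2019-11-03T10:10:00Z src=192.0.2.10 user=alice result=FAIL
2019-11-03T10:10:05Z src=192.0.2.10 user=alice result=SUCCESS
"""

# Assumed log format; adapt the regex to the real authentication source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_password_spray(log_text, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """Flag sources that fail against >= min_users distinct accounts inside
    one window while trying each account at most max_per_user times.
    Returns {src: {window_start, distinct_users, attempts, successful_logins}}."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i, first in enumerate(fails):
            end = first["ts"] + window
            per_user = defaultdict(int)
            for ev in fails[i:]:
                if ev["ts"] > end:
                    break
                per_user[ev["user"]] += 1
            # Spray signature: wide across accounts, shallow per account.
            # A brute force (one account, many tries) fails the first test.
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits = sorted({e["user"] for e in evs
                               if e["result"] == "SUCCESS"
                               and first["ts"] <= e["ts"] <= end
                               and e["user"] in per_user})
                findings[src] = {
                    "window_start": first["ts"],
                    "distinct_users": len(per_user),
                    "attempts": sum(per_user.values()),
                    "successful_logins": hits,  # accounts to reset first
                }
                break  # one finding per source is enough to alert on
    return findings


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"password spray from {src}: {info['distinct_users']} accounts, "
              f"{info['attempts']} attempts, compromised={info['successful_logins']}")
```

The thresholds are starting points, not rules: a spray spread over days to stay under per-account lockout limits needs a longer window, and in a real deployment the source key is often a combination of IP, user agent, and ASN rather than IP alone. Pair the alert with the mitigations the report goes on to cite for Israeli water utilities: unique passwords, multi-factor authentication, and reduced internet exposure of management interfaces.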

In December 2019, IBM researchers announced they had discovered a new form of malware, dubbed “ZeroCleare,” that is believed to have been created by Iranian hacking collective APT34, a group with ties to the government. The malware was reportedly used in data deletion attacks on unnamed Middle Eastern energy and industrial companies in the preceding months. On December 29, 2019, the day the U.S. struck Iran-backed militia targets in Iraq in retaliation for earlier rocket attacks, Saudi cybersecurity officials detected a rapid effort to deploy a cyber attack using malware they nicknamed “Dustman.” The target of the attack was subsequently revealed to be Bapco, Bahrain’s state petroleum organization. The malware was highly similar to the “ZeroCleare” malware discovered earlier in the month, leading experts to conclude that Tehran was the likely culprit.

Following the January 2020 drone strike that killed IRGC Quds Force commander Qassem Soleimani, Iran-based attempts to hack U.S. federal, state and local government websites jumped 50% and nearly tripled worldwide. In February 2020, Reuters and Certfa exposed an Iranian hacking attempt—through Charming Kitten—targeting Israeli academics and researchers who study Iran. Hackers posed as prominent journalists who cover Iran and asked for email credentials to preview interview questions, all in an attempt to penetrate their targets’ accounts.

As the world has struggled to respond to the COVID-19 pandemic, Iran has been one of the hardest-hit nations, due in large part to various missteps taken by the regime. Despite facing an unprecedented public health crisis, Iran has continued its malign cyber activities unabated. At a press conference on March 20, 2020, Secretary of State Pompeo asserted that Russia, China, and Iran are carrying out online disinformation campaigns to stoke fear and discord in the U.S. On April 2, Reuters reported that hackers working in the interest of the Iranian government had since early March used advanced phishing techniques to try to steal the email passwords of staff members at the World Health Organization, presumably to gain access to intelligence that would aid in the fight against the coronavirus. Analysts believe the hackers were tied to Tehran, as the malicious websites used to deceive the staffers were previously used in a campaign targeting American academics with connections to Iran. Similar incidents were reported in which Iranian hackers allegedly targeted British universities researching coronavirus vaccines as well as U.S. pharmaceutical company Gilead Sciences Inc.

In April 2020, suspected Iranian actors undertook an unprecedented campaign of cyber terrorism, attacking industrial control systems with the aim of injuring or killing Israeli civilians. Israeli media reported that six Israeli water facilities were targeted by Iranian hackers, causing irregularities in the operations of infrastructure and control systems at wastewater treatment plants, pumping stations, and sewage facilities that were detected in time to prevent a catastrophic outcome. According to Israeli and western intelligence officials, the most severe attack involved Iranian-written code, routed through American and European servers to disguise its origin, being used to hack into the software systems that controlled the water pumps at a major Israeli water pumping station with the intent of increasing the chlorine levels of treated water that would make its way to Israeli homes. The sophisticated attack was ultimately thwarted, but if successful, it could have sickened hundreds of civilians or triggered fail-safe mechanisms that would have shut off water for residential and agricultural use during a heatwave for those who receive water from the affected facility.

The attacks highlighted the vulnerabilities facing internet-accessible industrial control systems, and Israel’s Water Authority subsequently ordered all facilities under its jurisdiction to update passwords to their control systems, reduce internet exposure, and ensure that all software is up-to-date. In particular, security researchers have found internet accessible human-machine interfaces to be a potentially vulnerable source of great risk at oil and gas, water, and power facilities. While major facilities tend to be well-protected, researchers have found that human-machine interfaces at some smaller and medium size facilities were susceptible to hacking. Once a malicious cyber actor gained remote access, they would be able to adjust critical inputs controlled by human operators, such as disabling alarms; starting, stopping, slowing down, or speeding up the operation of oil wells or gas pumps; or adjusting chemical levels in the water.

The head of Israel’s National Cyber Directorate warned after the April attacks that “cyber winter is coming and coming even faster than I suspected,” expressing concern that cyber attacks targeting civilian populations would become increasingly commonplace now that Iran had breached a clear red line. For its part, the Iranian government denied culpability for the attacks on Israel’s water system, claiming that Iran’s cyber posture is purely defensive and that Iran could ill afford the blowback that would arise from trying to poison Israeli civilians. Iran’s official protestations showed how Iranian officials seek to make use of the degree of plausible deniability offered by the cyber realm. As noted earlier in this report, even if the attacks were in fact the handiwork of an ostensibly “independent” Iranian hacker collective, major attacks by such groups are typically bankrolled and coordinated by the IRGC, so the regime bears ultimate responsibility.

The suspected Iranian cyber attacks on Israeli civilian water infrastructure touched off a cycle of tit-for-tat cyber attacks and reprisals between the two nations. In May 2020, Israeli officials revealed that then-Israeli Defense Minister Naftali Bennett greenlit a cyber attack that caused delays at a major Iranian port for several days. The Israeli reprisal was intended as a “knock on the door” to remind Iran of Israel’s cyber capabilities and deter future aggression and was calibrated to only cause economic damage rather than harming civilians.

During June and July 2020, Iran was beset by a series of unexplained explosions and fires at military facilities, missile production sites, petrochemical, and industrial complexes, and, most notably, the Natanz uranium enrichment nuclear facility. While the origins of these incidents remain officially undetermined and some may have indeed been accidental or due to natural causes, the volume of explosions and fires over a short period points to an Israeli campaign of deliberate sabotage to set back Iran’s nuclear program and malign regional activities. Israeli security officials cautioned that while “not every event that happens in Iran is necessarily related to us,” Israel is committed to preventing a nuclear armed Iran and, to that end, “we take actions that are better left unsaid.”

At least some of the explosions are believed to be the result of Israeli cyber attacks. Iranian officials blamed the most serious incident, the explosion at Natanz, which reportedly set Iran’s nuclear program back at least a year, on a cyber attack, although other regional officials and an IRGC member who had been briefed told the New York Times that the explosion was caused by a powerful bomb that was smuggled into the facility. In response to the military threats against its nuclear program, Iran has begun reconstituting the damaged building at Natanz underground “in the heart of the mountains,” according to the head of Iran’s Atomic Energy Organization. Iran’s hardening of the physical defenses of its nuclear program means that its adversaries will likely increasingly turn to cyber operations to try and set back Iran’s nuclear progress.

In June 2020, hackers again targeted Israeli water management facilities, attacking agricultural water pumps in the upper Galilee and central Israel. According to the Israeli Water Authority, “These were specific, small drainage installations in the agriculture sector that were immediately and independently repaired by the locals, causing no harm or any real-world effects.” While the attacks were not officially attributed to Iran, the similar nature of the attacks to the April 2020 attacks against Israel’s water infrastructure points to Iranian involvement.

In October 2020, Israeli cyber security firms Clear Sky and Profero reported that they had identified a campaign of ransomware attacks targeting prominent Israeli companies and organizations the previous month by a hacker collective called MuddyWater (sometimes also referred to as TEMP.Zagros, Static Kitten, or Seedworm). According to Microsoft researchers, MuddyWater “is believed to be a contractor for the Iranian government working under orders from the Islamic Revolutionary Guard Corps, Iran's primary intelligence and military service.” The MuddyWater campaign involved exploiting vulnerabilities in the Windows operating system that the affected organizations had not yet patched, allowing hackers to effectively take over their internal networks. The hackers were then able to install malware, reportedly a variant of Shamoon, that would encrypt the data on computers within the network, blocking users from accessing them. Typically, these attacks are known as ransomware, as hackers will demand payment to restore access to the network. In this instance, however, the hackers did not seek payment, indicating their motivation was primarily to disrupt the affected organizations by preventing them from regaining access to their data. The prioritization of harming Israeli companies over monetary gain suggests that MuddyWater’s motive was primarily ideological, buttressing the belief that its hacking is carried out at the directive of the Iranian regime. The campaign was ultimately thwarted due to intervention by Israel’s National Cyber Directorate, Clear Sky, and Profero.

Shortly after the revelation of the MuddyWater campaign, Iran reported that the country’s port authority and one other unnamed institution had been targeted by cyber attacks that caused significant disruption. State media blamed the attack on Iran’s “sworn enemies.”

Cybersecurity researchers then revealed in December 2020 that Iranian hackers had launched cyber attacks involving ransomware, hitting 80 Israeli firms in November and December of 2020. The Iranian operation, known as Pay2Key, appeared to have been the handiwork of a state-sponsored hacking collective known as Fox Kitten, the name given to the collaboration between APT33 (Elfin, Magnallium, Holmium, and Refined Kitten) and APT34 (OilRig, Greenbug). The Pay2Key attacks targeted dozens of companies in Israel’s insurance, logistics, and industrial sectors, encrypting data on computers and workstations to make them unusable. Pay2Key also claimed to have penetrated Israel Aerospace Industries.

Pay2Key would, in some instances, issue taunting messages to affected firms and threaten to expose their data unless the companies remitted payments in Bitcoin. Even after payment, Pay2Key did not turn over decryption keys in several instances and went ahead with leaks of sensitive information. Clear Sky assessed that the campaign’s motives were primarily ideological and designed to incite panic in Israel rather than financial, and noted that the wave of attacks caused significant damage to several of the affected companies. These incidents highlight that the Iranian cyber threat adds additional layers of insecurity at a time of international crisis.

The tit-for-tat campaign of sabotage between Iran and Israel escalated further in April 2021, as Israel is believed to have been behind an apparent cyber attack that triggered an explosion that caused a major blackout at the Natanz enrichment complex. The attack reportedly destroyed the power system that runs the facility’s centrifuges and may have set back Iran’s enrichment at Natanz by nine months. The incident occurred shortly after Iran announced the installation of new advanced centrifuges at Natanz and after Iran had begun enriching uranium to 60%, steps taken by Tehran to increase its leverage in negotiations with the Biden administration. At the time of the attack, Iran and the U.S. had just entered negotiations to restore compliance with the JCPOA, a development Israel opposes as it views the JCPOA as leaving Iran a pathway to a nuclear bomb. The attack underscored Israel’s willingness to take matters into its own hands if it is dissatisfied with the direction of diplomatic efforts to resolve Iran’s nuclear program. Iran has referred to the attack as “nuclear terrorism” and vowed reprisals, but Tehran is constrained by its desire to acquire sanctions relief. Its calculus may change, and it may even be compelled to target the U.S., which it views as complicit in Israel’s cyberwarfare, if diplomacy breaks down.

In June 2021, during a critical point in the negotiations to revive the JCPOA, hackers linked to Iran’s government attempted a cyberattack on Boston Children’s Hospital. In revealing the incident a year later, the FBI director called it “one of the most despicable cyberattacks I’ve ever seen.” According to U.S. officials, the attackers exploited Fortinet software to gain control of the hospital’s computer network. Earlier, in November 2021, U.S. agencies had warned that Iranian hackers had accessed “environmental control networks” at an unnamed children’s hospital, which likely meant Boston Children’s Hospital, one of the largest pediatric centers in the United States, offering cancer treatment and heart surgeries among many other services. This shows that even in June 2021, when negotiators were reportedly making progress toward reviving the JCPOA (the negotiations themselves adjourned on June 20 for the Iranian presidential election), Iran’s government was trying to attack critical infrastructure in the United States.

Beyond its escalating cyber warfare with Israel, Iran has also recently stepped up its influence campaigns. U.S. authorities alleged that Tehran engaged in electoral interference during the 2020 U.S. presidential election by obtaining voter registration data and sending spoofed emails designed to intimidate voters and undermine confidence in U.S. democratic institutions. In December 2020, the FBI found that Iran had been behind a website called “Enemies of the People,” which exploited claims of voter fraud in the United States to incite “lethal violence” against the FBI director, a former U.S. cybersecurity official, and state election officials who had been involved in refuting the claims. The website posted these officials’ home addresses and other personal information. These incidents demonstrate the growing investment Tehran is making in operations of this kind against the United States.

On October 11, 2021, Microsoft disclosed a significant cyber espionage campaign orchestrated by suspected Iranian hackers. The attackers targeted numerous defense technology and maritime transportation firms and breached a small number of them beginning in July 2021. According to Microsoft, the hacking campaign focused on entities involved in satellite systems, drone technology, and military-grade radars, many of which collaborate closely with the U.S., European Union, and Israeli governments. The company emphasized that while the perpetrators were not directly attributed to an Iranian government entity, the nature of the attacks aligns with activities supporting Iran’s national interests. Microsoft’s John Lambert underscored the severity of the breaches, stating, “The goal of releasing information on the intrusions now is to help organizations prepare for follow-on breach attempts.”

The espionage operation extended beyond breaching systems to potentially acquiring sensitive commercial satellite imagery and proprietary shipping plans. This capability could bolster Iran’s satellite program and pose security risks to companies within the maritime sector. Microsoft’s Threat Intelligence Center noted that the hackers attempted to infiltrate approximately 250 organizations, with successful breaches confirmed in fewer than 20 cases. The report highlighted heightened vulnerabilities in the Persian Gulf ports, crucial maritime arteries through which significant global oil shipments pass. The incident underscored ongoing concerns regarding cybersecurity in the maritime domain, with Lambert warning, “Anything related to [shipping] is going to be in the crosshairs and subject to geopolitical dynamics.”

In November 2021, the U.S. Justice Department unsealed an indictment against two Iranian nationals for their involvement in a cyber attack against the United States. Court documents stated that, prior to the 2020 U.S. presidential elections, the two Iranians compromised voter websites, sent out intimidating emails to voters, disseminated a video containing disinformation about purported election vulnerabilities, and gained unauthorized access to a U.S. media company’s computer network. Iran’s cyber operations were largely aimed at discrediting Trump’s reelection campaign, according to a declassified report commissioned by the Director of National Intelligence (DNI).

In May 2022, the Shin Bet uncovered Iranian operations to lure and possibly harm Israeli businessmen and academics outside of Israel and to gather intelligence through cyber operations. The Iranian operatives created email accounts differing only slightly from the actual address of a trusted person in order to build rapport and extract information. Impersonating academics and journalists in these social engineering approaches, they invited their victims to a made-up “conference” outside the country. The Shin Bet foiled the attempts to lure the Israelis out of the country, and none of the Israelis targeted in the spear-phishing campaign opened the links sent to them. The Israeli security agency also warned at the time that the Iranians had recently turned to the internet to recruit agents for intelligence-gathering and terrorist activities.
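The lookalike-address technique described above is straightforward to screen for on the receiving side. The following Python check is an added example, not part of the original report or of the Shin Bet’s findings; it assumes a constructed contact list with hypothetical addresses and domains. It folds each sender address to a canonical form (case, Unicode confusables, common ASCII substitutions such as “1” for “l”), measures its edit distance from every known-good address, and separately flags a known display name arriving on an unrelated address, which is the other common rapport-building trick.

```python
import unicodedata
from email.utils import parseaddr

# Constructed contact list: display name -> known-good address (hypothetical
# domains; not drawn from the Shin Bet report).
TRUSTED_CONTACTS = {
    "Dana Levi": "dana.levi@example-university.ac.il",
    "Example News Desk": "editor@example-news.com",
}

# Common ASCII look-alike substitutions. Applied to both sides before
# comparison, so a legitimate "rn" is folded consistently too.
HOMOGLYPHS = {"0": "o", "1": "l", "|": "l", "rn": "m", "vv": "w"}


def normalize(text):
    """Fold case, Unicode confusables and ASCII look-alikes to a canonical form."""
    s = unicodedata.normalize("NFKC", text).lower().strip()
    # Drop accents and non-Latin confusables (a Cyrillic 'а' vanishes here,
    # which then shows up as an edit against the real address).
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, contacts=TRUSTED_CONTACTS, max_distance=2):
    """Classify a From: header against the contact list.

    Returns one of:
      ("trusted", address)             exact match on a known address
      ("lookalike", matched_address)   within max_distance edits after folding
      ("display-name-spoof", address)  known name on an unrelated address
      ("unknown", None)                no relation to any contact
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    known = {a.lower() for a in contacts.values()}
    if addr in known:
        return ("trusted", addr)

    folded = normalize(addr)
    best = None
    for real in contacts.values():
        d = levenshtein(folded, normalize(real))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, real.lower())
    if best is not None:
        return ("lookalike", best[1])

    for contact_name, real in contacts.items():
        if name and normalize(name) == normalize(contact_name):
            return ("display-name-spoof", real.lower())
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed headers illustrating each case.
    samples = [
        "Dana Levi <dana.levi@example-university.ac.il>",
        "Dana Levi <dana.levi@examp1e-university.ac.il>",       # digit 1 for l
        "Dana Levi <dana.levi@example-universlty.ac.il>",       # one-letter swap
        "Dana Levi <d\u0430na.levi@example-university.ac.il>",  # Cyrillic а
        "Dana Levi <danalevi1987@example-freemail.com>",        # name only
        "Bob <bob@unrelated.example>",
    ]
    for h in samples:
        print(f"{h!r:60} -> {classify_sender(h)}")
```

The edit-distance threshold is deliberately small: at two edits it catches single-character swaps and registered cousin domains without flagging every unrelated address, and because both sides are folded through the same substitution table, a look-alike that differs only by a confusable character scores a distance of zero and is still reported as a lookalike rather than as trusted.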

On September 7, 2022, the Albanian, U.S., and U.K. governments confirmed allegations made by the cyber security firm Mandiant that the IRGC-sponsored cyber espionage group APT 42 had conducted a cyber attack against the Albanian government in July 2022. The attack occurred around the time that an Iranian dissident rally in Albania, at which former U.S. officials were scheduled to speak, had to be canceled due to a terror threat. Following the discovery of the cyber attack, the U.S. government and its private sector partners worked with the Albanian government to investigate the actors behind it. The U.S. and U.K. governments found that critical Albanian infrastructure was the intended target of the Iranian cyberattack. The White House pledged that the U.S. would take action “to hold Iran accountable” for its attack, which violated peacetime norms on “refraining from damaging critical infrastructure that provides services to the public.” The U.S. government supported Albania’s decision to sever ties with the Islamic Republic.

Disrupting Albanian government websites and public services appeared to be a goal of APT 42’s cyber attack, although the group is typically tasked with information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government. The attack caused the Albanian government to shut down government websites and suspend public services. Mandiant identified ransomware called ROADSWEEP used in the attack to encrypt files on a compromised system and to leave a note claiming that the Albanian government was being targeted in a cyber attack.

Ransomware is typically used for extortion, but on this occasion, the attack appears to have been politically-motivated. The ROADSWEEP ransomware dropped a ransom note including the text “why should our taxes be spent on the benefit of Durres terrorists?” Durres is a county in which the town of Manez is located; Manez was scheduled to host the World Summit of Free Iran conference on July 23-24 before it was canceled due to terrorist threats. The Iranian dissident group Mujahedeen-e-Khalq (MEK) organized this summit in opposition to the Iranian regime, so it falls squarely within the purview of the IRGC’s mandate to neutralize foreign and domestic adversaries. Tensions increased between Iran and Albania when the latter decided to accept up to 3,000 Iranian MEK dissidents at the request of the U.S. in 2013. A front group by the name of “Homeland Justice” claimed responsibility for the cyber attacks, posting on their Telegram page a video of the ransomware being executed along with purported government documents and residence permits of members of the MEK.

This was not the first cyber attack launched by APT 42. Mandiant noted in a report on the group that it has often relied on the tactic of rapport-building with their victims, sometimes conversing for weeks to months pretending to be a journalist or other trusted person, before sending a link that allows them to access personal information. Between March and June 2021, the group compromised an email account of a U.S.-based think-tank employee with the intention of targeting other think-tanks, academic institutions, and U.S. officials working on Iran policy. It was unclear which U.S. government agencies were targeted, or whether the attacks on the U.S. government were successful. These efforts underscore the fact that the IRGC relies upon cyber operations for intelligence gathering, influence operations, and surveillance. UANI has been similarly targeted by the Iranian government via phishing attempts.

On December 3, 2023, a top White House national security official emphasized the urgency for U.S. utilities and industries to bolster their cybersecurity defenses following recent cyber-attacks by Iranian hackers. Deputy National Security Adviser Anne Neuberger said that the attacks, carried out by the Iranian hacker group “Cyber Av3ngers,” were “unsophisticated” but still managed to breach multiple American organizations, including a small municipal water authority in Aliquippa, Pennsylvania. The breaches began on November 22 and targeted organizations using programmable logic controllers made by the Israeli company Unitronics. Neuberger underscored that these incidents demonstrated the persistent threat from hostile countries like Iran and from criminals, stating, “We need to be locking our digital doors.” She noted that basic cybersecurity practices could have significantly mitigated the impact of these attacks.

Additionally, Neuberger pointed to recent ransomware attacks on the healthcare industry as further evidence of the need for enhanced cybersecurity measures. One notable incident involved Ardent Health Services, which operates 30 hospitals across six states and was forced to divert patients and postpone elective procedures following a November 23 cyberattack. The administration had previously introduced a comprehensive cybersecurity plan, which included holding software companies accountable for failing to meet basic standards. Despite this, a federal appeals court decision in October led the EPA to rescind a rule requiring U.S. public water systems to include cybersecurity testing in their audits, a move Neuberger criticized as potentially leaving vulnerabilities unaddressed. She urged state and local governments and private companies to implement recommended cybersecurity measures promptly.

On December 18, 2023, i24NEWS reported that the Israel National Cyber Directorate had undertaken an investigation following an attempted cyber-attack on Ziv Hospital in Safed, in northern Israel. The attack, thwarted by a collaborative effort involving the National Cyber System, the Israel Defense Forces (IDF), and the Shin Bet internal security agency, was attributed to hackers affiliated with Iran and Hezbollah. According to the National Cyber Directorate, the AGRIUS cyber attack group, linked to the Islamic Republic’s Ministry of Intelligence, orchestrated the assault in late November 2023 amid tensions related to the ‘Iron Swords’ conflict. “The attack aimed to disrupt the hospital’s regular operations,” stated the Directorate, highlighting the joint efforts that prevented significant disruption and potential harm to civilians relying on medical treatment at Ziv Hospital.

The investigation revealed that the cyber operation involved Hezbollah’s cyber unit, identified as Lebanese Cedar and led by Muhammad Ali Marai, in collaboration with Iranian intelligence services. Despite attempts to compromise sensitive medical data stored within the hospital’s systems, swift action from Israeli security forces and hospital staff curtailed the attackers’ objectives. “The attackers managed to access materials from the hospital, which were subsequently disseminated on social media channels,” noted the National Cyber Directorate. 

On February 2, 2024, the U.S. imposed sanctions on six officials from the Islamic Revolutionary Guard Corps (IRGC), holding them responsible for the cyber-attacks on American water plants in late 2023. The sanctions targeted members of the IRGC’s Cyber-Electronic Command (IRGC-CEC), including Hamid Reza Lashgarian, the head of the cyber organization and a commander in the IRGC-Quds Force, Iran’s overseas operations arm. Brian Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence, stated, “The deliberate targeting of critical infrastructure by Iranian cyber actors is an unconscionable and dangerous act.” The U.S. Cybersecurity & Infrastructure Security Agency (CISA) emphasized the vulnerability of America’s water systems, with Executive Assistant Director for Cybersecurity Eric Goldstein highlighting the potential “life-safety impact” of such cyber-attacks. Following the attacks, Pennsylvania Senators Bob Casey and John Fetterman, along with Congressman Chris Deluzio, urged Attorney General Merrick Garland to “conduct a full investigation and hold those responsible accountable.” CISA warned that Iran, along with China, Russia, and North Korea, continues to enhance its cyber capabilities, posing significant threats to U.S. cybersecurity.

On February 14, 2024, Microsoft stated in a blog post that Iran and other hostile nations such as North Korea, Russia, and China had begun to use generative artificial intelligence to mount or organize offensive cyber operations. In collaboration with OpenAI, Microsoft detected and disrupted numerous threats that leveraged AI technology, although the techniques were described as “early-stage” and not “particularly novel or unique.” The IRGC was highlighted for using large language models to assist social engineering, troubleshoot software errors, and study how intruders might evade detection in compromised networks. Examples included generating phishing emails, such as one posing as an international development agency and another attempting to lure prominent feminists to an attacker-built website on feminism. The AI’s role in these activities was to accelerate and enhance the production of such malicious content. Microsoft provided detailed instances of Iran’s AI-assisted cyber activities, emphasizing the need to expose these early attempts publicly. The blog post noted that all generative AI accounts and assets linked to these groups had been disabled.

On April 3, 2024, Iran International reported a significant increase in cyber assaults originating from Iran and Hezbollah and targeted at Israel throughout 2023. According to a report by Israel’s National Cyber Directorate, the country experienced a 43% surge in cyber attacks compared to the previous year. The report highlighted a period of escalated cyber warfare tactics following the October 7 invasion by the Islamic Republic-backed Hamas, extending until the end of 2023. The attacks totaled 3,380 documented incidents, including 800 deemed by the Directorate to have “significant potential for damage.” The report underscored a notable shift in tactics from information threats to more disruptive and damaging actions aimed at destabilizing essential organizations and influential companies within supply chains.

Throughout the year, the National Cyber Directorate recorded 13,040 verified cyber attack reports, marking a substantial increase primarily driven by the Gaza conflict, which coincided with 68% of these incidents. The attacks targeted various sectors, with 41% directed at social networks, 25% involving phishing attempts, and 13% exploiting vulnerabilities in computer systems. Additional methods included malware attacks, operational continuity disruptions, and communication disruptions. The report emphasized the collaboration between Iran and Hezbollah in executing these cyber operations, particularly noting their focus on hospitals as critical targets and their efforts in intelligence gathering to undermine the war effort. 

On June 14, 2024, Microsoft President Brad Smith revealed that the company was detecting roughly 300 million cyberattacks per day targeting its customers, with a significant majority originating from hostile nations such as the Islamic Republic, China, North Korea, and Russia. During his testimony before the House Committee on Homeland Security, Smith emphasized the scale and origin of these threats, stating, “A majority of these attacks come from nations like Iran.” He pointed to the escalating sophistication and aggressiveness of cyber adversaries from these countries, stressing the critical need for bolstered cybersecurity measures across the board. Smith highlighted Tehran’s growing cyber capabilities, echoing concerns raised in the U.S. intelligence community’s 2023 Annual Threat Assessment.