Nation-state Hacker Profile: Iran

Key Takeaways

  • Iran has increased its investment in cyber capabilities since 2010 and now conducts a large volume of social engineering attacks that are becoming increasingly sophisticated

  • Iran mostly targets government agencies and defense contractors in the U.S., Israel, Saudi Arabia, and UAE

  • The U.S. has attacked Iran’s oil and nuclear infrastructure, while Iran has disrupted U.S. banks and attempted to meddle in U.S. elections

Iran’s cyberwarfare capabilities

It is very difficult to compare the cyber capabilities of one country against those of another, as most of the programs are so highly classified that only a few people know their full extent. However, Russia and China are considered Tier 2 cyber aggressors, with Iran close behind in Tier 3, followed by North Korea. The U.K. and Israel are the West’s Tier 2 countries, with sophisticated capabilities from both a defensive and an offensive perspective. The U.S. is the sole Tier 1 cyber country in the world.

Iran started heavily investing in its cyber operations program following the Stuxnet attack (malware that sabotaged the machinery running nuclear enrichment centrifuges) in 2010. Since then, Iran has become a very sophisticated cyber threat able to target critical national infrastructure, financial institutions, education establishments, manufacturers and more.

On the lower end of the skills spectrum, Iran has a large community of hackers active on underground forums. Some of them engage in politically motivated, disruptive operations against Iran's adversaries in the Middle East, such as distributed denial of service (DDoS) attacks, which are generally considered rather unsophisticated.

Iran is also known to invest considerable effort in developing elaborate social engineering personas on LinkedIn and Facebook in order to persuade targets to open malicious links or attachments. A large-scale Iranian operation that targeted U.S. military members by posing as technical recruiters or attractive women was recently uncovered by Facebook.

Zero-day exploits are rarely seen in use by Iranian groups, although they have a history of using SQL injection attacks and web exploits to good effect, which shows growing technical capability.

Iran’s Targets

Government agencies and defense contractors are top targets for Iranian threat actors because successful breaches can yield political and military intelligence, along with high-value intellectual property. According to threat intel firm IntSights, four countries stand out as prime targets for state-sponsored Iranian attacks: the U.S., Israel, Saudi Arabia, and the UAE.

The US and Israel are top targets due to their longstanding adversarial relationships with the current Iranian government dating back to their support for the former Iranian monarchy and persisting into the present day with their efforts against Iran’s nuclear program.

Saudi Arabia is a chief regional adversary of Iran due to a variety of political, economic, sectarian, and ethnic factors, including their participation in a regional proxy war in Yemen. The UAE is a target due to a wider range of factors, including diplomatic and economic tensions, the roles of Dubai and Abu Dhabi as global business and transportation hubs, and the presence of many Iranian expatriates in the UAE.

Iranian Threat Actors

Iran’s primary cyber operations are conducted by the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), along with affiliated contractors and front companies. The IRGC is a powerful paramilitary organization that is reported to be responsible for disruptive and destructive attacks. The MOIS is a civilian intelligence service focused on the clandestine acquisition of intelligence.

IRGC and MOIS employees often outsource attacks to non-employees, including Iranian hacktivists and criminals whom they have recruited through coercion, compensation, or both. Some Iranian threat groups operate almost as businesses that sell compromised data to Iranian public sector organizations, or have organized themselves as ‘institutes’.

The Iranian Cyber Army is a black-hat hacker group that is not officially recognized by the Iranian government but clearly hacks in support of Iranian interests.

U.S. attacks on Iran

Sustained U.S. cyber activities against Iran are widely traced to a covert campaign code-named Operation Olympic Games. Started in 2006 under the Bush administration, the program targeted Iranian nuclear capabilities. President Obama expanded Olympic Games to include the use of offensive cyber weapons against Iran’s nuclear enrichment facilities. In September 2018, President Trump reportedly granted the CIA more authority to conduct cyberattacks on civilian infrastructure.

The most famous alleged American cyberattack on Iran was the unleashing of the Stuxnet virus on the Natanz enrichment facility, which damaged nearly 1,000 centrifuges and infected 30,000 computers. Iran was forced to take tens of thousands of computers offline. Unlike the viruses that preceded it, Stuxnet was able to cause physical damage to the equipment the target computers controlled, marking a new style of cyberattack. Other cyberattacks, including the Flame and Wiper viruses, reportedly also part of Operation Olympic Games, targeted Iran’s oil infrastructure.

In June 2019, the United States conducted a cyberattack on Iran after Iran downed a U.S. drone near the Strait of Hormuz. The attack wiped clean an IRGC database used to plan attacks against tankers in the Persian Gulf.

Iranian attacks on U.S.

Iranian cyberattacks against the United States date back to 2009, when the so-called “Iranian Cyber Army” defaced Twitter’s homepage in response to the Green Revolution protests over alleged fraud in the reelection of President Mahmoud Ahmadinejad.

In September 2012, Iranian hackers directed a Distributed Denial of Service (DDoS) attack against U.S. banks, including Bank of America, as well as the New York Stock Exchange and NASDAQ. The campaign, nicknamed Operation Ababil, blocked access to the websites of major financial institutions by overwhelming their servers with web traffic. According to a Department of Justice indictment, the attacks cost Western firms millions in lost business.

In December 2018, the Department of Justice indicted two Iranian hackers for a ransomware attack that had crippled Atlanta’s city government in March of that year. The attack locked the files of 8,000 municipal employees and took offline local government operations for nearly a week.

Iranian hackers targeted U.S. citizens in the lead-up to the 2020 U.S. presidential election. In October 2019, Microsoft warned that an Iranian government hacker group had tried to breach e-mail accounts associated with journalists, current and former U.S. government officials, and a U.S. presidential campaign. And in June 2020, Google said that Iran had tried and failed to breach e-mail accounts associated with President Donald Trump’s reelection campaign.

Other Notable Attacks from Iran

Iran has been accused of perpetrating a number of cyber-assaults. One of the best known is the attack on the Saudi Aramco oil company in 2017 using the Shamoon virus, which was so devastating that the network had to be rebuilt almost from scratch.

Before Israel’s election in March 2019, Benny Gantz, leader of the Blue and White party, reportedly had his phone hacked by Iranian intelligence.

Iran was responsible for a 12-hour cyberattack on the British Parliament that compromised around 90 email accounts belonging to MPs. The motive for the attack is unknown, but experts suggested that the Islamic Revolutionary Guard Corps could be using cyberwarfare to undermine the Iran nuclear deal.

Conclusion

Because of increased investment in both offensive and defensive cyber capabilities, Iran is a growing cyber threat to the U.S. and to Western-leaning countries in the Middle East. Iran has already been behind a number of cyberattacks that defaced American websites and shut down U.S. banks. For now, the U.S. and its allies far outgun Iran, but it is not an actor to be ignored, especially if it acts as a proxy for Russian- or Chinese-backed attacks.