Iran is one of the leading cyberspace adversaries of the United States. It emerged as a cyberthreat a few years later than Russia and China and has so far demonstrated less skill. Nevertheless, it has conducted several highly damaging cyberattacks and become a major threat that will only get worse.
Like Russia and China, the history of Iran’s cyberspace operations begins with its hackers. But unlike these other countries, Iran openly encourages its hackers to launch cyberattacks against its enemies. The government not only recruits hackers into its cyberforces but supports their independent operations.
Putting Iranian hackers on the map
It was clear by the mid-2000s that Iran would become a source of cyberattacks: Its hackers had started taking over websites worldwide and posting their own messages on them, a practice called “defacing.” Often it was just for fun, but some hackers wanted to stand up for their country and Muslims. One prominent group, Iran Hackers Sabotage, launched in 2004 “with the aim of showing the world that Iranian hackers have something to say in the worldwide security.”
The group’s website announced that it provided vulnerability testing and secure hosting services, but it was also known for web defacements. In 2005, the group replaced the U.S. Naval Station Guantanamo home page with one defending Muslims and condemning terrorists. Another of its defacements proclaimed “Atomic energy is our right.” By early 2008, the Zone-H defacement archive listed 3,763 web defacements for the group. The group has since disbanded.
Another prominent group, Ashiyane Digital Security Team, ran a website that offered free hacking tools and tutorials. The site claimed to have 11,503 members in May 2006. Like Iran Hackers Sabotage, Ashiyane provided security services while using its members’ knowledge and skills to deface websites. Their defacements frequently included a map of Iran with a reminder that “The correct name is Persian Gulf” for what some Arab states have called the “Arabian Gulf.”
Ashiyane defaced 500 websites in 2009 during the Israeli incursion into Gaza and 1,000 sites in the U.S., U.K. and France in 2010 for supporting what the group said were anti-Iranian terrorist groups. By May 2011, Zone-H had recorded 23,532 defacements by the group. Its leader, Behrouz Kamalian, said his group cooperated with the Iranian military, but operated independently and spontaneously.
A third group, the Iranian Cyber Army, launched a few years later. It has been implicated in several website attacks, including one against Twitter in 2009 that proclaimed support for Iran’s Supreme Leader Ali Khamenei. Other attack targets were the Voice of America in 2011 after the U.S. supported Iran’s Green movement, and regime opposition websites in 2013 just before the presidential election.
Iran’s cyber military
The Iranian Cyber Army is said by some cybersecurity researchers to operate on behalf of Iran’s Islamic Revolutionary Guard Corps, a branch of the country’s military. The Revolutionary Guards runs a cyber warfare program that in 2008 was estimated to employ about 2,400 professionals. In addition, it connects with independent hacker groups such as Ashiyane and the ICA.
The Revolutionary Guards also command Iran’s voluntary paramilitary militia, known as the Basij Resistance Force. In 2010, the Basij established the Basij Cyber Council, but it focuses more on media and influence operations than on cyberattacks.
Turning to sabotage
By 2012, Iranian cyberattacks had gone beyond simple web defacements and hijacks to ones that destroyed data and shut down access to critical websites. The attackers conceal their government connections by hiding behind monikers that resemble those used by independent hacktivists fighting for justice and human rights.
One such group called itself the Cutting Sword of Justice. In 2012, it launched cyberattacks against the Saudi Aramco oil company, claiming to protest Saudi oppression and corruption financed by oil. The attacks used “wiper” code that overwrote data on hard drives and spread through the company’s network via a virus dubbed Shamoon. More than 30,000 computers were rendered inoperable at Saudi Aramco and Qatar’s RasGas, which was also targeted. U.S. intelligence officials blamed Iran for the attacks.
Iran has deployed wiper malware in other acts of sabotage, most notably the 2014 attack against the Las Vegas Sands Corporation. The attack was thought to be a response to remarks made by Sheldon Adelson, the company’s largest shareholder. Adelson suggested setting off a bomb in an Iranian desert to persuade the country to abandon nuclear weapons. And in 2016, the Shamoon malware resurfaced, wiping data from thousands of computers in Saudi Arabia’s civil aviation agency and other organizations.
Iranian hackers operating on behalf of the government have also conducted massive distributed denial-of-service attacks, which flood sites with so much traffic that they become inaccessible. From 2012 to 2013, a group calling itself the Cyber Fighters of Izz ad-Din al-Qassam launched a series of relentless distributed denial-of-service attacks against major U.S. banks. The attackers claimed the banks were “properties of American-Zionist Capitalists.”
In 2016 the U.S. indicted seven Iranian hackers in absentia for working on behalf of the Revolutionary Guards to conduct those bank attacks, which were said to have caused tens of millions of dollars in losses. The motivation may have been retaliation for economic sanctions that had been imposed on Iran or the Stuxnet cyberattack on Iran’s centrifuges.
One of the seven indictments was of a man who allegedly obtained access to the computer control system for the Bowman Avenue Dam in New York state. The access would have allowed the intruder to “operate and manipulate” one of the dam’s gates had it not been offline for maintenance.
Iran also engages in cyberespionage. One group, which cybersecurity research firm FireEye named Advanced Persistent Threat 33, has invaded computers around the world, with targets in the petrochemical, defense and aviation industries. The group uses code linked to Iran’s wiper malware, possibly in preparation for more destructive attacks. Another group, called Advanced Persistent Threat 34, has been active since at least 2014, targeting companies in the financial, energy, telecom and chemical industries.
Foreign assistance
Iran may be beefing up its cyberwarfare capabilities with the help of foreigners.
According to former Congressman Peter Hoekstra, who chaired the House’s Permanent Select Committee on Intelligence, Iran’s rapid emergence as a major cyberthreat likely stems from its close ties to Russia. Matthew McInnis, a resident fellow at the American Enterprise Institute, believes Iran turned to Russia to level the cyberwarfare battlefield with the U.S. and the West.
Iran may also be looking to Mexico for cyberwarfare support. According to a documentary aired on the Univision television network in 2011, a former Iranian ambassador to Mexico accepted a plan from undercover Mexican students to launch crippling cyberattacks against the U.S. The targets included the White House, the CIA, the FBI and nuclear installations. The documentary also shows Venezuelan and Cuban officials in Mexico expressing interest in the plot.
Strengthening its cyberwarfare program
Iran may view cyberwarfare as a means of overcoming its military disadvantage compared to the U.S. To that end, it will likely continue to improve its cyber capabilities.
Containing Iran’s cyberwarfare program would likely be even more challenging than containing its nuclear program. Computer code is easy to conceal, copy and distribute, making it extremely difficult to enforce controls placed on cyberweapons. That leaves cybersecurity and cyberdeterrence as America’s best options for defending against the Iranian cyberthreat.
Dorothy Denning, Emeritus Distinguished Professor of Defense Analysis, Naval Postgraduate School