Persian Five of Hearts by Shahab Shiavash

An Introduction To The Implications Of Iran’s Cyber Capabilities For The US

The 2017 Worldwide Threat Assessment produced by the Director of National Intelligence states, “Tehran continues to leverage cyber espionage, propaganda, and attacks to support its security priorities, influence events and foreign perceptions, and counter threats — including against US allies in the region. Iran has also used its cyber capabilities directly against the United States.” The report also cites 2013 and 2014 attacks on US critical infrastructure and businesses.[1] Dir. Coates states “Iran’s leaders are focused on countering what they perceive as a Saudi-led effort to fuel Sunni extremism and terrorism against Iran and Shia communities throughout the region.”[2]

Another scholar stated, “Iran represents a qualitatively different cyber actor, they’re not stealing our intellectual property en masse like China, or using cyberspace as a black market as the Russians do…what Iran does use cyber for, including elevating its retaliatory capabilities abroad, makes it a serious threat.”[3] In April of last year, long before being named Secretary of Defense, James Mattis ominously described the Iranian cyber program this way: “if we’d talked three, four, five years ago, I’d have said it’s not a big threat. Today I will just tell you I would liken it to children juggling light bulbs filled with nitroglycerine. One of these times they’re going to do something really serious and force a lot of foreign leaders to have to take it into account.”[4]

Cyber operations entail less risk and provide Tehran with options not provided by the other legs of its current triad. Iran is considering the battlefield use of cyber to disrupt enemy missile defenses, command and control, aerial and naval unmanned systems, and logistics — which in the United States are hosted on unclassified computer networks.[5] Its network reconnaissance activities seem to indicate that it is developing contingency plans to attack its enemies’ critical infrastructure. It might also target entities that it believes enable U.S. “soft warfare” activities: media outlets, purveyors of popular culture, think tanks seen as hostile to Iran, universities, and U.S. government agencies perceived to be directing these efforts. And it may opt to target culture and media outlets that it believes have mocked or insulted the sensibilities of the country’s leadership.[6]

With the new administration, speculation regarding the Iran deal may have implications for US national security regarding Iranian cyber-attacks. As mentioned, upon the signing of the Iran Nuclear Deal, attacks targeted towards the US decreased (proxy groups still carried out sporadic attacks). Cyber experts say that would change if Trump and Congress abandon the nuclear agreement and reimpose sanctions.[7] Cylance CEO stated, “I personally think they’ll double down their efforts and we’ll start to see a lot more attacks.”[8] “Tehran will be frustrated if the U.S. breaks the agreement, and experts agree the country’s digital warriors can help the regime project influence wherever it chooses to do so.”[9] Cyber specialists have said if the U.S. withdraws from the deal, not only will Iran resume full-scale hacking of American targets, but it will do so with greater discipline and capabilities than last time.[10] Adam Meyers, VP of Crowdstrike, stated, “They’ve developed a more mature way of thinking about establishing offensive cyber capabilities.” Experts expect Iran would use more zero-day exploits which would take advantage of previously unknown security flaws.[11]

In the event of a large-scale cyber attack, the United States may not be ready to take on attacks directed towards critical infrastructure, such as ones modeled after the dam attacks in New York City. Cyber attackers have repeatedly targeted U.S. critical infrastructure. Iran, for example, may have a limited but potentially increasing ability through cyber tools — indigenous, purchased, or transferred — to conduct catastrophic attacks on U.S. critical infrastructure. The dependence of the United States on modern ICT and ICS to facilitate every aspect of our lives — to operate the government, all of our critical infrastructures (e.g., energy, water, and financial sectors), and our general business and citizen enterprises — has made these systems attractive targets to a wide spectrum of adversaries, including Iran.[12] U.S. industrial control systems were threatened by cyber-attacks at least 245 times over a 12-month period, according to a 2014 report from the ICS-CERT. Despite the increasing frequency of cyber-attacks targeting critical infrastructure, these otherwise highly-regulated industries have few protocols in place to protect against cyber security breaches.[13] According to a report from the Government Accountability Office, nearly all the critical infrastructure industries lack adequate cyber security metrics.[14] The Defense Science Board Task Force on Cyber Deterrence issued a report this year stating “regional powers (e.g., Iran and North Korea) have a growing potential to use indigenous or purchased cyber tools to conduct catastrophic attacks on U.S. critical infrastructure. The U.S. Government must work with the private sector to intensify efforts to defend and boost the cyber resilience of U.S. critical infrastructure to avoid allowing extensive vulnerability to these nations. It is no more palatable to allow the United States to be held hostage to catastrophic attack via cyber weapons by such actors than via nuclear weapons.”[15] The report goes on to say, “The United States could — and must — aim to deny North Korea and Iran the ability to undertake catastrophic attacks on U.S. critical infrastructure via cyber, just as the United States aims to deny them the ability to attack with nuclear weapons. Indeed, the United States should pursue this objective aggressively. It is unpalatable to leave the United States vulnerable to catastrophic or coercive attack when it is avoidable — and it is avoidable vis-à-vis North Korea and Iran. The U.S. capability to impose costs is essential but (as in deterring nuclear attack) should be additive to denial.”[16]

Iran’s history of cyber espionage also puts the US at risk. In the ODNI threat assessment, officials state, “Iran will continue to develop capabilities to disrupt military communications and navigation, and Iran will attempt to penetrate US national decision-making apparatus and the intelligence community. They will also be targeting US companies and research institutions to circumvent sanctions and acquire dual-use technologies.”[17] One example of this occurred in 2014, a report issued by iSIGHT Partners discovered a group by the name “Newscaster,” which iSIGHT called, “the most elaborate net-based spying campaign organized by Iranian hackers using social media.” The report mentions Iranian Hackers used a network of fake accounts on principal social media to spy on US officials and political staff worldwide. “At least 2,000 people/targets are, or have been, caught in the snare and are connected to the false personas.”[18] Models of Iran’s activity monitoring through social media and other platforms follow trends Iran uses on its citizens, which makes great use of phishing and social engineering to monitor the activities and opinions of Iranian citizens and to identify opponents of the regime and opposition activists, it is no wonder they can carry out these same activities externally as well.

Most recently this year, the Newscaster group, which is also known by the name “Charming Kitten,” has been linked to the hacking of HBO which took place in 2017. [20] “Charming Kitten — also tracked under various codenames such as Newscaster, NewsBeef, Flying Kitten, and the Ajax Security Team — was one of the most active Iran-based cyber-espionage units at the time, but once the FireEye report went public, the group dismantled its infrastructure and went dormant. Subsequent research published by Iran Threats and ClearSky show that parts of the old Charming Kitten infrastructure, such as malware and credential theft resources, have been reused by another Iranian cyber-espionage unit named Rocket Kittens, and possibly more. Various experts have pointed out that most of these groups are most likely operating under the protection and guidance of Iranian military, hence the reason why some resources are used not by one or two, but multiple APTs.”[21]

On December 7, FireEye published a report stating, “Hackers linked to the Iranian government have conducted a long-term cyber espionage operation against government and industry in Israel, Kuwait, Lebanon, Qatar, Saudi Arabia, Turkey, and the United Arab Emirates.”[22] “The mostly Middle Eastern targets include government agencies and private industries, including financial, energy, chemical, and telecommunications sectors.”[23]

Based on the evidence, Iran’s activities here in the US as well as in the Middle East are active and directed towards advancing the Iranian agenda and undermining opposition. If the US does not take appropriate actions to continue to stay ahead of Iranian cyber activities, there may be negative impacts that could give the US a strong disadvantage geopolitically and strategically. The US should consider being more proactive in developing policies and steps to protect, defend, and counter whatever action may be taken against us.


Cyber threats are already challenging public trust and confidence in global institutions, governance, and norms, while imposing costs on the US and global economies. Cyber threats also pose an increasing risk to public health, safety, and prosperity as cyber technologies are integrated with critical infrastructure in key sectors. These threats are amplified by our ongoing delegation of decision making, sensing, and authentication roles to potentially vulnerable automated systems. This delegation increases the likely physical, economic, and psychological consequences of cyber-attack and exploitation events when they do occur. Many countries view cyber capabilities as a viable tool for projecting their influence and will continue developing cyber capabilities. Some adversaries also remain undeterred from conducting reconnaissance, espionage, influence, and even attacks in cyberspace.”[24]

Iran’s cyber program falls directly under the description listed in the Threat Assessment Report and has developed extensively since it began in 2005. From a small unit of the IRGC to now becoming a major global cyber power, the activities carried out will likely increase as technology advances and the cyber realm inches toward becoming a norm for non-conventional warfare. Iran’s cyber capabilities have brought Iran into the upper ranks of worldwide cyber threats, joining Russia, China, and, to a lesser extent, North Korea.[25] The 2010 National Security Strategy discusses Iran in the context of its nuclear program, support of terrorism, its influence in regional activities, and its internal problems. There was no mention of Iran’s cyber capability and a threat to US interests. Today, it has become a pillar to US strategy towards Iran.

According to Carnegie nuclear expert Mark Hibbs, “If Tehran aimed to divide the P5+1 and aggravate Israel and Western countries, it might do things not expressly forbidden by the JCPOA, but that would not be in the spirit of the accord.” Iran may retaliate against increased pressure in areas other than its nuclear and regional activities, including in cyberspace, which has become the newest frontier in the four-decade-long U.S.-Iranian cold war. Perhaps more than any other government in the world, Iran has been the target of uniquely destructive cyber -attacks by Washington and its allies. As a result, Tehran has itself become increasingly adept at conducting cyber espionage and disruptive attacks against Iranian critics at home and abroad. Cyber warfare has become a credible retaliatory threat for Iran against the political and economic institutions of its adversaries, most notably the United States, Israel, and Saudi Arabia.[26] Offensively, the cyberspace strategy is part of the doctrine of asymmetrical warfare, a central principle in the Iranian concept of the use of force. Cyberspace warfare, like other classical asymmetrical tactics such as terrorism and guerilla warfare, is viewed by Iran as an effective tool to inflict serious damage on an enemy with military and technological superiority. In a case of escalation between Iran and the West, Iran will likely aim to launch a cyber-attack against critical infrastructures in the United States and its allies, including energy infrastructures, financial institutions, transportation systems, and others.[27]

As mentioned, in 2012, the SCC announced its long-term goals for cybersecurity: improving cyber security and defense, improving cyberspace infrastructures support for state-backed, and independent online activists, and development projects for science, research, culture and strategic studies. In hindsight, Iran has accomplished each of those goals. Based on the growing number of attacks and the scale they have been carried out, it is safe to say they have improved their cyber security and defense. Beginning with the Green Movement and the attack on Twitter and opposition websites, to highly complex attacks on US and ally critical infrastructures, such as electrical grids and dams, it is safe to say Iran has improved. After the Stuxnet attack, Iran was able to dissect the virus and bolster its defenses, at the same time, the regime engaged in actively recruiting and increasing its “cyber-army” through proxy groups such as the Basij paramilitary group, Hezbollah, and other rogue groups such as CharmingKitten, APT33, etc.[28] As quoted by the deputy commander of ground forces in the IRGC, “We have armed ourselves with new tools, because a cyber war is more dangerous than a physical war.”[29]

Iran understands it cannot match the United States and its allies directly and therefore must strengthen its asymmetric toolset to counterbalance this gap.[30] Iran’s cyber capabilities have developed not only within the country but through proxies throughout the world. INSS reported the IRGC makes the country one of the best and most advanced nations when it comes to cyberwarfare. In a case of escalation between Iran and the West, Iran will likely aim to launch a cyber-attack against critical infrastructures in the United States and its allies, including energy infrastructures, financial institutions, transportation systems, and others.[31] Moreover, Iranian cyberattacks have exposed significant vulnerabilities in the security of the information networks of the U.S. and its key regional allies. However, Iran’s cyber capabilities should be kept in perspective. None of Iran’s cyberattacks have crippled any critical infrastructure of the targeted countries, and the disruptions caused by Iran’s attacks were of relatively short duration. Some Iranian cyberattacks were wholly unsuccessful, attacking decoy infrastructure rather than the intended targets. Although Iran’s information technological capability was substantially underestimated until recently, Iran’s program is nowhere near that of the U.S. or its major allies, including Israel. Collectively, the U.S. and its partners have sufficient skills, with which to detect and defeat Iranian cyberattacks.[32] With this, Iran is no doubt working hard to elevate its standing as a world-class cyber power. It is taking full advantage of U.S. foreign policy issues to foster relationships with U.S. adversaries such as China and Russia that will help advance Iran’s cyber capabilities.[33] General Martin Dempsey, Chairman of the Joint Chiefs of Staff, stated in an interview in January 2013 that, “there are reports that destructive cyber tools have been used against Iran…whoever’s using those can’t assume that they’re the only smart people in the world.” This still applies today, as the US advances in cyber technology, it is safe to say the adversary will be doing so too. The evolution of the Iranian Cyber Program has direct implications for US National Security and will continue to pose a threat for many years to come. The Iranian cyber threat, just as Russia and China’s, is something that cannot go ignored as Iran will likely carry out operations they believe they can get away with. For the IRGC and the proxy groups associated, the possibilities are endless in the ungoverned cyberspace frontier.

[1] “2017 Worldwide Threat Assessment,” Director of National Intelligence, May 2017.

[2] Ibid.

[3] Mark Clayton, “Cyber-war: In Deed and Desire, Iran Emerging as a Major Power,” The

Christian Science Monitor, March 16, 2014

[4] “The Rising Iranian Cyber Threat”

[5] “Cyber: Iran’s Weapon of Choice”

[6] “Cyber: Iran’s Weapon of Choice”

[7] Breaking nuclear deal could bring hacking onslaught from Iran”

[8] Ibid

[9] Ibid.

[10] Ibid.

[11] Ibid.

[12] Department of Defense Science Board Task Force on Cyber Deterrence Report. February 2017.

[13] “Cyber Attacks Against Critical Infrastructure Are No Longer Just Theories,” FireEye, April 29, 2016.

[14] Ibid.

[15] Department of Defense Science Board Task Force on Cyber Deterrence Report. February 2017.

[16] Ibid. Page 12.

[17] “Worldwide Threat Assessment.”

[18] “Past and Present Iran-Linked Cyber Espionage Operations,” Infosec Institute, February 20, 2017.

[19] “Iranian Cyber Espionage: A Troubling New Escalation,” INSS, June 16, 2014.

[20] “HBO Hacker Was Part of Iran’s “Charming Kitten” Elite Cyber-Espionage Unit,” BleepingComputer, December 6, 2017.

[21] Ibid.

[22] “Iran-sponsored hackers have targeted Israel, Saudis, Turkey since 2014,” NBC News, December 7, 2017.

[23] Ibid.

[24] “Worldwide Threat Assessment” Page 1

[25] “Iran’s Growing Cyber Capabilities,” The Soufan Group, August 11, 2016.

[26] “Contain, Enforce, and Engage: An Integrated U.S. Strategy to Address Iran’s Nuclear and Regional Challenges,” Carnegie Endowment for International Peace, October 26, 2017.

[27] “Iran Cyber Warfare” INSS, October 15, 2012.

[28] “Past and Present Iran-Linked Cyber Espionage Operations,”

[29] “Iran Sees Cyber Attacks As a Greater Threat Than Actual War.” Reuters, September 25, 2012.

[30] “Iran’s Emergence as a Cyber Power”

[31] Dr. Majid Rafizadeh, “Iran Attacks Americans on American Soil.” Huffington Post. Accessed December 3, 2017.

[32] “Iran’s Growing Cyber Capabilities,” The Soufan Group, August 11, 2016.

[33] Ibid.

Editors Note: Put a WEBGAP between you and the malware with a browser isolation technology or by leveraging a remote browser service.



Cybersecurity Intelligence Analyst — Twitter: @chrisolsen97

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store