“As a former United States Secret Service Agent and expert in cybersecurity, my duties took me beyond the US borders. I had the honor of protecting figures from around the world including Mahmoud Ahmadinejad, the Former President of Iran. This was a responsibility I took seriously, no matter the global geopolitical tensions, ready to lay down my life without hesitationfor anyone under my protection, friend or foe. This is the unwavering standard of dedication that defines the Secret Service, a testament to a silent vow to safeguard all without bias, with unwavering courage, and impartial valor.”
In the evolving landscape of global cyber warfare, Iran has rapidly emerged as a formidable player, demonstrating sophisticated cyber offensive capabilities that pose a significant challenge to its adversaries. The growth of Iran’s cyber arsenal is a testament to its strategic investment in cyber warfare as a tool for national defense and power projection. This article delves into the structure, strategy, and implications of Iran’s cyber offensive operations.
Iranian geopolitical tensions with the West have been a defining element of international relations for decades, stemming from a complex web of historical, political, and nuclear concerns. The 1979 Iranian Revolution marked a turning point, severing ties with the United States and shifting Iran’s foreign policy towards a stance of resistance against Western influence, particularly that of the U.S. and its allies. Central to the tensions have been Iran’s nuclear program and its regional activities, which Western countries, especially the United States, view with suspicion and concern, fearing the potential for nuclear proliferation and destabilization in the Middle East. Efforts to address these issues through diplomacy, such as the 2015 Joint Comprehensive Plan of Action (JCPOA)1, have seen periods of progress and setbacks, with fluctuations in relations influenced by changes in leadership and policy in both Iran and Western countries. Summary recent geopolitical tensions include but are not limited to the following:
Qasem Soleimani2 was an Iranian military officer who served in the Islamic Revolutionary Guard Corp. The United States military assassinated Soleimani in a targeted drone strike on 3 January 2020 in Baghdad, Iraq.
Iranian government officials publicly mourned Soleimani’s death. Iranian propaganda outlets subsequently represented Soleimani as a national hero.
In retaliation to Soleimani’s death, Iran launched missiles against U.S. military bases in Iraq, wounding 110 American troops.
Tensions continue to escalate. Senior US officials currently believe that an attack by Iran is “inevitable”. The Israel-Hamas war, which has extended to include conflict with Hezbollah, contained Israeli airstrikes which killed top Iranian commanders in Syria. Hezbollah is a Shiite Islamist political party and militant group based in Lebanon, known for its armed wing and political activism. It is significantly backed by Iran in terms of funding, training, and weapons. Iran vowed revenge against Israel and also blamed the United States for the death of it’s top commanders. The United States and Israel are preparing for more significant attacks from Iran.
“We must constantly strive for self-improvement and innovation to keep pace with the modern world.”
Ali Khamenei, Supreme Leader of Iran In Jan. 2024, Khamenei met with Soleimani’s family – showing Soleimani’s continued prominence even after his death.
Cyber Institutional Framework
Iran’s cyber offensive capabilities are centralized under two primary institutions: the Islamic Revolutionary Guard Corps (“IRGC”)3 and the Ministry of Intelligence and Security of Iran4 (“MOIS”) Persian: وزارت اطّلاعات جمهوری اسلامی ایران. Within these bodies, specialized units conduct cyber operations aimed at espionage, disruption, and influence.
IRGC Cyber Defense Command aka Iran’s Islamic Revolutionary Guard Corps Cyber–Electronic Command (“IRGC-CEC”): This unit specializes in offensive cyber operations, including sabotage against critical infrastructure and espionage. It is known for its agility and for employing sophisticated cyber tools. The IRGC was designated as a foreign terrorist organization by the United States in 2019.
MOIS: While primarily focused on intelligence gathering, MOIS also engages in cyber espionage to further Iran’s national interests. It targets foreign governments, critical infrastructures, and opposition groups.
Key Operational Units and Tactics
Iran’s cyber offensive operations are carried out by specialized units, each with its unique focus and tactics:
APT335aka “Elfin” aka “Holmium” (Shamoon)6: Specializes in cyber-espionage and destructive cyber attacks against the energy sector, deploying malware that can wipe data and disrupt operations.
APT34 (OilRig)7: Focuses on cyber espionage with sophisticated phishing campaigns aimed at governmental agencies and industries critical to national interests.
APT35 (Charming Kitten)8: Known for social engineering and phishing attacks aimed at political dissidents, foreign government officials, and international organizations.
These groups utilize a mix of tactics, including spear phishing, the deployment of custom malware, and exploiting vulnerabilities in software and infrastructure. Their operations demonstrate a strategic approach, aligning with Iran’s broader geopolitical goals.
Recent Operations of Iranian Cyber Groups
Tehran-Based Cyber Group “Black Shadow” Targeting Israeli Hospital
The cyber group “Black Shadow” (“Saye-ye Siah” in Persian), which targeted Ziv Medical Center [32°57′14″N 35°29′34″E] in the northern Israeli city of Safed in November is in fact a tech company which works under the registered name of “Raahkarha-ye Fanavari-e Etela’at-e Jahatpardaz.” The website of the company states that a group of “faithful and committed youth” has launched it in line with “The Second Step of the Revolution9.” (Iran International Newsroom, 2024)
A testament to the global community’s resilience against such threats is the successful thwarting of an Iranian-based cyber attack during the height of the COVID-19 pandemic. Experts at Citanex intervened to protect a healthcare system targeted by an Iranian cyber operation, demonstrating the critical importance of robust cyber defenses in safeguarding essential services. The Citanex Case Study: Securing Healthcare in the Digital Age, underscores the ongoing battle in cyberspace and the necessity of vigilance and advanced security measures to counteract sophisticated cyber threats.
“War is a test of wills.”
Carl von Clausewitz & echoed by several military strategists and leaders throughout history
Loading ...
Strategy and Objectives
Iran’s cyber offensive strategy is multifaceted, aiming not only at direct confrontation but also at achieving strategic depth through cyber espionage, infrastructure disruption, and influence operations. The objectives include:
Disruption of Critical Infrastructure: Targeting critical infrastructure in rival countries, especially in the energy sector, to exert political and economic pressure.
Espionage: Gathering sensitive information from government agencies, industries, and dissidents to inform policy decisions and counteract opposition.
Influence Operations: Spreading propaganda and disinformation to sway public opinion and destabilize adversary states.
Get the latest on Technology, Innovation, and Cyber Threats
Feb. 2024: U.S. Covert Attack on Iran’s Military Spy Ship
(Cyber Attacks on Iran)
In addition to US airstrikes, the U.S. reportedly hacked an Iranian spy ship accused of relaying intelligence to Houthi rebels attacking vessels in the Red Sea. This cyber operation by the U.S. was a countermeasure to an Iranian drone strike in Jordan that resulted in the deaths of three American soldiers, illustrating a direct response from the Biden administration to Iranian aggression.
Dec. 2023: Iran Petrol Stations Hit by Cyberattack
(Cyber Attacks on Iran)
Iran’s Oil Minister Javad Owji confirmed that there was a nationwide disruption of Iran’s petrol stations were caused by a cyber attack. Iran stated that the cyber attacks were related to a hacking group with links to Israel. The cyber attack disrupted services about 70% of the country’s 3,800 petrol stations across Iran.
Nov. 2023: US Municipal Water & Wastewater Systems
(Iran Offensive Cyber Operations)
Iranian group affiliated with the IRGC called the “Cyber Av3ngers” (also known as “CyberAveng3rs”, “Cyber Avengers”) targeted U.S. water systems, such as the Pennsylvania water authority, and multiple other sectors (including healthcare, energy, food and beverage, and manufacturing). “CyberAv3ngers” are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). The group has often compromised systems using default credentials of “1111” in Unitronics devices. targeted PLCs displayed the defacement message, “You have been hacked, down with Israel. Every equipment ‘Made in Israel’ is Cyber Av3ngers legal target.”
“Effective cybersecurity is established from the top down, exemplified by leadership, and sustained by a culture of accountability. The use of default passwords such as ‘1111’ in today’s cyber threat landscape is not just negligence—it is a clear example of recklessness.“
Matthew D. Ferrante, CISO
CyberAv3ngers also reportedly has connections to another IRGC-linked group known as Soldiers of Solomon10 who claimed to have taken full control of more than 50 servers, 25TB of data, security cameras and smart city management system in the Nevatim Air Base vicinity. The Nevatim Military Air Base [31°12′30.05″N 35°00′44.28″E] was also hacked gaining information about military personnel and their respective family members. Evidence in support of the groups statements was supplied by the hackers providing screenshots, video recordings, and other relevant images of the base.
2022: Albanian Government Cyber Attack
(Iran Offensive Cyber Operations)
Iran was blamed for a cyber attack on Albania’s government network infrastructure in July 2022, which led to the temporary shutdown of numerous public services and government websites. The attack was part of increasing tensions between Albania and Iran, partly due to Albania hosting the Mujahedin-e Khalq (MEK), an Iranian opposition group. In response, Albania severed diplomatic ties with Iran, marking a significant escalation in cyber conflict repercussions.
October 2020: Cyber attack on US. Presidential Election
(Iran Offensive Cyber Operations)
An attempt by Iranian hackers to interfere in the U.S. presidential election was thwarted. They sought to access voter registration data and spread misinformation. Reference is made to US Department of Justice criminal indictment (shown below).
May 2020: Cyber Attack on Iran’s Port of Shahid Rajaee [27.1142°N 56.0615°E]
(Cyber Attacks on Iran)
An attack on Iran’s port of Shahid Rajaee, causing widespread logistical disruptions, was attributed to Israeli cyber operators. This was reportedly in retaliation for an attempted Iranian cyber attack on Israel’s rural water distribution systems.
June 2019: US Covertly Launches Cyber Operations Against Iran’s Missile and Rocket Launch Systems
(Cyber Attacks on Iran)
A cyber operation wiped data from Iranian servers, affecting multiple sectors. This attack, by U.S. Cyber Command (USCYBERCOM)11 and in coordination with U.S. Central Command (USCENTCOM)12, was in retaliation for Iranian attacks on commercial shipping and a downed U.S. reconnaissance drone. Although the officials declined to provide specific details about the cyberattacks, one said they were deemed “very” effective. (Youssef, 2019)
March 2019: Microsoft Outlook Email Accounts Hackingvia “Holmium” aka APT33
(Iran Offensive Cyber Operations)
Microsoft announced that a state-sponsored actor originating from Iran, named “Holmium” by Microsoft and also known as APT33, had targeted more than 200 companies over the past two years, including those involved in satellite and maritime industries, aerospace, and petrochemical production. This campaign involved massive password spraying attacks13 to compromise email accounts. The hackers were able to access accounts for months, which included account login credentials for Microsoft customer support agent.
“Education is the key to unlocking the potential of our youth.”
Iranian hackers, known as the MABNA hackers, conducted cyber espionage operations targeting universities worldwide, stealing intellectual property and academic resources. Over 320 universities across 22 countries were affected. The U.S. Department of Justice charged several Iranians in connection with this operation, alleging ties to the Islamic Revolutionary Guard Corps (IRGC).
Reference is made to US Southern District of New York Criminal Indictment (Available Below)
Operation Cleaver was a cyber espionage campaign that targeted critical infrastructure entities worldwide, including in the United States, Israel, China, and Saudi Arabia. The attackers, believed to be linked to Iran, reportedly gained access to control systems of airports, airlines, and other critical infrastructure facilities, raising concerns about potential sabotage.
May 2014: Operation Newscaster
(Iran Offensive Cyber Operations)
Operation Newscaster was a cyber espionage campaign that involved the creation of a fake news organization, known as NewsOnAir.org, to conduct phishing attacks against U.S. and Israeli military targets. The attackers, linked to Iran, used social engineering to steal credentials and gather sensitive information.
2013: Attack on U.S. Dam
(Iran Offensive Cyber Operations)
In 2013, Iranian hackers gained access to the control system of a dam in Rye, New York. Although the breach was not publicly disclosed until 2015, it underscored the vulnerabilities of critical infrastructure to cyber attacks and the potential for significant physical consequences.
2012 – 2013: U.S. Financial Sector DDoS Attacks
(Iran Offensive Cyber Operations)
Between 2012 and 2013, a series of distributed denial-of-service (DDoS)14 attacks targeted the online banking services of several major U.S. banks, including J.P. Morgan Chase, Bank of America, and Citigroup, as well as the New York Stock Exchange. The attacks, dubbed by the hackers as “Operation Ababil15“, were attributed to the Izz ad-Din al-Qassam Cyber Fighters aka Qassam Cyber Fighters16 which were later linked to Iranian interests. The attacks were believed to be retaliation for economic sanctions and other pressures from the U.S.
Aug. 2012: Saudi Aramco Attack
(Iran Offensive Cyber Operations)
One of the most destructive cyber attacks attributed to Iran was the Shamoonvirus attack aka Disttrack17 on Saudi Aramco, the Saudi Arabian national petroleum and natural gas company which has a market cap of $1.955 Trillion USD. The attack wiped the data from over 30,000 computers and replaced it with an image of a burning American flag. This cyber sabotage was seen as part of the broader geopolitical tensions in the Middle East, as well reflecting the escalating trend of cyber warfare and espionage.
2012: Iranian Oil Ministry Computers
(Cyber Attacks on Iran)
An attack using the Flame malware, considered more complex than Stuxnet, targeted Iranian oil ministry computers, causing significant data loss.
2010: Stuxnet
(Cyber Attacks on Iran)
A highly sophisticated computer worm, targeted and damaged Iranian nuclear facilities. It’s one of the first known worms designed to spy on and subvert industrial systems. Iran stated, “We have no intentions to escalate anything,” said Alireza Miryousefi, the head of the press office at Iran’s United Nations mission. “On cyber capabilities, Iran’s policy and strategy is purely defensive, especially against malware and cyber attacks, as Stuxnet, emanating from the U.S. or others.”
Global Implications
The global implications of Iran’s cyber offensive capabilities are profound, necessitating a concerted effort to bolster cyber defenses worldwide. The potential for disruption of critical infrastructure underscores the urgency of addressing cybersecurity as a matter of national and international security.
Conclusions
Iran’s cyber offensive capabilities have established it as a significant force in the realm of cyber warfare, influencing global cybersecurity dynamics with strategic operations. Citanex is committed to sharing a series of case studies, drawing on our expert’s firsthand accounts from the government and the private sector. These studies underscore the ongoing necessity for strong leadership, robust strategies, advanced cyber defenses, and global collaboration to counteract the threats posed by nation-states in cyberspace, affecting various industries. Grasping the nuances of Iran’s cyber strategy is crucial for devising effective countermeasures and safeguarding critical digital infrastructure from sophisticated cyber threats. Reach out to Citanex to discover how you can implement leading technology and proven cyber strategies endorsed by industry-leading experts.
Joint Comprehensive Plan of Action (JCPOA) is an international agreement aimed at ensuring Iran’s nuclear program remains exclusively peaceful. Signed in 2015 by Iran and the P5+1 (the five permanent members of the UN Security Council—China, France, Russia, the United Kingdom, the United States—plus Germany) along with the European Union, the JCPOA involves Iran agreeing to limit its nuclear activities and allow international inspections in exchange for the lifting of economic sanctions. ↩︎
Qasem Soleimani, as the commander of Iran’s Quds Force, was implicated in organizing, supporting, and overseeing various military operations and proxy wars throughout the Middle East, as well as involved in orchestrating the deaths of American troops in Iraq. This includes activities in Iraq, Syria, Lebanon, and Yemen, involving support for Hezbollah, the Assad regime, and various militia groups. His role was pivotal in shaping Iran’s foreign policy and military strategy, leading to significant influence and, in many cases, direct involvement in conflicts that have had profound regional impacts. Polling data routinely showed Soleimani rated more favorably than other Iranian public figures, according to the Center for International Studies at the University of Maryland. (Nasser Karimi and Jon Gambrell, 2024) ↩︎
Islamic Revolutionary Guard Corps (“IRGC”) was conceived as the principal defenders of the 1979 revolution. w/approximately 190,000 troops under it’s command and allegedly another 600k Basij voluntary paramilitary force. The Islamic Revolutionary Guard Corps has evolved into an institution with vast political, economic, and military power. The IRGC has become one of the most powerful paramilitary organizations in the Middle East. It has provided assistance to militant groups in Afghanistan, Iraq, Lebanon, the Palestinian territories, Syria, and Yemen. The IRGC’s ties to armed groups in the region, such as Hezbollah in Lebanon and Hamas in the Palestinian territories, help Iran project influence and power. The guards were conceived as a “people’s army,” helping consolidate the revolution as Khomeini instituted a state based on the concept of velayat-e faqih, or guardianship of the jurist. (CFR.org Editors, 2024) ↩︎
The Ministry of Intelligence and Security of Iran, often abbreviated as MOIS, is the primary intelligence agency in Iran. It’s involved in gathering information, conducting espionage operations, both domestically and internationally, and ensuring the security of the state against various threats. The MOIS plays a crucial role in Iran’s national security apparatus, dealing with a wide range of activities from counterintelligence to internal security, often operating in a highly secretive manner. ↩︎
APT stands for Advanced Persistent Threat. It refers to a group or campaign that uses sophisticated hacking techniques to gain unauthorized access to a system and remain inside for a prolonged period, often targeting specific entities for espionage or data theft purposes. APTs are characterized by their stealth, persistence, significant resources, and complex strategies to infiltrate and maintain access to targeted networks, often sponsored or conducted by nation-states or large criminal organizations. ↩︎
APT33 is often associated with the Shamoon malware, a destructive cyber tool used in targeted attacks primarily against energy sector organizations. Shamoon is known for its capability to wipe data from infected computers, rendering them unusable. While APT33 conducts various cyber espionage and sabotage operations, the linkage with Shamoon suggests a focus on causing significant disruption and damage to critical infrastructure, aligning with strategic interests or retaliatory objectives. ↩︎
APT34, also known as OilRig, is an Iranian cyber espionage group known for its sophisticated cyber attacks primarily against entities in the Middle Eastern region, particularly focusing on industries related to government, energy, and telecommunications. This group employs a range of tools and techniques, including spear-phishing emails, web shells, and custom malware, to infiltrate organizations, extract sensitive information, and maintain long-term access to compromised networks. ↩︎
APT35, also known as Charming Kitten, is an Iranian cyber espionage group known for its phishing campaigns and cyber-espionage activities targeting individuals and entities that are of strategic interest to Iran, including government officials, journalists, and activists, particularly those involved in Iranian political opposition. This group employs various sophisticated techniques, including social engineering and spear-phishing emails, to steal sensitive information and gain unauthorized access to networks. ↩︎
“The Second Step of the Revolution” is a strategic vision articulated by Iran’s Supreme Leader, Sayyid Ali Khamenei, in February 2019, marking the 40th anniversary of the Iranian Revolution. It aims to deepen the Islamic Republic’s ideological goals, focusing on the “Islamization of the system” across its various branches of government. This directive seeks to further integrate Iran’s version of Shiism into the social and political fabric of the country, targeting especially the youth and future generations to continue the revolution’s objectives. This initiative is viewed as a call to solidify Iran’s Islamic revolutionary principles and adapt them to contemporary challenges, ensuring the revolution remains vibrant and influential in shaping Iran’s future. ↩︎
Soldiers of Solomon is a group long engaged in Information Warfare operations on behalf of Palestine. ↩︎
U.S. Cyber Command (USCYBERCOM) is a unified combatant command of the U.S. Department of Defense tasked with planning, coordinating, and conducting operations in cyberspace. Established to address national security threats and protect U.S. information systems, it operates with the aim of denying adversaries the ability to compromise American cyber infrastructure, while ensuring the United States maintains a strategic advantage in cyberspace. USCYBERCOM works closely with various governmental agencies, military branches, and international partners to enhance cybersecurity and cyber warfare capabilities. ↩︎
U.S. Central Command (USCENTCOM) is one of the eleven unified combatant commands of the U.S. Department of Defense, responsible for American military operations in the Middle East, North Africa, and Central Asia, covering 20 countries. It plays a crucial role in overseeing and coordinating U.S. military efforts in some of the world’s most volatile regions, aiming to promote stability, cooperation, and deter aggression through its strategic presence and partnerships with regional allies. ↩︎
Password spraying is a cyber attack method where attackers use a common password against many user accounts before trying a new password. This approach helps avoid account lockouts that typically occur after multiple failed login attempts, making the attack less detectable. It targets the common practice of using simple and widely used passwords, exploiting the weakest link in security: the human element. ↩︎
Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of traffic. These can include computers and other networked resources such as IoT devices. The massive amount of traffic can overwhelm the target, causing a denial of service to normal traffic. ↩︎
“Ababil” refers to a term mentioned in the Quran, specifically in the context of the Surah Al-Fil (The Elephant), which recounts the story of how God protected Mecca from an invading army led by Abraha, who intended to destroy the Kaaba with an army that included elephants. According to Islamic tradition, God sent small birds called “Ababil” carrying clay stones in their beaks and claws, which they dropped on the invading army, leading to its defeat. The term “Ababil” is often associated with divine intervention and protection in Islamic lore. ↩︎
Izz ad-Din al-Qassam Cyber Fighters aka Qassam Cyber Fighters is a group known for claiming responsibility for cyber attacks, particularly those targeting financial institutions in the United States. They have been active since around 2012 and are named after Izz ad-Din al-Qassam, a preacher and militant leader who is a significant figure in Palestinian nationalism. The group’s attacks are often described as politically motivated, focusing on issues related to the Middle East. ↩︎
Shamoon aka Disttrack is a computer virus characterized by its ability to spread across networks, overwrite files on infected computers with random data, and then trigger the master boot record (MBR) to render the computer unable to boot. It also has a reporting feature that communicates the success of the infection back to the attacker. The virus was notable for its political motives and targeted attack against specific entities. Shamoon resurfaced with new variants in subsequent years, indicating ongoing development and deployment by its creators. ↩︎
Iran International Newsroom. (2024, 01 27). Iran International Reveals Tehran-Based Cyber Group Targeting Israeli Hospital. Retrieved from Iran International: https://www.iranintl.com/en/202401267648
Loading ...
