Tensions between the United States and Iran have been escalating since the Trump administration came into office in January 2017 (1) and withdrew from--and in November 2018 began reimposing sanctions lifted pursuant to--the 2015 nuclear agreement, formally known as the Joint Comprehensive Plan of Action (JCPOA). (2) Washington has further escalated sanctions since then, and Iran has responded with violence and destabilizing activities across multiple domains. (3) In total, U.S. sanctions have cost Iran $200 billion in investment and oil revenue, according to President Hassan Rouhani. (4) Inflation is rampant, (5) foreign exchange reserves are rapidly shrinking, and the country has entered a deep recession. (6)
In response, the regime and its Islamic Revolutionary Guard Corps (IRGC) have harassed and even bombed vessels traveling through the Persian Gulf, (7) and downed a U.S. drone in international airspace. (8) State-backed hackers have, among other things, increased targeted phishing attempts (a) against private industry in the United States and around the world (9) and against journalists and activists. (10) Tehran also stands accused of launching drone and missile attacks on Saudi oil giant Saudi Aramco. (b)
While the Trump administration reportedly launched cyberattacks on Iran following the downing of the U.S. drone, (11) the president ordered but then canceled military strikes minutes before their execution. (12) After the Aramco attack, the Trump administration reportedly again used exclusively U.S. cyber tools, this time conducting an attack aimed at degrading Iran's propaganda capabilities. (13) As a result, the U.S. strike that killed General Qassem Soleimani, commander of the IRGC Quds Force, took the world by surprise.
The January 3, 2020, drone strike that killed Soleimani and Abu Mahdi al-Muhandis, commander of the Iranian-backed, U.S.-designated terrorist organization Kata'ib Hezbollah (KH), (14) came in response to rocket attacks by KH that killed a U.S. contractor working on a military base in northern Iraq. (15) The U.S. military first responded with airstrikes on KH targets in Iraq and Syria. (16) Pro-Iranian protestors then attacked the U.S. embassy in Baghdad. (17) A day later, the U.S. military launched its drone strike.
Commentators on both sides of the political spectrum fretted that the United States was on the "brink of war," (18) but the tensions that threatened to boil over have since returned to a simmer. Even as the Iranian regime responded to Soleimani's killing by launching a barrage of missiles at U.S. military bases in Iraq, President Trump proclaimed that Iran "appears to be standing down." (19) Foreign Minister Javad Zarif similarly tweeted that the regime "concluded proportionate measures," indicating that no further escalation was forthcoming. (20)
And yet, the threat that the Islamic Republic poses in cyberspace has not abated. Just as the regime is unlikely to cease its support for terrorism, pursuit of nuclear-capable intercontinental ballistic missiles, and aggressive behavior toward its neighbors, (21) it is unlikely to cease its malicious cyber operations. Indeed, nearly three weeks after Soleimani's death, the FBI urged businesses to remain on alert and review warnings about the conduct of pro-regime cyber operators. (22)
It is well understood that cyber can be an effective asymmetric tool for causing damage to more militarily powerful adversaries, particularly when deployed against the private sector. The U.S. intelligence community assesses that the Iranian regime is "capable of causing localized, temporary disruptive effects" and is constantly preparing cyberattacks against the United States and its allies. (23) There is no indication that Soleimani's death will fundamentally alter the regime's regional ambitions or its modus operandi in the physical and cyber domains. Statements from both Iran's Supreme Leader Ali Khamenei and from Soleimani's successor, Esmail Qaani, have emphasized the continuity of Iranian policy despite the change of leadership. (24)
While Iran is generally considered a less sophisticated cyber actor than other U.S. adversaries, the regime and its hackers tend to be much less risk-averse. (25) A common view held by researchers who follow the activity of Iranian hackers is that they are more likely to engage in destructive or disruptive attacks whereas their counterparts in other countries might be more inclined to quietly collect valuable data and intelligence. (26) (c)
Kiersten Todt, the executive director of the Commission on Enhancing National Cybersecurity under President Barack Obama, explained, "Iran is dangerous because they have the intent, motivation and capabilities. While their cyber capabilities are not on par with Russia and China, they are innovative and can cause both physical and psychological disruption." (27)
This article examines Iran's cyber strategy, including by analyzing two significant operations in order to understand how the regime uses cyber as part of its asymmetric arsenal. The article then examines the malicious cyber activity emanating from Iran since Soleimani's death and the overall cyber threat landscape with regard to Iran to begin to anticipate the type of state-backed, Iranian cyber operations that may occur in the short and medium term. This analysis leads to the conclusion that while the Iranian cyber threat is significant and persistent, Soleimani's death may have little impact on the trajectory.
The Islamic Republic's Cyber Strategy
Cyber operations are a key pillar of Iran's strategy, which relies on asymmetric capabilities to battle its more powerful adversaries. (28) Following the killing of Soleimani, retired Lieutenant General Vincent Stewart, former deputy commander at U.S. Cyber Command, testified before Congress that the regime views its cyber capabilities as a "vital tool of statecraft and internal security" and a "low cost" way to retaliate against its enemies. (29)
Like many nation states, Iran uses cyber operations to collect intelligence and conduct espionage, and like all authoritarian governments, the regime uses cyber to "silence and weaken" its internal opposition, according to a 2018 U.S. State Department report. (30) In fact, most victims of regime cyber operations are Iranian citizens and expatriates, scholars Collin Anderson and Karim Sadjadpour have noted. (31)
When targeting the United States and its allies, the Iranian regime often directs its cyber operations against private industry, which is generally less well defended than U.S. government networks. As a result, Tehran is able to target the soft underbelly of its more powerful foes. These cyber-enabled economic warfare operations appear to be Iran's attempts to warn its adversaries that just as the United States can cause economic damage to its enemies by using financial sanctions, Tehran can undermine the strategic capabilities of its enemies by targeting their economies with cyberattacks. (32)
Externally, Saudi Arabia has borne the brunt of Iranian malicious cyber operations in recent years. Even when Iranian operatives target numerous government and private entities over the course of a campaign, private cybersecurity firms consistently find that the plurality of victims are Saudi. (33) This is likely because the two states are bitter regional rivals and because Saudi cyber defenses are weaker than those of Iran's other primary foes, Israel and the United States. (34) For example, after Israel's Cyber Defense Directorate detected an Iranian attempt in 2017 to infiltrate and possibly corrupt its home front missile alert system, the division was able to quickly excise the hackers, assess what they had accessed, and reinforce network defenses. (35)
In contrast, despite suffering substantial losses when the Shamoon computer virus hit state-owned oil company Saudi Aramco in 2012 (discussed later), Riyadh's systems were insufficiently reinforced such that four years later, hackers working on behalf of the Iranian regime were able to use a new variation of the virus to corrupt computers at more than a dozen Saudi government agencies and businesses. (36)
There are two other explanations related to the comparative weakness of Riyadh's defenses that are worth mentioning. Iranian hackers may be practicing against an easier target to hone their skills before pivoting to attacking the United States or Israel. Or, these hackers may be attempting to attack the United States, Israel, and Saudi Arabia with the same frequency, but because U.S. and Israeli defenses are stronger, these two nations are able to suppress threats quickly and quietly, whereas attacks on Saudi Arabia are more likely to be reported.
To understand how cyber capabilities fit into Tehran's asymmetric toolbox, it is worth examining two of the regime's first forays into offensive cyber operations: the regime's 2012 attack against Saudi Aramco and 2011-2013 distributed denial of service (DDoS) attacks against U.S. financial institutions. Iranian hackers have since conducted numerous campaigns, in particular since the Trump administration came into office. (See Table 1.) In more recent campaigns, hackers have targeted dozens or hundreds of companies and individuals, not always for the same reason. For example, cybersecurity firm FireEye found that one Iranian Advanced Persistent Threat (APT) group targeted aviation and energy companies in Saudi Arabia, South Korea, and the United States. FireEye hypothesized that "the targeting of the Saudi organization may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea's recent partnerships with Iran's petrochemical industry as well as South Korea's relationships with Saudi petrochemical companies." (37) In contrast, the two early cases have discrete targets attacked over a limited timeframe, and therefore it is easier to extrapolate the...