August 11, 2016

TSG IntelBrief: Iran’s Growing Cyber Capabilities

• Iran has developed significant cyber capabilities to further external strategic and internal security objectives.

• Iran has used cyberattacks as part of its strategy against its enemies, including Saudi Arabia and Israel.

• U.S. technological capabilities remain far superior to those of Iran, making it unlikely Iranian cyberattacks could cripple critical infrastructure for prolonged periods.

• The multilateral nuclear agreement will likely limit Iran’s use of cyberattacks against the U.S. or European countries, as Iran does not want to jeopardize sanctions relief.


Over the past several years, Iran’s security apparatus has developed advanced cyber capabilities that can be adapted to different missions. The extensive use of social media by participants in the 2009 ‘Green Movement’ uprising in Iran convinced the regime it needed additional capabilities to control and monitor the public’s use of the Internet. International sanctions escalated dramatically in 2010, largely shutting off Iran from receiving Western information technology and skills. As a result, Iran was forced to develop its information technology capacity domestically. Adding to the Iranian government’s sense of urgency for developing its cyber capabilities was a 2010 joint U.S.-Israeli cyberattack known as ‘Operation Olympic Games.’ The attack, which targeted Iran’s nuclear infrastructure, used the famous ‘Stuxnet’ virus to destroy approximately 20% of Iran’s operational uranium enrichment centrifuges by causing them to spin too fast.

Iran’s cyber operations began in earnest as part of the government effort to suppress the Green Movement by monitoring the Internet usage of opposition activists and then arresting them. When the uprising was defeated in 2012, the regime directed its growing capabilities outward to its regional and international adversaries. Iran first formalized the structure of its cyber-related initiatives as the ‘Iranian Cyber Army’—led by the IRGC—to operate under a ‘Supreme Council of Cyberspace,’ created by Supreme Leader Grand Ayatollah Khamenei in early 2012. Later, Iran’s cyber strategy was put under the command of IRGC Brigadier General Behrouz Esbati, reporting to the Armed Forces General Staff. That staff, which nominally commands both the regular army and the IRGC, is led by an IRGC officer, Mohammad Bagheri, appointed by Khamenei in June.   

The IRGC’s external cyber operations started slowly, focusing initially on cyber-espionage against a wide range of regional and Western targets. Encouraged by the ease of penetrating adversary networks and the deniability of its intrusions, the IRGC began conducting actual attacks as a tool of its regional strategy. The 2011 Arab uprisings widened the split between Iran and its Shi’a allies on one side, and Saudi Arabia, its Persian Gulf allies, and other Sunni powers on the other. As Iran and Saudi Arabia contested for control over the destiny of several countries racked by violence, Iran conducted cyberattacks on Saudi Arabia’s state-owned oil company Saudi Aramco and the Saudi power grid, Qatar’s Ras Gas natural gas conglomerate, and Israel’s power grid. For Iran, the cyberattacks were meant to send a message to its regional adversaries that they had underestimated Iranian technological prowess. Iran hoped to demonstrate that Saudi Arabia, Israel, and Western powers were vulnerable, and that Iran could expand its arsenal beyond conventional warfare or warfare by proxy.  

Iran has also launched cyberattacks against the United States. In early 2016, after a long investigation, U.S. prosecutors indicted seven Iranians ‘sponsored by the IRGC’ for conducting ‘distributed denial of service’ (DDoS) attacks during December 2011 through May 2013. The attacks targeted a total of 46 U.S. banks (including Bank of America, J.P. Morgan Chase, Wells Fargo, and Citigroup) as well as the Bowman dam in upstate New York. Iran likely conducted these attacks to demonstrate its ability to harm the U.S. economy in retaliation for U.S. efforts to cripple Iran’s economy through sanctions related to Iran’s nuclear program. 

Iran’s cyber capabilities have brought Iran into the upper ranks of worldwide cyber threats, joining RussiaChina, and, to a lesser extent, North Korea. Iranian cyberattacks have also exposed significant vulnerabilities in the security of the information networks of the U.S. and its key regional allies. However, Iran’s cyber capabilities should be kept in perspective. None of Iran’s cyberattacks have crippled any critical infrastructure of the targeted countries, and the disruptions caused by Iran’s attacks were of relatively short duration. Some Iranian cyberattacks were wholly unsuccessful, attacking decoy infrastructure rather than the intended targets. Although Iran’s information technology prowess was substantially underestimated until recently, Iran’s capabilities are nowhere near those of the U.S. or its major allies, including Israel. Collectively, the U.S. and its partners have sufficient skills with which to detect and defeat Iranian cyberattacks.      

The 2015 multilateral nuclear agreement with Iran serves as a further deterrent to Iran’s use of cyberattacks. Under the nuclear agreement, sanctions relief for Iran’s major economic sectors is linked solely to Iran’s compliance with its nuclear commitments. The agreement does not preclude the imposition of new sanctions on Iran for its sponsorship of terror groups, development of missiles, human rights abuses, or aggressive activities such as cyberattacks. Any new sanctions on Iran would further complicate the return of international businesses to the Iranian market and reduce the economic benefits of the nuclear deal for the Iranian people. This might explain why Iran has been hesitant to launch any significant new cyberattacks over the past two years. Still, if new sanctions are imposed on Iran for any reason, the Iranian response is likely to include new and more sophisticated cyberattacks.


For tailored research and analysis, please contact:


Subscribe to IB