What’s Next for Iran’s Cyber Actors?
The country has grown as a talented, and destructive, network threat over the last several years.

Expect more network-enabled spying and possibly destructive cyberattacks in the wake of the killing of Iran’s most important military commanders, experts said.

“We will probably see an uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment. We also anticipate disruptive and destructive cyberattacks against the private sphere,” said John Hultquist, director of Intelligence Analysis at FireEye, in a Friday statement.

Like a lot of smaller state actors, Iran has been growing its cyber capacity over the last several years. Clumsy distributed-denial-of-service attacks and website defacements in 2009 led four years later to the manipulation of search query commands in an attack on the Navy Marine Corps Intranet. In 2013, an Iranian national allegedly breached the control system of a dam in Rye, New York. Two years later, Iranian actors used wiper malware to delete files from some 35,000 computers owned by Saudi Aramco, one of the most disruptive attacks to date.

Iranian cyber actions spiked ahead of the 2015 signing of the multinational deal that limited Iran’s nuclear activities. Targets included U.S. financial organizations and even the Sands casino in Las Vegas. Owned by outspoken conservative Sheldon Adelson, who had argued publicly against the deal, the casino’s networks were wiped clean, doing a reported $40 million in damage.

Iranian cyber activity dropped off somewhat after the signing of the nuclear deal. But in 2017, a threat group that FireEye dubbed APT33 attacked aerospace and petrochemical targets across the United States, Saudi Arabia, and South Korea. The group created domain names to send convincing emails pretending to be from Boeing, Northrop Grumman, and various joint ventures. The methods — targeted spear-phishing and domain-name squatting — suggest that the intent was industrial espionage, not destruction. And in December 2018, a series of dramatic wiper attacks targeted Italian, Saudi and UAE oil interests in the Middle East, attacks that experts have attributed to Iran.

What’s Next

The past year brought various warnings of a new spike in malign network activity. A January 2019 report indicated that Iran had been attacking domain name service providers, aiming to set up fake domain names that could facilitate a new wave of spear-phishing operations.
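The two techniques the article names, lookalike domains registered to impersonate firms such as Boeing and Northrop Grumman, and fake domains stood up through compromised domain name service providers, both surface on the defender's side as sender domains that are almost, but not quite, a trusted one. The script below is an added illustration of how a mail gateway or SOC triage job can flag such senders; it is not code from the article, FireEye, or any organization mentioned. The trusted-domain list, the sample `From:` headers, the homoglyph table and the one-edit threshold are all constructed assumptions, and the `.example` domains are placeholders rather than real registrations.

```python
"""Flag sender domains that imitate trusted brand domains.

Added example for lookalike-domain detection (typosquats, homoglyph swaps,
and brand names embedded in longer labels). Not code from the article or
from any vendor it names; every domain and threshold here is constructed.
"""
import re

# Constructed list of legitimate partner domains (assumption: the org keeps
# such a list for suppliers and joint-venture partners). Placeholders only.
TRUSTED_DOMAINS = {"boeing.example", "northropgrumman.example", "acme-jv.example"}

# Single-character and two-character substitutions commonly used to make a
# registered lookalike resemble the brand at a glance (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})
MULTI_GLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def registrable_label(domain):
    """Return the label left of the TLD, lowercased.

    Simplification: treats the final label as the TLD and ignores multi-label
    suffixes such as co.uk; a production check would consult the public
    suffix list instead.
    """
    labels = domain.lower().strip().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label):
    """Fold homoglyphs and hyphens so 'b0eing' compares equal to 'boeing'."""
    label = label.translate(HOMOGLYPHS)
    for src, dst in MULTI_GLYPHS:
        label = label.replace(src, dst)
    return label.replace("-", "")


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain) with verdict in
    'trusted', 'lookalike', or 'unrelated'."""
    if domain.lower() in trusted:
        return "trusted", domain.lower()
    label = normalize(registrable_label(domain))
    for t in trusted:
        t_label = normalize(registrable_label(t))
        # Same label after folding, one edit away (typosquat), or the brand
        # embedded in a longer label such as brand-supplier / brand-careers.
        if label == t_label or levenshtein(label, t_label) <= 1 or (
            len(t_label) >= 5 and t_label in label
        ):
            return "lookalike", t
    return "unrelated", None


FROM_RE = re.compile(r"^From:.*?@([A-Za-z0-9.\-]+)", re.IGNORECASE)


def scan_headers(header_lines):
    """Classify the sender domain of each 'From:' line; returns
    a list of (domain, verdict, matched_trusted_domain)."""
    findings = []
    for line in header_lines:
        m = FROM_RE.match(line)
        if not m:
            continue
        domain = m.group(1).lower()
        verdict, match = classify_domain(domain)
        findings.append((domain, verdict, match))
    return findings


# Constructed sample headers; none of these senders are real.
SAMPLE_HEADERS = [
    "From: HR Team <careers@boeing.example>",
    "From: Recruiting <jobs@b0eing.example>",
    "From: Supplier Portal <notice@boeing-supplier.example>",
    "From: Partner <info@northropgrummen.example>",
    "From: Newsletter <news@weather.example>",
]

if __name__ == "__main__":
    for domain, verdict, match in scan_headers(SAMPLE_HEADERS):
        print(f"{domain:32} {verdict:10} {match or ''}")
```

The substring rule deliberately fires on any label that contains a trusted brand, which catches "brand-supplier" registrations but will also flag legitimate third parties that use a partner's name; treat a "lookalike" verdict as a triage signal to be confirmed against DMARC results and registration age, not as a block decision on its own.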

The following month, CrowdStrike’s 2019 annual threat report noted that despite “some short-term gaps in attributable incidents this year, Iran based malicious cyber activity appeared to be fairly constant in 2018 — particularly involving incidents targeting other countries in the [Middle East and North Africa] region...Additionally, it is suspected that Iranian adversaries are developing new mobile malware capabilities to target dissidents and minority ethnic groups.”

In June, Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency, or CISA, at the Department of Homeland Security, said in a statement: “CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies. We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information, and take steps to keep America and our allies safe.”