Since the Stuxnet attack on Iran's nuclear facilities, Tehran has focused on expanding its cyber operations and digital surveillance capabilities. Iran sees its ally, Hezbollah, as a key part of its enhanced cyber program. The Iranian government has provided cyber training and technology to Hezbollah operatives and recently helped the Lebanese-based Shia terrorist group build its own counterintelligence cyber unit. This is a new development: in 2018, a Carnegie Endowment for Peace report noted how "there has been little prior evidence of direct sharing of [cyber] tools" between Iran and Hezbollah. After the collapse of the Islamic State caliphate, Hezbollah has taken on the mantle of being the most sophisticated and influential Middle Eastern terrorist organization in cyberspace.
Under the direction of the Quds Force of Iran's Islamic Revolutionary Guard Corps, Hezbollah's new cyber unit is primarily tasked with gathering intelligence on Lebanese state institutions and bolstering the cyber defenses of Iran's security apparatus. The Iranian-backed unit also conducts cyberattacks on strategic financial targets, such as gas and oil companies, in the Gulf states. Reports indicate that the unit is likely based in Beirut's southern neighborhood of Dahieh and has computer equipment similar to that of Tehran's Sharif University. Iran has long accepted patriotic hackers, a term used by cybersecurity professionals to describe citizens of a country engaged in cyber measures to advance the strategic interests of their homeland, as part of its overall cyber strategy. The Iran-Hezbollah cyber pact indicates the next step in Iran's cyber program, as Lebanese proxies will share highly valuable cyber infrastructure with their allies in Tehran.
Hezbollah's cyber attacks have long been a source of concern for Middle Eastern and Western governments. In January 2021, it was discovered that a Hezbollah-affiliated cyber unit, known as Lebanese Cedar APT, launched attacks for more than a year on telecommunications companies and internet providers in the United States, United Kingdom, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, Palestine, and the United Arab Emirates. Lebanese Cedar cyber agents hacked into the internal networks of companies, such as the U.S.-based firm Frontier Communications, to collect sensitive data. Lebanese Cedar's trademark is to use a custom Explosive remote access tool (RAT), which allows the group to avoid exposure and remain inside compromised systems for long periods of time. In 2010, the Obama administration described Hezbollah as "the most technically-capable terrorist group in the world." Iran's direct support of a Hezbollah cyber unit will further advance the technological sophistication of the terrorist organization.
Hezbollah's long-established reputation for conducting psychological operations has also moved into cyberspace. During the Covid-19 pandemic, Hezbollah provided cyber education on information warfare to foreign recruits. In an effort to earn much-needed funds, Hezbollah trained young Arabs in the art of spreading propaganda and disinformation through online channels. More importantly, Hezbollah's cyber training is meant to advance Iran’s strategic interests and subvert Tehran's regional enemies, chiefly Israel and Saudi Arabia. Many of Hezbollah's cyber trainees come from Iraq and support the country's pro-Iranian terrorist group, Kata'ib Hezbollah. Hezbollah is using its cyber forces to expand Iran's regional influence by disseminating Tehran's strategic messaging in unstable countries, such as Iraq. According to Mike Wagenheim of Media Line, "In a place like Iraq, where government and media institutions are weak, social media is especially amplified, which makes Hezbollah's training all the more valuable, and more in-demand than ever."
So, why is Iran increasingly utilizing Hezbollah as a cyber proxy? First, it grants Tehran a degree of deniability. Because Tehran trains and enhances the cyber forces of its Lebanese ally rather than acting directly, foreign powers may not retaliate against Iranian targets after a Hezbollah-initiated cyber attack. Since Hezbollah is not a nation-state, its strategic assets are far more limited targets if a foreign government retaliates. Second, Iran has recently focused on reuniting its "axis of resistance." This shadowy alliance of Iranian-backed proxy forces, such as Hezbollah and Hamas, and anti-Western governments in the Middle East sees Tehran as the spiritual center of the Muslim world. After the devastating Stuxnet attack, the Iranian government understands that bolstering cyber capabilities, alongside military power, is an essential part of twenty-first-century warfare. In 2015, it was reported that the Iranian government had enlarged its cybersecurity budget by 1,200 percent in a two-year period. If Tehran aims to be the regional hegemon in the Middle East and supplant U.S.-Israeli influence in the region, bolstering the cyber capabilities of pro-Iranian movements and organizations in the Middle East will be a critical asymmetric tool for the Iranian government.
While competition with Russia and China remains the top priority for U.S. policymakers and security officials, the cyber threat posed by Hezbollah needs to be taken into greater account. A devastating cyber attack on U.S. critical infrastructure could not only imperil U.S. financial interests but put the lives of American citizens in danger as well.
Benjamin R. Young is an assistant professor of homeland security and emergency preparedness in the Wilder School of Government and Public Affairs at Virginia Commonwealth University. He is the author of the book Guns, Guerillas, and the Great Leader: North Korea and the Third World, and his writing has appeared in a range of media outlets and peer-reviewed scholarly journals. Follow him on Twitter @DubstepInDPRK