Iran’s Hackers Are Opportunistic, Patient, and Fearless
Iranian hackers are dangerous not because they have uniquely sophisticated techniques but because they are increasingly less risk-averse than other cyber actors.
Why has Russia not (yet) launched devastating cyberattacks as part of its military invasion of Ukraine? Why has Tehran not successfully executed a headline-grabbing cyberattack against the United States in the years since the Trump administration imposed substantial sanctions on Iran and killed General Qasem Soleimani, commander of the Islamic Revolutionary Guard Corps Quds Force (IRGC-QF)? The question of why adversaries use, or refrain from using, cyberattacks in particular circumstances is important for understanding the role of cyber operations in a nation’s strategic doctrine. In the case of Iran, however, a focus only on the headlines obscures the worrying trend of Tehran’s improving cyber capabilities and may have lulled policymakers into thinking that previous rounds of sanctions and indictments against the regime and its hackers have deterred Iran.
The disparate but sometimes overlapping hacker groups that work at the direction of Iran’s Ministry of Intelligence and IRGC are demonstrating “growing expertise,” the U.S. intelligence community said in February in its annual threat assessment. Iran, the assessment concluded, takes an “opportunistic approach” to cyber operations, particularly those that target U.S. and allied critical infrastructure. For example, experts in industrial control systems (ICS)—that is, the computer systems that monitor and control physical processes in critical infrastructure—maintain that Iranian hackers lack ICS-specific capabilities, but that has not stopped these operatives from attempting attacks by other means. As the Russian ransomware attack on Colonial Pipeline nearly a year ago vividly showed, attackers do not need ICS-specific capabilities to cause a massive disruption of critical infrastructure: the ransomware hit the company’s business network, not its pipeline controls, and the company shut down fuel deliveries anyway as a precaution.
Instead, as the U.S., UK, and Australian governments disclosed in a joint advisory late last year, Iranian government-sponsored hackers are targeting the unpatched business networks of critical infrastructure operators using vulnerabilities disclosed as many as three years ago and a Microsoft Exchange vulnerability that received front-page headlines in early 2021 for its severity and scale. Every one of these flaws had a vendor patch available well before the advisory was issued. These hackers “are actively targeting” U.S. healthcare and public health companies and companies in other industries, the three governments concluded, not for a particular strategic reason, but because these companies are low-hanging fruit when they do not mitigate known vulnerabilities in their systems.
Similarly, in early 2022, researchers at cyber threat intelligence firm Check Point discovered Iranian hackers working for the IRGC who were exploiting the widely reported Log4Shell vulnerability (CVE-2021-44228) in the Log4j logging library to conduct attacks against unspecified victims. They are not the first hackers to take advantage of this vulnerability, but the library is embedded in so many Java applications across thousands of systems that it remains a ripe avenue for attack long after the initial disclosure.
That Iranian hackers are opportunistic does not mean that they are not deliberate. In a November 2021 assessment of Iranian cyber capabilities, Microsoft determined that Tehran’s hackers are displaying more patience and persistence, particularly in their social engineering—the first step in many cyber operations. Whereas operatives previously sent bulk unsolicited emails with malicious attachments, they are now using much more time-consuming and individualized—and often successful—tactics to win the trust of victims in order to lead them to click malicious links and install malware. A more patient adversary is a more dangerous one.
Tehran has also become more dangerous as its hackers have attempted cyberattacks that are reminiscent of the operations successfully deployed by other U.S. adversaries. Witnessing the confusion sown by Russian disinformation operations in the 2016 elections, Iran attempted its own operation during the 2020 presidential election. The U.S. Intelligence Community concluded with “high confidence” that Supreme Leader Ali Khamenei likely “authorized the campaign and Iran’s military and intelligence services implemented it,” calling the operation a “whole of government effort.”
Meanwhile, Iran has begun conducting supply-chain attacks—a common tactic of Chinese and Russian hackers—in order to penetrate dozens or hundreds of companies at once. These attacks entail breaching a trusted vendor, managed service provider, or other third party that holds credentials for, or has direct network access to, the victim’s systems. In one operation in 2020, Iranian hackers breached Amital Data, a logistics software company in Israel, along with other companies in the logistics and import sectors. The hackers then used Amital’s list of clients and the stored credentials for those clients to compromise another forty firms. The combination of the technical details and the absence of ransomware or extortion demands pointed to an Iranian operation aligned with Tehran’s interests, if not directly commissioned by the regime.
Iran’s opportunism and evolving cyber capabilities should prompt greater investment in cyber defense. The United States and its allies must provide Iranian hackers with fewer opportunities to exploit even as Tehran becomes more persistent. But stronger cyber defenses alone may not be sufficient to stop Tehran. The U.S. Intelligence Community warned in February that Iran has a “growing willingness to take risks” in its cyber operations.
As an example, it pointed to an attempted Iranian attack on Israeli water systems in 2020. Yigal Unna, head of Israel’s National Cyber Directorate, speculated at the time that the attempt could mark a “changing point in the history of modern cyber warfare.” This assertion was an overstatement—the attempt was far from the first Iranian effort to attack critical infrastructure, and Russia and China have undertaken numerous operations to compromise U.S. critical infrastructure. Still, Israel took the attempt so seriously that it reportedly responded by launching a cyber operation that knocked a major Iranian port offline.
The regime in Tehran surely understood that Israeli retaliation was inevitable—especially if its hackers had succeeded in causing a public health crisis—but chose to launch the operation, nonetheless. Thus, Iranian hackers are dangerous not because they have uniquely sophisticated techniques but because they are increasingly less risk-averse than other cyber actors.
Underestimating a committed adversary is dangerous, and a misdiagnosis of Tehran’s strategic thinking risks causing an underinvestment not only in cyber defense but also in intelligence gathering about Iranian capabilities and intentions. With intelligence and insights into Tehran’s thinking, the United States and its allies may be able to preempt or disable its hackers’ riskiest and most dangerous activities. The result of underinvestment, however, may be strategic surprise when Tehran exploits an opportunity to launch a devastating attack on the U.S. and its allies.
Annie Fixler is deputy director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD) and an FDD research fellow. Follow Annie on Twitter @afixler. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.