October 28, 2022 | CEEW Monograph

The Dangers of Iran’s Cyber Ambitions


Tehran has not engaged in spectacular cyberattacks against the United States over the past four years — even after the Trump administration imposed devastating sanctions on Iran and launched a drone strike that killed Major General Qassem Soleimani, commander of the Islamic Revolutionary Guard Corps (IRGC) Quds Force.1 This is a puzzling departure from precedent and obscures the broader trend of Tehran’s improving cyber capabilities.

Iran’s 2011–2013 campaign of DDoS attacks against the U.S. financial system — in which hackers took down bank websites by flooding them with traffic — marked one of the earliest examples of CEEW by any nation.2 Since then, Tehran appears to have recalibrated its tactics to mirror some of the more successful operations of other U.S. adversaries. The Islamic Republic now engages in disinformation operations, conducts supply chain attacks, and penetrates U.S. critical infrastructure. Some of these activities may constitute CEEW, while others position Iran for future attacks.

Washington should not assume that Tehran’s tactical changes indicate the United States has deterred Iran from launching destructive attacks. Deterrence is not static. It requires regular maintenance. Underestimating a committed adversary is dangerous, and a misdiagnosis risks underinvestment in intelligence gathering, leading to strategic surprise. It is possible that U.S. sanctions, indictments, and counter-cyber operations have deterred Iran from further attacks.3 It is also possible that Iranian hackers are attempting dramatic attacks but failing.

Alternatively, the regime may have elected not to expend limited resources on destructive attacks but to maintain the capability to employ them later on. After all, cyber-espionage can always be a steppingstone to more aggressive operations, and it can be difficult to parse motive from a few lines of code. In late 2019, for example, Microsoft warned that Iranian hackers were trying to breach industrial control systems (ICS) — that is, computer systems that control critical infrastructure — to conduct physically disruptive attacks in the United States.4 Other private security researchers cautioned that reconnaissance and espionage were equally likely motivations.5 Given the uncertainty, the United States cannot afford to dismiss the Iranian cyber threat.

Iran’s hackers are persistent. For example, in 2018, the Department of Justice charged the Iranian government with sponsoring a multi-year campaign to pilfer data from hundreds of universities, companies, and government entities in the United States and around the world.6 The following year, researchers discovered the same hackers using the same tactics and network infrastructure to target more than 60 universities in the United States.7

Iranian hackers have repeatedly caused damage despite their less sophisticated capabilities compared to America’s other cyber adversaries. And Tehran’s skills are improving. The Islamic Republic is demonstrating a “growing expertise” in its cyber operations, the U.S. intelligence community concluded in its February 2022 annual threat assessment.8 Likewise, Microsoft observed a “gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran” throughout 2021.9

In recent years, Tehran has demonstrated improvements in its social engineering and technical skills that raise concerns for future Iranian cyber operations, CEEW or otherwise. Rather than focus exclusively on thwarting or deterring current Iranian operations, the United States and its allies must take steps to prevent Iran from becoming a more capable adversary in the future.

Domestic Repression as a Cyber Training Ground

The Islamic Republic’s cyber capabilities were born in reaction to the mass protests following the fraudulent 2009 Iranian presidential election.10 The protesters’ use of the internet and social media for mobilization and information sharing was the regime’s first brush with the power that cyberspace provided to the Iranian people.

Iran’s Ministry of Intelligence has thus “recruited highly educated people and turned their cyber talents into tools to exploit, harass, and repress their fellow citizens and others deemed a threat to the regime,”11 according to FBI Director Christopher Wray. This development threatens the United States because the techniques deployed against Iranian dissidents “foreshadow the tactics and tools that will be employed against other targets,” scholars Collin Anderson and Karim Sadjadpour concluded in a study four years ago. They noted that “most victims of Iranian cyber operations are in Iran or the large Iranian diaspora,” but the Advanced Persistent Threat (APT) groups responsible for internal surveillance are often also responsible for global espionage.12

In September 2020, Washington imposed sanctions on Iran’s APT39 and its front company Rana Intelligence Computing Company, which were operating on behalf of the Iranian Ministry of Intelligence. The U.S. Treasury Department explained that Rana’s operations were “both internal to Iran and global in scale,” with its victims comprising “hundreds of individuals and entities from more than 30 different countries across Asia, Africa, Europe, and North America,” including 15 U.S. companies.13

Like the line between domestic and internationally focused APTs, the distinction between espionage-focused APTs and destructive APTs may also be blurring. Private cybersecurity firms have warned that Iranian APTs associated with espionage maintain destructive malware in their arsenal.14

The overlap between those engaged in domestic and international operations is not surprising. The tactics needed to surveil or harass domestic opponents can apply to international espionage targets. For example, the Department of Justice indicted two Iranian hackers in September 2020 for a “coordinated cyber intrusion campaign — sometimes at the behest of the government of the Islamic Republic of Iran.” These hackers “brazenly infiltrated computer systems” around the world, explained then-U.S. Attorney for the District of New Jersey Craig Carpenito. They sought to steal sensitive data while also attempting “to intimidate perceived enemies of Iran, including dissidents fighting for human rights in Iran and around the world.”15

Tehran clearly seeks to shape the domestic information environment. For example, to prevent activists from organizing and sharing information, the regime has repeatedly throttled internet connectivity during protests.16 In November 2019, Tehran ordered internet service providers to disrupt internet access across the country as demonstrations against fuel price spikes spiraled into political protests against the regime.17 Similarly, Iran’s Khuzestan Province experienced internet disruptions in July 2021 during protests sparked by water shortages.18 In both cases, Tehran aimed to limit the ability of protestors to share information with the outside world about the regime’s suppression of dissent.

Human rights and digital rights organizations attribute Tehran’s ability to cut internet access to Iranian efforts over the past decade to filter web content and to build a sovereign internet infrastructure known as the National Information Network, or SHOMA in Persian.19 In March 2021, the IRGC announced yet another initiative to purge the internet of “vulgarities.”20 The effort implemented Supreme Leader Ali Khamenei’s instructions that the internet “should not be put at the discretion of the enemy.”21

Advancements in Disinformation Operations

Tehran has long engaged in online influence operations to “launder information and push distorted narratives, especially with respect to Iran and Saudi Arabia,” the congressionally mandated Cyberspace Solarium Commission concluded in December 2021.22 The Commission noted that Iranian disinformation operations have become more frequent, but “its tactics remained technically unsophisticated.” Indeed, Iran’s skills do not match those of Russia, but over the past four years, Tehran’s hackers have demonstrated a growing understanding of the U.S. information environment and the social engineering needed to target Americans.

Fortunately, the four Iranians responsible for a 2014–2015 cyber-espionage operation targeting U.S. intelligence officials appear to have had limited success because of their poor English-language skills.23 The hackers worked with a former U.S. counterintelligence agent (whom the Justice Department later charged with espionage) and were therefore presumably valuable Iranian operatives. But their grammar revealed them as imposters.

By contrast, when Microsoft revealed a 2020 Iranian operation targeting more than 100 people planning to attend the Munich Security Conference, a prestigious gathering in Germany, the company noted the attackers used “perfect English.”24 One may infer Iranian hackers now have a better command of the English language.

Two Facebook operations highlight Iran’s growing understanding of how to leverage social media platforms.25 Social engineering can convince a target to download malware, hand over credentials, or believe a false narrative. In 2018, Facebook shut down accounts for “coordinated inauthentic behavior” when Iranian hackers tried to convince victims to follow pages and consume disinformation.26 Three years later, Facebook revealed another operation involving “sophisticated fake online personas” with “profiles across multiple social media platforms to make them appear more credible.”27

Microsoft also observed that Iranian threat actors are displaying more persistence.28 Whereas actors previously sent bulk unsolicited emails with malicious attachments, they are now using much more time-consuming and individualized tactics.29

These improvements were evident in a disinformation operation during the 2020 U.S. presidential election. Having witnessed Russia’s success at sowing discord during the 2016 election, Iranian hackers attempted a combined hacking and disinformation operation against American citizens, according to U.S. government statements and a Justice Department indictment.30 The indictment does not directly attribute the operation to the Iranian government and only alleges that the hackers worked for a company that provides services to the Iranian regime. However, a U.S. intelligence community assessment concluded with high confidence that Supreme Leader Khamenei likely authorized a “whole of government effort” to interfere in the U.S. election.31

Director of National Intelligence John Ratcliffe arrives to a closed-door briefing on election security for the Senate Select Committee on Intelligence on September 23, 2020, in Washington, DC. (Drew Angerer/Getty Images)

Because of the hackers’ mistakes, American law enforcement quickly uncovered an effort to intimidate registered Democrats by impersonating the Proud Boys, a right-wing extremist group.32 The subsequent Justice Department indictment revealed, however, that the operation was more sophisticated than early reporting indicated. The hackers first attempted to compromise voter registration websites in multiple states. Successfully breaching one, the hackers downloaded 100,000 voter records. They then used the information to target registered Democrats with the voter intimidation emails.33 These emails included the name and address of the recipient and did not contain grammatical errors that compromised their credibility. The hackers also sent messages and videos to Republican lawmakers and members of the media, again pretending to be Proud Boys volunteers, claiming that Democrats were hacking election records and creating fraudulent ballots.34

The operation revealed an understanding of the fissures in American society. “The message to Republicans echoed baseless claims Trump had already voiced — that Democrats were prepping to steal the election. The message to Democrats was that thuggish Trump supporters were trying to bully their way to victory,” The Washington Post explained.35

In addition to Tehran’s own disinformation operations, the convergence of Iranian, Russian, and Chinese disinformation campaigns provides an avenue for the Islamic Republic to achieve an outsized impact.36 As scholar Clint Watts has observed:

By opportunistically reinforcing each other’s information manipulation efforts, the cumulative sum of their [Russia, Iran, and China] efforts is greater than its individual parts. It also allows each country to concentrate on its comparative advantages. Russia’s tremendous capacity for content production and programming in multiple languages offers China and Iran cost savings and extended reach. China’s Twitter attacks on America provide the Kremlin an information warfare proxy. Iran’s haughty, aggressive anti-American claims allow Russia and China to advance narratives they’d rather not put forth under their own names.37

This amplification of each other’s messages does not prove coordination. However, the potency of mutually reinforcing disinformation efforts by adversaries is concerning. If U.S. adversaries recognize the benefits of “opportunistically reinforcing” each other’s operations, they may begin to apply it to CEEW campaigns. 

Lessons From Attacks on Iran’s Neighbors

Iranian cyber operations against its regional adversaries “could be a testing ground for attacks against U.S. targets,” as The Washington Post put it, citing Adam Meyers of cybersecurity firm CrowdStrike.38 As U.S. sanctions intensified and tensions soared in the Persian Gulf in the summer of 2019,39 Iran launched cyberattacks against Bahrain. While Tehran’s animosity toward Manama pales in comparison to its rivalries with Riyadh and Jerusalem, Bahrain is home to the U.S. Navy’s Fifth Fleet and Naval Forces Central Command. Among other targets, Iranian hackers hit Bahrain’s Electricity and Water Authority, Aluminum Bahrain, and national oil company Bapco. The attacks disrupted the operation of these critical-infrastructure entities by destroying (or “wiping”) data vital to their function.40 A few months later, IBM’s threat researchers disclosed a destructive Iranian campaign targeting industrial and energy firms across the Middle East.41 Saudi Arabia detected similar activity.42

Data destruction has no intelligence value but can have a strategic or psychological value. For example, in late 2020, the Israeli cybersecurity firm ClearSky observed an Iranian APT conducting what appeared to be criminal ransomware operations against Israeli targets.43 The firm concluded, however, that because the hackers leaked data and posted threatening messages, they were engaged not in ransomware but in information operations aimed at sowing fear in the Israeli public.44

Separately, the hacker group MuddyWater — which the U.S. government subsequently called “a subordinate element within the Iranian Ministry of Intelligence and Security”45 — launched a series of ransomware attacks on Israeli companies in the fall of 2020.46 ClearSky assessed that the attack did not aim to extract a ransom for locked data. Rather, the operation resembled Russia’s 2017 NotPetya attack on Ukraine, in which hackers disguised their wiper malware (which destroys data) as ransomware (which merely encrypts the data until the victim pays a ransom).47

Using ransomware to disguise espionage, destruction, or influence operations helps obscure the attackers’ motivation. It may also hinder attribution by creating the impression that the attackers are criminals operating independently from a nation state.

Learning from other hackers, Iranian APTs have also begun experimenting with supply chain attacks against Iran’s neighbors. In such attacks, the hacker penetrates dozens or hundreds of companies by breaching a trusted vendor, managed service provider, or other third party with direct network access to the victim’s systems.

In one operation, Tehran breached a logistics company in Israel, Amital Data, along with other companies in the transportation, logistics, and import sectors. From there, the hackers used Amital’s list of clients and login information to breach another 40 firms.48 While the attack’s financial cost remains unclear, targeting the transportation sector is worrisome from a strategic perspective because a military cannot move troops and supplies if the nation’s transportation sector is compromised.

The Iranian government’s most headline-grabbing cyber operations over the past four years targeted Israeli water facilities.49 While a June 2020 attack appears to have hit a small agricultural facility with no real-world effects, an unsuccessful April 2020 attack targeting Israel’s drinking water could have resulted in a public health crisis.50 Israel took the operation so seriously that it reportedly responded by launching a cyber operation that knocked a major Iranian port offline.51

By launching cyberattacks against its neighbors, Tehran may also be trying to exacerbate tensions between the United States and its allies. For example, when the United States is in delicate nuclear negotiations with Iran, Washington has largely ignored Iranian cyberattacks in the Middle East. The absence of an American response may worsen friction between the United States and its Israeli and Arab allies, which already see Washington as too accommodating to Tehran.

Leveraging Common Techniques Against U.S. Critical Infrastructure

The U.S. intelligence community has repeatedly assessed that Iran can “conduct attacks on critical infrastructure.”52 In November 2021, a joint advisory from the FBI, the U.S. Department of Homeland Security, the UK’s National Cyber Security Centre, and the Australian Cyber Security Centre warned that “Iranian government-sponsored APTs” are targeting the U.S. transportation and healthcare sectors.53

Cybersecurity firm Dragos has observed two Iranian APTs attempting to compromise the ICS of U.S. utilities.54 Dragos concluded, however, that because Iran lacks “ICS-specific capabilities,” the hackers were likely focused “exclusively on information gathering at this time.”55

Yet Iran does not need ICS-specific capabilities to disrupt critical infrastructure. When U.S. pipeline operator Colonial Pipeline suffered a ransomware attack on its information technology systems in May 2021 at the hands of a Russian ransomware gang, the company “proactively disconnected” components of its gas pipeline “to ensure the systems’ safety,” explained the Department of Homeland Security.56 Colonial Pipeline’s CEO later testified before Congress that responders “halt[ed] operations throughout the pipeline … to help ensure that malware did not spread to the Operational Technology (OT) network, which controls our pipeline operations.”57 Ransomware effectively shut off a pipeline providing nearly half of all fuel to the East Coast.

Iranian hackers use common tools to conduct their operations, wielding an “opportunistic approach” to cyber operations, the U.S. intelligence community concluded last year.58 They are attempting, for example, to exploit the widely reported Log4j vulnerability to gain access and exfiltrate data.59 They are not the first hackers to do so, but the vulnerability is so prevalent across thousands of systems that it is a ripe avenue for attack.

The November 2021 U.S.-UK-Australian joint advisory noted that Iranian APTs are exploiting vulnerabilities as many as three years old and target systems that have not patched a severe vulnerability in Microsoft Exchange.60 This vulnerability earned headlines in 2021 for its severity and scale.61 In July 2021, Sky News, a British television station, obtained a cache of documents that purported to be assessments by IRGC hackers of possible cyber targets, including Western cargo ships, fuel pumps, building management systems, and maritime communications networks. The hackers “appeared to rely on open source research rather than any privileged information,” Sky News reported. Private cybersecurity firm Mandiant concluded that the Iranian hackers focused on “simple, opportunistic attacks.”62

Using unsophisticated techniques that are easy to spot does not mean an APT group is amateur. For example, Microsoft noted that the Iranian APT group was “deliberate” and “operationally, very sophisticated.”63 The group may not need to use custom malware or sophisticated techniques to be successful because its victims have weak defenses. In a separate report, Microsoft revealed that Iranian hackers had used “password spraying” — attempting multiple guesses of predictable passwords to break into an account — against U.S. and Israeli defense companies. The report noted that basic security measures can protect against this technique.64

Iranian hackers are dangerous because they are opportunistic, adopt the successful strategies and tools of other hackers, and exploit the weak defenses of their targets.

Right-Sizing Concerns About Cooperation With Other U.S. Adversaries

In November 2018, the Department of Justice indicted two Iranian hackers for a nearly three-year ransomware campaign that generated $6 million in revenue and cost victims — including the cities of Atlanta and Newark, the Port of San Diego, and six hospitals and other healthcare-related companies — more than $30 million.65 More recently, in May, researchers linked an Iranian government-backed group to financially motivated data exfiltration, ransomware, and extortion.66 It is not clear, however, if the hackers were raising funds for the government or themselves. Tehran could learn from these experiences and begin using ransomware not only to disguise other motives but also to raise funds to bankroll a range of malign activity.

The North Korean regime provides an example of this phenomenon. As the North Korea chapter of this monograph explains, financially motivated cyberattacks lie at the core of Pyongyang’s cyber strategy and have enabled the regime to remain solvent despite robust U.S. and UN sanctions. Were Iran to face a severe economic recession, Tehran could mimic Pyongyang’s strategy, acquire North Korean malware, and learn best practices through bilateral agreements.

However, this strategy poses risks for the Islamist regime. A study at Columbia University concluded that Tehran is unlikely to launch financially motivated attacks against global financial institutions, because doing so would “damage Iran’s credibility as an economic partner.”67

Russia and Iran, meanwhile, have signed several cybersecurity cooperation agreements over the past five years.68 In January 2021, the two countries signed an accord to coordinate their cyber activities, exchange technology, cooperate on training, and coordinate within international institutions.69 Iran’s Foreign Ministry said the agreement covers cooperation on detection of cyber intrusions and coordination “to ensure national and international security.”70

Previous cyber cooperation agreements between Tehran and Moscow have not led to any observable tactical coordination on offensive operations. But because Iranian hackers are far less skilled than their Russian counterparts, any knowledge transfer would improve Tehran’s cyber capabilities.

Still, recognition of Russia and Iran’s history of mutual suspicion and the enduring tension between them should temper handwringing about Russian and Iranian cooperation, although the two powers appear to be growing closer following Moscow’s invasion of Ukraine.71 While Russia finally delivered its S-300 air defense system to Iran after the implementation of the 2015 Iran nuclear deal,72 Moscow has not sold Tehran its more advanced S-400 system despite making it available to Turkey and other buyers.73 In the cyber realm, distrust at the operator level — that is, among the actual hackers — may also be high after reports that Russian hackers commandeered Iranian cyber-espionage infrastructure to launch their own operations.74

By contrast, Beijing and Tehran have historically recognized the value of a strong bilateral relationship.75 As a significant purchaser of Iranian crude oil and a critical trade partner,76 China has provided Iran with telecommunications and surveillance equipment, often in defiance of U.S. sanctions. Chinese telecommunications giants Huawei and ZTE have provided surveillance equipment to the Iranian government to monitor texts, calls, and emails for nearly a decade.77 Washington has penalized companies for sanctions evasion and obstruction of justice related to these sales.78 However, prior agreements, high-level visits, goodwill gestures, and even equipment sales between the two countries appear not to have led to a change in Iranian offensive cyber activities.79

Finally, it is worth noting that Iran has long shared China’s and Russia’s goal of challenging norms of a free and open internet, although coordination between these countries is loose at best.80 The Islamic Republic, along with human rights abusers such as Belarus, Myanmar, Syria, and Venezuela, cosponsored a 2019 UN resolution proposed by Russia and China that would legitimize domestic repression.81 Within the Chinese- and Russian-led Shanghai Cooperation Organization, which last year granted Iran full membership,82 Tehran seeks cooperation to combat the influence of foreign social media organizations.83 And within the annual Caspian Media Forum, Iran is working with other members to combat “imposed external values alien to” the region.84 This collaboration in international forums sets the stage for further cooperation.


FDD’s 2018 monograph on Iranian CEEW offered policymakers 10 recommendations to better understand the Iranian cyber threat, strengthen U.S. and allied defense capabilities, and impose costs on Tehran for its malicious cyber activities.85 Washington has still not done enough on these three fronts.

2018 Recommendations


  1. Analyze Tehran’s cyber escalatory ladder.
  2. Analyze Tehran’s cyber investments, industrial base, and partnerships with other rogue actors in order to target these assets as needed.


  1. Bolster information sharing with U.S. allies to improve allied defenses.
  2. Develop a joint R&D agenda with U.S. allies to address common threats from Iran and other malicious cyber actors.
  3. Conduct joint cyber wargames with allies in the Middle East to demonstrate U.S. resolve to defend allies.
  4. Announce that the United States will defend its key allies from significant Iranian cyberattacks.


  1. Sanction key Iranian leaders for authorizing cyberattacks.
  2. Use cyber-enabled information warfare capabilities to exploit and sharpen divisions between the regime and the Iranian public.
  3. Hold at risk Iranian assets using cyber and kinetic means.

While punishing Iran remains important, it will always be a reactive policy to address Tehran’s capabilities. The maturation of Iranian cyber capabilities over the past four years requires greater attention to understand the trajectory of the Iranian cyber threat. The Islamic Republic has demonstrated its intent to attack American allies. The United States should take the following steps to prevent Tehran from becoming a more capable cyber power.

1. Undermine Tehran’s control over the Iranian people’s access to information. Capabilities that the regime deploys against its own citizens can quickly present a threat to U.S. national security. Protests in Iran against government policies and against the theocracy itself continue.86 Thus, the regime will likely resort to violence and even sever access to the global internet. This presents an opportunity for the United States to help the Iranian people evade censorship. For example, Washington should devise a land-based or satellite solution as an alternative to SHOMA so the Iranian people have better access to information.87 This could serve as a test case for supplying freedom of information to other oppressed people, including in China, Russia, and North Korea.

2. Sow divisions between hackers working for different parts of the Iranian government. The structure of the Iranian hacker community is one of a loose contractor model in which quasi-independent hacker groups take commissions from the Iranian government to conduct operations. The cybersecurity firm Recorded Future reports that feuds between the IRGC and the Ministry of Intelligence are likely causing hackers to align more closely with one faction or the other. Infighting between regime factions may present its adversaries with an opportunity to undermine Iranian capabilities. Unconfirmed reports indicate that other Iranian hackers were responsible for a leak about an Intelligence Ministry-affiliated group,88 forcing it to “re-tool and focus on new campaigns going forward, potentially delaying any current or planned hacking efforts,” according to the business and technology news site ZDNet.89

Washington should exploit divisions within Iran’s intelligence agencies and hacker community to instigate internecine fighting. Tactics might include posing as one group to leak the tools of another or spreading disinformation about how Khamenei favors one group over another. The goal would be to exacerbate rivalries so that the hackers betray their own.

3. Sanction Iranian universities and cyber centers of excellence. Just as Washington has sanctioned Iranian universities that recruit promising students into science and technology departments, thereby feeding Tehran’s nuclear and missile programs, Washington should sanction academic institutions that support Iranian cyber capabilities, such as Shahid Beheshti University and Sharif University of Technology.90 Such measures can undermine or restrain the systems that produce the next generation of malicious Iranian cyber actors. The sanctions would damage the institutions’ reputations and could even hamper their ability to recruit students and engage in cutting-edge scientific research. 

4. Enhance intelligence sharing with Israel and Iran’s Arab neighbors and increase global cyber diplomacy. Understanding the tactics Iran deploys against its neighbors would provide insights into future attacks against America. Therefore, Washington should continue and, where possible, increase intelligence cooperation with regional allies, particularly Israel, which is the most capable cyber actor in the Middle East. Greater diplomatic engagement with all U.S. allies about cybersecurity and norms would complement enhanced intelligence sharing, undermine Iranian efforts to use cyber operations to divide U.S. allies, and enhance the deterrent capabilities of U.S. partners.

5. Analyze cooperation, technology transfer, and training between Iran and its allies. The United States should study the collaboration between Iran and other U.S. adversaries and whether Iranian capabilities are improving thanks to help from other cyber powers. While Tehran will eagerly announce diplomatic exchanges, memoranda of understanding, and multi-year investment deals with other countries, Iranian cyber cooperation requires further study. This should be a priority of the U.S. intelligence community.


There is no shortage of steps Congress and the administration must take to enhance U.S. resilience and to thwart and deter cyberattacks. However, defense alone is insufficient. Similarly, deterrence is insufficient. The United States and its allies must actively prevent their adversaries from becoming more capable cyber actors whom they cannot combat or deter.


  1. Annie Fixler, “The Cyber Threat from Iran after the Death of Soleimani,” CTC Sentinel, February 2020. (https://ctc.usma.edu/cyber-threat-iran-death-soleimani)
  2. U.S. Department of Justice, Press Release, “Seven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector,” March 24, 2016. (https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged); Annie Fixler and Frank Cilluffo, “Evolving Menace: Iran’s Use of Cyber-Enabled Economic Warfare,” Foundation for Defense of Democracies, November 9, 2018. (https://www.fdd.org/analysis/2018/11/06/evolving-menace)
  3. Ellen Nakashima and Paul Sonne, “U.S. Military Carried Out Secret Cyberstrike on Iran to Prevent it from Interfering with Shipping,” The Washington Post, August 28, 2019. (https://www.washingtonpost.com/national-security/us-military-carried-out-secret-cyber-strike-on-iran-to-prevent-it-from-interfering-with-shipping/2019/08/28/36202a4e-c9db-11e9-a1fe-ca46e8d573c0_story.html)
  4. Kate O’Flaherty, “Iranian Hackers Are Going After A Disturbing New Physical Target,” Forbes, November 21, 2019. (https://www.forbes.com/sites/kateoflahertyuk/2019/11/21/iranian-hackers-could-be-going-after-a-disturbing-new-physical-target/?sh=62e5fa137d2a)
  5. Nicole Lindsey, “Iranian Hackers APT33 Now Threatening ICS Security,” CPO Magazine, December 5, 2019. (https://www.cpomagazine.com/cyber-security/iranian-hackers-apt33-now-threatening-ics-security)
  6. U.S. Department of Justice, Press Release, “Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps,” March 23, 2018. (https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary)
  7. Sean Lyngaas, “‘Cobalt Dickens’ Group is Phishing Universities at Scale Again, Researchers Say,” CyberScoop, September 11, 2019. (https://www.cyberscoop.com/cobalt-dickens-iran-universities-hacking-secureworks). The exact number of successful breaches remains unclear.
  8. Office of the Director of National Intelligence, “Annual Threat Assessment of the U.S. Intelligence Community,” February 7, 2022, page 15. (https://www.dni.gov/files/ODNI/documents/assessments/ATA-2022-Unclassified-Report.pdf)
  9. “Evolving Trends in Iranian Threat Actor Activity — MSTIC Presentation at CyberWarCon 2021,” Microsoft, November 16, 2021. (https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021)
  10. Collin Anderson and Karim Sadjadpour, Iran’s Cyber Threat: Espionage, Sabotage, and Revenge (Washington, DC: Carnegie Endowment for International Peace, 2018), pages 10–12. (https://carnegieendowment.org/files/Iran_Cyber_Final_Full_v2.pdf)
  11. U.S. Department of the Treasury, Press Release, “Treasury Sanctions Cyber Actors Backed by Iranian Intelligence Ministry,” September 17, 2020. (https://home.treasury.gov/news/press-releases/sm1127)
  12. Collin Anderson and Karim Sadjadpour, Iran’s Cyber Threat: Espionage, Sabotage, and Revenge (Washington, DC: Carnegie Endowment for International Peace, 2018), pages 9 and 39. (https://carnegieendowment.org/files/Iran_Cyber_Final_Full_v2.pdf)
  13. U.S. Department of the Treasury, Press Release, “Treasury Sanctions Cyber Actors Backed by Iranian Intelligence Ministry,” September 17, 2020. (https://home.treasury.gov/news/press-releases/sm1127)
  14. Andy Greenberg, “Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount,” Wired, June 28, 2019. (https://www.wired.com/story/iran-hackers-us-phishing-tensions)
  15. U.S. Department of Justice, Press Release, “Two Iranian Nationals Charged in Cyber Theft Campaign Targeting Computer Systems in United States, Europe, and Middle East,” September 16, 2020. (https://www.justice.gov/opa/pr/two-iranian-nationals-charged-cyber-theft-campaign-targeting-computer-systems-united-states)
  16. Matt Burgess, “Iran’s Total internet Shutdown is a Blueprint for Breaking the Web,” Wired, July 10, 2020. (https://www.wired.co.uk/article/iran-news-internet-shutdown); “Iran: Tightening the Net 2020,” Article19, September 2020. (https://www.article19.org/wp-content/uploads/2020/09/TTN-report-2020.pdf); Isabel Debre, “Iran Shut Down Internet in Southeast Province Amid Protests, Harsh Crackdown,” The Times of Israel (Israel), February 28, 2021. (https://www.timesofisrael.com/iran-shuts-down-internet-in-southeast-province-amid-protests-harsh-crackdown)
  17. “Internet Disrupted in Iran Amid Fuel Protests in Multiple Cities,” Netblocks, November 15, 2019. (https://netblocks.org/reports/internet-disrupted-in-iran-amid-fuel-protests-in-multiple-cities-pA25L18b); Delia Paunescu, “Why did Iran Shut Off the Internet for the Entire Country?” Recode, November 21, 2019. (https://www.vox.com/recode/2019/11/21/20975920/iran-internet-protests-reset-podcast)
  18. “Mobile Internet Disrupted in Iran Amid Khuzestan Water Protests,” Netblocks, July 21, 2021. (https://netblocks.org/reports/mobile-internet-disrupted-in-iran-amid-khuzestan-water-protests-1yPjK9AQ)
  19. Lily Hay Newman, “How the Iranian Government Shut Off the Internet,” Wired, November 17, 2019. (https://www.wired.com/story/iran-internet-shutoff)
  20. “IRGC Forms Group to Monitor Internet in Iran,” Al-Monitor, March 25, 2021. (https://www.al-monitor.com/originals/2021/03/irgc-forms-group-monitor-internet-iran)
  21. Adena Nima, “What Khamenei’s Nowruz Message Means for Iran,” Eurasia Review, March 25, 2021. (https://www.eurasiareview.com/25032021-what-khameneis-nowruz-message-means-for-iran-oped); “IRGC Forms Group to Monitor Internet in Iran,” Al-Monitor, March 25, 2021. (https://www.al-monitor.com/originals/2021/03/irgc-forms-group-monitor-internet-iran)
  22. U.S. Cyberspace Solarium Commission, “Countering Disinformation in the United States: CSC White Paper #6,” December 2021, page 8. (https://cybersolarium.org/white-papers/countering-disinformation-in-the-united-states/)
  23. U.S. Department of Justice, Press Release, “Former U.S. Counterintelligence Agent Charged with Espionage on behalf of Iran; Four Iranians Charged with a Cyber Campaign Targeting her Former Colleagues,” February 13, 2019. (https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber); U.S. Department of Justice, Press Release, “Two Iranians Charged for Cyber-Enabled Disinformation and Threat Campaign Designed to Influence the 2020 U.S. Presidential Election,” November 18, 2021. (https://www.justice.gov/opa/pr/two-iranian-nationals-charged-cyber-enabled-disinformation-and-threat-campaign-designed)
  24. Zach Whittaker, “Microsoft says Iranian Hacker Targeted ‘High Profile’ Conference Attendees,” TechCrunch, October 28, 2020. (https://techcrunch.com/2020/10/28/microsoft-iran-hackers)
  25. Annie Fixler, “Iran’s Social engineering Capabilities Mature,” Foundation for Defense of Democracies, July 23, 2021. (https://www.fdd.org/analysis/2021/07/23/irans-social-engineering-capabilities-mature)
  26. Nathaniel Gleicher, “Taking Down More Coordinated Inauthentic Behavior,” Meta, August 21, 2018. (https://about.fb.com/news/2018/08/more-coordinated-inauthentic-behavior)
  27. Mike Dvilyanski and David Agranovich, “Taking Action Against Hackers in Iran,” Meta, July 21, 2021. (https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran)
  28. “Evolving Trends in Iranian Threat Actor Activity — MSTIC Presentation at CyberWarCon 2021,” Microsoft, November 16, 2021. (https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021)
  29. Bill Toulas, “Microsoft Warns of the evolution of Six Iranian Hacking Groups,” Bleeping Computer, November 16, 2021. (https://www.bleepingcomputer.com/news/security/microsoft-warns-of-the-evolution-of-six-iranian-hacking-groups/?&web_view=true)
  30. Ellen Nakashima, Amy Gardner, Isaac Stanley-Becker, and Craig Timberg, “U.S. Government Concludes Iran was behind Threatening Emails sent to Democrats,” The Washington Post, October 22, 2020. (https://www.washingtonpost.com/technology/2020/10/20/proud-boys-emails-florida); U.S. National Intelligence Council, Intelligence Community Assessment, “Foreign Threats to the 2020 US Federal Elections,” March 10, 2021. (https://www.intelligence.gov/assets/documents/702%20Documents/declassified/ICA-declass-16MAR21.pdf); U.S. Federal Bureau of Investigation, “Context and Recommendations to Protect Against Malicious Activity by Iranian Cyber Group Emennet Pasargad,” January 26, 2022. (https://www.ic3.gov/Media/News/2022/220126.pdf)
  31. U.S. National Intelligence Council, Intelligence Community Assessment, “Foreign Threats to the 2020 US Federal Elections,” March 10, 2021, page 6. (https://www.intelligence.gov/assets/documents/702%20Documents/declassified/ICA-declass-16MAR21.pdf)
  32. Christopher Bing and Jack Stubbs, “‘Dumb Mistake’ Exposed Iranian Hand Behind Fake Proud Boys U.S. Election Emails — Sources,” Reuters, October 22, 2020. (https://www.reuters.com/article/us-usa-election-cyber-iran-exclusive/exclusive-dumb-mistake-exposed-iranian-hand-behind-fake-proud-boys-u-s-election-emails-sources-idUSKBN2772YL)
  33. Tonya Riley, “State Department Offers $10M for Information on Iranian Election Interference,” CyberScoop, February 2, 2022. (https://www.cyberscoop.com/state-department-offer-10-million-information-iranian-election-interference)
  34. United States of America v. Seyed Mohammad Hosien Mousa Kazemi and Sajjad Kashian, 21 Cr. 644 (S.D.N.Y. filed 2021). (https://www.justice.gov/opa/press-release/file/1449226/download)
  35. Joseph Marks, “Four Takeaways from the Iranian Election Interference Indictments,” The Washington Post, November 19, 2021. (https://www.washingtonpost.com/politics/2021/11/19/four-takeaways-iranian-election-interference-indictments)
  36. Jessica Donati, “U.S. Adversaries Are Accelerating, Coordinating Coronavirus Disinformation, Report Says,” The Wall Street Journal, April 21, 2020. (https://www.wsj.com/articles/u-s-adversaries-are-accelerating-coordinating-coronavirus-disinformation-report-says-11587514724); Andrew Whiskeyman and Michael Berger, “Axis of Disinformation: Propaganda from Iran, Russia, and China on COVID-19,” Fikra Forum, February 25, 2021. (https://www.washingtoninstitute.org/policy-analysis/axis-disinformation-propaganda-iran-russia-and-china-covid-19); Michael Lupin, Liyuan Lu, Behrooz Samadbeygi, and Mehdi Jedinia, “Iran, China Amplify Each Other’s Allegations of US Coronavirus Culpability,” Voice of America, March 24, 2020. (https://www.voanews.com/middle-east/voa-news-iran/iran-china-amplify-each-others-allegations-us-coronavirus-culpability)
  37. Clint Watts, “Triad of Disinformation: How Russia, Iran, & China Ally in a Messaging War against America,” Alliance for Securing Democracy, May 15, 2020. (https://securingdemocracy.gmfus.org/triad-of-disinformation-how-russia-iran-china-ally-in-a-messaging-war-against-america)
  38. Joseph Marks, “Four Takeaways from the Iranian Election Interference Indictments,” The Washington Post, November 19, 2021. (https://www.washingtonpost.com/politics/2021/11/19/four-takeaways-iranian-election-interference-indictments)
  39. For more information on the summer 2019 tensions, see: Behnam Ben Taleblu, “Making Sense of Iranian Escalation,” FDD’s Long War Journal, May 20, 2019. (https://www.longwarjournal.org/archives/2019/05/making-sense-of-iranian-escalation.php)
  40. Catalin Cimpanu, “New Iranian data wiper malware hits Bapco, Bahrain’s national oil company,” ZDNet, January 9, 2020. (https://www.zdnet.com/article/new-iranian-data-wiper-malware-hits-bapco-bahrains-national-oil-company); Bradley Hope, Warren P. Strobel, and Dustin Volz, “High-Level Cyber Intrusions Hit Bahrain Amid Tensions With Iran,” The Wall Street Journal, August 7, 2019. (https://www.wsj.com/articles/high-level-cyber-intrusions-hit-bahrain-amid-tensions-with-iran-11565202488)
  41. Limor Kessem and IBM Security X-Force Team, “New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East,” IBM Security Intelligence, December 4, 2019. (https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east)
  42. Jenna McLaughlin, “Saudis Warn of new Destructive Cyberattack that Experts Tie to Iran,” Yahoo! News, January 7, 2020. (https://news.yahoo.com/days-before-suleimani-strike-saudis-warned-of-new-destructive-cyber-attack-013125981.html)
  43. “Pay2Kitten — Fox Kitten 2,” ClearSky Cybersecurity, December 17, 2020. (https://www.clearskysec.com/pay2kitten)
  44. “2021 Global Threat Report,” CrowdStrike, 2021, page 43. (https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf)
  45. U.S. Cyber Command, Press Release, “Iranian intel cyber suite of malware uses open source tools,” January 12, 2022. (https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools)
  46. “Cybersecurity Groups: Iranians Targeted Top Israeli Firms in Ransomware Attack,” The Times of Israel (Israel), October 16, 2020. (https://www.timesofisrael.com/cybersecurity-groups-iranians-targeted-top-israeli-firms-in-ransomware-attack)
  47. “Operation Quicksand: MuddyWater’s Offensive Attack Against Israeli Organizations,” ClearSky Cybersecurity, October 2020. (https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf). In May 2021, SentinelOne similarly disclosed that it had discovered data-destroying malware targeting Israel that an APT had disguised as ransomware. See: Amitai Ben Shushan Ehrlich, “From Wiper to Ransomware: The Evolution of Agrius,” Sentinel Labs, May 25, 2021. (https://labs.sentinelone.com/from-wiper-to-ransomware-the-evolution-of-agrius); Dan Goodin, “A Never-Before-Seen Wiper Malware is Hitting Israeli Targets,” Wired, May 27, 2021. (https://www.wired.com/story/never-before-seen-wiper-malware-hitting-israeli-targets)
  48. Stuart Winer, “Cyberattack Hits Israeli Companies, with Iran Reportedly the Likely Culprit,” The Times of Israel (Israel), December 13, 2020. (https://www.timesofisrael.com/israels-supply-chain-targeted-in-massive-cyberattack); Meir Orbach and Golan Hazani, “Israel’s Supply Chain Targeted in Massive Cyberattack,” CTech, December 13, 2020. (https://www.calcalistech.com/ctech/articles/0,7340,L-3881337,00.html)
  49. “Cyber Attacks again hit Israel’s Water System, Shutting Agricultural Pumps,” The Times of Israel (Israel), July 17, 2020. (https://www.timesofisrael.com/cyber-attacks-again-hit-israels-water-system-shutting-agricultural-pumps); Joby Warrick and Ellen Nakashima, “Foreign Intelligence Officials say Attempted Cyberattack on Israeli Water Utilities Linked to Iran,” The Washington Post, May 8, 2020. (https://www.washingtonpost.com/national-security/intelligence-officials-say-attempted-cyberattack-on-israeli-water-utilities-linked-to-iran/2020/05/08/f9ab0d78-9157-11ea-9e23-6914ee410a5f_story.html)
  50. Mehul Srivastava, Najmeh Bozorgmehr, and Katrina Manson, “Israel-Iran Attacks: ‘Cyber Winter is Coming,’” Financial Times (UK), May 31, 2020. (https://www.ft.com/content/3ea57426-40e2-42da-9e2c-97b0e39dd967)
  51. Joby Warrick and Ellen Nakashima, “Officials: Israel Linked to a Disruptive Cyberattack on Iranian Port Facility,” The Washington Post, May 18, 2020. (https://www.washingtonpost.com/national-security/officials-israel-linked-to-a-disruptive-cyberattack-on-iranian-port-facility/2020/05/18/9d1da866-9942-11ea-89fd-28fb313d1886_story.html)
  52. Office of the Director of National Intelligence, “Annual Threat Assessment of the US Intelligence Community,” April 9, 2021, page 14. (https://www.dni.gov/files/ODNI/documents/assessments/ATA-2021-Unclassified-Report.pdf)
  53. Sean Lyngaas, “US warns that Iranian government-sponsored hackers are targeting key US infrastructure,” CNN, November 17, 2021. (https://www.cnn.com/2021/11/17/politics/us-iran-hackers-warning/index.html); U.S. Cybersecurity and Infrastructure Security Agency, “Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities,” November 17, 2021. (https://www.cisa.gov/uscert/sites/default/files/publications/AA21-321A-Iranian%20Government-Sponsored%20APT%20Actors%20Exploiting%20Vulnerabilities%20FINAL.pdf)
  54. “North American Electric Cyber Threat Perspective,” Dragos, January 2020. (https://www.dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf)
  55. “Magnallium,” Dragos, accessed June 15, 2022. (https://www.dragos.com/threat/magnallium)
  56. U.S. Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation, Joint Cybersecurity Advisory, “DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks,” AA21-131A, May 11, 2021. (https://us-cert.cisa.gov/ncas/alerts/aa21-131a)
  57. Joseph Blount, “Cyber Threats in the Pipeline: Using Lessons from the Colonial Ransomware Attack to Defend Critical Infrastructure,” Testimony Before the House Committee on Homeland Security, June 9, 2021. (https://homeland.house.gov/imo/media/doc/2021-06-09-HRG-Testimony-Blount.pdf)
  58. Office of the Director of National Intelligence, “Annual Threat Assessment of the US Intelligence Community,” April 9, 2021, page 15. (https://www.dni.gov/files/ODNI/documents/assessments/ATA-2021-Unclassified-Report.pdf)
  59. Ravie Lakshmanan, “Iranian Hackers Exploit Log4j Vulnerability to Deploy PowerShell Backdoor,” The Hacker News, January 13, 2020. (https://thehackernews.com/2022/01/iranian-hackers-exploit-log4j.html)
  60. U.S. Federal Bureau of Investigation, U.S. Cybersecurity and Infrastructure Security Agency, Australian Cyber Security Centre, and UK National Cyber Security Center, “Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities,” November 17, 2021. (https://www.cisa.gov/uscert/sites/default/files/publications/AA21-321A-Iranian%20Government-Sponsored%20APT%20Actors%20Exploiting%20Vulnerabilities%20FINAL.pdf)
  61. U.S. Cybersecurity and Infrastructure Security Agency, “Remediating Microsoft Exchange Vulnerabilities,” 2021. (https://www.cisa.gov/uscert/remediating-microsoft-exchange-vulnerabilities); Kristine Phillips, “Biden Administration Blames China for Microsoft Hacking as DOJ Indicts Chinese Nationals in Cyberattacks,” USA Today, July 19, 2021. (https://www.usatoday.com/story/news/politics/2021/07/19/microsoft-exchange-hack-january-came-china-us-says/8011021002)
  62. Deborah Haynes, “Iran’s Secret Cyber Files,” Sky News (UK), July 26, 2021. (https://news.sky.com/story/irans-secret-cyber-files-on-how-cargo-ships-and-petrol-stations-could-be-attacked-12364871)
  63. Sean Lyngaas, “APT33 has Shifted Targeting to Industrial Control Systems Software, Microsoft says,” CyberScoop, November 22, 2019. (https://www.cyberscoop.com/apt33-microsoft-iran-ics)
  64. Maggie Miller, “Microsoft Reports Iranian Hackers Targeting US, Israeli Defense Companies,” The Hill, October 11, 2021. (https://thehill.com/policy/cybersecurity/576250-microsoft-reports-iranian-hackers-targeting-us-israeli-defense-companies)
  65. U.S. Department of Justice, Office of Public Affairs, Press Release, “Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over $30 Million in Losses,” November 28, 2018. (https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public)
  66. AJ Vicens, “Analysis of Well-Known Iranian Hacking Group Points to More Purely Financial Attacks,” CyberScoop, May 12, 2022. (https://www.cyberscoop.com/iranian-hacking-cobalt-mirage-phosphorous-charming-kitten-ransomware)
  67. Erika Banuelos, Clara Brackbill, Kirill Buskirk, Haakon Husoy, Jiwon Ma, Meg Mannix, Daniel Sorek, and Sam Weaver, “Assessing Iran’s Cyber Strategy: Risks to the Financial Sector,” Columbia University School of International and Public Affairs, April 2021. (https://www.sipa.columbia.edu/academics/capstone-projects/why-and-when-do-states-target-financial-institutions)
  68. John Hardie and Annie Fixler, “Russia-Iran cooperation poses challenges for US cyber strategy, global norms,” C4ISRNET, February 8, 2021. (https://www.c4isrnet.com/thought-leadership/2021/02/08/russia-iran-cooperation-poses-challenges-for-us-cyber-strategy-global-norms)
  69. “Russia, Iran Sign Agreement on Cyber Security Cooperation,” TASS (Russia), January 26, 2021. (https://tass.com/politics/1248963); “МИД раскрыл детали соглашения Ирана и России об информационной безопасности [The Ministry of Foreign Affairs revealed the details of the agreement between Iran and Russia on information security],” Izvestia (Russia), January 26, 2021. (https://iz.ru/1116475/2021-01-26/mid-raskryl-detali-soglasheniia-irana-i-rossii-ob-informatcionnoi-bezopasnosti)
  70. Islamic Republic of Iran Ministry of Foreign Affairs, “Iran, Russia Sign Information Security Cooperation Pact,” January 26, 2021. (https://en.mfa.ir/portal/NewsView/625777)
  71. “The Iran-Russia Cyber Agreement and U.S. Strategy in the Middle East,” Council on Foreign Relations, March 15, 2021. (https://www.cfr.org/blog/iran-russia-cyber-agreement-and-us-strategy-middle-east); Zeke Miller and Josh Boak, “White House: Iran set to deliver armed drones to Russia,” Associated Press, July 11, 2022. (https://apnews.com/article/russia-ukraine-biden-iran-jake-sullivan-4a9f1b2749893d8f1ed9f039869cf119)
  72. For a history of the S-300 sale, see: Patrick Megahan and Behnam Ben Taleblu, “Making Sense of Iranian S-300s,” The Hill, June 3, 2015. (https://thehill.com/blogs/congress-blog/homeland-security/243784-making-sense-of-iranian-s-300s)
  73. “Iran Placed No Order to Buy Russia’s S-400 Missile System: Advisor,” Tehran Times (Iran), November 14, 2020. (https://www.tehrantimes.com/news/454624/Iran-placed-no-order-to-buy-Russia-s-S-400-missile-system-advisor)
  74. Jack Stubbs and Christopher Bing, “Hacking the Hackers: Russian Group Hijacked Iranian Spying Operation, Officials Say,” Reuters, October 21, 2019. (https://www.reuters.com/article/us-russia-cyber/hacking-the-hackers-russian-group-hijacked-iranian-spying-operation-officials-say-idUSKBN1X00AK)
  75. Scott W. Harold and Alireza Nader, “China and Iran: Economic, Political, and Military Relations,” RAND Corporation, May 2, 2012. (https://www.rand.org/pubs/occasional_papers/OP351.html); U.S.-China Economic and Security Review Commission, Staff Research Report, “China-Iran Relations: A Limited but Enduring Strategic Partnership,” June 28, 2021. (https://www.uscc.gov/sites/default/files/2021-06/China-Iran_Relations.pdf)
  76. Erika Holmquist and Johan Englund, “China and Iran — an Unequal Friendship,” Swedish Defense Research Agency, May 2020. (https://www.foi.se/rest-api/report/FOI-R–4976–SE)
  77. Steve Stecklow, “Special Report: Chinese Firm Helps Iran Spy on Citizens,” Reuters, March 22, 2012. (https://www.reuters.com/article/us-iran-telecoms-idUSBRE82L0B820120322); Steve Stecklow, “Exclusive: Newly Obtained Documents Show Huawei Role in Shipping Prohibited U.S. Gear to Iran,” Reuters, March 2, 2020. (https://www.reuters.com/article/us-huawei-iran-sanctions-exclusive-idUSKBN20P1VA)
  78. James Vincent, “ZTE Receives Record $1.2 Billion Fine for Breaking US Sanctions,” The Verge, March 8, 2017. (https://www.theverge.com/2017/3/8/14852182/zte-embargo-iran-north-korea-record-fine); Arthur Cyr, “China’s Huawei Faces a Showdown, in Court,” Chicago Tribune, April 8, 2020. (https://www.chicagotribune.com/suburbs/lake-county-news-sun/opinion/ct-lns-cyr-china-shutdown-st-0411-20200408-5axthwyj7zdv3cpo6otqeoeuwm-story.html)
  79. Islamic Republic of Iran Presidential Administration, “Full Text of Joint Statement on Comprehensive Strategic Partnership between I.R. Iran, P.R. China,” January 23, 2016. (http://president.ir/en/91435); “Iran, China to Expand ICT Cooperation,” Financial Tribune (Iran), June 15, 2015. (https://financialtribune.com/articles/sci-tech/18983/iran-china-to-expand-ict-cooperation); Zak Doffman, “Cyber Warfare Threat Rises as Iran and China Agree ‘United Front’ Against U.S.,” Forbes, July 6, 2019. (https://www.forbes.com/sites/zakdoffman/2019/07/06/iranian-cyber-threat-heightened-by-chinas-support-for-its-cyber-war-on-u-s/?sh=b82162b42ebd)
  80. James Marchant and Bronwen Robertson, “Chaos & Control: The Competing Tensions of Internet Governance in Iran,” Internet Policy Observatory, January 2015, page 46. (https://repository.upenn.edu/cgi/viewcontent.cgi?article=1014&context=internetpolicyobservatory); UN General Assembly, “Countering the use of information and communications technologies for criminal purposes,” A/C.3/74/L.11/Rev.1, November 5, 2019. (https://undocs.org/en/A/C.3/74/L.11/Rev.1); Justin Sherman and Mark Raymond, “The U.N. Passed a Russia-Backed Cybercrime Resolution. That’s Not Good News for Internet Freedom,” The Washington Post, December 4, 2019. (https://www.washingtonpost.com/politics/2019/12/04/un-passed-russia-backed-cybercrime-resolution-thats-not-good-news-internet-freedom); Shannon Vavra, “The U.N. Passed a Resolution that gives Russia Greater Influence over Internet Norms,” CyberScoop, November 18, 2019. (https://www.cyberscoop.com/un-resolution-internet-cybercrime-global-norms)
  81. Justin Sherman and Mark Raymond, “The U.N. passed a Russia-backed cybercrime resolution. That’s not good news for Internet freedom.” The Washington Post, December 4, 2019. (https://www.washingtonpost.com/politics/2019/12/04/un-passed-russia-backed-cybercrime-resolution-thats-not-good-news-internet-freedom)
  82. Bradley Bowman, Ryan Brobst, and Zane Zovak, “Iran Joining the Shanghai Cooperation Organization,” Foundation for Defense of Democracies, September 22, 2021. (https://www.fdd.org/analysis/2021/09/22/iran-joining-shanghai-cooperation-organisation)
  83. “Iran Calls for International Cooperation against Cyber Terrorism,” Iran Front Page (Iran), June 9, 2018. (https://ifpnews.com/iran-calls-for-international-cooperation-against-cyber-terrorism)
  84. “Astrakhan to Host 1st Caspian Media Forum,” Republican Information Agency (Russia), September 2, 2015. (https://www.riadagestan.com/mobile/news_en/society/astrakhan_to_host_1st_caspian_media_forum_)
  85. Annie Fixler and Frank Cilluffo, “Evolving Menace: Iran’s Use of Cyber-Enabled Economic Warfare,” Foundation for Defense of Democracies, November 9, 2018. (https://www.fdd.org/analysis/2018/11/06/evolving-menace)
  86. Saeed Ghasseminejad, Behnam Ben Taleblu, and Eliora Katz, “Evolution Toward Revolution: The Development of Street Protests in the Islamic Republic of Iran,” Columbia Journal of International Affairs, October 29, 2020, Volume 73, Issue 2, pages 147–161. (https://jia.sipa.columbia.edu/evolution-toward-revolution-development-street-protests-islamic-republic-iran)
  87. For how the United States can effectively aid protestors, see: Behnam Ben Taleblu and Saeed Ghasseminejad, “Towards a Bipartisan Iran Protest Policy Playbook,” Radio Farda, November 21, 2019. (https://en.radiofarda.com/a/towards-a-bipartisan-iran-protest-policy-playbook/30284555.html)
  88. Insikt Group, “Despite infighting and Volatility, Iran Maintains Aggressive Cyber Operations Structure,” Recorded Future, April 9, 2020, page 5. (https://go.recordedfuture.com/hubfs/reports/cta-2020-0409.pdf)
  89. Catalin Cimpanu, “New Leaks of Iranian Cyber-Espionage Operations Hit Telegram and the Dark Web,” ZDNet, May 8, 2019. (https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web)
  90. For more on the role of these universities in support of Iran’s cyber capabilities, see: Annie Fixler and Frank Cilluffo, “Evolving Menace: Iran’s Use of Cyber-Enabled Economic Warfare,” Foundation for Defense of Democracies, November 9, 2018. (https://www.fdd.org/analysis/2018/11/06/evolving-menace)

