This article was written by Jeremy Walker and originally published on Grey Dynamics.

The threat posed by Iranian cyber actors has been a growing concern for the past decade, yet people have yet to see the destructive capabilities these actors could produce. Iran can affect global infrastructure, drag out and disrupt a potential Middle East peace process, and continue implementing restrictions on Iranian citizens’ freedom of information. This ability can and will have consequences to the broader global community. This article will assess how the Iranian state organizes this often forgotten side of warfare, and how it uses the forces at its disposal.

Why Does Iran Need Asymmetric Capabilities?

Iran had to significantly invest in its asymmetric warfare capabilities to assert its influence in the Middle East. Since the creation of the Islamic Republic with the 1979 Revolution, Iran has seen the United States as its main threat. However, Iran always had to play catch up being financially much weaker than the U.S. (For comparison, in 2018 the U.S. spent $623 billion on defense, while Iran reportedly spent $13 billion.)

Iran’s move towards asymmetric capability began around the turn of the last decade. The 2009 Green revolution showed the Iranian leadership that it should take this side of asymmetric capabilities seriously. With the Stuxnet attack on the Iranian nuclear program discovered a year later and the threat posed from internal and external sources realized Iran found itself having to pivot its strategy to confront this danger.

Structural Hierarchy

The hierarchy of Iranian cyber actors is a tricky web to navigate.

The Supreme Leader, Ayatollah Ali Khamenei, has absolute control over the workings of government. President Hassan Rouhani only has paper authority over the Supreme National Security Councilwith the Supreme leader having final jurisdiction on security issues.

There is frequent overlap when it comes to the cyber capabilities of multiple organizations within the national security structure. In practice, the Islamic Revolutionary Guard Corps (IRGC) are independent and often refuse to be subordinate to any other organization outside of the office of the Supreme Leader.

The Ministry of Intelligence and Security and other organizations within the elected government, such as the Ministry of the Interior that runs the law enforcement organizations, also have their independent prerogatives when it comes to cyber operations. The lack of communication and the structural competition between the different entities often result in overlapping duties and conflicts for resources.

State & Proxy Actors

The IRGC maintains control over a large portion of Iran’s cyber operations. It was founded in the aftermath of the Islamic Revolution and its role within the Iranian state is that of protecting Iran against domestic and international threats. Its command structure circumvents the elected government and answers to the Supreme Leader and Supreme National Security Council.

The IRGC controls the most important actors within the Iranian system. Among them the Basij, who are the paramilitary wing of the IRGC. The Basij claim to have over 120,000 civilian “cyber volunteers,” although this number is considered to be an exaggeration.

The growth of Iranian cyber operations can be seen from Operation Saffron Rose in 2013. The operation was undertaken by the Ajax Security Team, ostensibly associated with the IRGC. Since 2010, the group has been known to officials from FireEye for having defaced the frontpages of websites. From then on, the group developed capabilities to steal credentials from targets within the defense industry. To achieve this, it set up Spear phishing campaigns and Watering hole attacks, using two tactics:

  • Firstly, the fake Institute of Electrical and Electronics Engineers (IEEE) conference sign up page, from which users were required to download a phony proxy service to log in, which was in fact malware.
  • Secondly, they set up various pages that looked like legitimate webpages that required security details to log in. If the information were entered it would be sent to the hackers. Pages flouted as valid included Office Outlook Web Access and various VPN services.

Not only is the group graduating from defacing websites to committing cyber espionage, but it has also started to focus on Iranian citizens: It is believed that it masked malware as anti-censorship tools for circumventing Iranian censorship.

Through the Basij, IRGC contacts and recruits proxy organizations that operate on behalf of Iran, one such organization being the Cutting Sword of Justice (CSJ). The CSJ is blamed for one of the most successful assaults over the last decade: In 2012, it used malware (called Shamoon or Disstrack) to destroy or wipe out a reported 35,000 computers of Saudi Aramco, one of the world’s largest oil firms.

Another group, dubbed APT33, which is believed to be operating since 2013, is thought to have been responsible for an attack lasting from mid-2016 through early-2017. Allegedly, the attack was employed to gain intelligence on the structure and capacity of Saudi Arabia’s air forces. Such targets are consistent with the state of the geopolitical situation in the Middle East, where Iran and Saudi Arabia are currently involved in a proxy war in Yemen.

Iran’s IRGC Shows New Underground Missile Base Near the Persian Gulf

Read Next: Iran’s IRGC Shows New Underground Missile Base Near the Persian Gulf

Domestic Enforcement

It is not just within the Middle East and greater international sphere that Iran tries to flex its cyber capabilities. The National Passive Defence Organisation (NPDO), another organization heavily influenced by the IRGC, is led by Brigadier General Gholamreza Jalali Farahani. While not reporting directly to the IRGC, Farahani’s position makes it clear that the IRGC has considerable sway in the dealings of the NPDO. The NPDO undertakes a critical role in the prevention and identification of any cyberattack against the state by foreign or domestic actors.

Along with the NPDO, there are elements within the elected government itself that deal with cyber issues. Iran’s cyber police, or FATA, is a division of the Iranian police service that deals exclusively with “cyber-crime.” In an interview, last December, Colonel Ramin Pashayi, Deputy of Social affairs at FATA, claimed that FATA has 42,000 volunteers from the public and that its approach is policing in a “Society-Based” way.

The results of this approach have shown up in western news sources regularly, with numerous accounts of people being arrested for Instagram posts that go against the religious tolerances of the country. For example, a couple practicing parkour was arrested for posting a picture of themselves kissing on a rooftop in May this year.

To complement the use of police powers, there is the National Information Network project. Through this ambitious undertaking that began in 2012, Iran has been seeking to style its own “intranet” under the control of the Supreme Leader. This is under the leadership of a multitude of agencies, all under the guise of the Supreme Council of Cyberspace (SCC), which is made up of the leadership of both government agencies and the IRGC. SCC has seen a steady implementer of restrictions on internet freedom in the country, from banning Google’s services in 2012 to cutting off the Internet to the vast majority of the population in the 2019 unrests that sparked as a result of rising fuel prices.

Iran has several actors within its system who can successfully and destructively use Cyberwarfare. The IRGC, with its priority to protect and further the Iranian revolution,  has the most significant amount of influence within the Iranian Cyber Command structure. The ability to effectively curb Iranian speech within the state, as well as control regional politics in the Middle East, has made the rise of Iranian cyber capability a severe cause for concern.

Overall, the key outcomes from this assessment of Iran’s cyber actors are the below:

  • The influence of the IRGC is immense. Its influence stems from its control over the Basij, its paramilitary capabilities, and the penetration of former IRGC officers into the political sphere of Iran.
  • While there are many different organizations when it comes to the Iranian intelligence community, there is a track record of overlapping objectives, which results in frustrating efforts when conducting cyber missions.
  • There is a real danger that affects not only governments but also individuals employed within these agencies and businesses.
  • The use of proxy actors is a crucial instrument of asymmetric strategy. This gives Iran plausible deniability while it gains the skills and capabilities that it needs to fend off more substantial powers outside of the Middle East. It also allows it to gain insight into its regional rivals such as Saudi Arabia.