Iran’s attempts to achieve cyber dominance both within the MENA region and around the world have been well documented, particularly its efforts to spread pro-Iranian messaging and “tell Iran’s story.” This strategy is shaped by the challenging international context facing Tehran, which is suffering economically under U.S. sanctions and largely constrained from purchasing weapons under a recently expired U.N. arms embargo. To maintain pressure on its rivals despite these limitations, Iran has often relied on strategies described by many as “soft war”: less regulated, non-kinetic means of achieving its goals abroad by sustaining low-level conflicts for extended periods of time. One of Iran’s primary strategies in this regard is cyber warfare, including numerous attacks — with varying degrees of success — against both public and private sector targets in rival countries.
Iran’s cyber strategies and targets are far from
The world is now preparing for potential large-scale shifts in Iran’s relationship to the global community, as President Joe Biden signals a return to diplomacy and negotiation. But to prepare adequately for a new era in relations with Iran, the international community must first have a clear understanding of Tehran’s evolving capabilities and the threat it poses in cyberspace, especially with an eye to crafting future cyber defense policies.
Attacks against elections and political campaigns
Election meddling is a relatively new arena within international relations. This is partially because only a handful of countries possess — and know how to effectively utilize — the technological toolbox necessary to impact the outcome of elections abroad. But unlike Russia, which has attempted election interference in numerous countries, including the U.S. and European democracies, Iran’s election interference attempts are less well understood. Iran has carried out attacks on election systems in the United States, although at present there is no evidence of it doing so elsewhere. This does not necessarily mean that Iran-linked actors have never tried to do so, nor does it mean that Iran has never cooperated with Russia on cyber operations, as the two have been known in the past to pursue similar goals. Iran is by no means a weak or low-capacity cyber actor. While its election meddling track record may not be quite as extensive as that of Russia, it is no less of a potential threat, and should be treated accordingly.
Iran’s most recent election engineering attempt occurred during the 2020 U.S. elections. Voters in several states, including Alaska and Florida, received emails purportedly from the far-right American extremist group the Proud Boys, threatening “We will come after you” to anyone who did not vote for President Trump. The emails even contained personal information, including the home addresses of some recipients, indicating the senders had obtained American voter registration data. But U.S. government analysts were able to determine the true affiliation of the hackers through mistakes made in a video allegedly posted by the Proud Boys to brag about the phishing campaign. The hack was easily attributed as Iranian in origin, and the Proud Boys affiliation was declared a false flag.
As is often the case, the motivations for the attack remain murky. Then-National Intelligence Director John Ratcliffe argued that the false flag operation was an attempt to damage Trump’s chances in the 2020 election by galvanizing progressive rage against his embrace of fringe right-wing groups. However, then-Senate Minority Leader Chuck Schumer argued that the target was not President Trump at all, but rather democracy itself, and that the attack’s true intention was to portray American democracy as threatened by identitarian extremists.
But regardless of the attack’s specific intentions, Iranian operators evidently
The bottom line is that election interference now has a place within Iran’s international relations playbook, and the U.S. would do well to prepare for future election-related operations coming from Iranian cyberspace. Furthermore, Iran’s self-perception as a confident global cyber actor has broad implications for other regions and countries, particularly in Europe, where there is a high concentration of electoral democracies, some of which are already experiencing the strain of politically divided societies and ascendant strongmen leaders. These elections may be no less of a target for Iranian interference.
Intellectual property theft
Iran’s strained position under international sanctions also motivates another form of cyberattack: The coordinated theft of intellectual property from other countries. Iran’s efforts in this area have grown increasingly complex as Tehran has built up its cyber capabilities over the past decade. The most notable IP theft campaign conducted by Iranian actors in recent years was uncovered and pursued by American attorneys in a case referred to by one lawyer as, “one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice.” The case concerned the Mabna Institute, an Iranian organization subcontracted by the Islamic Revolutionary Guard Corps to conduct a massive spear phishing campaign that targeted the email accounts of 144 U.S.-based universities, 176 non-U.S.-based universities, and over 100,000 professors located all over the globe. The total value of the IP stolen from the U.S.-based universities alone amounted to more than $3.4 billion — a stunning 31.5 terabytes of academic data. The case’s nine defendants were all indicted by the Department of Justice.
Iran is far from the only state with a track record of IP theft — including China, and even the U.S., long ago — but it is still worth asking why this form of theft is important to Iran today. The answer mainly goes back to the international constraints it faces. As it suffers under sanctions and the resulting limitations on academic and scientific exchange, Iran’s ability to pursue scientific and technological advancements on its own is significantly curtailed. Stealing research from universities and other organizations effectively allows Iran to circumvent sanctions and boost its struggling economy through an influx of stolen knowledge.
Iranian operators may also perceive IP theft as a method to build upon its narrative and image-making goals in relation to its rivals abroad. For example, another cyberattack in 2020 targeted employee information at an Israeli defense firm called Elta, which is a subsidiary of state-owned Israeli Aerospace Industries. The attack was claimed by Pay2Key, an Iran-linked group that specializes in ransomware and purports to be pursuing its financial self-interest. However, cybersecurity firm ClearSky suspects that the group is actually a strategically positioned Iranian entity developed to target Israel rather than an independent actor. The attack underscores the fact that when Iran steals data, it is often aimed in part at building upon its soft power image. While the objective financial value of stolen intellectual or corporate property may vary, the very fact that it is stolen from a high-security Israeli company such as Elta demonstrates its subjective narrative value because it proves, in a sense, that Iran is capable of doing so. Iranian operators still typically work behind a veil of anonymity and secrecy, mainly to protect themselves from retribution or prosecution, but this does not necessarily mean that Iran wants to hide its cyber supremacy from the world. Rather, its cyber prowess is a key part of its ability to substantiate its self-made image as a strong and confident adversary to its global rivals.
IP theft is not a new soft power strategy in Iran and Tehran has been pursuing it since at least 2018, if not earlier. However, the international climate grew increasingly adversarial under the Trump administration, especially as the U.S. sought to expand sanctions, reaching nearly every sector of its economy. Iran has few options to develop its knowledge economy, and much of the country runs on aging infrastructure that often dates back to before the Iranian Revolution of 1979, when many countries stopped doing business with Iran. Stealing academic and corporate information from around the globe allows it to renew infrastructure and build technologies that it simply cannot purchase abroad, ranging from weaponry to airplane parts.
In general, IP theft is relatively rarely discussed because, even though it may involve the theft of billions of dollars in knowledge, it typically occurs over an extended period of time and is generally classified as a long and slow effort. Yet this fits perfectly within Iran’s soft power strategy and is likely to prove an essential cyber-tactic for Iran in the coming years. It can be difficult to write attention-grabbing headlines about IP theft in the same way that one can write about more “traditional” cyberattacks — and that is precisely part of the problem when it comes to establishing norms of defense in cyberspace. The implications of Iran investing in IP theft are very wide-ranging because almost any institution can become a target, in both the private and public sectors. Universities, state and local governments, firms of all sizes, and research institutions ought to prepare for potential intrusions from Iranian cyberspace.
A need for quick action
The fact that Iran currently lacks a cyber track record as long as that of Russia does not mean that it is any less capable in cyberspace. Moreover, Iran’s cyber ambitions are always changing and adapting, meaning that the tactics outlined above are only a small part of Tehran’s cyber future. Preparing for Iranian cyberattacks in the medium and long term will take significant effort, time, and financial investment, but it is necessary if the many potential targets are to properly protect themselves. Acting early and with great speed is critical as Iran advances its global cyber capabilities.
Leo Hochberg is Graduate Research Fellow with the MEI Cyber Division and a Masters student in Conflict Studies and Human Rights at Utrecht University. His research focuses include refugees and human (in)security, transitional justice, and MENA regional cyber threats. The views expressed in this piece are his own.
The author thanks Steph Shample for her support and commentary on this article.
Photo by ATTA KENARE/AFP via Getty Images