January 13, 2020
Iranian Offensive Cyber Attack Capabilities
Threat Evolution
internal internet security controls. The NCC is also tasked
Iran’s use of cyberspace has evolved from an internal
with “preparing for a cultural war” between Iran and its
means of information control and repression to more
enemies, according to the 2013 NCC Statute issued by Iran.
aggressive attacks on foreign targets. The regime has been
developing its own cybersecurity software and internet
Islamic Revolutionary Guard Corps (IRGC). A branch
architecture in order to protect and insulate its networks,
of the Iranian Armed Forces, this military force oversees
and it has been developing technological cyber expertise as
offensive cyber activities.
a form of asymmetric warfare against a superior
conventional U.S. military.
IRGC Electronic Warfare and Cyber Defence
Organization. This organization provides training courses
Iran also has a history of using cyberattacks in retaliation
in cyber defenses and denies access to and censors online
against the United States. In 2010, a computer worm known
content and communications.
as Stuxnet was discovered by cybersecurity researchers to
have infiltrated the computers that controlled nuclear
Basij Cyber Council. Considered a paramilitary force,
centrifuges in Iran, causing physical damage and preventing
Basij comprises nonprofessionals, using volunteer hackers
operation. The Stuxnet worm was reported to have been a
under IRGC specialist supervision. These volunteers are
joint effort between the governments of the United States
sometimes referred to as “cyber war commandos.”
and Israel. Following the discovery of the Stuxnet malware,
U.S. assets experienced an increase in the severity and
National Passive Defense Organization (NPDO). Formed
duration of cyberattacks originating in Iran.
for infrastructure protection, one of the NPDO’s main roles
according to analysts is to use “all national cyber and non-
Recent events have heightened interest in Iran’s current
cyber resources to deter, prevent, deny, identify, and
cyberattack capability with respect to U.S. vulnerabilities.
effectively counter any cyberattack against ... Iran’s
national infrastructure by either hostile foreign states or
Iranian Cyber Organization
[domestic] groups supported by them.”
Since the advent of the Stuxnet worm, Iran has been
investing resources in developing its own cyber forces and
Cyber Defence Command. Also known as Cyber
organizations. Some of these entities reside within the
Headquarters in the Iranian military, this group conducts
government and military, while others appear to operate
offensive cyber operations along with the Basij Cyber
more independently. Some focus more on defensive
Council. The command may have been created as a
capabilities but may operate in concert with military units
corollary to the U.S. Cyber Command.
conducting offensive operations. The information below
draws from unclassified sources.
Proxies
Iran has been known to employ proxies to conduct cyber
Government Entities
operations. These range from either patriotic or financially
Iran Cyber Police. A law enforcement unit, the Cyber
motivated individual hackers, to private sector contractors
Police is responsible for tackling what it considers internet
and quasi-governmental organizations. Given the amount of
crimes. To this end, the unit monitors online activity within
control that the Iranian regime exercises over the internet
Iran, including infiltrating websites and email accounts of
activity of its citizenry, one may assume that while the
political dissidents.
actions of individuals may not be state-directed, it is almost
certainly state tolerated or even encouraged. The use of
Ministry of Intelligence and Security (MOIS). Similar to
proxies also allows the regime to maintain plausible
the U.S. National Security Agency, MOIS is responsible for
deniability for the attacks, thereby avoiding escalation.
signals intelligence and collecting information from
However, readily identifiable signatures in the computer
electronic communications.
code suggest that the Iranian government endeavors to take
the credit for attacks on foreign entities as a demonstration
Supreme Council of Cyberspace. Also known as the High
of ability.
Council of Cyberspace, this body coordinates cyberspace
policy for the Iranian government and coordinates between
Mabna Institute. A group of private sector contractors that
offensive and defensive cyber operations.
conduct computer intrusion, wire fraud, and data theft at the
behest of the government of the Islamic Republic of Iran
National Cyberspace Center (NCC). An entity of the
and the IRGC.
Supreme Council of Cyberspace, the NCC is largely
concerned with information content and development of
https://crsreports.congress.gov
Iranian Offensive Cyber Attack Capabilities
Iranian Cyber Army. IT specialists and professional
social media platforms could also be used to coordinate
hackers. The Cyber Army has not been directly linked to
cyberattacks.
the IRGC, but Iranian government officials refer to using it
to hack “enemy sites,” diverting internet traffic, and
Rye, New York Dam. In 2013, an Iranian employed by a
hacking into foreign media sites and social media
company contracted by the IRGC was able to access
platforms.
remotely the supervisory control and data acquisition
(SCADA) systems of the Bowman Dam in Rye, NY. This
Cyberattack Methods
gave access to information regarding the status and
Since at least 2012, Iranian cyberattacks have been
operation of the dam, possibly compromising its
advancing from simple website defacements to denial of
functioning. The Iranian was indicted by the U.S.
service and other disruptive or destructive forms of attack.
Department of Justice in 2016.
These include distributed denial of service (DDOS) attacks
that prevent access to target websites and more destructive
Cyber Data Theft Ring. From approximately 2013 to
attacks that destroy data or disable computers entirely.
2017, cyber thieves associated with the Mabna Institute
targeted intellectual property and other data from 144 U.S.
Website Defacement. Cyberattacks that manipulate data
universities, the U.S. Department of Labor, the Federal
and images on a website or redirect traffic to a new
Energy Regulatory Commission, the State of Hawaii, and
webpage.
the State of Indiana, as well as companies and organizations
outside the United States. The Department of Justice
Data Breach and Theft. Intrusions into computer systems
indicted nine Iranians for these incidents in 2018.
that allow extraction of large amounts of otherwise
protected data.
While there are many reports of Iran’s increasingly
sophisticated cyberattack capability, previous incidents also
Denial of Service. Cyberattacks that flood a computer or
can be attributed to poor security controls of the targets.
network with traffic, rendering it inaccessible to users.
However, discovery of sophisticated malware such as
Stuxnet could allow for reverse engineering, giving Iran its
Destructive Attacks. Cyberattacks that destroy
own destructive capability.
applications and computers within a target network with
damage that could possibly equal that of a kinetic attack.
Possible Iranian Cyber Response to
An example is a “wiper” attack, where an infected
Recent U.S. Action
computer hard drive is overwritten or cleared of data.
On June 22, 2019, Christopher C. Krebs, Director of the
Department of Homeland Security’s (DHS’s) Cybersecurity
Iran-Attributed Incidents
and Infrastructure Security Agency (CISA), issued a
Saudi Aramco. In 2012, wiper malware known as
statement that “CISA is aware of a recent rise in malicious
Shamoon damaged computers and delayed oil production
cyber activity directed at United States industries and
after targeting Saudi Aramco and other energy companies
government agencies by Iranian regime actors and
in the Middle East. U.S. government officials linked the
proxies…. Iranian regime actors and proxies are
attack to Iran.
increasingly using destructive ‘wiper’ attacks, looking to do
much more than just steal data and money.” On January 2,
Sands Casino, Las Vegas. In 2014, destructive attacks
2020, the day IRGC major general Qasem Soleimani was
accessed and destroyed data on the network of the Sands
killed in a U.S. air strike at Baghdad International Airport,
Hotel and Casino, owned by a political donor seen as pro-
Krebs linked back to this statement on his social media
Israel and anti-Iran. The U.S. Director of National
account.
Intelligence attributed this attack to the Iranian government
in a Statement for the Record to the House Permanent
On January 4, the DHS National Terrorism Advisory
Select Committee on Intelligence.
System issued a bulletin warning that “Iran maintains a
robust cyber program and can execute cyberattacks against
U.S. Banks. From 2011 to 2013, DDOS attacks in which
the United States. Iran is capable, at a minimum, of
banks’ websites, including Bank of America and Wells
carrying out attacks with temporary disruptive effects
Fargo, were overwhelmed with internet traffic, preventing
against critical infrastructure in the United States.” The
customer access for a period of time. In March 2016, the
bulletin warned of the potential for cyber retaliation in
U.S. Department of Justice indicted seven Iranian actors
response to the U.S. military strike in Baghdad. Also on this
contracted by the IRGC who were said to have cost the
day, hackers claiming to represent the Islamic Republic of
banks millions of dollars in remediation.
Iran hacked and defaced several U.S. websites. CISA
representatives did not confirm that this attack was
Twitter and Facebook. In 2009, Twitter web traffic was
sponsored by the Iranian government.
redirected to a page for a group claiming to be the Iranian
Cyber Army. In 2018, Twitter announced that it had
In the days following the death of Soleimani, the U.S.
removed 2,617 Iranian accounts that were engaging in
Selective Service System website was disabled due to high
“malicious activity.” In May 2019, Facebook stated that it
volumes of web traffic. Random U.S. citizens had been
had removed Iranian-linked Facebook accounts, pages, and
receiving text messages that indicated a draft had been
groups as well as Instagram accounts. While much of this
reinstated for an imminent war in Iran. The origin of these
activity involved trolling and other influence operations,
text messages is unknown.
https://crsreports.congress.gov
Iranian Offensive Cyber Attack Capabilities
Catherine A. Theohary, Specialist in National Security
Policy, Cyber and Information Operations
IF11406
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF11406 · VERSION 1 · NEW