Iranian Cyber Activities

The international community face an unprecedented challenge in the fight against COVID-19. Most of the attention is focused on slowing down the spread of the virus, the introduction of measures to mild consequences of adopted restrictions and how to retrieve the economy on the level prior to the global pandemic. However, all other security concerns in the international community, prior pandemic, are not fading away and are relevant as it has been before. For example, propaganda, the spread of conspiracy theories feeding public within social media may influence public opinion without substance knowledge. Likewise, disinformation, cyber activities, and development of cyber capabilities and retaliatory actions are “on the table” also during the pandemic. While lots of attention has been paid on Chinese cyber activities and espionage within active Chinese groups such as Ke3Chang, APT15 Vixen Panda that attack companies or government institutions; equally, the attention has been paid on Russia’s espionage, intelligence operations, and disinformation campaigns through so-called trolls spreading fake content or message on purpose. Cyber experts identified criminal groups as APT 28,29 Fancy Bear, Sofacy group, Cozy Bear, The Dukes, Office Monkeys, Krypton.

Nevertheless, the attention has been paid less on Iranian cyber activities that have significantly developed its capabilities and may cause severe disruptions. Here is why vigilance and focus should not be shied away from Iranian cyber operations.

The role of Iran in the region

Iran plays a significant role in the Middle East. The country with its area, culture, history, religion, nuclear activity and geopolitical settings is a critical player in the region. Iran wants to show its importance in the region. Forging alliances and growing influence via support of militias or armed groups such as Hezbollah in Lebanon or Shiia groups in Iraq and Yemen make Iran even more important stakeholder in the region. Iran, as as an influential actor, realises the importance of the cyber domain as its integral part of the security and defence. Cyberspace refers to not only ‘all of the computer networks in the world’ but also to ‘everything they connect and control’ [1].  Some people even argue that the unprecedented cyber revolution put states into the arms race and cyber capabilities[2].

Despite the previously reported activity by Iranian patriotic hackers, the significantly growing investment into Iranian cyber capabilities can be dated back to the revelation of highly sophisticated Stuxnet computer worms in 2010. Intelligence agencies from the US and Israel created the Stuxnet intending to control the industrial machinery of uranium centrifuges.[3] Such a cyber attack acted as a wake-up call on Iranian authorities to develop cybersecurity capabilities and infrastructure. Iranian authorities tasked National Centre for Cyberspace (NCCS) with defensive actions, and in 2012 Khamenei’s regime set up Supreme Council of Cyberspace (SCC). According to US authorities, Iranian intelligence operations dramatically increased and it had invested over $1 billion in expanding its cyber capabilities, and it had been carrying out cyber-attacks on media organisations to test its cyber strength.[4]

Although some commentators[5] still do not consider Iranian cyber capabilities as highly sophisticated with fatal consequences for other states; the destructive attacks posed threats and risks of interruption by Iranian hackers should not be underestimated.

Several groups are involved in state-sponsored cyber activities such as espionage or widespread theft of personal information, influence operations, disruptive attacks. The majority of Iranian activities target government institutions, various industries and companies, or NGOs to cause disruptions and trouble their functioning. Equally, within an enhanced surveillance system, some groups target Iranian dissidents.

Who may be behind that then?

 Advanced Persistent Threat groups (APT)

Groups consist of talented university students to highly skilled professionals in information technologies. APTs are not easy to identify as in some instances, they seem to be connected and work together, but at the same time, they present themselves as separated entities. Anderson and Sadjadpour (2018) explain that Iranian APTs are fluid entities that usually disappear once a cybersecurity company reports on them. Disclosed APT groups are dissolved, and their members have reallocated to other groups [6] Some experts believe that groups are linked to Iranian authorities, particularly for common interests. There are several known APT groups.

APT 33

The group attacks the military and commercial aviation sector, also the energy sector linked to petrochemical production. Its main target is mainly Saudi Arabian business as well as South Korea companies doing business with Saudi Arabia petrochemical companies.[7]

APT 34 (Helix Kitten)

The group specialises in cyberespionage campaigns aligned with Iranian government interests. It focuses on the Middle East, Africa and the US. It creates fake personas on social media to build trust among their spear-phishing targets. The group is also known for the reusage of stolen data from previous campaigns in other campaigns. In 2019 the group suffered a leak of secret information when it was detailed the leadership of the group (Three of ten individuals) worked for Iran’s Ministry of Intelligence, while the remaining work for Iranian cybersecurity company Rahacorp.[8]

Charming kitten (APT 35)

The group uses various techniques to steal data from government agencies and companies working in technology, military and diplomacy. The group particularly focus on operations in the US, UK and Israel.[9]

Shamoon group

The group cyber operations date back to 2012 when it targeted energy companies in Qatar and Saudi Arabia. Attacks were carefully focused on oil, gas, energy, telecom and government organisation with a critical impact causing the loss of data and crippling the business operations.[10] In 2018 the group attacked the Italian company doing business with Saudi Arabian Aramco. Some experts believe that Shamoon group is connected to APT 33.

The latest development potential of influence over cyber activities

The first of all, the death of the general Soleimani in January has further escalated tensions between the US and Iran. After the announcement of general’s death, some commentators interpreted Khamenei’s tweet dedicated to Soulemani as the potential beginning of US-Iranian military action.[11] A response by the military reaction includes the security portfolio of cyberspace. Therefore, in coming months there is a potential for growth of several cyber-attacks on US military agencies, energy companies doing business with the US and more significant number of attempts to retrieve sensitive data that could be misused.

Secondly, Iran was hit hardly by the pandemic of COVID 19 with almost 90 000 cases (to 26th April) and in effort to slow down the rise of incidents, Iranian authorities called for the alleviation of sanctions that were imposed in 2018. Some human rights groups even claim that restrictions put on finance in combination with the sharp depreciation of the Iranian currency limit Iranian companies and hospitals to get essential medicine and medical equipment to provide medical care to citizens and cope with the virus.[12] These difficulties can act as a catalyst in retaliation actions in cyberspace by both patriotic cyber groups and groups somehow linked to the regime. Groups may target particularly US companies and also as retaliation actions, Iranian patriotic groups may target US health service providers, banking sector or entities connected to them.

Thirdly, the recent victory of hardlines in parliament elections may affect cyber warfare to some extent. Despite the fact that parliament has limited power over the foreign policy, and it is the president who has a nominal rule over the ministry of intelligence and security; the win of radical conservatives in recent elections may emphasise the ideals of the Islamic revolution and the ideology. Emphasising Iranian independence and resistance in the region can push Iranian groups of patriotic hackers in increasing various cyber activities, focused mainly on Saudi and US and increase in a number of malware, or theft activities.[13]

Additional tension between the US and Iran, and recent US accusation of conducted „dangerous and harassing“ manoeuvres close to the US navy in the Persian Gulf. The constant tensions between both actors will spill over into all areas of security, including cyber. The intelligence officers and IT experts may be employed by an increased number of cyber activities on navy.[14]

The risky side of cyber tensions

The growing dependency on information infrastructure raises awareness of cybersecurity and potential attribution for attacks on government bodies, companies or hospitals. These attacks illustrate the potentially enormous stakes at play – and the attribution for serious attacks may result in an open conflict between states.

The attribution of a state for executed cyber-attack is not an easy process, however, in some instances, consequences of attributed cyber-attack may even resort to the use of force in self-defence under the Article of 51 of the UN Charter, when it satisfies the requirement of an „armed attack“.[15] States are held accountable for an attack if an attack was committed by organs of a state, acknowledgement of a state to adopt conduct as its own if the state does not prevent or stop a cyber-attack from its territory. Lastly, cyber-attacks may also be attributed to countries if perpetrators of an attack acted on instructions of the effective direct control of that state.[16]

The investigation of cyber-attacks and set high standards for attribution make attribution complex. Moreover, Iranian groups characterised as fluid entities, frequently dismissing or changing groups are not easy to unequivocally identify. Also, attacks on the government agencies or NGOs do not amount to the requirement of an „armed attack“ in International law. On the other hand, confirmation of a severe attack t supported by Iranian regime may lead to severe consequences and thus support and posed a risk should not be entirely abandoned.

Written by Andrea Prokeszová

About the Author: Andrea Prokeszova completed the master‘s degree in International Law at the University of Westminster in London. She is particularly interested in security issues and in her dissertation, she focused on the concept of the use of force in International law. She also holds a bachelor‘s degree in International Relations and European Studies from Metropolitan University Prague. During her undergraduate studies, she has developed her passion for the Middle East, and in her thesis, she researched on the Arab Spring in the Maghreb. During her studies, Andrea has participated in several UN and North Atlantic Council session models and several NATO related educational trainings. She was also involved as a volunteer for charities in Lebanon, London and Prague.


[1] (Valeriano and Craig, 2016)

(Clarke and Knake 2010, p.70)

[2] (Valeriano and Craig, 2016)

[3] Fruhlinger, J., 2020. What Is Stuxnet, Who Created It And How Does It Work?. [online] CSO Online. Available at: <> [Accessed 27 April 2020].

[4] Valeriano, B. and Craig, A., 2016. Conceptualising Cyber Arms Races. NATO CCD COE Publications, Tallinn.

House of Representatives, 2012

[5] Lewis, J., 2020. Iran And Cyber Power. [online] Available at: <> [Accessed 27 April 2020].

[6] Baezner, Marie (2019): Hotspot Analysis:

Iranian cyber-activities in context of regional rivalries and international tensions, May 2019, Center for Security Studies (CSS), ETH Zürich

[7] Kovacs, E., 2017. Iranian Hackers Target Aerospace, Energy Companies | Securityweek.Com. [online] Available at: <> [Accessed 27 April 2020].

[8] Ingham, L., 2020. Iran APT Groups: An Overview Of The Country’S Key Cyber Warfare Actors. [online] Verdict. Available at: <> [Accessed 27 April 2020].

[9] Ibid

[10] Mundo, A., Roccia, T., Saavedra-Morales, J. and Beek, C., 2020. Shamoon Returns To Wipe Systems In Middle East, Europe | Mcafee Blogs. [online] McAfee Blogs. Available at: <> [Accessed 27 April 2020].

[11] Euronews. 2020. Reactions To US Drone Strike That Killed Iran’s Top Military Official. [online] Available at: <> [Accessed 27 April 2020].

[12] Human Rights Watch. 2020. US: Ease Sanctions On Iran In COVID-19 Crisis. [online] Available at: <> [Accessed 27 April 2020].

[13] Al-Monitor. 2020. How Iran’S Next Parliament Will Affect Foreign Policy. [online] Available at: <> [Accessed 27 April 2020].

[14] 2020. Trump Threatens To Shoot Iranian Gunboats. [online] Available at: <> [Accessed 27 April 2020].

[15] Charter of the UN (1945)

[16] Clement Guitton & Elaine Korzak (2013) The Sophistication Criterion for

Attribution, The RUSI Journal, 158:4

Case Concerning The Military and Paramilitary Activities in and Against Nicaragua [1986] (ICJ).