In 2016, the industrial computer security firm MalCrawler conducted an experiment: It created an elaborate network to observe the actions and gauge the intentions of malicious cyber operators. The firm concluded that hackers from different countries typically exhibit distinct behaviors. Chinese hackers pilfered “anything that looked like novel technical information.” Russians penetrated systems, “mapping them and implanting hard-to-find backdoor access for potential future use.” In contrast, Iranian hackers sought to do “as much damage as possible.”1 This is consistent with Iranian cyber behavior: Over the past decade, the Islamic Republic has shown it will exploit deficient cyber defenses to wreak havoc on its adversaries’ networks. The regime is now bolstering its capacity to cause even greater harm in the future.
Comparatively lacking in conventional forms of military, economic, and geopolitical power, the Islamic Republic leverages asymmetric capabilities to wage war against the United States and its allies. These methods include sponsorship of terrorists and militia forces, hostage taking, overseas assassinations, ballistic missiles, and – potentially – nuclear weapons. The latest additions to this asymmetric toolkit are cyber capabilities and, specifically, cyber-enabled economic warfare – a strategy involving cyber attacks against an adversary’s economic assets in order to reduce its political and military power.2 Consistently, the evidence reveals that the Iranian regime and its Islamic Revolutionary Guard Corps (IRGC) are sponsoring these malicious Iranian cyber operations.
The Islamic Republic accelerated its pursuit of offensive cyber capabilities in 2009-2010 after falling prey to the Stuxnet virus, reportedly engineered by the U.S. and Israel.3 Less than two years later, the Islamic Republic retaliated against U.S. economic sanctions with cyber attacks on American banks, along with a costly attack against regional rival Saudi Arabia.4
After those two operations, the Islamic Republic’s cyber activities appeared to shift. As Tehran sought to negotiate relief from U.S. sanctions, its malicious cyber activity focused primarily – although not exclusively – on its regional adversaries, and simultaneously, the regime also expanded its cyber infiltration operations around the world. Through these campaigns, Iranian hackers are able to hone their skills on soft targets and pre-position assets for future conflicts, both cyber and otherwise.5
Those battles may be around the corner. The U.S. has reinstated its sanctions on Iran after withdrawing from the controversial 2015 nuclear accord in May. These sanctions threaten to further destabilize an economy whose currency is already in free fall and which appears headed for a deep recession. Reeling from sanctions, and already inclined to aggressive and destructive malign activities both cyber and non-cyber, the desperate regime may become a more aggressive actor in both the virtual and physical worlds.
To counter the Islamic Republic’s malicious cyber activity, Washington must be prepared to impose significant costs on the leadership in Tehran and to use cyber and kinetic means to hold at risk the Islamic Republic’s most valuable assets. Simultaneously, Washington must work with its allies and the private sector to bolster defenses so that Iranian operations are less likely to succeed. While the Islamic Republic’s capabilities do not match those of China and Russia, its cyber capabilities are dangerous to U.S. national security and rapidly maturing.