Iran's Cyber Capabilities

Stuxnet as Catalyst

Iran's cyber capabilities were born from vulnerability. The Stuxnet attack in 2010 demonstrated that Iran's critical infrastructure could be destroyed by code — a humiliating revelation for a regime that prided itself on self-sufficiency. The Supreme Leader responded by establishing the Supreme Council of Cyberspace and dramatically increasing investment in offensive and defensive cyber capabilities.

Within a few years, Iran had developed from a cyber novice into what US intelligence agencies ranked as one of the top five cyber threats globally, alongside Russia, China, North Korea, and non-state criminal groups. The transformation was rapid but uneven — Iran's capabilities are sophisticated in some domains (destructive malware, influence operations) and less developed in others (zero-day exploit development, hardware implants).

Iran's cyber program operates through a combination of state agencies (the IRGC's cyber command, the intelligence ministry) and outsourced contractor groups that provide deniability. Groups tracked by cybersecurity firms under names like APT33, APT34, APT35, and MuddyWater conduct espionage and destructive operations against targets in the Gulf states, Israel, the United States, and Europe.

Offensive Operations Abroad

Iran's most significant offensive cyber operations have targeted critical infrastructure and strategic adversaries.

In 2012, the Shamoon malware wiped data from over 30,000 computers at Saudi Aramco, the world's most valuable company, replacing files with an image of a burning American flag. The attack demonstrated Iran's willingness to target economic infrastructure. A second wave of Shamoon attacks hit Saudi targets in 2016-2017.

Iranian hackers have conducted espionage operations against US defense contractors, universities, and government agencies. In 2018, the US Department of Justice indicted nine Iranians linked to the Mabna Institute for stealing $3.4 billion worth of intellectual property from 144 US universities and 176 universities in 21 other countries.

Iran has also deployed cyber capabilities for influence operations. During the 2020 US presidential election, Iranian actors sent threatening emails to voters while impersonating the Proud Boys, and breached a US municipal election website. These operations were less sophisticated than Russia's but showed growing ambition in information warfare.

The National Information Network and Domestic Control

Iran's cyber capabilities face inward as well as outward. The regime has built one of the world's most extensive internet censorship and surveillance systems, second perhaps only to China's Great Firewall.

The centerpiece is the National Information Network (NIN, or 'Shoma'), a project to create a domestic intranet that can be isolated from the global internet at the regime's command. During the 2019 fuel price protests and the 2022 Mahsa Amini protests, authorities imposed near-total internet shutdowns lasting days or weeks — cutting tens of millions of Iranians off from the outside world.

The regime also deploys deep packet inspection to monitor and throttle specific applications (Instagram, WhatsApp, Telegram, and VPNs), employs a network of paid cyber monitors to track social media activity, and uses mobile phone data to identify and locate protesters. Iranians have become sophisticated users of VPNs and encrypted messaging — an arms race between citizens seeking information and a state determined to control it.

The economic cost of internet shutdowns is substantial — one estimate put the cost of the 2019 shutdown at $1.5 billion. The regime has judged this an acceptable price for political control, a calculation that reveals how existential it considers the threat of an informed, connected citizenry.