
Editor's Note: This assessment is the first of a two-part series exploring Iran's intensifying cyber operations against the West.
Iran's cyber strategy against the West is becoming increasingly focused and aggressive, though Iran's intentions currently outpace its capabilities. Iran's risk tolerance toward the United States will likely remain high if former U.S. President Donald Trump is reelected in November, whereas the election of U.S. Vice President Kamala Harris may offer a slim chance for resumed Western dialogue, which could lead Iran to reevaluate its risk appetite. Recent reports from U.S. intelligence and law enforcement agencies, as well as independent cybersecurity researchers, have alleged that Iran's most recent efforts to influence the 2024 U.S. election in November have emerged as a threat on par with Russian efforts. In particular, the Office of the Director of National Intelligence (ODNI) warned on July 9 that Iran is becoming increasingly aggressive and ambitious in its disinformation efforts. However, Iran's election influence operations are just one component of its broader cyber strategy against the West, which comprises five broad pillars: influence operations, anti-Israel campaigns, efforts to disrupt targets' normal operations, espionage, and efforts to silence criticism of the Iranian regime.
Iran's cyber strategy against the West is driven by its broader national security strategy that uses various cyber means to apply disruptive pressure to adversaries in ways that fall short of military confrontation and provide a layer of plausible deniability to avoid escalation and deter overt retaliation. Iranian leadership, guided by distrust of Western intentions, sees cyber operations as a way to level the playing field, disrupt Western economic and political systems, and deter overt reprisals. Iran's national security strategy views the United States and its allies as adversaries who have historically sought to undermine Iranian sovereignty through various means, including sanctions, military pressure and diplomatic isolation. As a result, Iran's cyber operations are defined by the current state of its relations with the West and are largely shaped by what it views as U.S. and Western attempts at suppression. Cyberspace is a particularly attractive option for Iranian retaliation as it often provides at least some level of plausible deniability. This is because attribution for cyberattacks is often difficult to prove with complete certainty. Iranian cyber actors will also often include some element of hacktivism to obscure links to the Iranian government by pretending to be operating as an independent actor. Additionally, cyberspace enables Iran to carry out lower-level operations (compared with more escalatory military options that run the risk of causing casualties and/or physical harm), which — combined with the aspect of plausible deniability — helps Iran keep an upper limit on escalation with the West. As such, cyber operations enable Iran to retaliate against perceived threats, collect intelligence and exert influence (such as through operations targeting the U.S. election and efforts to shape pro-Palestinian protests) without engaging in direct military confrontation.
- In a July 9 press release, the ODNI also detailed Iranian efforts to exploit U.S. political tensions over the ongoing Gaza war, including providing direct financial support to pro-Palestinian protesters in the United States, and encouraging such protests by having Iranian hackers pose as activists online.
Influence Operations Targeting the U.S. Election
Increasingly aggressive Iranian influence operations targeting the U.S. presidential election will likely only intensify in the coming weeks as Iran attempts to disparage the Trump campaign and sow chaos, though the same heightened intensity of Iranian influence efforts is unlikely to persist through non-election periods. On Aug. 19, a joint statement from the ODNI, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the Iranian state-backed cyber group Charming Kitten had hacked Trump's presidential campaign, corroborating what the Trump campaign first alleged on Aug. 10. The joint statement also cited Iranian attempts to hack Harris' campaign, along with Iranian influence operations targeting the American public and increasingly aggressive Iranian cyber activity intended to influence the U.S. election process. The Trump campaign hack marked Iran's first successful breach of a U.S. presidential campaign, but Iran's other recent cyber tactics — including spreading disinformation and carrying out spear-phishing social engineering attacks — largely mirror its past U.S. election-related operations, albeit with somewhat greater capability. Iran's latest attempts to influence the U.S. election also demonstrate a shift from its efforts earlier in the election cycle, showcasing a more targeted and focused campaign as opposed to acting as an agent of chaos. Because of Trump's highly vocal desire to pursue a more hard-line approach to Iran, the U.S. election provides a salient opportunity for Iran to shape the election in its favor and avoid further escalation in tensions with the West, which Iranian leadership perceives as a probable outcome in the event of a second Trump presidency.
The high stakes of the election from Iran's perspective, coupled with the fact that many undecided American voters make up their minds only in the final weeks or days of the campaign, mean that Iranian influence efforts will likely escalate in the final stretch before election day on Nov. 5. However, in non-election periods, while Iran will still carry out some level of influence operations to support its strategic agenda, such as supporting pro-Palestinian protesters, such campaigns will not be as frequent or sophisticated, as Iranian leadership is more likely to devote its cyber resources to supporting its myriad other ongoing cyber operations.
- On Aug. 9, Microsoft released a report on Iranian targeting of the U.S. election through various means, including AI-enhanced disinformation campaigns and spear-phishing attempts against presidential campaigns. While U.S. intelligence agencies had only weeks before described Iran as acting as an agent of chaos in its influence activities targeting the U.S. election, the Microsoft report noted a marked shift in Iranian operations to favor one candidate over the other by disparaging the Trump campaign while spreading content more favorable to the Harris campaign (and formerly the Biden-Harris campaign). The report also claimed that some Iranian groups may go as far as doxxing, intimidation and incitement of violence in efforts to influence the U.S. election, underscoring just how far Iran is willing to go in terms of more aggressive targeting.
- On Aug. 12, The Washington Post reported that the phishing emails to the Trump campaign were sent to officials from longtime Republican and Trump adviser Roger Stone's email account. On Aug. 13, CNN reported that the Iranian hackers had compromised Stone's email and then used his account to "try to break into the account of a senior Trump campaign official."
- In addition to spear-phishing, Iranian actors have carried out an array of influence operations targeting the 2024 U.S. presidential election, including impersonations of political activists and dissemination of content on emotionally charged issues such as racial tensions, economic disparities, LGBTQ+ rights and gender issues. Beyond disinformation and spear-phishing, Iran has also attempted to use physical means to more directly impact the U.S. election, including by allegedly providing some level of support for a plot to assassinate Trump, as well as organizing and financially supporting pro-Palestinian protests — a key issue in the election cycle.
Anti-Israel Campaigns Against the West
As long as the Israel-Hamas war persists, and likely still thereafter, Iran will continue to frequently and aggressively target Israeli-linked entities as part of its broader pressure campaign against Israel, posing risks of potential operational disruptions and reputational threats to targeted entities. The goal of Iran's operations is to promote its anti-Israeli sentiments and cause disruptions to targets that support Israel, which Tehran views as an enemy not only of Iran but of Islam. Since the outbreak of the Israel-Hamas war on Oct. 7, Iran has conducted a long list of cyberattacks directly against Israeli entities using tactics ranging from pseudo-hacktivist activity with low-level distributed-denial-of-service attacks and website defacements, to more aggressive attempts to disrupt critical infrastructure. In its attacks against the West, Iran has prioritized targeting organizations with ties to Israel or those that operate Israeli-made technologies, in addition to directly supporting pro-Palestinian protests and social movements. For example, on Nov. 25, a cyber actor affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), operating under the persona Cyber Av3ngers, carried out an attack on the Municipal Water Authority of Aliquippa in Pennsylvania, gaining control of a pumping device that regulates water pressure for over 7,000 people. Once the device was compromised, operators were forced to resort to manual operations. The Municipal Water Authority of Aliquippa also reportedly saw its computer screens defaced with an image that read "You have been hacked. Down with Israel. Every equipment 'made in Israel' is a Cyber Av3ngers legal target." In December 2023, Cyber Av3ngers also targeted a water utility in western Ireland that used Israeli-made equipment. The attack resulted in a two-day water outage for around 8,000 people. Devices used by a water company in Romania and a factory in the Czech Republic, as well as a brewery control system in the U.S. city of Pittsburgh and a system controlling mineral water drinking fountains in the Czech Republic, were also compromised. As the West, and the United States in particular, continues to support Israel, Iran will keep targeting Western organizations with ties to Israel, resulting in heightened risks of disruptions from Iranian-backed cyber threat actors throughout the duration of the conflict in Gaza. In their bids for the U.S. presidency, both Harris and Trump have expressed overt support for Israel, and Israeli President Benjamin Netanyahu as recently as Sept. 5 stated "there is not a deal in the making" in reference to a cease-fire and hostage deal in Gaza. A lack of progress on such negotiations and persistent U.S. support for Israel will incentivize Iran to maintain its ongoing campaign in response to Western actions in support of Israel. Even if there is an eventual cease-fire, Iran's broader and increasingly overt conflict with Israel will likely incentivize Tehran to sustain a high tempo of aggressive attacks against a wide array of Israeli targets.
- In response to the attack on the Municipal Water Authority of Aliquippa, the FBI and partners released in December 2023 a joint advisory on IRGC-affiliated cyber actors operating under the persona Cyber Av3ngers, saying this group has been actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs), which are commonly used in water and wastewater systems, as well as systems used in the energy, healthcare and food and beverage sectors.
- A December 2023 report from U.S.-Israeli cybersecurity firm Check Point examined Iranian hacktivist proxies opportunistically targeting U.S. entities that use Israeli technology, claiming a narrative of retaliation for the war in Gaza by simultaneously victimizing both the United States and Israel. In addition to Cyber Av3ngers, the report highlights hacktivist groups likely affiliated with Iran, including Haghjoan (which defaced the websites of a number of U.S. organizations and also claims to have leaked their data), CyberToufan (which claims to have breached U.S.-based Berkshire eSupply for its use of Israeli IT infrastructure), and YareGomnam (a pro-Iranian hacktivist group claiming to have carried out cyberattacks on U.S. infrastructure, including pipeline and electrical systems, and allegedly hacking CCTV cameras at more than 50 U.S. airports).
In the second part of this assessment, we explore Iran's attempts to steal information, silence critics, and disrupt Western critical infrastructure and organizations via damaging cyberattacks and espionage campaigns.