
Editor's Note: This assessment is the second installment of a two-part series exploring Iran's intensifying cyber operations against the West. In the first part, we examined Iran's attempts to sway the upcoming U.S. presidential election and heighten anti-Israel sentiments via online influence campaigns and cyberattacks.
Disruptive Activities
Compared with China and even Russia, Iranian cyber operations often embrace a higher risk tolerance to cause operational impediments for critical infrastructure entities and other Western organizations. If former U.S. President Donald Trump is reelected in November, Iran will double down on its aggressive cyber operations, whereas U.S. Vice President Kamala Harris' election would offer at least a narrow opportunity for disruptive activity to lessen. Iran's higher risk tolerance is steeped in the regime's pervasive hostility toward the West and its desire to upend the Western-led global and specifically regional order, leveraging cyber as a way to maximize retaliation short of more escalatory measures. China and Russia share elements of this worldview, but comparatively Russia has generally reserved its most aggressive cyber campaigns for non-Western theaters, such as Ukraine, while China has largely prioritized espionage over disruption. To this end, there have been numerous incidents of Iranian-backed groups targeting Western water systems and other critical infrastructure that use Israeli technology, but Iranian attacks on water systems have been a tactic within its disruptive cyber strategy for years. For example, a 2016 U.S. indictment highlighted Iranian attempts to gain entry into a U.S. dam and, in 2021, leaked documents from Iran's Islamic Revolutionary Guard Corps (IRGC) revealed that Iran had been conducting research on how to carry out destructive cyberattacks on the commercial shipping industry and fuel pumps. Iranian cyber threat actors have also incorporated ransomware into their cyber arsenals in efforts to cause disruptions. For example, in November 2021, the U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), along with the Australian Cyber Security Centre (ACSC) and the United Kingdom's National Cyber Security Centre (NCSC), issued a joint alert warning that an Iranian threat actor was deploying ransomware attacks against U.S. and Australian organizations. The alert served as one of several reports at the time highlighting that Iranian threat actors were increasingly using ransomware in their attacks — a tactic that has continued to the present day. Recent evidence also suggests Iran collaborates with ransomware gangs to leverage out-of-house tools and obfuscate origins. Iran's desire to utilize ransomware, particularly from affiliates offering ransomware as a service (RaaS), indicates that Iran is taking advantage of existing, external tools to carry out disruptive activity, underscoring that Tehran's intent to cause disruption is likely higher than its capabilities or resources. Nonetheless, Iran will continue to co-opt such tools to overcome hurdles in developing more sophisticated capabilities on its own, particularly in the event of a second Trump presidency, which would likely result in more strong-arm U.S. policy against Iran and thwart any hopes of sanctions relief or dialogue on a nuclear deal with the West. However, newly elected Iranian President Masoud Pezeshkian's focus on addressing the country's economic woes does involve aspirations to secure sanctions relief. Though this is an unlikely prospect in the near term, there is more potential for progress if Harris is elected U.S. president. In the low-likelihood scenario that engagement with the United States were to occur, Iran may be less likely to pursue disruptive cyberattacks against the West for fear of upending progress in improving relations or prompting a reintroduction of sanctions.
- An Aug. 27 joint advisory from CISA, the FBI and the U.S. Defense Department's Cyber Crime Center found that as recently as August 2024, Iranian state-backed group Pioneer Kitten had targeted, in large volumes, education, finance, healthcare and defense sector organizations and government entities in the United States, Israel, Azerbaijan and the United Arab Emirates in operations combining intelligence collection and more disruptive efforts. According to the report, a large portion of these campaigns were designed to "obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware," locking victim networks and working with ransomware gangs to strategize on extortion tactics. While the initial intrusion may have been espionage-oriented, the group's decision to then deploy ransomware is likely motivated by an intent to cause disruption and harm, as well as embarrassment, to the targeted entities.
Intelligence Collection
Iran's cyber strategy will also persist in its efforts to collect intelligence related to its national security and conduct corporate espionage to foster its own domestic industries, both of which threaten Western companies in sensitive industries. Iranian state-backed actors frequently target sectors such as aerospace, aviation and defense in foreign countries, driven by numerous motives. First, Iran seeks to collect intelligence on neighboring countries' and adversaries' defense capabilities to best plan for escalatory scenarios. Espionage on these industries, as well as on the satellite, communications equipment and government sectors, also helps Iran collect intelligence to carry out its own offensive cyberattacks, for example by identifying which specific technologies various organizations use and where potential vulnerabilities lie. Additionally, espionage against these sectors is part of Iran's attempts to steal technology and trade secrets to develop its own capabilities. Such espionage could enable Iran to access cutting-edge capabilities in its defense systems, further enhancing the military threat that Iran and its proxies pose to the region, including by enabling Iran to pressure Western businesses with regional operations, thereby raising the stakes of potential Western involvement in regional conflicts. Espionage targeting Western defense or related sectors — such as satellite communications, aerospace, nuclear power, chemical, manufacturing or other critical industry sectors — will likely intensify during periods of heightened tensions with the West, key diplomatic initiatives and crises with Western militaries. Beyond defense sectors, corporate espionage by Iranian threat actors threatens a loss of intellectual property, trade secrets or other proprietary products or information from targeted Western organizations.
In the likely scenario that Iranian economic woes continue as the country faces subsisting sanctions, corporate espionage will remain a key component of Iran's cyber strategy against the West, targeting Western technologies to boost domestic economic growth and increase foreign sales, in conjunction with campaigns intended to modernize military forces.
- A Microsoft report published in September 2023 found that Iranian nation-state threat actor Peach Sandstorm had successfully compromised dozens of entities globally, exfiltrating data from targeted organizations in the satellite, defense and pharmaceutical sectors. The campaign began in February 2023, targeting thousands of organizations with password spray attacks, in which attackers try a single known or commonly used password against a long list of usernames rather than many passwords against one account, which keeps per-account failures low enough to avoid lockouts.
- A 2018 report from the U.S. National Counterintelligence and Security Center on foreign economic espionage in cyberspace cited numerous examples of Iranian actors hacking into U.S. networks for the purpose of stealing proprietary software, intellectual property and other data for use for Iranian universities, military and government entities. Notable examples include hacks on energy sector companies for the purpose of improving Iranian petrochemical production and technology, breaches of U.S. academic institutions, and a campaign against HBO's corporate systems, as well as attacks on biotechnology, environmental protection, high-end manufacturing and IT industries.
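The password spray technique described in the Peach Sandstorm bullet above has a recognizable detection signature: one source address produces failed logins against many distinct accounts, with only one or a few failures per account, which is the opposite shape from a classic brute-force attempt against a single account. The following is an added example of that detection logic, written for this page rather than taken from the Microsoft report or any vendor tool. The log format, the source addresses and the account names are all constructed for illustration; a real deployment would parse its own identity provider's sign-in logs instead.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# 203.0.113.7 sprays one password across many accounts, then lands on "frank".
# 198.51.100.4 hammers a single account ("gina"), i.e. classic brute force.
# 192.0.2.9 is ordinary user noise: one typo, then a successful login.
SAMPLE_LOG = """\
2024-02-01T09:00:01Z auth result=FAIL user=alice src=203.0.113.7
2024-02-01T09:00:05Z auth result=FAIL user=bob src=203.0.113.7
2024-02-01T09:00:09Z auth result=FAIL user=carol src=203.0.113.7
2024-02-01T09:00:14Z auth result=FAIL user=dave src=203.0.113.7
2024-02-01T09:00:20Z auth result=FAIL user=erin src=203.0.113.7
2024-02-01T09:00:25Z auth result=SUCCESS user=frank src=203.0.113.7
2024-02-01T09:01:00Z auth result=FAIL user=gina src=198.51.100.4
2024-02-01T09:01:03Z auth result=FAIL user=gina src=198.51.100.4
2024-02-01T09:01:07Z auth result=FAIL user=gina src=198.51.100.4
2024-02-01T09:01:11Z auth result=FAIL user=gina src=198.51.100.4
2024-02-01T09:01:15Z auth result=FAIL user=gina src=198.51.100.4
2024-02-01T09:02:00Z auth result=FAIL user=henry src=192.0.2.9
2024-02-01T09:30:00Z auth result=SUCCESS user=henry src=192.0.2.9
"""

# Hypothetical log line layout assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log lines into (timestamp, result, user, src) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_password_spray(text, window=timedelta(minutes=10), min_users=5):
    """Flag sources whose failed logins hit >= min_users distinct accounts within window.

    Returns {src: {"users": [accounts sprayed], "success_after_spray": user or None}}.
    A success from a flagged source after the spray is the highest-priority signal,
    since it usually means the sprayed password matched one account.
    """
    recent_fails = defaultdict(deque)  # src -> deque of (ts, user) within window
    alerts = {}
    for ts, result, user, src in parse_events(text):
        q = recent_fails[src]
        if result == "FAIL":
            q.append((ts, user))
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= min_users:
            entry = alerts.setdefault(src, {"users": set(), "success_after_spray": None})
            entry["users"] |= distinct
        if result == "SUCCESS" and src in alerts and alerts[src]["success_after_spray"] is None:
            alerts[src]["success_after_spray"] = user
    return {
        s: {"users": sorted(v["users"]), "success_after_spray": v["success_after_spray"]}
        for s, v in alerts.items()
    }


def detect_brute_force(text, window=timedelta(minutes=10), min_fails=5):
    """Contrast rule: flag (src, user) pairs with >= min_fails failures in window.

    Password spray deliberately stays below this per-account threshold, which is
    why a lockout policy alone does not catch it.
    """
    recent = defaultdict(deque)  # (src, user) -> deque of failure timestamps
    flagged = {}
    for ts, result, user, src in parse_events(text):
        if result != "FAIL":
            continue
        q = recent[(src, user)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= min_fails:
            flagged[(src, user)] = len(q)
    return flagged


if __name__ == "__main__":
    print("spray:", detect_password_spray(SAMPLE_LOG))
    print("brute force:", detect_brute_force(SAMPLE_LOG))
```

Running this over the constructed log flags 203.0.113.7 as a spray source with a subsequent success on "frank", while 198.51.100.4 is caught only by the brute-force rule and 192.0.2.9 by neither. The two rules are complementary: the per-account lockout logic that stops brute force is exactly what a spray is shaped to evade, so the per-source distinct-account count is the one to alert on.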
Efforts to Silence Critics
Finally, Iran will persist in carrying out espionage against dissidents and critics abroad via spyware, doxxing and harassment, posing physical safety risks for targeted individuals. Iranian espionage also includes an element of spying on dissidents, along with certain journalists, NGOs and others abroad, in efforts to silence criticism of the regime. Such campaigns include the use of spear-phishing tactics to obtain access to email accounts or messenger services, spyware, and other information-stealing malware. Information obtained in these campaigns helps inform Iranian cyber spies of individuals' whereabouts or builds a pattern-of-life analysis used to doxx and harass individuals in attempts to silence criticism or enable physical attacks. Iranian efforts to silence critics through intimidation and harassment target both dissident expatriates and citizens of other countries, such as journalists. Among many other incidents, in January 2023, a leaked audio file published by the Voice of America Farsi service revealed Iranian government officials threatening an Iranian activist living in France, saying that if she did not stop acting against the regime, her parents and other family members would be imprisoned. In other cases, Western authorities have uncovered plots to kidnap or even kill journalists and other individuals living in places like the United States and the United Kingdom whom Tehran sees as enemies of the regime. Despite new Iranian President Pezeshkian's more moderate stances, security policy will continue to be set by the hard-line IRGC, meaning Iran's targeting of dissidents abroad will persist as a pillar of its cyber strategy against the West.
Even on the off chance that the prospect of resumed negotiations with the West prompts Iranian leadership to reassess its risk calculus, dissidents are still likely to be victims of Iranian espionage, though Iran remains unlikely to conduct actual assassinations on Western soil for fear of further harming prospects of improved relations and prompting further Western action against Iran. Instead, Iran may attempt to use digital targeting and pattern-of-life analysis to lure targets out of Western countries into third countries for the purpose of kidnapping. Iran previously opted for this tactic in October 2020 by luring Ruhollah Zam, who ran a dissident media outlet, out of France and into Iraq, where he was captured and subsequently executed.
- In September 2021, the U.S. government announced sanctions and charges against several members of Iranian intelligence services for alleged plots to kidnap a U.S. journalist and human rights activist from New York City. The perpetrators had conducted surveillance on the target to identify travel routes, personal residences, and other key information for carrying out the planned abduction. The statement also noted Iranian targeting of dissidents not only in the United States but also in the United Kingdom, Canada and the United Arab Emirates as part of a widespread campaign to silence critics.
- On Aug. 10, 2023, the German domestic intelligence agency issued a statement warning that Iranian dissidents living in Germany may be targeted by Iran-backed cyberespionage group Charming Kitten. The following day, New Zealand's domestic intelligence agency warned that the Iranian government had engaged in "societal interference" by "monitoring and providing reporting on Iranian communities and dissident groups" in New Zealand. The report noted that while such activity has historically been low in New Zealand, intelligence agencies perceived a heightened threat due to Iran's "increasingly aggressive behavior internationally."