U.S. government charges levied against seven Iranian hackers in March over cyber-attacks against 46 financial institutions and the infiltration of the computer control system of a New York dam has renewed concerns about Iran’s engagement in cyber-terrorism against the United States (Al Jazeera, March 25).
Those attacks date back to 2013, but there have been a range of cyber-attacks originating from Iran, of varying seriousness, targeting industrial facilities, bank websites and the personal websites of American, Israeli, and Arab officials (Gulf News, May 14, 2013; Al-Jazeera, December 18, 2009). In one of the most high-profile attacks, the so-called Iranian Cyber Army targeted Twitter in 2009, months after the microblogging site was used by anti-government activists to foment street protests following that year’s disputed presidential election (The Jerusalem Post, February 6, 2010).
Since 2009—and particularly in response to Stuxnet in 2011—Iran’s cyber-campaigns have combined a mixture of defensive and offensive strategies, and have been conducted either directly or through proxies assigned specific tasks by state actors.
Iran’s Cyber Campaigns
The primary actors are most likely a faction of the Iranian Revolutionary Guard Corps (IRGC) tasked with carrying out cyber-attacks, as well as preventing reciprocal attacks against Iran’s key institutions. They command a growing network that operates with the intent of disrupting U.S. communication and information systems, and may have been behind the alleged “takeover,” as Iran claims it, of a U.S. RQ-170 unmanned drone in northeastern Iran in December 2011 (Fars News, December 8; Al Jazeera, December 4 2012).
Through private companies, many of which have ties to the IRGC, this cyber network also aims to curtail American-led cyber-attacks, to which ends it has had —if one is to believe the IRGC-affiliated Gerdab website—considerable success (Gerdab, April 29 2012).
The second group is made up of “hacktivists” who operate as proxies with the support of the Iranian state. Their activities are limited in scope, but include defacing, trolling and other forms of anti-social internet conduct. Although the identity of most of these hackers is unknown, it is likely that many are contracted by the state through private companies such as Mersad Company (Arab News, March 24, 2016). Similarly basiji volunteers are active online, often operating as employees of companies with ties to the IRGC.
Independent hacktivist groups also exist, among them Ashiyaneh, a pro-state group that by 2010 had claimed responsibility for the hacking of 1,000 American, British and French websites (Raja News, August 30 2010; DW Persian, September 17 2010).
The third group, the so-called Iranian Cyber Army, has been active since 2005, and has grown to be the most visible, with the launch of internet attacks not only on the United States and Israel, but also Islamic State, and other Sunni militant groups such as (IRNA, July 6 2015).
The group described itself in January 2010 as a collective of volunteer hackers who “defend” Iran from its enemies (The Jerusalem Post, February 6, 2010). However, it was later claimed by Ibrahim Jabari, an IRGC commander, that the Iranian Cyber Army was created by the IRGC and represents an internet military unit tasked with “defending” against cyber-attacks (Farda News, 20 February 2011).
As well as external cyber-attacks, the Iranian Cyber Army is responsible for a campaign of proactive content production. This was an idea proposed by Reza Taqipour, who served as communications minister between 2009 and 2012, as the state-approved production of cultural and media content (Gerdab, July 4 2011). It is an attempt to ‘cancel out’ the perceived soft threat of pervasive Western media through the state-led production of media intended for domestic consumption.
A variety of actors at various public or state institutions have been involved in this campaign. They range from students and basijis to state-sponsored reporters working for news outlets such as Fars or Mehr News, with the aim of promoting media content in favor of the state.
How Tehran Views Cyber-Terrorism
The notion of “cyber-terrorism” first appeared in Iranian security discourse in the mid-2000s, when the phenomenon was limited to hacking activities, e-bombs, spyware, and viruses. One early account describes this in terms of coordinated computer-centric attacks (Aftab, November 18 2007), while another describes it in terms of legal, political, and military paradigms (Fars News, January 27, 2005). But in the main, prior to 2009, security-related internet operations were, by and large, understood as criminal activities best dealt by law enforcement.
With the disputed 2009 elections, however, which saw members of the Green Movement and others use the internet and social media to coordinate street demonstrations, cyber-terrorism emerged as an important factor in Iran’s security discourse, particularly within the intelligence agencies.
In the fall of 2009, in the wake of the elections, a number of top Iranian officials—including Ayatollah Ali Khamenei—frequently used the term “soft war” to describe anti-government internet activism. It was presented as being orchestrated from abroad by the U.S., and was compared to the “velvet revolutions” of the former Soviet Union and Eastern bloc countries (Terrorism Monitor, June 12, 2010). Soft war, as the Supreme Leader defines it, is warfare “by means of cultural tools, for the purpose of influence, for the purpose of fabrication, for the purpose of spreading rumor; with the advanced technologies of modern times,” ultimately causing “doubt in the hearts and minds of people” (Khamenei.ir November 25 2009).
The “soft war” aspect of cyber-terrorism, then, has its roots in various psychological warfare operations and disinformation tactics—the production of harmful cultural content, coordinated through foreign-controlled networks and intended to influence the beliefs, emotions, and social behaviors of ordinary people.
The second, or “hard,” form of cyber-attack includes hacking websites, conducting distributed denial-of-service (DDoS) attacks, spamming, trolling, and spreading malicious software. The main targets in these cases are state institutions or computer-dependent facilities (Jamejam Online January 26, 2011). For Tehran, this second form of cyber-terrorism has caused considerable damage and had a long-term impact on Iran’s financial, informational, and industrial institutions. In turn, the Iranian hackers who accessed the Bowman Avenue Dam in 2013 had access to information about the dam’s operations, including control of its sluice gate, which as it happens had been disconnected for maintenance at the time.
“Hard” and “Soft” Threats
Iran employs multiple actors, including internet-focused military units, or proxies with alleged links to the IRGC, to carry out its cyber-attacks. The increasing number of attempts to disrupt networks, deface websites and infiltrate U.S. institutions reflects the growing importance of digital warfare to Tehran.
Meanwhile, at the heart of Iran’s concept of cyber-terrorism is the perception of continued foreign, U.S.-led attacks aimed at regime change in Tehran. Even following the nuclear deal, Iran sees itself as a target of mainly U.S. and Israeli cyber-attacks, intended to damage institutions and undermine the country’s values, identity and social stability.
Tehran has developed multiple strategies for tackling both hard and soft cyber-threats to its own institutions, and these will continue to evolve as the digital landscape evolves and new communication technologies are developed