02/05/2026 | Press release | Archived content
Analyzing Iranian cyber doctrine and its state-sponsored hacking capabilities is essential not so much for gauging Tehran's technical skills - which today place it among the second-tier global cyber powers - as for understanding how the Islamic Republic engages with the external world. Driven by the need to suppress domestic dissent - as also became evident through the internet shutdown following the protests of January 8 - and to limit the spread of what it considers pernicious Western values, Tehran has invested in the development of a national intranet system. At the same time, the experience of sustained attacks, most notably Stuxnet, has highlighted the strategic value of developing hybrid state-hacking capabilities, both to operationalize its "forward defense" doctrine and to find alternative strategies for countering its more powerful adversaries. As seen during the war in Gaza, the Islamic Republic's cyber activities consist mostly of disruptive attacks, espionage operations and social-engineering campaigns, with the extensive use of proxies serving to preserve a certain degree of deniability.
In the early 2010s, the Islamic Republic was one of the first countries to develop a coherent national strategy for the cyber domain. To this end, Tehran established the necessary national institutions and invested in the development of the required technological and operational capabilities. Owing partly to this early institutionalization, several analysts rank Iran, alongside North Korea, at the upper end of the second tier of global cyber powers, behind only the United States, Russia, China, the United Kingdom, and Israel.
Two factors convinced Iran of the importance of developing its capabilities in the cyber domain: first, the effective use of the internet by Iranian citizens during the 2009 Green Movement protests following the re-election of Mahmoud Ahmadinejad in 2009; and second, the dramatic impact of Stuxnet, the massive cyberattack against Iran's nuclear program in 2010, widely attributed to the US and Israel. Together, these two events demonstrated the centrality of internet control in shielding the power system (nezam) from what are perceived as internal and external threats. Indeed, the experience of the 2009 Green Movement and the subsequent repression made clear to Tehran the importance of controlling the internet to pre-empt large-scale domestic dissent. It also demonstrated how this new technology could serve as a Trojan horse, not only enabling internal mobilization, but also providing a tool for influencing public debate and opinion in rival states. At the same time, the Stuxnet attack - the first known cyberattack to cause physical damage, destroying roughly one-fifth of Iran's nuclear centrifuges - exposed the extreme vulnerability of the Islamic Republic's infrastructure. This prompted its leadership to accelerate the development of its nascent cyber capabilities as a form of "forward defense".
Although the overall sophistication of Iran's cybersecurity ecosystem remains unclear, Tehran has invested substantial resources in this domain over the years. According to the Israeli think tank INSS (the Institute for National Security Studies), by 2016 Iran was spending over one billion dollars annually - a significant figure considering that the United Kingdom, one of the world's leading cyber powers, was spending around two billion dollars during the same period. The same source reports that Iran's cyber budget jumped twelvefold between 2013 and 2021, and by the early 2020s the authorities of the Islamic Republic had set the strategic goal of increasing Iran's digital economy to 10% of GDP.
At the institutional level, a key pillar of Iran's national cyber strategy is the Supreme Council of Cyberspace, established in 2012. The Council brings together the President of the Republic, the Speaker of Parliament, the head of the Islamic Republic of Iran Broadcasting, the commander of the Armed Forces, the commander of the IRGC (Islamic Revolutionary Guard Corps, pasdaran), and several ministers, including those responsible for defense and intelligence. Since its creation, the Supreme Council of Cyberspace has been responsible for planning and implementing an integrated national cyber strategy, keeping an up-to-date and comprehensive picture of internal and external cyberspace, and deciding "how to deal with the harms of the Internet". Under the Supreme Council of Cyberspace, the National Cyberspace Center coordinates overall cyber activities and is primarily concerned with online content governance and the development of domestic Internet security controls. Other institutions also play important roles, notably the National Organization for Passive Defense, responsible for the protection of the country's critical infrastructure, and FATA, the Iranian cyber police, a unit charged with both domestic repression and countering cybercrime.
Iran's military cyber strategy, however, is primarily developed within the IRGC and the Ministry of Intelligence. Within the IRGC's cyber ranks, authorities are believed to have recruited as many as 120,000 Basij cyber warriors from universities and religious schools, operating as a "proxy hacker force". In addition, the IRGC is linked to several advanced persistent threat (APT) groups, including many of the so-called "Kitten" groups. While the IRGC seems to prioritize external operations, the Ministry of Intelligence focuses predominantly on domestic surveillance while also monitoring "Iranians abroad, collecting intelligence on other governments, countering foreign intelligence plots, and work with allied intelligence agencies".
Finally, Iran also relies on a diverse ecosystem of cyber actors operating on behalf of the Iranian government. This "proxy-based approach", as will be discussed in the next section, allows the Islamic Republic to maintain a degree of deniability and to present itself as a victim at the international level.
Iran's cyber strategy has unfolded in at least three phases. The first phase (2009-11), corresponding to the early development of the country's cyber doctrine, has been described as a wake-up call. It heightened awareness of the importance of this emerging technology and prompted the formulation of the first responses, particularly those aimed at Iran's own population. The second phase (2012-18) saw the launch of cooperation with allies such as Russia and China, but above all marked the establishment of the cyber institutions meant to support the national strategy. This was also the period in which Tehran began shifting from purely defensive operations to offensive ones. Finally, the third phase (post-2019) has been characterized by a significant expansion of Iran's offensive operations, alongside the systematic mapping and prepositioning of defense-related infrastructure and other targets worldwide. Today, although Iran is not a leading player in the cyber domain, it continues to invest resources to create what some analysts have described as a "technological envelope" to protect its critical and sensitive infrastructure from cyberattacks. At the same time, the Islamic Republic sees cyberspace as an operational area in which to counter its adversaries. In a sort of digital extension of its "forward defense" doctrine, Tehran seeks to project its first line of defense beyond both its physical and digital borders. Indeed, Iran sees cyber as a cost-effective and low-risk tool for harassing its adversaries abroad. This is a tool that enables the Islamic Republic to confront enemies that are conventionally stronger while maintaining a degree of deniability. In this context, the systematic use of proxies is central, as they provide the most effective means of obscuring Iran's involvement in disruptive and sabotage operations carried out on its behalf.
Iran also employs cyber operations as a tool to ensure internal stability and suppress potential dissent. Domestic surveillance and the management of information flows within the country are two primary objectives for the Iranian deep state. As highlighted in early January, the ability to shut down the internet has become increasingly pervasive and has emerged as one of the most effective tools for suppressing dissent. For this reason, one of the main goals set by the authorities is the development of the National Information Network (NIN), a domestic intranet supported by national infrastructure. NIN aims to place the entire digital sector under national control and to disconnect the Iranian population from the global internet. The capacity to control internet access and impose "digital curfews" has already been demonstrated during previous shutdowns in response to domestic protests, and, notably, during the Twelve-Day War instigated by Israel and the protest movement that emerged between late December and early January. In this latter case, the nezam also appears to have used military-grade mobile jammers to block or slow down connections and communications. In light of these developments, Iran is believed to have accelerated its process of detachment from the global internet, allowing external access only to those who hold specific authorization. Furthermore, the 7th five-year development plan sets the goal of completing and operationalizing at least 99% of NIN within five years, starting from 2025.
The cyber operations carried out by the Islamic Republic have been - and continue to be - diverse in scope and content. Over the years, Tehran has conducted operations with significant destructive impact, as well as espionage activities and cyber information operations. The latter are primarily aimed at disseminating propaganda, exacerbating domestic divisions within rival states, and garnering support from foreign public opinion. Iran has also employed combined attacks incorporating destructive elements, espionage, and demonstrative or propagandistic actions. In some cases, these attacks have taken the form of ransomware operations.
While many of Iran's destructive cyber operations have been relatively unsophisticated and often ineffective, the Islamic Republic has nonetheless conducted high-impact operations that inflicted substantial damage on their targets. Among the most notable are the Ababil attacks (2012-13), carried out in response to Stuxnet. In this case, a large-scale DDoS campaign against 46 US financial institutions caused considerable reputational harm and significant financial costs to upgrade their defensive systems. Even more consequential was the deployment of the Shamoon malware. In 2012, Shamoon severely struck the Saudi oil company Aramco, erasing data from 30,000 computers and 10,000 servers and nearly collapsing the company's corporate information architecture. After attempts to target Qatar's natural gas authority, Shamoon reappeared on several occasions until 2018, though with less impact than in 2012.
The most aggressive attack launched by Tehran occurred in 2022 against Albania, which had granted refuge to the Mojahedin-e Khalq (MEK), an Iranian terrorist organization. In July of that year, Iranian advanced persistent threat (APT) groups shut down government services and websites. Only a month later, a second wave of attacks struck the Albanian police force's Total Information Management System (TIMS), prompting the severance of diplomatic ties with Tehran. A third wave targeted the Albanian Institute of Statistics in February 2024. In addition to causing the breakdown of diplomatic relations, the attacks on Albania were particularly significant as they represent the first destructive cyber operations conducted by Iran against a country outside the Middle East and the first against a NATO member.
Beyond these high-profile attacks, the Islamic Republic has conducted espionage operations against a range of countries and foreign companies. Successful attempts have targeted corporations and universities in the United States, the United Kingdom, Israel, and Germany, as well as international organizations such as Human Rights Watch. Tehran's espionage campaigns serve not only to exfiltrate sensitive information from different states and companies, but also as a tool for political pressure and propaganda. Particularly noteworthy is the alleged theft of documents related to Israel's nuclear program, which Iran publicized during the Twelve-Day War. Additionally, Iran conducts social engineering campaigns through numerous news websites and social media platforms. These campaigns are primarily propagandistic, aiming to project a positive image of Iran in contrast to the West. Furthermore, Tehran also seeks to sow discord among and between its adversaries. Repeated attempts to influence US elections, or to undermine confidence in their integrity, fully illustrate this approach. Social engineering campaigns were also employed by Iranian proxies and Tehran's APTs during the conflict that erupted on 7 October in Israel-Palestine.
In sum, although Iran does not rank among the world's leading cyber powers, it possesses a comprehensive strategy and a diverse set of actions, which can also be employed in combination. Its use of the cyber domain to pursue its "forward defense" doctrine and to strengthen internal security has driven substantial investment in this area. While Iran may not yet rival the major cyber powers, its capabilities should not be underestimated: they have repeatedly proven operational effectiveness and continue to constitute a significant factor in regional and global cyber dynamics.