The Iran Threat Brief

This special report captures insights into the capabilities and intent of the Islamic Republic of Iran, with a special focus on the cyber domain. Our objective: provide insights that are actionable for business and government leaders seeking to mitigate risks through informed decisions. This report will be dynamically updated so we encourage you to bookmark it for future reference.

Important note: This report is strategic and is important to periodically review for background context. For more operational insights be sure you are subscribed to the OODA Daily Pulse.

Background:

Iran is undemocratic, with power centered in a Supreme Leader (Ali Khamenei). According to the Economist Intelligence Unit, the country has a democracy score of 2.45 out of a possible 10 points, making it 150th out of 167 countries ranked. The country holds presidential elections every four years, but the office holds little power compared to the Supreme Leader.

The Intelligence Community articulates the overall objectives of Iran as: Iran will continue to threaten U.S. interests as it tries to erode U.S. influence in the Middle East, entrench its influence and project power in neighboring states, and minimize threats to regime stability. Tehran will try to leverage its expanding nuclear program, proxy and partner forces, diplomacy, and military sales and acquisitions to advance its goals. The Iranian regime sees itself as locked in an existential struggle with the United States and its regional allies, while it pursues its longstanding ambitions for regional leadership.

Business executives, as well as others, should be wary of travel to Iran and exercise extreme caution while there. Doing business with Iran can create severe legal trouble, at the level of the individual and of the company, with most Western nations. Even without travel to Iran, there are risks individual and corporate risks, with increasing cyber threats.

Iran Military:

The Armed Forces of the Islamic Republic of Iran total about 500,000. They are a regional force that includes a strong Navy capable of causing chaos in the Persian Gulf and potentially shutting down the supply of oil from the region.

The Islamic Revolutionary Guard Corps (IRGC) is an elite branch of Iran’s Armed Forces, numbering around 120,000 and founded after the 1979 Revolution. In 2019, it was since been designated by the U.S. Government as a Foreign Terrorist Organization.

In terms of weapons of mass distruction, the country has capabilities across a number of domains. The country possesses the largest arsenal of ballistic missiles in the region and, according to the Worldwide Threat Assessment, the US “determined in 2018 that Iran is in noncompliance with its obligations under the Chemical Weapons Convention (CWC).” This includes concerns “that Iran is developing agents intended to incapacitate for offensive purposes and did not declare all of its traditional CW agent capabilities when it ratified the CWC.” In terms of nuclear capabilities, however, adherence to the “Nuclear Deal” has extended the estimated time for it to produce enough fission material for a nuclear device, if it were to resume production, from a few months to one year.

We should also point out that with the 20 June 2019 shootdown of a Predator Drone and the decision by the U.S. to not immediately strike back, it may be changing the calculus of the Iranian regime regarding attacking other unmanned systems, including space based systems. This makes review of the threat to space systems important. For more on that topic, OODA members should review: What Business Needs To Know About The Threats To Space 

On January 3, 2020, Iran’s Qassem Suleimani, head of the Islamic Revolutionary Guard Corps Quds Force (IRCG-QF) was killed by a US drone strike. Response to this will likely include cyber attacks. This is the topic of another OODA Special Report.

 

Iran Geopolitical Objectives and Actions:

The officially goal of the government of Iran is to establish a new world order based on world peace, global collective security, and justice. The reality is that Iran is a strong supporter of extremist violence, terrorism and diplomatic bullying, as it seeks to dominate the Middle East.

Tehran has publicly stated they want to preserve the Joint Comprehensive Plan of Action (JCPOA) and convince other nations to force the US back into the agreement. Iran expects China, the EU, France, Germany, Russia, and the United Kingdom—to honor their commitments. The JCPOA has succeeded in improving the transparency of Iran’s nuclear activities, mainly by fostering improved access to Iranian nuclear facilities for the IAEA and its investigative authorities under the Additional Protocol to its Comprehensive Safeguards Agreement.

Iran’s ballistic missile programs give it the potential to hold targets at risk across the region, and Tehran already has the largest inventory of ballistic missiles in the Middle East. Tehran’s desire to deter the United States could drive it to field an ICBM. Progress on Iran’s space program, such as the launch of the Simorgh SLV in July 2017, could shorten a pathway to an ICBM because space launch vehicles use similar technologies.

Iran will seek to expand its influence in Iraq, Syria, and Yemen, where it sees conflicts generally trending in Tehran’s favor. It also successfully exploited the fight against ISIS to solidify partnerships and translate its battlefield gains into political, security, and economic agreements.

  • Iran’s support for the Popular Mobilization Committee (PMC) and Shia militants remains the primary threat to US personnel in Iraq. We assess that this threat will increase as the threat from ISIS recedes, especially given calls from some Iranian-backed groups for the United States to withdraw and growing tension between Iran and the United States.
  • In Syria, Iran is working to consolidate its influence while trying to prevent US forces from gaining a foothold. Iranian-backed forces are seizing routes and border crossings to secure the Iraq-Syria border and deploying proregime elements and Iraqi allies to the area. Iran’s retaliatory missile strikes on ISIS targets in Syria following ISIS attacks in Tehran in June were probably intended in part to send a message to the United States and its allies about Iran’s improving military capabilities. Iran is pursuing permanent military bases in Syria and probably wants to maintain a network of Shia foreign fighters in Syria to counter future threats to Iran. Iran also seeks economic deals with Damascus, including deals on telecommunications, mining, and electric power repairs.
  • In Yemen, Iran’s support to the Huthis further escalates the conflict and poses a serious threat to US partners and interests in the region. Iran continues to provide support that enables Huthi attacks against shipping near the Bab al Mandeb Strait and land-based targets deep inside Saudi Arabia and the UAE, such as the 4 November and 19 December ballistic missile attacks on Riyadh and an attempted 3 December cruise missile attack on an unfinished nuclear reactor in Abu Dhabi.Iran will develop military capabilities that threaten US forces and US allies in the region, and its unsafe and unprofessional interactions will pose a risk to US Navy operations in the Persian Gulf.
  • Iran continues to develop and improve a range of new military capabilities to target US and allied military assets in the region, including armed UAVs, ballistic missiles, advanced naval mines, unmanned explosive boats, submarines and advanced torpedoes, and antishipand land-attack cruise missiles. Iran has the largest ballistic missile force in the Middle East and can strike targets up to 2,000 kilometers from Iran’s borders. Russia’s delivery of the SA-20c SAM system in 2016 has provided Iran with its most advanced long-range air defense system.
  • Islamic Revolutionary Guard Corps (IRGC) Navy forces operating aggressively in the Persian Gulf and Strait of Hormuz pose a risk to the US Navy. Most IRGC interactions with US ships are professional, but as of mid-October, the Navy had recorded 14 instances of what it describes as “unsafe and/or unprofessional” interactions with Iranian forces during 2017, the most recent interaction occurring last August, when an unarmed Iranian drone flew close to the aircraft carrier USS Nimitz as fighter jets landed at night. The Navy recorded 36 such incidents in 2016 and 22 in 2015. Most involved the IRGC Navy. We assess that these interactions, although less frequent, will continue and that they are probably intended to project an image of strength and, possibly, to gauge US responses.

Iranian centrist and hardline politicians increasingly will clash as they attempt to implement competing visions for Iran’s future. This contest will be a key driver in determining whether Iran changes its behavior in ways favorable to US interests.

  • Centrists led by President Hasan Ruhani will continue to advocate greater social progress, privatization, and more global integration, while hardliners will view this agenda as a threat to their political and economic interests and to Iran’s revolutionary and Islamic character.
  • Supreme Leader Ali Khamenei’s views are closer to those of the hardliners, but he has supported some of Ruhani’s efforts to engage Western countries and to promote economic growth. The Iranian economy’s prospects—still driven heavily by petroleum revenue—will depend on reforms to attract investment, strengthen privatization, and grow non-oil industries, which Ruhani will continue pursuing, much to the dismay of hardliners. National protests over economic grievances in Iran earlier this year have drawn more attention to the need for major reforms, but Ruhani and his critics are likely to use the protests to advance their political agendas.
  • Khamenei has experienced health problems in the past few years, and, in an effort to preserve his legacy, he probably opposes moving Iran toward greater political and economic openness. As their relationship has deteriorated since the presidential election last June, Ruhani has tried to mend relations with Khamenei as well as his allies, but, in doing so, he risks failing to make progress on reforms in the near-term.

The Iranian Cyber Threat:

The US Intelligence Community’s annual threat assessment considers Iran one of the four greatest cyber threats to the United States, with the others being China, Russia and the DPRK.

Iran will very likely continue to work to penetrate US and Allied networks for espionage and to position itself for potential future cyber attacks. Most espionage is going to be directed against Middle Eastern adversaries, especially Saudi Arabia and Israel. However, Tehran views cyber espionage and cyber attacks as a versatile tool to respond to perceived provocations. Iran’s cyber attacks against Saudi Arabia in late 2016 and 2017 involved data deletion and destruction of computers on multiple networks across multiple organizations in both government and the private sector.

A key entity in Iran responsible for cyber war is called “The Cyber Defense Command”, which stood up in 2010. It officially works under the country’s “Passive Civil Defense Organization” in the Iranian Armed Forces. The government is known to contract out many cyber attack functions including development of exploits and sometimes operational attacks.

Iran figured prominently in the report of the Cyberspace Solarium Commission. They described the cyber threat from Iran in this way:

Iran uses cyber operations to undermine the U.S. deter- rent posture and network of alliances in the Middle East. In place of a nuclear deterrent, Tehran relies on the threat of cyber intrusions, proxy groups, terrorists, and ballistic missiles to hold other states at risk. Iranian cyber operations focus on the commercial networks of energy and finance entities of particular importance to the global economy. They leverage the inherent difficulties of coordinating cyber defenses between public and private partnerships and sovereign states. Unless it faces a more robust deterrent, Iran will continue to view cyber operations as a low-cost means of ensuring regime survival and achieving regional goals.

Like other autocratic states, Iran is becoming a digital authoritarian. Groups linked to the Iranian regime turn to cyberspace to suppress dissidents and undermine democratic institutions around the world. These operations harass activists at home and abroad. Like Russia, Iran even extends its cyber-enabled political warfare campaign to the free media and electoral institutions. Iranian groups have been caught using fake social media accounts to spread disinformation and attempting to hack the 2020 U.S. presidential campaigns.

 

Some famous attacks believed to be run by Iran include:

  • 2012: Saudi Aramco attacks by Shamoon variants which destroyed data, networks and endpoints.
  • 2012: Believed to have been behind attacks on US Banks
  • 2013: DoJ levies charges against seven Iranians for cyber attack against banks and a dam in New York.
  • August 2014: An IDF official told press in that Iran has launched numerous significant attacks against Israel’s Internet infrastructure.
  • 31 March 2015: Iranian hackers, possibly Iranian Cyber Army pushed a massive power outage for 12 hours in 44 of 81 provinces of Turkey, holding 40 million people. Istanbul and Ankara were among the places suffering blackout.
  • June 2017: The Daily Telegraph reported that intelligence officials concluded that Iran was responsible for a cyberattack on the British Parliament lasting 12 hours that compromised around 90 email accounts of MPs. The motive for the attack is unknown but experts suggested that the Islamic Revolutionary Guard Corps could be using cyberwarfare to undermine the Iran nuclear deal
  • 2018: Shamoon 2 hits an Italian oil services company, taking hundreds of servers and computers offline.
  • 2019: APT39, an Iranian-linked group, is implicated in a widespread cyber espionage campaign targeting the personal information of citizens in the United States and Middle East and striving to establish a foothold, escalate privileges, and conduct reconnaissance in support of future operations.

 

Economic and Industrial Espionage Threat against the US and US  Companies:

Iran was singled out by the National Counterintelligence and Security Center as one of the top three most capable nations at conducting cyber espionage (the other two being China and Russia, and DPRK being a close forth). Iran maintains a very well resourced capability and will continue to target sensitive U.S. economic information and technologies through cyberspace.

Iranian cyber activities are often focused on Middle Eastern adversaries, such as Saudi Arabia and Israel; however, in 2017 Iran also targeted U.S. networks. A subset of this Iranian cyber activity aggressively targeted U.S. technologies with high value to the Iranian government. The loss of sensitive information and technologies not only presents a significant threat to U.S. national security. It also enables Tehran to develop advanced technologies to boost domestic economic growth, modernize its military forces, and increase its foreign sales. Examples of recent Iranian cyber activities include the following:

  • The Iranian hacker group Rocket Kitten consistently targets U.S. defense firms, likely enabling Tehran to improve its already robust missile and space programs with proprietary and sensitive U.S. military technology.
  • Iranian hackers target U.S. aerospace and civil aviation firms by using various website exploitation, spearphishing, credential harvesting, and social engineering techniques.
  • The OilRig hacker group, which historically focuses on Saudi Arabia, has increased its targeting of U.S. financial institutions and information technology companies.
  • The Iranian hacker group APT33 has targeted energy sector companies as part of Iran’s national priorities for improving its petrochemical production and technology.
  • Iranian hackers have targeted U.S. academic institutions, stealing valuable intellectual property and data.

We believe that Iran will continue working to penetrate U.S. networks for economic or industrial espionage purposes. Iran’s economy—still driven heavily by petroleum revenue—will depend on growth in non-oil industries and we expect Iran will continue to exploit cyberspace to gain advantages in these industries. Iran will remain committed to using its cyber capabilities to attain key economic goals, primarily by continuing to steal intellectual property, in an effort to narrow the science and technology gap between Iran and Western countries.

Recent cases: In July 2017, Iranian nationals Mohammed Reza Rezakhah and Mohammed Saeed Ajily were charged with hacking into U.S. software companies, stealing their proprietary software, and selling the stolen software to Iranian universities, military and government entities, and other buyers outside of the United States.

In November 2017, Iranian national Behzad Mesri was charged with allegedly hacking HBO’s corporate systems, stealing intellectual property and proprietary data, to include scripts and plot summaries for unaired episodes. Mesri had previously hacked computer systems for the Iranian military and has been a member of an Iran-based hacking group called the Turk Black Hat security team.

In March 2018, nine Iranian hackers associated with the Mabna Institute were charged with stealing intellectual property from more than 144 U.S. universities which spent approximately $3.4 billion to procure and access the data. The data was stolen at the behest of Iran’s Islamic Revolutionary Guard Corps and used to benefit the government of Iran and other Iranian customers, including Iranian universities. Mabna Institute actors also targeted and compromised 36 U.S. businesses.

Overall Assessment:

Iran will use all instruments of national power, including information and cyber means, to seek competitive advantag in its struggle for regional dominance.

Our Recommendations:

Avoid all business with Iran and companies associated with Iran, including companies embedded in supply chains. Consider a review of your supply chain to evaluate any potential use of any other firm that does business with Iran and take steps to reduce your risks.

Raise your defenses against cybercrime. Businesses can implement many best practices to protect against cyber attacks and information theft. Most of these best practices are low cost. Kick-start your actions with our list of best practices, available at Best Practices and Lessons Learned From Years In The Cyber Fight

For more on the growing threat the Iran poses to space systems see our special report on: The Challenges of Security of Space Systems

For other special reports and country studies see the OODA Network Resources page.