The Iran Threat Brief

This special report captures insights into the capabilities and intent of the Islamic Republic of Iran, with a special focus on the cyber domain. Our objective: provide insights that are actionable for business and government leaders seeking to mitigate risks through informed decisions.


Iran is undemocratic, with power centered in a Supreme Leader (Ali Khamenei). A President exists but has little power compared to the Supreme Leader. 

Iran Military:

The Armed Forces of the Islamic Republic of Iran total about 500,000. They are a regional force that includes a strong Navy capable of causing chaos in the Persian Gulf and potentially shutting down the supply of oil from the region. 

Iran Geopolitical Objectives and Actions:

The officially stated goal of the government of Iran is to establish a new world order based on world peace, global collective security, and justice. The reality is that Iran is a strong supporter of extreme violence, terrorism and diplomatic bullying and seeks to dominate as much of the middle east as possible. 

Tehran has publicly stated they want to preserve the Joint Comprehensive Plan of Action (JCPOA) and convince other nations to force the US back into the agreement. Iran expects China, the EU, France, Germany, Russia, and the United Kingdom—to honor their commitments. Iran’s implementation of the JCPOA has extended the amount of time Iran would need to produce enough fissile material for a nuclear weapon from a few months to about one year, provided Iran continues to adhere to the deal’s major provisions. The JCPOA has also enhanced the transparency of Iran’s nuclear activities, mainly by fostering improved access to Iranian nuclear facilities for the IAEA and its investigative authorities under the Additional Protocol to its Comprehensive Safeguards Agreement.

Iran’s ballistic missile programs give it the potential to hold targets at risk across the region, and Tehran already has the largest inventory of ballistic missiles in the Middle East. Tehran’s desire to deter the United States might drive it to field an ICBM. Progress on Iran’s space program, such as the launch of the Simorgh SLV in July 2017, could shorten a pathway to an ICBM because space launch vehicles use similar technologies.

Iran will seek to expand its influence in Iraq, Syria, and Yemen, where it sees conflicts generally trending in Tehran’s favor, and it will exploit the fight against ISIS to solidify partnerships and translate its battlefield gains into political, security, and economic agreements.

  • Iran’s support for the Popular Mobilization Committee (PMC) and Shia militants remains the primary threat to US personnel in Iraq. We assess that this threat will increase as the threat from ISIS recedes, especially given calls from some Iranian-backed groups for the United States to withdraw and growing tension between Iran and the United States.
  • In Syria, Iran is working to consolidate its influence while trying to prevent US forces from gaining a foothold. Iranian-backed forces are seizing routes and border crossings to secure the Iraq-Syria border and deploying proregime elements and Iraqi allies to the area. Iran’s retaliatory missile strikes on ISIS targets in Syria following ISIS attacks in Tehran in June were probably intended in part to send a message to the United States and its allies about Iran’s improving military capabilities. Iran is pursuing permanent military bases in Syria and probably wants to maintain a network of Shia foreign fighters in Syria to counter future threats to Iran. Iran also seeks economic deals with Damascus, including deals on telecommunications, mining, and electric power repairs.
  • In Yemen, Iran’s support to the Huthis further escalates the conflict and poses a serious threat to US partners and interests in the region. Iran continues to provide support that enables Huthi attacks against shipping near the Bab al Mandeb Strait and land-based targets deep inside Saudi Arabia and the UAE, such as the 4 November and 19 December ballistic missile attacks on Riyadh and an attempted 3 December cruise missile attack on an unfinished nuclear reactor in Abu Dhabi.Iran will develop military capabilities that threaten US forces and US allies in the region, and its unsafe and unprofessional interactions will pose a risk to US Navy operations in the Persian Gulf.
  • Iran continues to develop and improve a range of new military capabilities to target US and allied military assets in the region, including armed UAVs, ballistic missiles, advanced naval mines, unmanned explosive boats, submarines and advanced torpedoes, and antishipand land-attack cruise missiles. Iran has the largest ballistic missile force in the Middle East and can strike targets up to 2,000 kilometers from Iran’s borders. Russia’s delivery of the SA-20c SAM system in 2016 has provided Iran with its most advanced long-range air defense system.
  • Islamic Revolutionary Guard Corps (IRGC) Navy forces operating aggressively in the Persian Gulf and Strait of Hormuz pose a risk to the US Navy. Most IRGC interactions with US ships are professional, but as of mid-October, the Navy had recorded 14 instances of what it describes as “unsafe and/or unprofessional” interactions with Iranian forces during 2017, the most recent interaction occurring last August, when an unarmed Iranian drone flew close to the aircraft carrier USS Nimitz as fighter jets landed at night. The Navy recorded 36 such incidents in 2016 and 22 in 2015. Most involved the IRGC Navy. We assess that these interactions, although less frequent, will continue and that they are probably intended to project an image of strength and, possibly, to gauge US responses.

Iranian centrist and hardline politicians increasingly will clash as they attempt to implement competing visions for Iran’s future. This contest will be a key driver in determining whether Iran changes its behavior in ways favorable to US interests.

  • Centrists led by President Hasan Ruhani will continue to advocate greater social progress, privatization, and more global integration, while hardliners will view this agenda as a threat to their political and economic interests and to Iran’s revolutionary and Islamic character.
  • Supreme Leader Ali Khamenei’s views are closer to those of the hardliners, but he has supported some of Ruhani’s efforts to engage Western countries and to promote economic growth. The Iranian economy’s prospects—still driven heavily by petroleum revenue—will depend on reforms to attract investment, strengthen privatization, and grow nonoil industries, which Ruhani will continue pursuing, much to the dismay of hardliners. National protests over economic grievances in Iran earlier this year have drawn more attention to the need for major reforms, but Ruhani and his critics are likely to use the protests to advance their political agendas.
  • Khamenei has experienced health problems in the past few years, and, in an effort to preserve his legacy, he probably opposes moving Iran toward greater political and economic openness. As their relationship has deteriorated since the presidential election last June, Ruhani has tried to mend relations with Khamenei as well as his allies, but, in doing so, he risks failing to make progress on reforms in the near-term.

The Iranian Cyber Threat:

The US Intelligence Community’s annual threat assessment considers Iran one of the four greatest cyber threats to the United States, with the others being China, Russia and the DPRK. 

Iran will very likely continue to work to penetrate US and Allied networks for espionage and to position itself for potential future cyber attacks. Most espionage is going to be directed against Middle Eastern adversaries, especially Saudi Arabia and Israel, however Tehran views cyber espionage and cyber attacks as a versatile tool to respond to perceived provcations. Iran’s cyber attacks against Saudi Arabia in late 2016 and 2017 involved data deletion and destruction of computers on multiple networks across multiple organizations in both government and the private sector. 

Economic and Industrial Espionage Threat against the US and US  Companies:

Iran was singled out by the National Counterintelligence and Security Center as one of the top three most capable nations at conducting cyber espionage (the other two being China and Russia, and DPRK being a close forth). Iran maintains a very well resourced capability and will continue to target sensitive U.S. economic information and technologies through cyberspace. 

Iranian cyber activities are often focused on Middle Eastern adversaries, such as Saudi Arabia and Israel; however, in 2017 Iran also targeted U.S. networks. A subset of this Iranian cyber activity aggressively targeted U.S. technologies with high value to the Iranian government. The loss of sensitive information and technologies not only presents a significant threat to U.S. national security. It also enables Tehran to develop advanced technologies to boost domestic economic growth, modernize its military forces, and increase its foreign sales. Examples of recent Iranian cyber activities include the following:

  • The Iranian hacker group Rocket Kitten consistently targets U.S. defense firms, likely enabling Tehran to improve its already robust missile and space programs with proprietary and sensitive U.S. military technology.
  • Iranian hackers target U.S. aerospace and civil aviation firms by using various website exploitation, spearphishing, credential harvesting, and social engineering techniques.
  • The OilRig hacker group, which historically focuses on Saudi Arabia, has increased its targeting of U.S. financial institutions and information technology companies.
  • The Iranian hacker group APT33 has targeted energy sector companies as part of Iran’s national priorities for improving its petrochemical production and technology.
  • Iranian hackers have targeted U.S. academic institutions, stealing valuable intellectual property and data.

We believe that Iran will continue working to penetrate U.S. networks for economic or industrial espionage purposes. Iran’s economy—still driven heavily by petroleum revenue—will depend on growth in non oil industries and we expect Iran will continue to exploit cyberspace to gain advantages in these industries. Iran will remain committed to using its cyber capabilities to attain key economic goals, primarily by continuing to steal intellectual property, in an effort to narrow the science and technology gap between Iran and Western countries.

Recent cases of note: In July 2017, Iranian nationals Mohammed Reza Rezakhah and Mohammed Saeed Ajily were charged with hacking into U.S. software companies, stealing their proprietary software, and selling the stolen software to Iranian universities, military and government entities, and other buyers outside of the United States.

In November 2017, Iranian national Behzad Mesri was charged with allegedly hacking HBO’s corporate systems, stealing intellectual property and proprietary data, to include scripts and plot summaries for unaired episodes. Mesri had previously hacked computer systems for the Iranian military and has been a member of an Iran-based hacking group called the Turk Black Hat security team.

In March 2018, nine Iranian hackers associated with the Mabna Institute were charged with stealing intellectual property from more than 144 U.S. universities which spent approximately $3.4 billion to procure and access the data. The data was stolen at the behest of Iran’s Islamic Revolutionary Guard Corps and used to benefit the government of Iran and other Iranian customers, including Iranian universities. Mabna Institute actors also targeted and compromised 36 U.S. businesses.

Overall Assessment:

Iran will use all instruments of national power, including information and cyber means, to seek advantage. 

Our Recommendations:

Raise your defenses against cyber crime. There are many things that businesses can do that make it harder to have secrets stolen, and most of these things are low cost.  Kick start your actions with our list of best practices, available here:

Current Intelligence On The Iranian Cyber Threat

Cyberwar predictions for 2019: The stakes have been raised

January 1, 2019

Before the internet era, geopolitical tensions drove traditional espionage, and periodically erupted into warfare. Nowadays, cyberspace not only houses a treasure-trove of commercially and politically sensitive information, but can also provide access to control systems for critical civil and military infrastructure. It’s therefore no surprise to find nation-state cyber activity high on… Read more

The Most Dangerous People on the Internet in 2018

December 31, 2018

This year thankfully avoided any world-breaking ransomware attacks like NotPetya. It even had some small victories, like GitHub beating back the biggest DDoS attack in history. Still, online threats are manifold, lurking and evolving, making the internet a more hostile place than ever. The biggest threats online continued to mirror the biggest threats in… Read more

Shamoon 3 Attacks Targeted Several Sectors

December 18, 2018

New details have emerged about the recent Shamoon 3 attacks, including information on several malware samples, targets in additional sectors, and some links to threat groups believed to be operating out of Iran. Several new samples of the notorious Shamoon malware emerged recently. While initially researchers could not say who had been… Read more

Iran Hackers Hunt Nuke Workers, US Officials

December 14, 2018

As U.S. President Donald Trump re-imposed harsh economic sanctions on Iran last month, hackers scrambled to break into personal emails of American officials tasked with enforcing them, The Associated Press has found — another sign of how deeply cyberespionage is embedded into the fabric of U.S.-Iranian relations. The AP drew… Read more

Why Microsoft is fighting to stop a cyber world war

December 13, 2018

Two days last year finally woke the world up to the dangers of cyberwarfare, according to Microsoft’s President Brad Smith: 12 May and 26 June. On 12 May the WannaCry ransomware attack created havoc by encrypting PCs across the world and costing billions to repair the damage. Just over a month later… Read more

Iran-Based Hackers Indicted in March Cyberattack on Atlanta

December 6, 2018

A U.S. grand jury indicted two Iranian nationals over claims they carried out a March ransomware attack against the city of Atlanta, crippling its computer systems and causing millions of dollars in losses. Faramarz Shahi Savandi and Mohammed Mehdi Shah Mansouri used ransomware known as SamSam to infect about 3,789… Read more

2019 Security And Defence Predictions

November 30, 2018

It’s the time of the year for cybersecurity predictions. This time, Suzanne Spaulding, former DHS Under Secretary and Nozomi Networks advisor believes that in 2019, provides her insights. The things that have been holding back Russia, China, North Korea and Iran from a critical infrastructure attack on the U.S. could… Read more

Federal Indictments in SamSam Ransomware Campaign

November 29, 2018

Two men — Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, both of Iran — have been indicted in a criminal conspiracy around the creation and distribution of the SamSam ransomware campaign. The indictment, unsealed today, was handed down by a federal grand jury in New Jersey. According… Read more

Meaner, more violent Stuxnet variant reportedly hit Iran

November 5, 2018

Stuxnet allegedly has a vicious little brother, or perhaps it is a malicious cousin; the complex malware was likened to being similar to Stuxnet but “more violent, more advanced and more sophisticated.” Iran, according to the Times of Israel, admitted that its “infrastructure and strategic networks” were hit by a meaner,… Read more

Unconfirmed Reports: New Cyber Attacks Hitting Iran

November 4, 2018

This report highlights that all should be prepared when major geopolitical events occur. Attacks, actions and re-actions in the phyiscal world are known to directly result in actions in cyberspace. We should also point out that when big players like nations attack each other companies and even individuals can at… Read more

These are the hackers targeting the US midterm election

October 11, 2018

The intelligence community and cybersecurity experts are in lockstep agreement that elections in the U.S. remain vulnerable to hacking and influence campaigns, like efforts deployed by Russia in 2016. But they warn that the threat from a broader range of diverse actors is also growing, posing a unique challenge for governments and corporations around the world. These… Read more

Cyber defence: We’ll hack back at attackers, says US

September 21, 2018

The military must be prepared to disrupt hacking attacks before they reach US computer networks, according to a new strategic vision from the Pentagon. The Department of Defence (DoD) has updated its cyber strategy for the first time since 2015, advocating a more aggressive approach than the previous document. Perhaps most controversially,… Read more

‘Domestic Kitten’ Mobile Spyware Campaign Aims at Iranian Targets

September 10, 2018

A mobile spyware campaign against mainly Iranian citizens has been spotted. The operation is dubbed Domestic Kitten by Check Point researchers — “kitten” to follow common APT nomenclature for Iranian groups and “domestic” because they believe the group is affiliated with the Iranian government, targeting Iranian citizens. The campaign mainly… Read more

Iran-Supported Influence Operations Bigger Than We Thought

August 30, 2018

Reuters is reporting that the Iranian influence operations targeting internet users worldwide are much larger than previously thought. We have all been watching revelations on the threat. As background see: Iran cited as growing threat in cybersecurity landscape Following Facebook and Twitter, Google Targets Iranian Influence Operation and Iranian Hackers… Read more

Following Facebook and Twitter, Google Targets Iranian Influence Operation

August 27, 2018

In the wake of influence-campaign takedowns by Facebook and Twitter, Google has issued a report detailing its own efforts to root out foreign influence operatives allegedly tied to an Iranian state-run media broadcaster. The news comes as President Donald Trump appeared to tweet in opposition to the efforts of the… Read more

Iranian Hackers Charged in March Are Still Actively Phishing Universities

August 27, 2018

An Iranian hacking group has continued its phishing operations undeterred by indictments from the US Department of Justice. The group’s name is Cobalt Dickens or Silent Librarian. In March 2018, the US DOJ charged nine hackers it believed were behind the group’s activity. The nine were charged with carrying out cyber-attacks against… Read more

Twitter Announces Action Against Probable Iranian and Russian State Sponsored Propaganda Accounts

August 21, 2018

Twitter announced it has shut down 284 accounts that have been engaging in coordinated information warfare activities. Many of these accounts originated in Iran. They indicated they have been working with other companies and relevant law enforcement entities. These these accounts are probably part of the same activities discussed by… Read more

Facebook Announces Action Against Russian and Iranian Information Warfare

August 21, 2018

More firms are recognizing that closed nations like Russia, China, Iran and DPRK will seek to leverage their platforms to conduct their information operations campaign. Facebook has been struggling with what to do with hostile actors use of their platforms and is increasingly acting to take down malicious deceptive content… Read more

Iran cited as growing threat in cybersecurity landscape

August 8, 2018

In the new Accenture Cyber Threatscape Report 2018, Iran is cited as an emerging player in the cyberattack space. The cybersecurity firm’s iDefense threat intelligence team says it has seen a “significant” uptick in not only cyberattacks but also cyberespionage campaigns launched by hackers in the country. During the first half of… Read more

Iranian Hacker Group Waging Widespread Espionage Campaign in Middle East

July 26, 2018

Leafminer, a threat actor that appears to be operating out of Iran, is conducting a wide-ranging cyber espionage campaign against organizations in the Middle East using a mix of publicly available tools and custom malware. While the group’s technical capabilities are average at best in comparison to other advanced persistent… Read more

David Sanger Writes The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age

June 25, 2018

David Sanger has established himself as on of the top cyber journalists in the nation. His latest work, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age, provides a critically important update on the rapid progress of cyber war and belongs on the bookshelf of every cyber defender.… Read more

Can Russian hackers be stopped? Here’s why it might take 20 years

June 18, 2018

In the spring of 2015, faced with external cyberattacks on the US of increasing frequency and severity, President Obama declared a national emergency to deal with this “unusual and extraordinary threat to the national security, foreign policy, and economy” of the country. Since then the national emergency has been extended three times,… Read more

Iran likely to retaliate with cyberattacks after nuclear deal collapse

May 10, 2018

Iran is likely to respond with cyberattacks against Western businesses in response to the Trump administration’s withdrawal from the nuclear deal, cybersecurity experts say. New research suggests attacks could come “within months, if not faster,” according to security firm Recorded Future. The research paints a detailed picture of how Iran uses… Read more

SynAck Ransomware Gets Dangerous ‘Doppleganging’ Feature

May 8, 2018

The authors of the SynAck ransomware family appear to have found a way to make the malware considerably more dangerous for enterprises. Kaspersky Lab this week reported discovering a new version of SynAck that uses a very sophisticated technique called Process Doppelganging to try and evade anti-malware tools. In an… Read more

Cisco security: Russia, Iran switches hit by attackers who leave US flag on screens

April 9, 2018

Hackers on Friday attacked vulnerable Cisco switches at data centers in Russia and Iran, leaving an image of the US flag and the message: “Don’t mess with our elections”. Cisco last month released a patch for a critical vulnerability affecting Smart Install software. However, the Friday attacks exploited a Smart… Read more

Iran ‘the New China’ as a Pervasive Nation-State Hacking Threat

April 5, 2018

Of the four new advanced persistent threat (APT) groups christened by FireEye last year, three were out of Iran. Mandiant, the incident response services arm of FireEye, witnessed a major increase in nation-state hacking activity by Iranian attackers in 2017, especially on the cyber espionage side of things. Iranian groups… Read more

Destructive and False Flag Cyberattacks to Escalate

March 29, 2018

Olympic Destroyer. NotPetya. Bad Rabbit. OilRig. These disruptive and in most cases destructive cyberattacks were just the beginning. Geopolitical tensions typically map with an uptick in nation-state cyberattacks, and security experts are gearing up for more aggressive and damaging attacks to ensue against the US and its allies in the… Read more

The Case for Integrating Physical Security & Cybersecurity

March 21, 2018

Early last year in “Grizzly Steppe and Carbanak: The Dangers of Miscalculation in Cyberspace,” TruSTAR researchers outlined the overlap of tactics, techniques, and procedures (TTP) between Russian state organizations and criminal organizations like the Carbanak hacking group. They found that Carbanak and attacks attributed to Russian state security agencies were utilizing… Read more

Latvian mobile operator invites cyber attackers to have a go

March 12, 2018

Mobile telecommunications services in Latvia, a small republic on the frontier between the European Union and the old Soviet Union, may already have been the target of a cyber attack in August 2017. Now Latvijas Mobilais Telefons (LMT), the country’s largest mobile operator, is inviting would-be belligerents to test their… Read more

Chafer: Hacking group expands espionage operation with new attacks

March 2, 2018

A hacking operation has expanded its operations taking advantage of new tools to attack organisations across the Middle East for the purposes of surveillance and intelligence gathering. Targets are mostly working in telecoms and transport and their surrounding supply chains – with IT software, payroll, aircraft services and engineering firms… Read more

What has the Necurs botnet been up to?

January 22, 2018

The Necurs botnet has been slowly growing since late 2012 and still tops the list of largest spam botnets in the world. Since then, the botnet has occasionally stopped or temporarily minimized the sending out of spam but has returned in full force. It’s difficult to say precisely, but the latest information… Read more

Another Cyberattack Spotted Targeting Mideast Critical Infrastructure Organizations

December 20, 2017

Damaging attacks from second and third-tier nation-state threat actors – especially in the Middle East – could become more of a pressing issue for enterprises next year if a couple of recent incidents are any indication. Days after FireEye reported a recent attack where a likely nation-state actor disrupted operations at a… Read more

TRITON Attacker Disrupts ICS Operations, While Botching Attempt to Cause Physical Damage

December 15, 2017

Cyberattacks that cause physical damage to critical infrastructure—like the Stuxnet campaign that destroyed nearly 1,000 centrifuges at an Iranian uranium enrichment facility in 2010—have been relatively rare because of how difficult they are to carry out. That may be changing. A threat actor with possible nation-state backing recently disrupted operations… Read more

These 5 geopolitical flashpoints could push oil prices up

October 26, 2017

Two volatile situations may increase the price of oil in the near future. Escalating tensions between Iraqi forces and the Kurdistan Regional Government could disrupt oil supplies and decrease crude exports, while the U.S. decertification of the Iran nuclear deal could lead to renewed sanctions. Meanwhile, three other petrostates—Libya, Nigeria… Read more

These three geopolitical risks could impact oil markets in the near future

October 5, 2017

Three geopolitical risks could seriously impact the oil market sometime in October, according to market watchers. They say investors should be wary of the budding independence movement in the Iraqi region of Kurdistan, the possibility that the U.S. could nullify the nuclear deal with Iran, and the ongoing crisis in… Read more

Get ready for cyber-terrorism, courtesy of the Islamic State

July 21, 2017

Read Chris Allen on the threat posed by a cyber-armed Islamic State: [The Islamic State] is unlikely to ignore cyber for long and several prominent terrorism authorities argue “It is no longer a matter of if cyber-terror will emerge, but when”.  States have demonstrated that they can bring down power… Read more

Dick Cheney on the state of global security and the biggest threats to trade

March 28, 2017

An elevated terror threat. An increasingly assertive China and Russia. The nuclear threat posed by North Korea and Iran. The current combination of global threats makes for a tense security situation, the most challenging since World War II, according to Dick Cheney. The former Vice President is particularly concerned by… Read more