The Iran cyber threat: Breaking down attack tactics

The Iran cyber threat often comes last when mentioned alongside the other so-called “CRINK” attackers: China, Russia, and North Korea. But the risk posed by the country is growing fast, evolving from simple website defacement to attacks on critical national infrastructure (CNI) and, more recently, significant US election interference.

In August, US intelligence officials confirmed that Iran was behind a hack of Donald Trump’s presidential campaign. In a joint statement, the FBI, the Office of the Director of National Intelligence, and the Cybersecurity and Infrastructure Security Agency (CISA) said Iranians used social engineering to breach individuals with “direct access to the presidential campaigns of both political parties”.

It’s no surprise, therefore, that in September, the New York Times called Iran a “top disinformation threat” in the US, blaming the country for “a flurry of hacks and fake websites” intended to discredit American democracy and “possibly tip the race”.

Taking this into account, how big is the threat from Iran and its affiliates – and how does this impact your business?

Iran cyber threat: Brief timeline

The attacks on the Trump campaign are not the first time Iran has been implicated in high-profile cyber-attacks. Some of the earliest offensive Iranian cyber activities were a result of the June 2009 Iranian presidential election, which faced allegations of fraud and led to widespread protests.

“The contested election spurred the rise of the opposition Green Movement, which was targeted by a group calling itself the Iranian Cyber Army – who unleashed web defacement attacks on pro-green online content,” Ian Thornton-Trump, CISO at Cyjax, explains.

In 2016, it was revealed the Iranian Cyber Army's activities were overseen by the Islamic Revolutionary Guard Corps (IRGC), a multi-service primary branch of the Iranian Armed Forces.

Earlier, in 2010, Iran was itself a victim of a now infamous state-sponsored attack. Thought to have been perpetrated by the US and Israel, the Stuxnet worm targeted the SCADA-based systems underlying CNI. The attack hit centrifuges in an Iranian nuclear plant, derailing the country’s program for years.

In 2012, US intelligence services linked Iran with malware targeting CNI, the Shamoon worm. An attack against Saudi Arabia’s national oil company Saudi Aramco marked a “significant milestone” in cyber warfare efforts within the region, with Philip Ingram, a former colonel in British military intelligence, describing Shamoon as “a destructive wiper that caused substantial damage”.

Iran cyber threat: Rising significance

Since then, Iran has emerged as a “significant player in the cyber arena,” Ingram tells ITPro. He says Iran is “not quite top tier like Russia and China” but is still “a good solid second tier player”.

The IRGC is at the forefront of Iran's cyber warfare efforts, employing sophisticated tactics that include ransomware, malware and backdoors to target critical infrastructure and sensitive data. “Its focus is primarily the Middle East including Israel and Saudi Arabia, as well as US and UK interests,” Ingram adds.

Thornton-Trump calls Iran the “Swiss army knife of cyber capabilities,” noting the nation has evolved more quickly than Russia and China “likely due to training and support from the two countries”.

In February 2024, Microsoft identified hackers affiliated with the IRGC using generative AI to assist in social engineering, troubleshooting software errors, and evading detection in compromised networks. Microsoft provided detailed instances of Iran’s AI-assisted cyber activities, emphasizing the need to expose these early attempts before attack strategies could improve.

“The Iranians are constantly developing and improving cyber capabilities and are now – in my opinion – at peer capability with Russia and China,” Thornton-Trump warns.

Prominent Iranian threat groups

Prominent Iranian threat groups are almost all state-sponsored, says Jovana Macakanja, CTI editorial analyst at Cyjax. She cites the example of Imperial Kitten, formed in 2017, with some of its earliest reported activities targeting US veterans looking for jobs through malicious websites. “The group’s main motivation is information gathering for the purpose of cyber-espionage,” says Macakanja.

APT33 also gained infamy in 2017 due to large-scale attacks against the US and Saudi Arabian aerospace and energy sectors – although the group has been active since at least 2013. The motivation behind the group's attacks is information gathering, says Macakanja. “It steals information, which often includes intellectual property and personally identifiable information, to further the aims of the Iranian state.”

APT42 is an Iranian state-sponsored threat group which dates back to 2015. “APT42 specializes in highly targeted spear-phishing with heavily socially-engineered attacks designed to subvert specific targets for surveillance,” says Ken Dunham, director, cyber threat, Qualys Threat Research Unit.

APT42 performs “extensive operations” including using false identities on social media platforms to interact with a target to collect data, Dunham says.

Suspected Iranian threat groups use a wide range of tactics for initial access, including phishing, social engineering and vulnerability exploitation, says Aleksandar Milenkoski, senior threat researcher, SentinelLabs.

For example, APT42 engages in “extensive correspondence” with targeted organizations or individuals to “establish trust and build rapport” before initiating malicious activities, Milenkoski says. “These groups use various communication methods, including email and instant messaging platforms such as WhatsApp.”

The future of the Iran cyber threat

The threat from Iran-backed groups is real and businesses across multiple sectors will need to factor it into their approach alongside the threat posed by other nations. Any organization with sensitive information is considered a fair target – especially if affiliated with the political process, says Adam Darrah, vice president of intelligence at ZeroFox.

With this in mind, he advises businesses to strengthen their cyber threat intelligence and ensure they have adequate patch management for vulnerabilities and backup strategies.

Additional resources such as the CISA advisories on nation state threats are regularly updated and can augment internal programs, Darrah adds. “Because these groups are often targeting sensitive information, businesses should ensure their data is always backed up to secure, off-site, or cloud servers – and that this is done regularly.”

Many Iranian threat groups aim to gather stolen credentials on the dark web and infiltrate email accounts to gather data and conduct further malicious activity, says Macakanja. Preventing these initial access attempts is “key to protecting organizations from further malicious activity such as the deployment of malware, including backdoors and information stealers,” she says.

Phishing and spear-phishing are the main routes used by these groups to gain access to credentials and email accounts, says Macakanja. “Users can mitigate these threats by having an acute awareness of common phishing tactics.”

As part of this, she advises verifying the source of emails containing a link or attachment and checking official websites for legitimate phone numbers and contact email addresses. “Implementing multi-factor authentication (MFA) and using strong, unique passwords can also help mitigate the chances of account compromise.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.