
Iran’s cyber capabilities and hackers

In recent years, Iran has significantly expanded its cyber capabilities and is using them aggressively against Western states. These measures include a variety of attacks ranging from data theft to destructive cyberattacks. Iran’s cyber strategy reflects the country’s broader approach to asymmetric warfare and demonstrates how Tehran uses its limited resources to achieve significant impact.

Background and basics of Iranian cyber capabilities

Iranian hacking activities are far-reaching and affect many different areas. The motivation behind these activities can be seen in geopolitical and security objectives. Iranian hackers, often on behalf of or with the support of the state, pursue the goal of collecting sensitive information, destabilizing the enemy and gaining geopolitical advantages.

Iran began its journey into cyber warfare in response to damaging attacks against itself. A significant event was the Stuxnet attack in 2010, in which malware sabotaged the centrifuges at the Natanz nuclear facility and significantly delayed Iran’s nuclear program. Other attacks such as the Flame malware and the cyber repression against the Green Movement in 2009 made it clear to Tehran that it needed its own cyber capabilities.

The Iranian cyber strategy is highly structured and based on a multi-layered approach, using a combination of government-led organizations and private contractors to conduct offensive cyber operations. This setup allows for flexibility and efficiency while ensuring government control and ideological alignment.

Motivation

Iran has a long history of tensions with Western countries, particularly the US and Israel. These tensions often manifest themselves in cyberattacks aimed at undermining the West’s influence and strengthening Iran’s geopolitical position. One example is the attempt to influence negotiations on Iran’s nuclear program through cyberattacks on US and European targets. These attacks are not only used to gather information, but also to intimidate and destabilize political opponents.

Iranian players at a glance

The main actors behind Iranian cyberattacks are often linked to the Islamic Revolutionary Guard Corps (IRGC) and the Iranian Ministry of Intelligence and Security (MOIS). These organizations use a network of private companies and academic institutions to carry out their cyber activities. These “cyber managers” work according to requirements and objectives set by the Iranian security services and subcontract them to various contractors.

One prominent example is the “Charming Kitten” group, which specializes in cyber espionage. This group and other similar actors often use phishing and other social engineering techniques to gain access to sensitive information. In addition, targeted attacks have also been carried out against Iranian dissidents and opposition groups abroad.

Who is Who

Islamic Revolutionary Guard Corps (IRGC)

The IRGC is Iran’s leading security organization and plays a central role in the country’s cyber operations. The IRGC has its own cyber department, which is responsible for both defensive and offensive operations. It also manages the “Khaybar Center for Information Technology”, a facility responsible for carrying out international cyber attacks.

Ministry of Intelligence and Security (MOIS)

The MOIS is also heavily involved in cyber operations and works closely with various private and academic institutions to achieve its goals. These institutions often act as front organizations that allow the MOIS to disguise its activities.

Khaybar Center for Information Technology

This facility was established in 2011 and has played a key role in conducting cyberattacks against targets in the US, Saudi Arabia and Turkey. The center is an important part of the IRGC’s cyber infrastructure and serves as a base for many offensive operations.

Overview of Iranian hacker groups and the state bodies behind them in detail

Iran has developed a complex network of hacker groups that are supported and coordinated by various state organizations. These groups carry out cyber operations ranging from espionage and data exfiltration to destructive attacks. The main state actors behind these hacker groups are the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS). By using a mix of state control and decentralized contractors, Iran can continuously improve its cyber capabilities and respond flexibly to new threats.

Important Iranian hacker groups

  1. Charming Kitten (APT35):
    This group is known for its extensive phishing campaigns and targeted cyberattacks against political, military and commercial targets. Charming Kitten uses social engineering techniques to gain access to sensitive information and specializes in spying on dissidents and Western targets.
  2. Elfin (APT33):
    The Elfin group is known for its attacks on critical infrastructure, particularly in the energy and aviation sectors. It uses advanced techniques such as spear phishing and DNS hijacking to compromise networks and steal data. Elfin mainly targets Saudi Arabia, the US and other Western countries.
  3. MuddyWater (APT34):
    MuddyWater conducts extensive espionage operations, often targeting telecommunications companies, government agencies and energy companies. The group is known for its data exfiltration capabilities and the use of customized malware.
  4. OilRig (APT34):
    OilRig is another major hacker group that specializes in phishing and malware distribution. Their attacks often target IT and financial services companies as well as government organizations in Israel and other countries.
  5. Ashiyane Digital Security Team:
    This group is one of the oldest and best-known hacker groups in Iran. It is known for its defacements and DDoS attacks on various websites and often works on behalf of the IRGC.

State organizations behind the hacker groups

  1. Islamic Revolutionary Guard Corps (IRGC):
    The IRGC is the main actor behind many Iranian cyber operations. It runs the Electronic Warfare and Cyber Defense Organization, which is responsible for offensive cyber operations. The IRGC recruits and coordinates a large number of hacker groups and provides them with resources and technical support. It also uses intermediaries to place orders with various hacker groups and cover their tracks.
  2. Ministry of Intelligence and Security (MOIS):
    The MOIS is another important state organization that manages and coordinates cyber operations. It uses private Iranian companies and academic institutions to carry out cyberattacks. This decentralized structure enables the MOIS to respond flexibly and efficiently to various threats.
  3. Basij militias:
    The Basij, a paramilitary organization under the control of the IRGC, claims to have over 1,000 cyber battalions across the country. These units carry out cyber attacks and often collaborate with other hacker groups. The Basij coordinates its activities through the Basij Cyber Council.

Structures

Iran’s hacking hierarchy is sophisticated and effective, allowing the country to conduct cyber operations flexibly and efficiently. Through the combination of state control, private participation and academic support, Iran can continuously develop its cyber capabilities and pursue its geopolitical goals. The challenges are to find the right balance between ideological loyalty and technical excellence and to maintain control over the multiple actors.

Unlike many nations that conduct their cyber operations directly through state intelligence services, Iran uses a network of contractors. These consist of private Iranian companies and academic institutions. This decentralized structure makes it difficult to precisely identify and track the attackers:

  1. Top level – Political and ideological leadership:
    At the top of the hierarchy is the country’s political and ideological leadership, including the Supreme Leader and the highest military and security authorities. This level sets the strategic goals and priorities for cyber operations.
  2. Middle level – Ideologically aligned managers:
    A group of ideologically reliable managers translate the strategic goals into specific cyber tasks. These managers are responsible for awarding contracts to various private contractors and academic institutions. They act as intermediaries between the top level and the operational units.
  3. Operational level – Private contractors and universities:
    At the operational level, there are numerous private companies and academic institutions that conduct the actual cyber operations. These contractors often compete with each other to win government contracts. The best teams are selected, paid and stay in business, while less successful teams drop out.

The best cyber talent is often recruited through closed communities of trust and security forums. These communities serve as a basis for recruiting and sharing knowledge among hackers. One example is the Ashiyane Forum, which plays a central role in networking and training hackers who are later recruited for state-sponsored projects.

A significant feature of Iran’s cyber strategy is the tension between ideological reliability and technical capabilities. While the government highly values ideological loyalty, often the most technically adept hackers are less ideologically motivated. This leads to a constant balancing act between ensuring loyalty and utilizing the best skills available.

Deployment and targets of Iranian cyberattacks

Iran mainly uses cyber attacks for espionage, data theft and the dissemination of propaganda. Although most attacks are not particularly technically sophisticated, they are often successful due to their sheer volume and persistence. One of the best-known attacks is Shamoon, a data erasure software that caused considerable damage to IT systems in 2012, 2016 and 2018.

Of particular concern is Iran’s ability to carry out targeted phishing attacks to gain access to sensitive information. These techniques have been successfully used against government agencies, telecommunications companies and even universities worldwide. Iranian hacking activities are diverse and include a wide range of targets that can be divided into three main categories: Iranian domestic targets, Middle Eastern targets and other international targets.

State hackers at a glance

The most significant international actors include state actors from Russia, China and Iran. These countries use various tactics to promote their geopolitical interests and undermine the stability of European democracies.

In addition to the main actors named below, there are also other countries and non-state actors that attempt to influence elections in Europe. These include, for example, groups acting on behalf of governments or in their own interests to advance certain political agendas. These actors use a variety of methods, including cyberattacks, disinformation, economic pressure and diplomatic maneuvers to achieve their goals. The European Union and its Member States face the challenge of recognizing and countering these threats in order to protect the integrity of their democratic processes.

Russia

Russia is known for its extensive disinformation campaigns and cyberattacks aimed at weakening trust in democratic processes. Some of the best-known examples include influencing the 2016 US elections and attempts to influence the Brexit vote. Russian actors often use social media platforms to spread false information and deepen social divisions.

China

China is increasingly relying on cyberattacks and disinformation campaigns to expand its influence in Europe. Chinese hacker groups are known for conducting industrial espionage and stealing sensitive information that can then be used to influence political decisions. China is also trying to manipulate public opinion in Europe by spreading pro-Chinese narratives in the media.

Iran

Iranian actors also use disinformation campaigns and cyberattacks to pursue their geopolitical goals. These campaigns are often aimed at destabilizing the policies of the US and its allies in Europe. Iranian hacker groups use similar techniques to their Russian and Chinese counterparts.

North Korea

North Korea is another international actor trying to influence elections and political processes worldwide, including in Europe, through cyber activities. While North Korea is less of a focus compared to Russia, China and Iran, there is still significant activity emanating from North Korean actors. North Korea also uses disinformation to further its geopolitical goals and foment political unrest. While there are fewer documented cases of direct election interference by North Korea, the regime still uses cyber operations to exert political pressure and protect its interests, for example by publishing compromising information about political candidates or spreading propaganda.

Iranian domestic targets

Within Iran, most cyberattacks target dissidents, opposition groups and specific ethnic minorities. These targets are mainly chosen for surveillance, blackmail or to use compromised accounts for further attacks. The aim of such surveillance is to maintain control over these groups and gather information about their structure and members. Sometimes Iranian security agencies use this surveillance to arrest members of dissident groups. In addition, patriotic Iranian hackers attack the websites of these groups and place pro-Iranian government messages there. These cyber operations are only part of the broader surveillance of the opposition by the Iranian security apparatus, which also monitors other forms of communication.

Targets in the Middle East

In the Middle East, Iranian APTs (Advanced Persistent Threats) and patriotic hackers regularly target facilities and government agencies in neighboring countries, particularly Saudi Arabia. These attacks are used to gather information on rivals’ civilian and military activities. Given the regional tensions and the involvement of both countries in proxy wars, such as in Yemen and Syria, monitoring Saudi Arabia is particularly important for Iran. As the cyber security apparatuses in these countries are less developed than in the US, many Iranian cyber attacks are focused on Saudi Arabia. These attacks affect strategically relevant targets such as aerospace, energy (mainly oil and gas), telecommunications and technology companies as well as defense and foreign ministries.

Other targets

In addition to targets in the Middle East and within Iran, Iranian cyberattacks are also directed against international targets. These include NGOs, academics, media companies, aerospace and technology companies and the Iranian diaspora worldwide. In some cases, data is stolen to be used in other attacks, in other cases the attacks serve political purposes, such as gathering compromising information or identifying data the targets may have on Iran.

The strategic selection of targets shows that Iran is seeking to maximize its influence and surveillance both domestically and internationally, with cyberattacks playing a key role.

Iran’s technical capabilities and further developments in hacking

Iran has continuously worked to improve its cyber capabilities. Despite technical restrictions and international sanctions, Iran has found innovative ways to exploit vulnerabilities in industrial control systems (ICS). One example is the Elfin group, which is known for using vulnerabilities in web servers to carry out extensive espionage operations.

Iran’s cyber capabilities are diverse and include a mix of basic and advanced techniques. The use of social media and the expansion of SIGINT capabilities show that Iran is determined to continuously improve its cyber capabilities and use them against Western states. In the face of these threats, it is critical that Western states continually adapt and strengthen their cyber defenses to protect the integrity of their information systems and communications networks.

Technical skills

Iranian hacker groups are characterized by a variety of technical capabilities that enable them to carry out extensive cyber operations. The most important techniques include:

  • Phishing and spear phishing: These techniques are often used to steal user credentials. Phishing attacks are large-scale, unspecific attacks, while spear phishing targets specific individuals or organizations.
  • Denial of Service (DoS) attacks: Some Iranian groups, such as the Elfin group, are known for their DoS attacks, which aim to overload networks and make services inaccessible.
  • Data exfiltration: Once the hackers have gained access to a network, they are able to steal large amounts of data undetected. This data can include sensitive information, intellectual property or communication data.
  • Malware and data deletion: The use of malware such as “Shamoon” shows that Iran is also capable of carrying out destructive cyberattacks aimed at deleting data.

Use of social media

Social media is used by Iranian hacking groups in various ways to achieve their goals. However, the effectiveness of these tactics is increasingly limited as social media platforms improve their security measures and are quicker to detect and remove fake accounts and malicious activity:

  • Propaganda and disinformation: Iranian actors use social media platforms to spread propaganda and influence public opinion. This is often done by creating and spreading fake accounts and identities.
  • Spear phishing: Social media is also used to launch targeted phishing attacks. By faking identities and gaining the trust of target persons, hackers can obtain sensitive information.

Signals Intelligence (SIGINT)

Iran has limited SIGINT capabilities compared to global players such as the US or China. Despite these limitations, Iran has taken steps to expand its capabilities in this area:

  • Satellite surveillance: Iran is developing satellite surveillance equipment that will enable it to intercept communications data from satellites in synchronous orbits. This includes satellites from countries such as Israel, Saudi Arabia and the USA.
  • Submarine cables: Iran has potential access to communications data transmitted via submarine cables that run through Iranian territory. These cables carry a variety of data, including internet and telephone traffic.

Cooperation with other nations

Another aspect of Iran’s cyber strategy is possible cooperation with other states such as Russia. Reports suggest that Russian cyber actors have used Iranian infrastructure for their own attacks. This could indicate deeper cooperation involving the exchange of technical know-how and target information.

Warning from the Federal Office for the Protection of the Constitution (BfV) on Iranian cyber espionage

In its Cyber Letter No. 01/2023, the Federal Office for the Protection of the Constitution (BfV) issued a warning against cyber espionage activities against critics of the Iranian regime in Germany. This warning is aimed in particular at Iranian dissidents, Iranians in exile and organizations that are critical of the Iranian regime.

Background to the warning

In 2022, several IT security service providers reported on the activities of the APT group Charming Kitten (also known as APT42, Phosphorus, Cobalt Illusion, Yellow Garuda and Mint Sandstorm). This group is known for spying on Iranian opposition groups and Iranian exiles. According to the BfV, Charming Kitten and similar groups have made concrete attempts to spy on Iranian individuals and organizations in Germany.

Attackers’ approach

Charming Kitten uses sophisticated social engineering techniques to obtain confidential data from its victims. The attackers create online identities tailored to the victims and initiate contact in order to gain trust. The attacks are carried out in several steps:

  1. Information gathering: Attackers research the preferences and interests of their targets, often through publications on the internet or social media.
  2. Making contact: The group contacts the victim personally and manipulates them through social engineering in order to provoke security-critical behavior.
  3. Phishing: In a later step, the attackers send invitations to online video chats. The victims are asked to click on a link and log in to a fake login page. This enables the attackers to steal the access data.
  4. Access and data theft: With the stolen credentials, the attackers can access the victims’ online services and download their data.

Protective measures

The BfV recommends several measures to protect against such attacks:

  • Be skeptical when making contact: Be suspicious of unexpected contact, even from people you seem to know.
  • Verification of identity: Verify the identity of contacts via a second, verified channel, for example by calling an officially known number.
  • Be careful with email addresses: Watch out for anomalies in email addresses and be suspicious if official letters are sent via private email services such as Gmail or Outlook.
  • Do not click on links: Do not open any links you are unsure about and pay particular attention to user-generated content.
  • Security measures for online services: Only use official login pages, set up multi-factor authentication and regularly check whether unknown devices are accessing your accounts.
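Several of the BfV recommendations above can be turned into automated checks on an inbound message before a user ever clicks: does an official-sounding sender write from a consumer mail provider, and do the links in the body actually lead to the organization’s known login pages or only to lookalike hosts? The following Python script is an added example for this article and is not code from the BfV or any product; the allowlist of login hosts, the free-mail provider list, the “official role” keywords and the sample message are all constructed for the illustration.

```python
"""
Heuristic screening of an inbound email against the protective measures listed
above: sender anomalies (official role, consumer mail domain) and link targets
that are not the organisation's known login hosts, including close lookalikes.
All lists and the sample message below are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed allowlist: the only hosts where users of this (fictional) NGO log in.
KNOWN_LOGIN_HOSTS = {"login.example-ngo.org", "meet.example-ngo.org"}

# Constructed list of consumer mail providers; an "official" letter arriving
# from one of these is exactly the anomaly the BfV advice points at.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Constructed keywords suggesting the display name claims an official role.
OFFICIAL_HINTS = ("ministry", "embassy", "office", "university", "institute", "press")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    detail: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between hosts indicates a typosquat/lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From header such as '"Name" <user@dom>'."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def display_name(from_header: str) -> str:
    return from_header.split("<", 1)[0].strip().strip('"')


def screen_message(from_header: str, body: str) -> list[Finding]:
    """Apply the three heuristics and return every finding, in order of appearance."""
    findings: list[Finding] = []
    dom = sender_domain(from_header)
    name = display_name(from_header).lower()
    # Rule 1: official-sounding display name, but the mail comes from a free-mail provider.
    if dom in FREEMAIL_DOMAINS and any(h in name for h in OFFICIAL_HINTS):
        findings.append(Finding("freemail-official", f"'{name}' writes from {dom}"))
    # Rules 2 and 3: every link must land on a known login host; near misses are
    # reported as lookalikes, everything else as an unknown host.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_LOGIN_HOSTS:
            continue
        nearest = min(KNOWN_LOGIN_HOSTS, key=lambda k: levenshtein(host, k))
        if levenshtein(host, nearest) <= 2:
            findings.append(Finding("lookalike-host", f"{host} resembles {nearest}"))
        else:
            findings.append(Finding("unknown-host", f"{host} is not a known login host"))
    return findings


# Constructed sample: a "press office" writing from Gmail with a video-call
# invitation whose login link uses "exarnple" (r+n) instead of "example".
SAMPLE_FROM = '"Press Office, Example Institute" <press.office.example@gmail.com>'
SAMPLE_BODY = (
    "Dear colleague, please join our video call: "
    "https://login.exarnple-ngo.org/meet?id=4417 "
    "Agenda: https://docs.example-ngo.org/agenda"
)

if __name__ == "__main__":
    for f in screen_message(SAMPLE_FROM, SAMPLE_BODY):
        print(f"[{f.rule}] {f.detail}")
```

The lookalike rule deliberately fires only for hosts within a couple of edits of a known login host; a distance threshold larger than two would start flagging legitimate third-party domains, so in practice the allowlist should be kept complete rather than the threshold loosened.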

In addition, the BfV recommends familiarizing yourself with general cyber security advice and observing special protective measures for business trips, especially when travelling to Iran. This warning particularly highlights the serious threat of state-sponsored cyber attacks and the need to be vigilant and well prepared to protect yourself against such attacks.

Iranian economic espionage

Industrial espionage by Iranian hackers: activities, successes and goals

Iranian hacking groups have become increasingly involved in economic espionage activities in recent years, targeting companies and institutions worldwide to gain economic and political advantage. These activities are often supported and coordinated by state organizations such as the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS).

Iran’s economic espionage activities are an important part of the country’s broader cyber strategy. Through a combination of technical capabilities and support from state organizations, Iran is able to gain significant economic and political advantages.

Activities and successes in industrial espionage

Iranian hacking groups such as APT33 (Elfin), APT34 (OilRig) and others are known for their aggressive cyberattacks targeting the economic sectors of other countries. These groups use a variety of techniques, including phishing, spear phishing, malware infections and exploiting vulnerabilities in networks to gain access to sensitive information.

One notable example is the attack on the Saudi oil company Saudi Aramco in 2012, in which the Shamoon malware was used. This attack destroyed data on around 30,000 computers and caused considerable financial losses. The attack was not only used for espionage, but also for sabotage in order to cause economic damage and send political messages. Other attacks targeted Western companies and organizations, with Iranian hackers successfully gaining access to confidential data. This included information on intellectual property, business strategies and other commercially valuable data. Such data can be used to advance Iran’s own economic and technological development while weakening the competitiveness of targeted companies.

Targets of Iranian industrial espionage

The objectives of Iranian industrial espionage are diverse and include both political and economic motives:

  • Political objectives: Iran uses cyberattacks to weaken geopolitical rivals and strengthen its own position in the region. Attacks on critical infrastructure such as energy companies in Saudi Arabia and the USA serve to undermine the stability of these countries and create a deterrent against possible military or economic measures.
  • Economic objectives: Obtaining confidential business and technology data allows Iran to promote its own economic development, especially in areas where the country is restricted due to international sanctions. By stealing intellectual property and technological innovations, Iran can strengthen its industrial base and partially offset the effects of sanctions.

Outlook

Iran’s cyber capabilities have increased significantly in recent years, posing a threat not only to regional adversaries, but also to Western states and their interests. By employing asymmetric tactics and constantly improving its technical capabilities, Iran is able to inflict significant damage despite limited resources. These developments raise important questions about how Iranian hacking activities could influence future conflicts.

Further development of cyber skills

Iran is continuously investing in expanding its cyber capabilities to strengthen both offensive and defensive capabilities. These investments include developing new malware, improving phishing techniques and using social engineering methods to gain access to sensitive data. A major goal is to improve the ability to attack and sabotage critical infrastructure, as has been the case in the past with attacks on Saudi and American targets.

Geopolitical motives

A key objective of Iran’s cyber strategy is to destabilize geopolitical rivals and strengthen its own regional hegemony. Cyberattacks offer an effective method to achieve these goals, as they are often difficult to trace and therefore have fewer direct military consequences. Attacks on critical infrastructure such as power grids, water supplies and communications systems could be used to create confusion, undermine trust and promote political instability.

Cyber warfare as part of asymmetric warfare

In the context of asymmetric warfare, cyber operations offer Iran the opportunity to take action against technically superior opponents without having to engage in conventional military confrontations. This tactic allows Iran to avoid the costs and risks of direct military confrontation while still being able to inflict significant damage and pursue geopolitical objectives.

Potential scenarios

In future conflicts, Iran could use cyber attacks to weaken the defense capabilities of its opponents and disrupt their military operations. One scenario, for example, could be the paralysis of communication and control systems prior to a conventional military attack. In addition, cyber attacks could be used to promote political and economic instability by targeting banks, stock exchanges and other economic institutions.

Cooperation with other states and non-state actors

Iran has shown that it is willing to work with other countries such as Russia and China to expand and strengthen its cyber capabilities. This cooperation could allow Iran to gain access to advanced technology and know-how, which would further enhance its ability to conduct effective cyber operations. Furthermore, Iran could recruit non-state actors and cybercriminals to achieve its goals, further complicating traceability and accountability.

German Lawyer Jens Ferner (Criminal Defense & IT-Law)