Iran has increasingly used cyber operations to monitor and retaliate against foreign and domestic enemies, according to two new reports. "Iran has demonstrated how militarily weaker countries can use offensive cyber operations to contend with more advanced adversaries,” concludes a study by the Carnegie Endowment for International Peace. It has conducted cyber-attacks against targets in Israel, Saudi Arabia and the United States.
On the domestic front, the regime has developed the National Internet Network, which allows it to control access to the internet and monitor communications. “The Iranian government has now shown the world that it can—and will—cut its citizens off from the global internet, in total disregard for the rights of the Iranian people,” according to the Center for Human Rights in Iran. The organization’s latest report reviews internet polices and technological developments during the last five years. The following are excerpts from the two reports.
Iran's Cyber Threat: Espionage, Sabotage, and Revenge
COLLIN ANDERSON AND KARIM SADJADPOUR
Incidents involving Iran have been among the most sophisticated, costly, and consequential attacks in the history of the internet. The four-decade-long U.S.-Iran cold war has increasingly moved into cyberspace, and Tehran has been among the leading targets of uniquely invasive and destructive cyber operations by the United States and its allies. At the same time, Tehran has become increasingly adept at conducting cyber espionage and disruptive attacks against opponents at home and abroad, ranging from Iranian civil society organizations to governmental and commercial institutions in Israel, Saudi Arabia, and the United States.
IRAN’S CYBER THREAT ENVIRONMENT
- Offensive cyber operations have become a core tool of Iranian statecraft, providing Tehran less risky opportunities to gather information and retaliate against perceived enemies at home and abroad.
- Just as Iran uses proxies to project its regional power, Tehran often masks its cyber operations using proxies to maintain plausible deniability. Yet there are clear indications that such operations are conducted by Iranians and frequently can be linked to the country’s security apparatus, namely the Ministry of Intelligence and Islamic Revolutionary Guard Corps.
- Iran’s cyber capabilities appear to be indigenously developed, arising from local universities and hacking communities. This ecosystem is unique, involving diverse state-aligned operators with differing capabilities and affiliations. Over the decade that Iranians have been engaged in cyber operations, threat actors seemingly arise from nowhere and operate in a dedicated manner until their campaigns dissipate, often due to their discovery by researchers.
- Though Iran is generally perceived as a third-tier cyber power—lacking the capabilities of China, Russia, and the United States—it has effectively exploited the lack of preparedness of targets inside and outside Iran. Just as Russia’s compromise of Democratic Party institutions during the 2016 U.S. presidential election demonstrated that information warfare can be conducted through basic tactics, Iran’s simple means have exacted sometimes enormous political and financial costs on unsuspecting adversaries.
- The same Iranian actors responsible for espionage against the private sector also conduct surveillance of human rights defenders. These attacks on Iranian civil society often foreshadow the tactics and tools that will be employed against other targets and better describe the risks posed by Iranian cyberwarfare. Through technical forensics of cyber attacks, researchers documenting these campaigns can provide a unique window into the worldview and capabilities of Iran’s security services and how it responds to a rapidly changing technological and geopolitical environment.
U.S. RESPONSES GOING FORWARD
- While Iran does not have a public strategic policy with respect to cyberspace, its history demonstrates a rationale for when and why it will engage in attacks. Iran uses its capabilities in response to domestic and international events. As conflict between Tehran and Washington subsided after the 2015 nuclear deal, so too did the cycle of disruptive attacks. However, Iran’s decisionmaking process is obscured and its cyber capabilities are not controlled by the presidency, as evident in cases of intragovernmental hacking.
- The United States is reliant on an inadequately guarded cyberspace and should anticipate that future conflicts, online or offline, could trigger cyber attacks on U.S. infrastructure. The first priority should be to extend efforts to protect infrastructure and the public, including increased collaboration with regional partners and nongovernmental organizations targeted by Iran.
- Narrowly targeted sanctions could be used to deter foreign countries or other actors from providing assistance to Iranian offensive cyber operations. Such restrictions should still prioritize allowing Iranian society wide access to the internet and information technologies, to mitigate the regime’s ability to control information and communications.
- The United States has pursued a name and shame strategy against Iranian threat actors, and should continue to do so. The Justice Department has issued indictments against Iranians implicated in disruptive campaigns and has successfully obtained the extradition from a third country of a hacker involved in the theft of military secrets. Because of the small operational footprint of the groups, targeted sanctions or legal proceedings are more symbolic than disruptive. These indictments may at least chill participation by talented individuals who wish to travel or emigrate.
- Iran continues to pursue its interests through cyber operations, engaging in attacks against its regional opponents and espionage against other foreign governments. A better understanding of the history and strategic rationale of Iran’s cyber activities is critical to assessing Washington’s broader cyberwarfare posture against adversaries, and prudent U.S. responses to future cyber threats from Iran and elsewhere.
Click here to read the full report.
Guards at the Gate: The Expanding State Control Over the Internet in Iran
CENTER FOR HUMAN RIGHTS IN IRAN
Guards at the Gate: The Expanding State Control Over the Internet in Iran by the Center for Human Rights in Iran (CHRI), examines the key policy and technological developments regarding the internet in Iran over the 2013-2018 period. The report reveals the steady progress the Iranian government has made in controlling its citizenry’s use of the internet. During the unrest that swept through Iran on the eve of 2018, the authorities implemented major disruptions to internet access through slowdowns and the blocking of circumvention tools, blocked the Instagram social media platform and the Telegram messaging app heavily used by the protesters to mobilize the street protests, and briefly cut off Iranians’ access to the global internet on December 30, 2017, demonstrating a new level of technical sophistication. These actions confirm the main contention of this report—namely, that while internet use has expanded throughout Iran with the help of upgrades to the country’s telecommunications infrastructure and faster and cheaper internet service, key technological initiatives undertaken by the Iranian government, in particular development of Iran’s state-controlled National Internet Network (NIN), have significantly enhanced the government’s ability to restrict, block and monitor internet use in Iran.
Over the period this report covers, which encompasses President Rouhani’s first term (2013-2017) and the beginning of his second, internet use has grown robustly in Iran. According to the UN’s International Telecommunication Union (ITU), 53 percent of the country’s 80 million-plus population use the internet, which may well be an underestimate. With 3G and 4G service made widely available by the Rouhani administration, tens of millions of Iranians now access the internet and social media on the 40 million mobile phones now in use in the country. Messaging applications such as Telegram serve as a major platform for societal discussion of political, social and cultural issues. Online communication has become particularly central to Iran’s young, educated and tech savvy population, with the internet increasingly eclipsing traditional print and broadcast media to become the most significant “public square” in Iran.
Yet while internet use has increased and its centrality to Iranian discourse has grown exponentially—and the Rouhani administration has facilitated this greater use by increasing internet speeds and lowering access costs in Iran—internet control, censorship and surveillance by the state have also expanded significantly.1 This is largely due to the development of the NIN, which has accelerated under the Rouhani administration. The NIN’s national search engines now systematically filter key words and phrases—and send users to sites that deliver only state-approved and sometimes fabricated content. NIN tools and services facilitate the state’s ability to identify users and access their online communications, deeply compromising user privacy and security. The government steers Iranians toward use of the NIN and its search engines, security certificates, email services and video broadcasting services through price and internet speed incentives, violating net neutrality principles. Critically, the NIN’s ability to separate domestic internet traffic in Iran from international internet traffic now allows, for the first time, the state to cut Iranians off from the global internet while maintaining access to domestic online sites and services.
The capacity to restrict the people of Iran to state-approved content on a domestic internet has been a long-standing goal of hardliners in Iran—intelligence and security agencies, judicial officials, and the country’s supreme leader, Ali Khamenei, who fear internet freedom and view the internet as a Western ploy to undermine the Islamic Republic. With the demonstrated capacity to sever Iranians’ access to the global internet while maintaining the availability of Iran’s state-controlled internet, this goal has now been realized, justifying for them the huge investment the Iranian government has made in the development of the NIN.
In addition, during this period the government’s blocking of major social media sites such as Twitter, Facebook and YouTube, as well as millions of other websites, has continued, even as Rouhani has on a few occasions thwarted the blocking of messaging applications such as WhatsApp. Moreover, intensifying state filtering is now increasingly targeting applications that provide encryption by default (which provide security automatically, without user input), that are vital to Iranians’ efforts to maintain online privacy. State-sponsored hacking attacks—DDoS attacks, phishing, malware, message interception and the use of insecure fake applications—have also multiplied. With hardline state security and intelligence organizations in control of the country’s telecommunications infrastructure, their ability to access private online communications, unhindered by any judicial oversight, poses grave threats to Iranian users; individuals are arrested and sentenced to lengthy prison terms on the basis of online content unlawfully obtained by the state in this manner.
Rouhani has been silent in the face of these attacks, despite his stated support for internet freedom and his promulgation of a citizens’ rights charter. Indeed, Rouhani has proved either unable or unwilling to defend internet freedom, and, in some respects, such as in the accelerated development of the NIN, has significantly facilitated and implemented decisions and initiatives that severely violate it. The recent brief severance of access to the global internet and the blocking of Telegram and Instagram are a huge departure from his statements after his re-election in 2017 against filtering and his pledges to protect Iranians’ online connection to the world.
The state has significantly deepened its control over cyberspace in Iran. As the NIN has progressed toward the final stages of implementation, it has become clear that the government’s development of a national network that provides faster and cheaper internet access has also led to the creation of a technical infrastructure that can more effectively block, censor, spread false information, and access Iranian users’ online communications, and it has made the Iranian citizenry highly vulnerable to the state intelligence organizations that control this technical infrastructure. Internet freedom is under assault in Iran, and the rights of the Iranian people to information access and internet privacy, both integral to the fundamental right of freedom of expression, are being severely violated.
Click here to read the full report.