The Immortals: Iran’s Cyber Actors
June 29, 2020
The key outcomes from this assessment of Iran’s cyber actors are:
The threat posed by Iranian cyber actors has been a growing concern for the past decade, yet the destructive capabilities this could produce have still to be seen. Iran can affect global infrastructure, drag out and disrupt a potential Middle East peace process, and continue implementing restrictions on the freedom of information for Iranian citizens. This ability can and will have consequences for the broader global community. This article will assess how the Iranian state organises this often forgotten side of warfare, and how it uses the forces at its disposal.
Iran had to invest significantly in its asymmetric warfare capabilities to assert its influence within the Middle East. Since the creation of the Islamic Republic with the 1979 Revolution, it has seen the United States as its main threat. However, it has had to play catch-up, being financially weaker than the US, which in 2018 spent $623 billion on defence, in comparison to the $13 billion reportedly spent by Iran.
This move towards asymmetric capability began around the turn of the last decade. The Green Revolution of 2009 showed the leadership that it should take this side of asymmetric capabilities seriously. With the Stuxnet attack on the Iranian nuclear program discovered a year later, and with threats coming from both internal and external sources, Iran found itself having to pivot its strategy to confront this danger.
The hierarchy of Iranian cyber actors is a tricky web to navigate. The Supreme Leader, Ayatollah Ali Khamenei, has absolute control over the workings of government, while President Hassan Rouhani only has paper authority over the Supreme National Security Council, with the Supreme Leader having final jurisdiction on security issues.
There is frequent overlap when it comes to the cyber capabilities of multiple organisations within the national security structure. The Islamic Revolutionary Guard Corps (IRGC) is independent in practice and often refuses to be subordinate to any organisation outside of the office of the Supreme Leader.
Running parallel to the IRGC, the Ministry of Intelligence and Security and other organisations within the elected government, such as the Ministry of the Interior (which runs the law enforcement organisations), also have their own independent prerogatives when it comes to cyber operations. The lack of communication caused by this competition often results in overlapping duties and conflict over resources.
The IRGC maintains control over a large portion of Iran’s cyber operations. Founded in the aftermath of the 1979 Islamic Revolution, its role within the Iranian state is that of protecting Iran against domestic and international threats. Its command structure circumvents the elected government and answers to the Supreme Leader and Supreme National Security Council.
The IRGC controls the most important actors within the Iranian system. These include the Basij, the paramilitary wing of the IRGC, which claims to have over 120,000 civilian ‘cyber volunteers’, although this is considered to be an exaggeration.
The growth of Iranian cyber operations can be seen from Operation Saffron Rose in 2013, undertaken by the Ajax Security Team, ostensibly associated with the IRGC. Since 2010, the group has been known to officials from FireEye for having defaced the front pages of websites. From this, the group developed capabilities to effectively steal credentials from targets within the defence industry. To achieve this, it set up spear phishing campaigns and watering hole attacks, using two tactics:
Not only is the group graduating from defacing websites to committing cyber espionage, but it is also focusing on Iranian citizens. It is believed to have masked malware as anti-censorship tools for circumventing Iranian censorship, which affected 77 individuals, leading to their language being set to Persian and their timezone being set to Iranian Standard Time.
It is believed that, through the Basij, the IRGC contacts and recruits proxy organisations that operate on behalf of Iran, one such being the Cutting Sword of Justice (CSJ). The CSJ is blamed for one of the most successful assaults of the last decade: in 2012, it was responsible for destroying or wiping out a reported 35,000 computers at one of the world’s largest oil firms, Saudi Aramco, using malware called Shamoon, also known as Disttrack.
Another group, dubbed APT33 and believed to have been operating since 2013, is regarded to have been responsible for an attack lasting from mid-2016 through early 2017. Allegedly, the attack was employed to gain intelligence on the structure and capacity of Saudi Arabia’s air forces. These targets are consistent with the state of the geopolitical situation in the Middle East, where Iran and Saudi Arabia are currently involved in a proxy war in Yemen.
It is not just within the Middle East and greater international sphere that Iran tries to flex its cyber capabilities. The National Passive Defence Organisation (NPDO), another organisation heavily influenced by the IRGC, is led by Brigadier General Gholamreza Jalali Farahani. While not reporting directly to the IRGC, Farahani’s position makes it clear that the IRGC has considerable sway in the dealings of the NPDO. The NPDO undertakes a critical role in the prevention and identification of any cyberattack against the state by international threats or domestic movements supported by them.
Along with the NPDO sitting inside the larger structure of the IRGC, there are elements within the elected government itself that deal with cyber issues. Iran’s cyber police, or FATA, is a division of the police service within Iran that deals exclusively with ‘cyber-crime’. In an interview on the 19th of December, Colonel Ramin Pashayi, Deputy of Social Affairs at FATA, claimed that there have been 42,000 volunteers from the public and that its approach is policing in a ‘Society-Based’ way.
This approach to policing has shown up in western news sources regularly, with numerous accounts of people being arrested for Instagram posts that go against the religious tolerances of the country. For example, a couple practising parkour were arrested for posting a picture of themselves kissing on a rooftop in May this year.
To complement the use of police powers, there is the National Information Network project. Through this ambitious undertaking, since 2012, Iran has been seeking to style its own ‘intranet’ under the control of the Supreme Leader. This is under the leadership of a multitude of agencies, all under the guise of the Supreme Council of Cyberspace (SCC), made up of the leadership from both government agencies and the IRGC. It has seen a steady implementation of restrictions on internet freedom in the country, from the banning of Google services in 2012 to cutting off the Internet for the vast majority of the population during unrest due to fuel price increases in 2019.
Iran has several actors within its system who can successfully and destructively use cyberwarfare. The IRGC, with its priority to protect and further the Iranian revolution, has the most significant amount of influence within the Iranian command structure in which its cyber efforts are placed. The ability to effectively curb Iranian speech within the state, as well as control regional politics in the Middle East, has made the rise of Iranian cyber capability a severe cause for concern.
Jeremy Walker is a Graduate of Aberystwyth and the University of Birmingham, achieving a Masters at the latter in International Relations (Terrorism and Political Violence). His research was focused on the evolution of warfare around Eastern Europe and the Middle East, along with general counter-terrorism policy.