Security Research
Showing results for 
Search instead for 
Do you mean 

HPSR Threat Intelligence Briefing - Episode 11

SR-FI_Team ‎02-21-2014 03:35 PM - edited ‎02-25-2014 02:35 PM

Threat Actors Operating within the Islamic Republic of Iran 


Iranian hacker groups and their allies launched increasing numbers of cyber attacks over the last year, despite strict state controls of Internet traffic including: spying, censorship, and filtering laws and technology.  HPSR has observed an increasing level of attacks targeting Western interests. James Clapper, the Director of National Intelligence, stated in the DNI Worldwide Threat Assessment of the US Intelligence Community to the Senate Select Committee on Intelligence, that “Advanced cyber actors— such as Russia and China—are unlikely to launch a devastating attack against the United States outside of a military conflict or crisis that they believe threatens their vital interests. However, isolated state or nonstate actors might deploy less sophisticated cyber attacks as a form of retaliation or provocation. These less advanced but highly motivated actors could access some poorly protected US networks that control core functions, such as power generation, during the next two years”. He then went on to describe two specific incidents, both of Iranian origin – OpAbabil that targeted the US financial sector and the attack on Saudi Aramco that destroyed 30,000 computer systems. Google CEO Eric Schmidt has pointed out that "Iranians are unusually talented in cyber war for some reason we don’t fully understand." And Gabi Siboni, Senior Research Fellow at Tal Aviv University’s Institute for National Security Studies, has stated that "Iran should be considered a first-tier cyber power.”


In June 2013, Israeli Prime Minister Benjamin Netanyahu said “In the past few months, we have identified a significant increase in the scope of cyber attacks on Israel by Iran. These attacks are carried out directly by Iran and through its proxies, Hamas and Hezbollah.” He stated that these attacks were against “vital national systems” such as water, power, and banking systems. In September 2013, US officials disclosed that Iran had compromised the Navy Marine Corps Intranet (NMCI) to such an extent that it took four months to fully resolve the breach.


Historically, attacks originating from these groups range from gaming scenarios to politically motivated retaliation attacks, though their sophistication is increasing. These attacks primarily target Western entities and their affiliates.  Members of these groups operate in stark contrast to the strict controls that Iran imposes on electronic communications for the general population. This unchecked vigilante activity indicates the regime either supports these activities or has chosen to turn a blind eye to their actions. This HPSR Threat Intelligence Briefing (see attached) profiles the essential threat actors; their motives; their tactics, techniques, and procedures (TTP); and evidence of possible ties to state sponsored cyber warfare. An in-depth focus of the group Ashiyane examines how these groups operate, despite the regime’s strict control of the Internet. Finally, this paper identifies solutions for dealing with attacks by these groups and risk mitigation strategies for potential targets. 


In testimony given before the U.S. House of Representatives Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, on March 20, 2013, Ilan Berman, Vice President of the American Foreign Policy Council, said that in the past year “Iran has demonstrated a growing ability to hold Western targets at risk in cyberspace, amplifying a new dimension in the asymmetric conflict that is now taking place over the Iranian regime’s nuclear program.” 


Thomas D'Agostino, head of the U.S. National Nuclear Security Administration, has stated that “nuclear labs are under constant attack” receiving up to “10 million security significant cyber security events" each day.” And Frank Cilluffo, Director of the Homeland Security Policy Institute at George Washington University, testifying before the US House of Representatives Committee on Homeland Security stated that US officials are investigating “reports that Iranian and Venezuelan diplomats in Mexico were involved in planned cyber attacks against U.S. targets, including nuclear power plants.”


Just this week, General Mohammad Aqakishi, commander of the information technology and communication department at the General Staff of the Iranian Armed Forces, said in a speech that “Iran is fully prepared to confront any kind of cyber attacks,” and that “One of the options on the table of the US and its allies is a cyber war against Iran. But we are fully prepared to fight cyber warfare.”

Since the June 2010 discovery of Stuxnet, Iran has been building out their cyber capabilities and attacks from Iranian groups have increased. In November of 2010, Iran’s Passive Civil Defense Organization announced a plan to recruit hackers for a “soft war” in cyberspace. This was a direct result of the discovery of the Stuxnet virus, which targeted Iranian nuclear facilities. 


The Iranian military cyber structure includes the Passive Civil Defense Organization, the Pasdaran (Revolutionary Guard) cyber units, and the Basij paramilitary cyber units. The Passive Civil Defense Organization plays a defensive role in protecting Iran’s networks. The Passive Civil Defense Organization includes the Cyber Defense Command and the Gerdab, which was responsible for identifying and intimidating dissidents during Iran’s 2009 political unrest.  


The Pasdaran is the official military arm of the regime. Its cyber capabilities include a “mosaic defense” of cyber units, joint Signals Intelligence (SIGINT) operations with the Syrian military, a hacker group known as Iran’s Cyber Army, and the Karbala Mazandaran cyberculture forces. The “mosaic defense” concept derives from Iran’s physical military strategy and refers to strategically distributing resources across multiple autonomous units rather than a few cohesive units. Iran military officials and the Supreme Leader’s representatives have publically stated that they are actively engaged in offensive cyber operations.


Beneath the Pasdaran’s command is the paramilitary group known as the Basij. The role of enforcing cultural and religious mandates overlaps with that of the Karbala Mazandaran. Basij cyber assets include the FATA (Cyber Police) and the Basij Cyber Council. The FATA assists the regime in enforcing strict cyber laws meant to quell dissents and banish Western influence. 


Basij cyber capabilities reportedly include:

  • satellite jamming
  • media courts to discourage dissent and western influence
  • Internet censorship particularly of social media
  • a cyber police unit
  • anti-journalism campaigns
  • creating "sanitized" mirrors of MSM sites
  • propaganda and disinformation
  • infiltration of social media and other websites

The Basij Cyber Council operates under the direction of university professor Dr. Hassan Abbasi and recruits its cyber operators from young talent found in state sponsored universities and IT startups., On February 12, 2014, the Ayatollah Ali Khamenei delivered a message to the Islamic Association of Independent University Students, instructing them to prepare for cyber war: “You are the cyber-war agents and such a war requires Ammar-like insight and Malik Ashtar-like resistance; get yourselves ready for such war wholeheartedly.” The Ayatollah stressed that this is their religious and nationalistic duty. 


Iranian Cyber Organizational Chart


Figure 1 Iranian Cyber Organizational Chart


Iranian cyber operations are carried out under the belief that "The cyber arena is actually the arena of the Hidden Imam." Iran’s cyber doctrine relies heavily on asymmetrical warfare tactics. Asymmetrical warfare is defined as “a conflict in which the resources of two belligerents differ in essence and in the struggle, interact and attempt to exploit each other's characteristic weaknesses. Such struggles often involve strategies and tactics of unconventional warfare, the ‘weaker’ combatants attempting to use strategy to offset deficiencies in quantity or quality”.  For example, a cyber attacker may target the opposition in such a way that it takes advantage of legal limitations that prevent the target from exercising offensive cyber capabilities or from retaliating. Leveraging hacker crews as a force multiplier is another asymmetrical warfare strategy Iran uses to compensate for its lack of military might. 


Use of psychological operations is another asymmetrical warfare tactic favored by Iran. Iran's recent claims of plans to lessen Internet controls are potentially propaganda meant to ease international tensions during nuclear proliferation talks. This rhetoric happens to coincide with a noted increase in the activity of hacker groups acting in support of the regime. If the world believes there is a sudden increase in the number Iranians who have new opportunities for Internet access they will be less surprised when there is also a sudden influx of hacker attacks originating in Iran. 


Other core facets of Iran’s cyber doctrine are as follows:

  • development of defensive capabilities to protect Iran’s infrastructure against attacks
  • development of operational capabilities to stifle domestic opposition to the regime 
  • development of offensive capabilities to empower Iran against Western cyber assets and capabilities 
  • elimination of Western influence


Included in the report is a full timeline over the prior decade of Iranian cyber activity. It is interesting to note the change in Iran’s cyber landscape from 2010 to present. There is a noticeable transition that occurs from Iran’s awareness of cyber intrusions to the regime’s institution of defensive cyber capabilities. The focus then shifts to implementation of strategic offensive cyber capabilities. From the discovery of Stuxnet to the creation of a vast cyber army, Iran has made significant progress in the cyber war arena in a relatively short time.  


Another interesting point is that many of Iran’s efforts to increase its cyber capabilities seem to occur in correlation with or in reaction to political events.  In 2004, the International Atomic Energy Association (IAEA) determined Iran was in violation of the nuclear Non-Proliferation Treaty due to its uranium enrichment programs that could potentially produce weapons grade uranium. The following year, Iran made its first major mark in the cyber arena when the Revolutionary Guard first suggested creation of an Iranian Cyber Army.  That same year, Iran and Syria entered into a joint strategic defence co-operation accord. In 2005 and 2006, Iran had a political standoff with the UN, EU, and US – Iran refused to halt its uranium enrichment program and consequently faced sanctions.  In 2007, the regime announced Iran had capabilities to produce nuclear fuel on an industrial scale, and the UN’s IAEA found that Iran has been making nuclear fuel in an underground uranium enrichment plant. Later that year, the first versions of Stuxnet and Duqu were planted to target Iran’s nuclear facilities, although their presence was not discovered until 2010.  In June 2010, the UN Security Council also imposed another round of sanctions against Iran due to noncooperation over its nuclear program. By November, Iran’s Basij announced its plan to recruit hackers for "soft war" in Cyberspace.  In 2011, Iran announced the formation of its Revolutionary Guard's offensive cyber unit. Soon, there was an increase in notable attacks originating from Iran, including the  "Comodohacker" attack on DigiNotar  and the Gauss malware, which targeted Lebanese banks. In early 2012, the US imposed sanctions on Iran’s central bank, and the EU imposed an oil embargo on Iran due to the nuclear program. Later that year, the EU decided to boycott Iranian oil exports. In what appears to be a retaliation move, Iran launched a cyber attack on Qatar's RasGas in July and the Iranin group "Cutting Sword of Justice" attacked Saudi ARAMCO with the Shamoon virus in August. Three months later, the Iranian group Parastoo targeted the IAEA. The regime ended 2012 with a cyber warfare drill in December. In June 2013, Hassan Rouhani was elected as Iran’s new president. Whether his election served as a catalyst for increased cyber activity is unknown, but there is a noticeable increase in cyber attacks and in Iran’s attempts at achieving a significant cyber presence since Rouhani’s election. 


Iran’s political situation in 2013 and early 2014, on the surface, seemed to be taking small steps toward improved relations with Western nations. The election of Rouhani, viewed as a political moderate, was followed by a Geneva agreement to move towards “neutralizing” its stockpile of uranium (in exchange for relief funds). However, while the Iranian Supreme Council on Cyberspace continues to filter and outright ban sites like Facebook and Twitter, hacker groups continue to gain access to these sites to brag about their exploits. This behavior begs the question as to whether Iran is really attempting to “improve relations”, or if their soft war continues. An in-depth analysis of Iranian cyber capabilities indicates that Iran’s cyber units recruit from various hacker groups or leverage their talent as a force multiplier. The recent increase in security incidents attributed to Iranian hacker groups and their associates has coincided with critical political and military tensions and negotiations, as Western nations seek to determine whether previous sanctions against Iran will be lifted, whether foreign relations policies with Iran will change, and under what conditions Iran’s government will be invited to negotiate with other world leaders. 


In light of recent cyber events originating from Iran and pro-Iranian groups such as the Syrian Electronic Army, an analysis of Iran’s cyber warfare capabilities was in order. As noted above, Iran’s cyber capabilities were developed as an asymmetrical warfare response to cyber attacks on its nuclear program and to give the regime an advantage in the face of more powerful Western militaries. The regime’s leaders believe that the cyber realm is the realm of the “hidden imam,” and analysis of Iran’s cyber structure shows three major trends in Iran’s cyberspace: 1) measures to isolate the Iranian people from Western influence, which is viewed as corrupt; 2) an attempt to exert a position of offensive power; and 3) to better defend Iranian infrastructure against cyber attacks. The regime’s officials have made it clear that they are willing and able to launch an all-out cyber war, yet on the surface their official cyber capabilities do not seem adequate for such a task.


One of the most interesting facets of Iran’s cyber capabilities is how it leverages hacker groups as a force multiplier. Due to their tendency to target Western entities, particularly corporations and government entities, it is imperative to understand the motivations and tactics, techniques, and procedures (TTP) of Iranian hacker groups. The Iranian regime looks to the country’s youth to broaden its forces. 


Two points of interest indicate that these hacker groups target youths, training them to conduct cyber operations in service of the regime: privilege and training. First, the mere privilege exhibited by members of these hacker groups indicates that members do not fear repercussions for their actions, despite the regime’s strict cyber laws. For example, members of Iran’s longest-standing hacker group Ashiyane have public profiles on social media sites, which are otherwise blocked by the regime. Some members tie their aliases to their real names and photos on their social media profiles and brag about their exploits. This behavior is in violation of Iran’s cyber laws, which prohibit circumvention of regime-imposed Internet controls and forbid content that could be used to commit cyber crimes. The attached HPSR Threat Intelligence Briefing includes evidence that members of Iranian hacker groups operate openly, in a manner that is contrary to Iranian cyber law, with no fear of repercussions. The briefing also questions how these actors have access to social media in the first place.


Second, the regime plays a role in providing training for these groups. Two of the primary Iranian groups, Ashiyane and Shabgard, have training portals that are offered in conjunction with degree programs at major Iranian universities. The core members of these groups are well educated and include university graduates and IT professionals in their mid-20’s to early 30’s. There is also a great sense of camaraderie among these groups, extending to offline meet-ups. Iranian hacker groups also train members using gamification scenarios such as defacement contests on and capture the flag contests. Some of the more prominent capture the flag contests are sponsored by entities tied to the regime: Sharif University and the Atomic Energy Organization of Iran. TTPs of these groups range from technical attacks such as SQL injection to phishing and social engineering attacks, to psychological operations. The attached HPSR Threat Intelligence Briefing examines these war games and the key entities responsible for sponsoring them.



In this report (see attached report for full content), we examine Iran’s cyber warfare capabilities, particularly the hacker groups that serve as a force multiplier to Iran’s continually expanding cyber presence. Due to Iran’s recent statements implying an increase in forthcoming cyber attacks, an in-depth examination of these groups was necessary. The report covers how these groups recruit and train members, the primary actors involved, TTPs, motivations, and indicators of state sponsorship by the regime. Through this analysis, the goal is to educate the reader on the capabilities of these groups and the significance and implications of state sponsorship of underground cyber actors. It also advises potential targets on mitigation strategies in the face of state sponsored cyber activities. 


About the Author


HAji from onja
on ‎03-07-2014 05:31 AM

کسخلها :))

on ‎04-23-2014 12:48 AM

Hello, this says episode 11... where can I find the previous episodes? can you provide links to them, please? 


Thanks a lot.



on ‎04-29-2014 08:10 AM

Hi Amira,

You should be able to access all of the past Threat Briefings here:



27 Feb - 2 March 2017
Barcelona | Fira Gran Via
Mobile World Congress 2017
Hewlett Packard Enterprise at Mobile World Congress 2017, Barcelona | Fira Gran Via Location: Hall 3, Booth 3E11
Read more
Each Month in 2017
Software Expert Days - 2017
Join us online to talk directly with our Software experts during online Expert Days. Find information here about past, current, and upcoming Expert Da...
Read more
View all