EXECUTIVE SUMMARY: The Iranian regime has been a considerable threat to global cybersecurity ever since 2012, when it committed cyberattacks on US financial institutions in retaliation for the high-profile Stuxnet attack on its nuclear program. In the wake of the Stuxnet attack, the Tehran regime vastly ramped up its cyber capabilities, transforming itself from a third-tier cyber power into one that poses a serious threat.

The cyber transformation of Iran was initiated by a decree issued in 2012 by Supreme Leader Ali Khamenei that established the Supreme Council of Cyberspace, which was tasked with creating a strategy and a blueprint for information control at home and intelligence gathering abroad. To achieve these goals, the Council established a sophisticated and multi-layered cyber operations bureaucracy. Within three years, Iran’s budget for cyber development had increased by 1,200%.

In the decade since the establishment of the Council, Iran is believed to have been responsible for a wide range of cyber operations around the world. Industry pillars of the region’s economy, academics, and defense companies have been targeted in these attacks. Aramco and RasGas, the Saudi and Qatari petroleum companies, have both been frequent victims. In 2013, Iranian hackers penetrated the flood control system of the Bowman Avenue Dam in Rye Brook, New York, and the same group of hackers was implicated in separate attacks on three US financial firms. In 2014, regime-linked proxies hit the Sands Casino in Las Vegas with destructive malware.

Empowered by recent political changes, the IRGC is lobbying for parliamentary action to update the laws governing the internet in Iran. Its goal is to develop a national intranet and disconnect Iran from the global internet. Along the lines of this effort, regime-sponsored front companies have produced spyware-enabled mobile apps and VPNs for cyber-surveillance and repression. Some are available on global mobile app marketplaces like Google Play, the Apple Store, and GitHub, potentially exposing millions of citizens in Iran and around the world. These apps enable the regime to censor content, spy on individuals and even make money.

The Islamic regime’s cyber operations not only surveil internal opposition groups and political opponents but also target the Iranian diaspora, using spear-phishing and SMS messages to persuade targets to open malicious links or attachments. In February 2021, the Dutch public broadcaster reported that the regime had used a server in the Netherlands linked to a base in Iran to gather intelligence on Iranian dissidents.