IRGC’s Guard Cyber Defense Command (GCDC)
The Cyber Security Command of the Islamic Revolutionary Guard Corps, formerly known as the Organized Crime Investigation Center, is one of the units affiliated with the Intelligence Organization of the Islamic Revolutionary Guard Corps; it was established in 2006. The short name of this institution is Vortex. The center was set up, in cooperation with the judiciary of Iran, to deal with domestic and international organized movements and with abuse of the internet and other communication systems (against the Islamic Republic of Iran) to carry out terrorist acts, internet espionage, money laundering and cultural attacks (against the culture of the Islamic Revolution of Iran), as well as desecration and insulting of the sanctities of the Islamic religion and the values of the Islamic Revolution of Iran. According to Article 150 of the Constitution of the Islamic Republic of Iran, it operates to protect this system and its achievements.
The Revolutionary Guards Organized Crime Investigation Center was established in 2006 as part of the IRGC's cyber defense, on the basis of Article 150 of the Constitution. The mushroom-like growth of international organized crime, abuse of the internet and other communication systems to carry out terrorist acts, internet espionage and money laundering, destruction of the cultural and social system of society, and desecration and insulting of religious sanctities and revolutionary values are among the reasons given for setting up this center; its work of identifying and dealing with these crimes was coordinated with the judiciary.
The Mazalin, Fatnah al-Mabim, Darkob, Mursad, Cheshm Babah, Naseh and Ankabut projects are among the center's actions, and have been publicized through the "Gordab" website. It is noteworthy that a significant part of the projects implemented by the center originated in public reports sent through this site.
Now, however, in light of:
- The increasing spread of mobile social networks and the enemy's extensive attempt to destroy the cultural system of the society in this way at the same time as the lack of proper culturalization of these networks
- The drastic reduction in the age of cyberspace users and the efforts of hostile groups to create deviations in their activities
- Aliens' attempt to change people's lifestyle under the cover of information technology
- Expanding the field of digital diplomacy as one of the branches of public diplomacy
- The process of going back and forth between virtual and real space and their mutual influence on each other
- Expanding the dimensions of western services spying on users under the cover of providing free services
- Emergence of new methods of infiltration and sabotage and enemy cyber attacks on important positions and places of the country
- The enemy's extensive attempt to create unauthorized access (bypass filtering)
New areas of threat have opened up for the Organized Crime Investigation Center, which has led to the expansion of its mission field and the updating of the structure and position of this complex so that it can respond to the needs of the real and virtual society. Therefore, at the end of 2013, the structure of the "Cyber Defense Command" was improved and the "Cyber Security Command of the IRGC" was formed to carry out its new missions of improving the security of cyberspace users in terms of content and technology, in addition to continuing the previous process.
Alireza Rahmani, the spokesman of the "Cyber Security Command" of the Islamic Revolutionary Guard Corps, announced on June 26, 2022 the improvement of the structure of the "Cyber Defense Command" complex and the change of its command, and said: From now on, the "Cyber Organized Crime Investigation Center" will be one of the centers subordinate to this command. Rahmani added: The formation of emerging threats in cyberspace in thematic, technical-infrastructural and technological dimensions, and the role of hegemonic countries in it, led to the decision to improve and update the structure [of the IRGC Cyber Defense Command].
Explaining the details of this upgrade, he said: The use of Internet and social media services in all aspects of users' lives, and the attempt to create disruption and deviation in the natural course of users' activities in the context of information technology, opened up new areas of threat to the Organized Crime Investigation Center, which led to expanding its field of mission and updating the structure and position of this collection so that it can respond to the needs of the real and virtual society.
This official in the IRGC cyber security command continued: Therefore, "Sardar Ali Fateh" has assumed command of this group and has expanded its structure according to the 7-year experience of the Cyber Organized Crime Investigation Center. Previously, the task of the Center for Investigating Organized Cyber Crimes was to monitor and investigate organized terrorist, espionage, economic and social crimes in cyberspace, in cooperation and coordination with other intelligence and judicial bodies, in order to investigate the threats and damages of the global Internet network and other new technologies. The center drew on the technical and intelligence capabilities of IRGC experts and other specialists and worked according to Article 150 of the constitution in order to guard the revolution and its achievements.
The mushroom-like growth of international organized crime, misuse of the internet and other communication systems to carry out terrorist acts, internet espionage and money laundering, destruction of the cultural and social system of society, and desecration and insulting of religious sanctities and revolutionary values are among the reasons given for setting up the Organized Crime Investigation Center in 1386 (Iranian calendar), with the aim of identifying and dealing with the aforementioned crimes in coordination with the judiciary of the Islamic Republic. From now on, the IRGC Cyber Security Command, in addition to continuing the previous process, is to implement its new missions of improving the security of cyberspace users in terms of content and technology.
The IRGC’s Guard Cyber Defense Command (GCDC) includes a special department called the Center for Inspecting Organized Crimes (CIOC). The CIOC focuses on ensuring the regime’s vision of cyber security. The CIOC’s official website is called Gerdab (www.gerdab.ir), which is a Farsi word meaning whirlpool. The IRGC’s CIOC has openly admitted that it would forcefully suppress anyone seeking to carry out “cultural operations” against the Islamic Republic via the Internet and that it monitors Persian-language sites for what it deems to be aberrations.
The CIOC has taken an active role in identifying and arresting protesters involved in the 2009 post-election unrest, particularly those individuals active in cyber space.
The IRGC’s CIOC uses extensive methods to identify Internet users, including through an identification of their Internet Protocol (IP) addresses. The Iranian regime has identified and arrested many bloggers and activists through the use of advanced monitoring systems, and the CIOC inspects forwarded emails to identify those critical of the regime. The IRGC's cyber police focus on filtering websites in Iran, monitoring the email and online activity of individuals on a watch list, and observing the content of Internet traffic and information posted on web blogs. Individuals on the watch list included known political opponents and reformists, among others. Individuals arrested by the IRGC have been subjected to severe mental and physical abuse in a ward of Evin Prison controlled by the IRGC.
The Department of the Treasury previously designated the IRGC in June 2011 under E.O. 13553 and in October 2007 under E.O. 13382 “Blocking Property of Weapons of Mass Destruction Proliferators and Their Supporters.” On 23 April 2012 President Obama announced an Executive Order, “Blocking the Property and Suspending Entry into the United States of Certain Persons with Respect to Grave Human Rights Abuses by the Governments of Iran and Syria Via Information Technology” (“the GHRAVITY E.O.” or the “Order”). The Order targets, among others, persons determined to have operated, or to have directed the operation of, information and communications technology that facilitates computer or network disruption, monitoring or tracking that could assist in or enable human rights abuses by or on behalf of the Government of Syria or the Government of Iran. Pursuant to this order sanctions were imposed on the Syrian General Intelligence Directorate (GID), the GID’s Director Ali Mamluk, Iran’s Ministry of Intelligence and Security (MOIS), Iran’s Islamic Revolutionary Guard Corps (IRGC), Iran’s Law Enforcement Forces (LEF), the Iranian Internet service provider Datak Telecom, and the Syrian communication firm Syriatel.
The GHRAVITY E.O. sends a clear message that the United States condemns the continuing campaigns of violence and human rights abuses against the people of Syria and Iran by their governments and provides a tool to hold accountable those who assist in or enable such abuses through the use of information and communications technology.
Government organizations, including the Basij “Cyber Council,” the Cyber Police, and the Cyber Army, which observers presumed to be controlled by the IRGC, monitored, identified, and countered alleged cyberthreats to national security. These organizations especially targeted citizens’ activities on officially banned social networking websites such as Telegram, Facebook, Twitter, YouTube, and Flickr, and they reportedly harassed persons who criticized the government or raised sensitive social problems.
Minister of information and communications technology Mahmoud Vaezi announced in 2017 that the government had improved methods to control the internet and had shut down a number of online platforms. The government’s decade-long project to build a National Information Network (NIN) resulted in its launch in 2016. The NIN enabled officials to allow higher speed and easier access on domestic traffic, while limiting international internet traffic. RSF reported that the NIN acted like an intranet system, with full content control and user identification. Authorities may disconnect this network from global internet content, and they reportedly intended to use it to provide government propaganda and disrupt circumvention tools. During nationwide protests in December 2017, authorities used NIN technology to cut off access to the global internet for 30 minutes.
Iran uses cyber operations as a low-cost tool of statecraft, and will continue to use them to achieve strategic objectives unless it faces clear repercussions for them. The use of cyber attacks as a foreign policy tool outside of military conflict has been mostly limited to sporadic lower-level attacks. However, Iran is testing more aggressive cyber attacks that pose growing threats to the United States and US partners.
Iran will continue working to penetrate US and Allied networks for espionage and to position itself for potential future cyber attacks, although its intelligence services primarily focus on Middle Eastern adversaries — especially Saudi Arabia and Israel. Tehran probably views cyberattacks as a versatile tool to respond to perceived provocations, despite Iran’s recent restraint from conducting cyber attacks on the United States or Western allies. Iran’s cyber attacks against Saudi Arabia in late 2016 and early 2017 involved data deletion on dozens of networks across government and the private sector.
The Iranian regime, under the supervision and guidance of the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), has employed new cyberwarfare tactics in a desperate attempt to counter the growing dissent inside the country, in particular the nationwide uprising that erupted in late December 2017. NCRI-US reveals information about the regime's new wave of cyber repression and the key players involved. A domestic mobile app marketplace modeled after Google Play is supervised by the IRGC to distribute spyware-enabled apps. IRGC front companies are developing spyware-enabled apps for cyber-surveillance and repression. Ironically, some of these apps are available on Google Play, the Apple App Store, and GitHub, potentially exposing millions of users worldwide to the regime's spyware and surveillance.
The messaging app Telegram is actively used by 40 million Iranians and was crucial in spreading information during the recent wave of anti-regime protests in Iran. However, as the book details, the Iranian Revolutionary National Guard has spread alternative messaging apps laced with malware into the app marketplace. The National Guard then uses these apps to track and combat the spread of rebellious information. The regime's extreme effort on the cyber front underscores the need for free internet within Iran and its essentiality to a successful anti-theocratic protest.
On 24 March 2016, a grand jury in the Southern District of New York indicted seven Iranian individuals who were employed by two Iran-based computer companies, ITSecTeam (ITSEC) and Mersad Company (MERSAD), that performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps, on computer hacking charges related to their involvement in an extensive campaign of over 176 days of distributed denial of service (DDoS) attacks.
Ahmad Fathi, 37; Hamid Firoozi, 34; Amin Shokohi, 25; Sadegh Ahmadzadegan, aka Nitr0jen26, 23; Omid Ghaffarinia, aka PLuS, 25; Sina Keissar, 25; and Nader Saedi, aka Turk Server, 26, launched DDoS attacks against 46 victims, primarily in the U.S. financial sector, between late 2011 and mid-2013. The attacks disabled victim bank websites, prevented customers from accessing their accounts online and collectively cost the victims tens of millions of dollars in remediation costs as they worked to neutralize and mitigate the attacks on their servers. In addition, Firoozi is charged with obtaining unauthorized access to the Supervisory Control and Data Acquisition (SCADA) systems of the Bowman Dam, located in Rye, New York, in August and September of 2013.
The indictment was announced by Attorney General Loretta E. Lynch, Director James B. Comey of the FBI, Assistant Attorney General for National Security John P. Carlin and U.S. Attorney Preet Bharara of the Southern District of New York. “In unsealing this indictment, the Department of Justice is sending a powerful message: that we will not allow any individual, group, or nation to sabotage American financial institutions or undermine the integrity of fair competition in the operation of the free market,” said Attorney General Lynch. “Through the work of our National Security Division, the FBI, and U.S. Attorney’s Offices around the country, we will continue to pursue national security cyber threats through the use of all available tools, including public criminal charges. And as today’s unsealing makes clear, individuals who engage in computer hacking will be exposed for their criminal conduct and sought for apprehension and prosecution in an American court of law.”
The DDoS campaign began in approximately December 2011, and the attacks occurred only sporadically until September 2012, at which point they escalated in frequency to a near-weekly basis, between Tuesdays and Thursdays during normal business hours in the United States. On certain days during the campaign, victim computer servers were hit with as much as 140 gigabits of data per second and hundreds of thousands of customers were cut off from online access to their bank accounts.
Fathi, Firoozi and Shokohi were responsible for ITSEC’s portion of the DDoS campaign against the U.S. financial sector and are charged with one count of conspiracy to commit and aid and abet computer hacking. Fathi was the leader of ITSEC and was responsible for supervising and coordinating ITSEC’s portion of the DDoS campaign, along with managing computer intrusion and cyberattack projects being conducted for the government of Iran. Firoozi was the network manager at ITSEC and, in that role, procured and managed computer servers that were used to coordinate and direct ITSEC’s portion of the DDoS campaign. Shokohi is a computer hacker who helped build the botnet used by ITSEC to carry out its portion of the DDoS campaign and created malware used to direct the botnet to engage in those attacks. During the time that he worked in support of the DDoS campaign, Shokohi received credit for his computer intrusion work from the Iranian government towards his completion of his mandatory military service requirement in Iran.
Ahmadzadegan, Ghaffarinia, Keissar and Saedi were responsible for managing the botnet used in MERSAD’s portion of the campaign, and are also charged with one count of conspiracy to commit and aid and abet computer hacking. Ahmadzadegan was a co-founder of MERSAD and was responsible for managing the botnet used in MERSAD’s portion of the DDoS campaign. He was also associated with Iranian hacking groups Sun Army and the Ashiyane Digital Security Team (ADST), and claimed responsibility for hacking servers belonging to the National Aeronautics and Space Administration (NASA) in February 2012.
Ahmadzadegan has also provided training to Iranian intelligence personnel. Ghaffarinia was a co-founder of MERSAD and created malicious computer code used to compromise computer servers and build MERSAD’s botnet. Ghaffarinia was also associated with Sun Army and ADST, and has also claimed responsibility for hacking NASA servers in February 2012, as well as thousands of other servers in the United States, the United Kingdom and Israel. Keissar procured computer servers used by MERSAD to access and manipulate MERSAD’s botnet, and also performed preliminary testing of the same botnet prior to its use in MERSAD’s portion of the DDoS campaign. Saedi was an employee of MERSAD and a former Sun Army computer hacker who expressly touted himself as an expert in DDoS attacks. Saedi wrote computer scripts used to locate vulnerable servers to build the MERSAD botnet used in its portion of the DDoS campaign.
Between Aug. 28, 2013, and Sept. 18, 2013, Firoozi repeatedly obtained unauthorized access to the SCADA systems of the Bowman Dam, and is charged with one substantive count of obtaining and aiding and abetting computer hacking. This unauthorized access allowed him to repeatedly obtain information regarding the status and operation of the dam, including information about the water levels, temperature and status of the sluice gate, which is responsible for controlling water levels and flow rates. Although that access would normally have permitted Firoozi to remotely operate and manipulate the Bowman Dam’s sluice gate, Firoozi did not have that capability because the sluice gate had been manually disconnected for maintenance at the time of the intrusion.
On 18 July 2017, OFAC designated the Ajily Software Procurement Group as a significant transnational criminal organization (TCO) pursuant to E.O. 13581, “Blocking Property of Transnational Criminal Organizations.” The Ajily Software Procurement Group, based in Iran, uses hackers to steal engineering software programs from the United States and other western countries. Some of this software was sold to Iranian military and government entities, which are unable to acquire it overtly because of U.S. export controls and sanctions. The hackers use computer servers located in multiple western countries to carry out their thefts. The Ajily Software Procurement Group is the eighth TCO targeted under E.O. 13581.
OFAC designated Iranian national Mohammed Saeed Ajily for acting or purporting to act for or on behalf of, directly or indirectly, the Ajily Software Procurement Group. Mohammed Saeed Ajily is an Iranian businessman who directs Ajily Software Procurement Group hackers to steal specific software programs. Once the software is illegally acquired, Ajily uses multiple companies to market and sell the stolen computer programs in Iran. Some of this software, which is export controlled given its use in the design of rockets and GPS-guided weaponry, was sold to Iranian military and government entities. Ajily also procured specialized software for Malek Ashtar University of Technology, which was designated pursuant to E.O. 13382 on July 12, 2012 and is one of the major research institutes contained under the MODAFL umbrella.
OFAC designated Iranian national Mohammed Reza Rezakhah for acting or purporting to act for or on behalf of, directly or indirectly, the Ajily Software Procurement Group. Mohammed Reza Rezakhah is a computer hacker who steals software programs from western countries and cracks software protections, at the direction of Ajily, in order for the Ajily Software Procurement Group to sell the stolen technology, including to Iranian military and government entities.
On 23 March 2018, in a coordinated action with the U.S. Department of Justice, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) designated one Iranian entity and 10 Iranian individuals under Executive Order (E.O.) 13694, "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities," as amended. The entity and individuals designated in this action engaged in the theft of valuable intellectual property and data from hundreds of U.S. and third-country universities and a media company for private financial gain.
“Iran is engaged in an ongoing campaign of malicious cyber activity against the United States and our allies. The IRGC outsourced cyber intrusions to The Mabna Institute, a hacker network that infiltrated hundreds of universities to steal sensitive data,” said Treasury Under Secretary Sigal Mandelker. “We will not tolerate the theft of U.S. intellectual property, or intrusions into our research institutions and universities. Treasury will continue to systematically use our sanctions authorities to shine a light on the Iranian regime’s malicious cyber practices, and hold it accountable for criminal cyber-attacks.” As a result of this action, all property and interests in property of the designated persons subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them.
The 23 March action designated one Iranian entity and 10 Iranian nationals pursuant to E.O. 13694, as amended, which targets malicious cyber activities, including those related to the significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for private financial gain.
The Mabna Institute is an Iran-based company that engaged in the theft of personal identifiers and economic resources for private financial gain. The organization was founded in or about 2013 to assist Iranian universities and scientific and research organizations in obtaining access to non-Iranian scientific resources. The Mabna Institute also contracted with Iranian governmental and private entities to conduct hacking activities on its behalf.
Initially, the cyber criminals used an elaborate spearphishing campaign to target the e-mail accounts and computer systems of their victims, which in addition to the universities included nearly 50 domestic and foreign private-sector companies, the states of Hawaii and Indiana, and the United Nations.
According to the indictments, the hackers stole more than 30 terabytes of academic data and intellectual property—roughly three times the amount of data contained in the print collection of the Library of Congress. "Their primary goal was to obtain user names and passwords for the accounts of professors so they could gain unauthorized access and steal whatever kind of proprietary academic information they could get their hands on," said a special agent who investigated the case from the FBI's New York Division. "That information included access to library databases, white papers, journals, research, and electronic books. All that information and intellectual property was provided to the Iranian government," he added.
The Mabna Institute conducted massive, coordinated cyber intrusions into computer systems belonging to at least approximately 144 United States-based universities, in addition to at least 176 universities located in 21 foreign countries: Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, the Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey, and the United Kingdom. The exfiltrated data and stolen login credentials acquired through these malicious cyber-enabled activities were used for the benefit of Iran’s Islamic Revolutionary Guard Corps (IRGC), and were also sold within Iran through at least two websites. The stolen login credentials belonging to university professors were used to directly access online university library systems.
Mabna Institute targeted more than 100,000 accounts of professors around the world and successfully compromised approximately 8,000 of those accounts. The campaign continued through at least December 2017. Although it is difficult to calculate a dollar loss amount, through the course of the conspiracy, U.S.-based universities spent approximately $3.4 billion to procure and access data that the Iranians accessed for free because of their criminal activity.
Victim professors believed they were dealing with colleagues who had expressed an interest in academic articles. The e-mails tricked many of the professors to click on links that recorded their keystrokes when they signed into what they thought were their secure university domains but were actually bogus sites controlled by the hackers. The Iranians targeted data across all fields of research and academic disciplines, including science and technology, engineering, social sciences, medical, and other professional fields.
In addition to targeting universities, the hackers gained access to employee e-mail accounts at nearly 50 private companies around the world—the majority of them U.S. firms. Among the U.S.-based victims were academic publishers, media and entertainment companies, technology companies, and investment firms. During that same period in 2016, the hackers also began conducting intrusions against various U.S. federal agencies and other organizations such as the United Nations.
Password spraying, the brute-force technique the hackers turned to, involves collecting lists of names and e-mail accounts through open-source Internet searches and then guessing the users' passwords, betting that some users never changed default company passwords or used common ones such as "password123." Because each account sees only a guess or two, password spraying is unsophisticated enough that it can go undetected by company security monitoring. "They were flying under the radar," said the cyber agent who investigated the case, "and the magnitude of their effort was remarkable."
The tactic worked, providing hackers access to victims’ entire e-mail accounts. Now, in addition to academic data, the hackers were accessing companies’ trade secrets and sensitive U.S. government information.
OFAC also designated nine Iran-based individuals who were leaders, contractors, associates, hackers for hire, and affiliates of the Mabna Institute for engaging in malicious cyber-enabled activities related to the significant misappropriation of economic resources or personal identifiers for private financial gain.
- Gholamreza Rafatnejad (Rafatnejad) was a founding member of the Mabna Institute and organized the Mabna Institute hacking campaign.
- Ehsan Mohammadi (Mohammadi) was also a founding member of the Mabna Institute. Along with Rafatnejad, Mohammadi also helped organize Mabna's university hacking campaign and received from others compromised account credentials belonging to university professors.
- Seyed Ali Mirkarimi (Mirkarimi) was a hacker and Mabna Institute contractor. Mirkarimi engaged in a variety of phases of Mabna’s university hacking campaign, including the crafting and testing of malicious, spearphishing emails and organizing of stolen credentials.
- Mostafa Sadeghi (Sadeghi) was a hacker and affiliate of the Mabna Institute. Sadeghi compromised more than 1,000 university professor accounts. Sadeghi exchanged credentials for compromised professor accounts with other Mabna-affiliated actors. Sadeghi was also involved in the operation of, and maintained a financial interest in, one of the websites selling access to the stolen university data.
- Sajjad Tahmasebi (Tahmasebi) was a Mabna Institute contractor. He helped facilitate the spearphishing campaign targeting universities by, among other things, conducting online network surveillance of victim university computer systems and maintaining lists of credentials stolen from victim professors.
- Abdollah Karima (Karima) was a businessman who owned and operated a company that sold, through a website, access to stolen academic materials obtained through computer intrusions. Karima contracted with the Mabna Institute to direct hacking activities. Mabna affiliates regularly provided compromised university professor login credentials to Karima.
- Abuzar Gohari Moqadam (Gohari Moqadam) was a professor and affiliate of the Mabna Institute. Gohari Moqadam exchanged stolen credentials for compromised accounts with Mabna Institute founders Rafatnejad and Mohammadi.
- Roozbeh Sabahi (Sabahi) was a contractor for the Mabna Institute. Roozbeh Sabahi assisted in the execution of the various Mabna hacking activities, including its university campaign by, among other things, organizing stolen credentials obtained by Mabna Institute hackers.
- Mohammed Reza Sabahi (Sabahi) was a Mabna Institute contractor. Sabahi assisted in carrying out Mabna's spearphishing campaign targeting universities. Among his activities, Mohammed Reza Sabahi created targeting lists of university professors and catalogued academic databases at targeted universities.
In addition to the designations above related to the activities of the Mabna Institute, OFAC designated an additional Iranian national pursuant to E.O. 13694, as amended, for engaging in significant malicious cyber-enabled misappropriation of economic resources, personal identifiers, and financial information for private financial gain for activities targeting a U.S. media company.
Behzad Mesri (Mesri) compromised multiple user accounts belonging to a U.S. media and entertainment company in order to repeatedly gain unauthorized access to the company's computer servers and steal valuable data, including confidential and proprietary information, financial documents, and employee contact information. Mesri then attempted to extort the victim company for $6 million. Mesri is the subject of an indictment announced by the U.S. District Court for the Southern District of New York on November 21, 2017.
A January 2018 report of the Carnegie Endowment for International Peace indicates that “Iran’s offensive cyber activities are almost exclusively overseen by the IRGC” (with little prospect of oversight of elected officials) and “composed of a scattered set of independent contractors who mix security work, criminal fraud, and more banal software development”. The report notes that “[w]hile the relationships between proxies and governments can range from passive support to complete control, Iran’s indigenous threat actors maintain an arm’s-length relationship to the state, with certain operations orchestrated to meet the needs of the government”. (Carnegie Endowment for International Peace, 4 January 2018, p. 17)
The same source goes on to provide details on the nature of cyber operations conducted by Iranian groups against foreign and domestic targets over the past years: “After successfully suppressing the 2009 Green Movement and first detecting the Stuxnet attack in 2010, Iranian threat actors conducted sustained campaigns against domestic and foreign adversaries. These indigenous operations appear to be performed by small groups of individuals that have varying levels of technology experience with no more than ten people per team. These campaigns and the resources produced by the groups range from rudimentary to relatively professional, but most actors still face a low capacity ceiling. […]
"Iranian threat actors conduct campaigns with established toolkits that sometimes last for years and ensnare hundreds of targets. However, the fluid nature and decentralization of these groups make them relatively difficult to track. Malware that is publicly attributed to Tehran is often abandoned immediately on exposure, and identifiable members appear to change groups over time. Some groups seem to split up, have members move elsewhere, or even collaborate, further blurring lines. For example, while an IRGC-affiliated group labeled Rocket Kitten was the most active operator for a two-year period (2014–2016), attracting press attention as Iran’s premiere threat, it has since faded into quiescence, eclipsed by the actor Oilrig.
"Despite their substantial financial impact, Tehran’s disruptive operations against foreign targets have been technically simple. The compromise of a small number of IT personnel enabled the destruction of data on computers maintained by Saudi Aramco, eventually resulting in hundreds of millions of dollars in damage. In only a few campaigns have Iranian threat actors shown the professionalism and sophistication approaching that expected of a nation-state actor; in one such case, the operation could be tied directly to the Ministry of Intelligence […]
"While sophistication alone can be a superficial metric of posed threat, Iranian operations do not demonstrate the common technical precautions taken by other nation-state actors (such as obfuscating malware), and, even with strong social engineering capabilities, attacks are often betrayed by a lack of investment in nontechnical resources (such as fluency in English or personal tailoring of messages). These resource constraints also account for why Iranians are more effective at compromising dissidents—Iranian threat actors understand their target’s context and language, as opposed to when they are tasked with European languages or other cultures. […]
"It is often difficult to determine the origins and perpetrators of Iranian offensive cyber operations, as these campaigns may disappear as quickly as they appear. Public exposure often leads them to change tactics and abandon tools, making tracking even more difficult. The history of cyber operations targeting Iranians and originating from Iran is populated by groups that arise out of nowhere and conduct campaigns for ambiguous reasons over a finite time span, then disappear.” (Carnegie Endowment for International Peace, 4 January 2018, pp. 17-22)