
Artificial Intelligence Is Accelerating Iranian Cyber Operations

Michael Mieses, Noelle Kerr, Nakissa Jahanbani
Wednesday, October 9, 2024, 1:00 PM
Over the past few decades, Iran has been quietly building its cyber capability in the shadow of great powers.
Ayatollah Khamenei at the 3rd International Conference on Quds and Protecting the Rights of the Palestinian People 29 (Photo: Unknown author/WikiMedia Commons, https://tinyurl.com/4y788dxs, CC by 4.0)

Published by The Lawfare Institute
in Cooperation With
Brookings

In late June and early July, Iranian hackers stole information from Donald Trump’s presidential campaign and sent it to Biden campaign officials, according to the Office of the Director of National Intelligence, the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA). This was far from a one-off. Recently, Tehran has increased its asymmetrical advantage by harnessing cyber capabilities through the internet and social media, a trend that extends back even further. Over the past few decades, Iran has been quietly building its cyber capability in the shadow of great powers. 

These recent activities took place after sustained Houthi attacks on commercial vessels in the Red Sea and attacks on U.S.-backed installations in Iraq and Syria. Iran’s cyber activities are part of a broader hybrid strategy combining conventional military power, economic leverage, and the strategic use of proxies. While there is considerable information about Iranian offline proxies, its cyber proxies largely fly under the radar. Though they are less visible than their offline counterparts, cyber proxies are nonetheless a powerful asymmetric tool. 

Iran’s multifaceted approach in the cyber domain allows Iran to project power and influence in the Middle East while avoiding direct conventional military confrontations with stronger adversaries. Iran uses cyber operations to complement its broader geopolitical strategies, often employing cyber espionage and sabotage to gain strategic advantages or to retaliate against sanctions and military threats. As Iran increasingly incorporates AI technologies into its cyber operations, the likelihood of more disruptive and damaging activities escalates, presenting a substantial challenge not only to regional stability but also to global security.

Tehran is capitalizing on the strategic competition between the U.S. and Russia by aligning with and learning cyber capabilities from Moscow and, to a different extent, China. Integrating AI increases the sophistication of Iran’s asymmetric cyber tactics, heightening the stakes in international power dynamics and intensifying the challenges of maintaining stable regional and international security.

To fully grasp Iran’s complex hybrid strategy, it is essential to examine its cyber infrastructure and the role cyber proxies play within the context of Iranian foreign policy. Our analysis first explores known Iranian cyber tactics, techniques, and procedures (TTPs) before delving into current Iranian cyber operations. Finally, we examine how Iran is using artificial intelligence (AI) in its cyber activities, operations, and threats.

Iran’s Cyber Infrastructure, Proxies, and Operations in Context

Iran follows a foreign policy strategy of “forward defense,” seeking self-preservation by addressing threats before they infiltrate its borders. In recent years, this strategy has expanded to conducting both offensive and defensive cyber operations for the regime. The Islamic Revolutionary Guard Corps (IRGC) established a “flexible, layered” hybrid-warfare national security strategy called “Mosaic Defense,” which capitalizes on decades of Iranian mistrust of foreign powers and utilizes asymmetrical warfare tactics to slow an invading force. The Iranian government’s cyber task organization is not well defined and operates across multiple government entities. This fragmented approach to cyber operations is likely due to the relative newness of cyber operations in the Iranian government. Due to the closed nature of the Iranian regime, the specific cyber entities within the government are not well defined or easily identifiable. However, some entities within the Iranian government focus specifically on propaganda and cyber-enabled information operations (IO) for the regime (see Figure 1).



Figure 1. Attributed Iranian cyber/information operations components.

(Sources for Figure 1 are from the Council on Foreign Relations, Insikt Group (Recorded Future), Iran International, Microsoft Threat Intelligence, Microsoft Security, Ostovar’s “Vanguard of the Imam,” Radio Free Europe/Radio Liberty, SecureWorks, Sentinel Labs, United Against Nuclear Iran, the U.S. Department of Justice, the U.S. Institute of Peace, and the Washington Institute.)

Cyber proxies affiliated with Iran either are under the direction of the Iranian national security apparatus or are loosely connected with seemingly unclear ties. The Iranian government’s cyber posture has evolved significantly, as evidenced by the leading U.S. government authority on cybersecurity, CISA. The government has continued to enhance its cyber capabilities, leveraging both state-sponsored groups and proxies to conduct sophisticated cyber operations. Maj. Gen. Qassem Soleimani’s death marked a significant turning point in Iran’s cyber strategy, pushing Tehran to assert its power and influence through increased cyber activities aimed at the U.S. and its allies. These operations seek not only to disrupt but also to demonstrate Iran’s technological prowess and strategic capability in cyberspace to establish deterrence against its main adversaries, the United States and its allies. The proxies’ ambiguity further offers Iran plausible deniability in leveraging them to achieve its foreign policy goals. The utilization of AI and customized malware and exploits in these operations suggests a trend toward more sophisticated and potentially more dangerous cyber capabilities.

Known Iranian Cyber Tactics, Techniques, and Procedures (TTPs) 

Iran’s cyber proxies consist of both state-sponsored groups and non-state-sponsored groups. Open-source research can have limitations due to over- and under-reporting as well as mis- and disinformation efforts, such as espionage operations and obfuscation. Cyber advanced persistent threats (APTs)—as they are referred to in cyber industry reporting and research—are highly resourced and capable groups commonly associated with nation-states. Because nation-state cyber threat actors seek to preserve their anonymity, they often take on multiple names over time to avoid attribution and identification. Groups will often commit attacks under multiple group names, and there is ambiguity as to whether or not these groups are directly state sponsored, but they are assumed to be aligned, because attack vectors, priorities, and victim overlap align with nation-state priorities. The implementation of AI would align with an asymmetric strategy and would be in line with proxies’ Mosaic Defense. Utilizing AI in their known cyber apparatuses and their respective capabilities would effectively create a more robust persistent threat. In June 2024, Iran and the IRGC used AI to create news sites that pull content from legitimate news sites to target U.S. voters on different sides of the political spectrum. Additionally, in December 2023, Iranian-sponsored hackers used AI-generated deepfakes to disrupt news broadcasts with the purpose of swaying public opinion in their favor.

The primary goals of Iranian cyber proxies are strategic espionage and reconnaissance to support nation-state priorities and to conduct cyber-enabled influence operations. Iranian cyber threats also target individuals in journalism who directly oppose them. Iranian hackers executed a social engineering campaign impersonating journalists and human rights activists to send phishing emails to targets. Additionally, Iranian cyber threats commit acts of cyber crime to support their geopolitical activities. Iranian nation-state actor MuddyWater has committed cybercrimes by deploying the BugSleep malware to maintain persistent access to target systems. Groups are also known to prioritize creating disruption and the transfer of tech and information. From a technical perspective, the tactics and procedures these groups use are a combination of different phishing techniques and social engineering. A recent example of Iran’s social engineering tactics involves Iran-linked hackers targeting U.S. presidential campaigns through phishing attacks, aiming not only to exfiltrate but also to leak sensitive data. If these tactics are successful, the target environment will then ingest malware/ransomware for the purposes of data exfiltration, command and control, reconnaissance, and espionage. (For more information consult sources about OilRig, APT33, Magic Hound, APT39, and APT42.)

Iranian cyber operations include cyber-enabled influence operations. Iranian-backed cyber groups conduct these low-cost, high-yield operations to elicit a psychological effect on target audiences in Israel, the U.S., and their allies. A Microsoft report details one case in 2023 in which several Iranian proxies conducted a multi-phase, cyber-enabled influence operation against Israel. The operation occurred in three phases. The first phase focused on spreading disinformation using “sock puppets,” which are fake social media personas to spread false successes about their exploits. In the second phase, Iranian APTs increased cyberattack activity against strategic targets. Finally, in the third phase, Iranian APTs attacked targets across borders and created deepfakes to spread their ideologies.

Current Iranian Cyber Operations Activity

The Israel-Hamas war has intensified Israel-Iran cyber conflict. For example, Iranian hackers have compromised Israeli-made components used in U.S. water systems. Iranian cyber groups have developed software and systems that regulate water systems in Israel and the United States. There is evidence that Iranian hackers have been waging an intelligence gathering campaign that has targeted adversaries in the Middle East, Israel, and the United States. Their targets have included government staff, telecommunications, financial organizations, and military entities. These priorities are in line with previously mentioned Iranian state-sponsored groups and their associated TTPs. A CISA report described how Iranian state cyber actors inject malware and ransomware into target systems to exfiltrate email content. The continuous tension between Israel and Iran has escalated cyberattacks on both sides of the conflict. Since June 2010, there has been a history of Iran blaming both Israel and the United States. Recently, Iran’s banking systems were targeted by Israel. The initial reactions to the attack indicated that it was the largest-scale attack Iran has faced. 

Cyber proxy groups use various tactics to create negative psychological effects among adversaries. APTs such as Mint Sandstorm use precise targeting to create unease among a specific group of people. Iran also uses “faketivists,” which are groups that commit cyberattacks for a specific cause, like hacktivists, but are borne from a specific geopolitical event and are created by a nation-state to perpetuate narratives that support their cause. Faketivists can be nation-state actors and/or proxy groups associated with the IRGC and the Ministry of Intelligence and Security (MOIS). The cyberattacks in Israel that have deployed faketivists have had mixed success, but they have garnered both local and global support. The purpose of these groups is to spread their “success” and to create disruption and attention, regardless of actual operational success.

Cyber threat actors associated with the Iranian MOIS collaborate with offensive cyber proxies to launch more targeted attacks. Subsidiaries of the threat actor group Pink Sandstorm hacked into Israeli hospital networks and LGBTQ dating apps to leak sensitive information regarding personal medical records and to publish details on individuals’ sexual orientation. Unlike the IRGC’s approach of launching an offensive attack and then amplifying it with sock puppets, MOIS threat groups execute more intrusive and destructive maneuvers within servers. This difference sets MOIS apart from the IRGC and indicates that MOIS leverages its intelligence collection operations experience to power its cyber-enabled influence operations and to conceal its actors more intentionally.

Artificial intelligence is also used within Iranian cyber-enabled information operations. Since the Oct. 7 attacks, various Iranian-backed cyber groups have employed AI to generate online propaganda. In one instance, the Storm-1364 persona Tears of War used AI to generate images meant to coerce Israeli citizens to rally against Prime Minister Benjamin Netanyahu. More recently, after the massive Iranian drone attack, Iranian cyber actors used AI-generated footage to fabricate the effects of the drones and disseminated the content via X. The use of AI, especially generative AI, continues to evolve amid the information war and will certainly elicit more potent psychological effects for the regime.

***

The U.S. and its allies such as Israel have responded to Iran’s growing cyber and cyber-enabled influence capabilities by strengthening their cybersecurity posture and collaborating with the private sector to develop preventive solutions. By employing both state-sponsored groups and cyber proxies, Iran has developed a complex and hybrid strategy that aligns with its foreign policy goals. Both the U.S. and Iran are enhancing cyber policies to build stronger relationships between public and private entities while educating their societies on the nature of cyber warfare. Iran’s use of AI to bolster its cyber operations, including deepfakes and AI-generated content, enhances its influence operations and creates a more efficient threat landscape. These operations include Iran’s proxy groups using open-source AI tools. The U.S. counters Iran’s cyber-enabled influence operations through a whole-of-government approach, incorporating diplomatic, military, economic, and informational measures.

Looking ahead, we can expect Iran to further integrate AI into its cyber strategy, escalating the frequency and sophistication of attacks, particularly on critical infrastructure and democratic processes. Additionally, the growing alignment between Iran and other global cyber powers, such as Russia and China, further increases the sophistication and reach of its cyber capabilities, presenting significant challenges for those attempting to counter these evolving threats.

Governments and private entities must remain vigilant, as the evolving cyber domain will continue to shape geopolitical conflicts in the coming years. As both sectors face similar threats from Iranian cyber actors, continued collaboration to counter these efforts is not just ideal but essential. Public-private partnerships play a crucial role in countering these threats by pooling resources, expertise, and intelligence. Such partnerships enable more comprehensive defenses against Iranian cyber operations, from protecting critical infrastructure to countering disinformation campaigns. Strengthening this collaboration will be vital to staying ahead of increasingly sophisticated attacks and ensuring resilience in the face of evolving cyber threats.


Michael Mieses is a Security Senior Analyst working in the private sector. Additionally, Michael is serving in the Army National Guard and has experience with both domestic and overseas assignments. His academic background includes a B.S. in Cybersecurity and an M.P.S. in Homeland Security - Counterterrorism option.
Noelle Kerr is an active duty Army officer serving within the Special Operations Community and a recent General Downing Fellow. She holds a Bachelor of Science degree from the United States Military Academy and a Master in Public Policy from the University of Michigan Ford School of Public Policy.
Nakissa Jahanbani is a researcher at the Combating Terrorism Center and an assistant professor in the Department of Social Sciences at the U.S. Military Academy. She holds a doctorate in political science from the University at Albany, State University of New York.
