What Defenders Need to Know about Iran’s Cyber Capabilities

With the current Iran crisis at its peak, cyber activity is a relevant part of the threat picture alongside kinetic and political pressure. Iran’s ecosystem includes multiple clusters aligned with state entities, the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), as well as deniable operators and “hacktivist” groups. This ecosystem supports a broad set of objectives: espionage to gain intelligence and footholds; disruption and destructive activity, including DDoS attacks, pseudo-ransomware, and data wipers to impose costs; and information operations that pair destructive activity or data leaks with coordinated online amplification. This activity is expected to intensify and broaden across the Middle East, the United States, and other countries that Iran views as their opponents in the current war. 

This overview summarizes key Iranian-linked threat actor clusters that may be relevant to this war, and the tactics, techniques and procedures (TTPs) they have recently ...