Countries and APTs, Part 1: Iran

This post is the first episode of the series “Countries and APTs”, which focuses on the emergence and evolution of cyber threats.


Brief history of modern Iran and its national priorities

Iran, like North Korea or Russia, has used its cyber capabilities to conduct disruptive operations in the past, especially during times of high geopolitical tensions [1].

Iran is an Islamic country with a rich history rooted in the Persian Empire that lasted from the 6th century B.C. to the 12th century A.D. In 1501, Iran was reunified as an independent state by the Safavid dynasty, which set Shia Islam as the Empire’s official religion. From then on, Iran was a monarchy ruled by an emperor almost without interruption, until the 1979 Iranian revolution, when Iran officially became an Islamic Republic on April 1st, 1979. Iran’s rise to power from its origins to modern times has been marked by regional rivalry.

The early 1900s were very unstable in Iran. The government ratified the first Constitution in 1906, abolished it in 1908, then reestablished it in 1909. When World War I broke out, the ruling Qajar government declared its neutrality in the conflict. Iran was nonetheless occupied by British and Soviet forces, whose departure after WWI left a power vacuum that was filled by Reza Khan in 1921 [2].

The Pahlavi dynasty and foreign interventions

Between 1921 and 1925, Reza Khan served as Prime Minister, and finally became the first Shah of Iran, establishing the Pahlavi dynasty. His reign was a period of growth and societal progression [3]. He remained the Shah until 1941, when he refused to join the Allies during WWII, again declaring Iran a neutral party in the war. British and Soviet armies invaded Iran again and forced Reza Khan to abdicate the throne to his son, Mohammad Reza Shah Pahlavi [4].

After WWII ended, the Soviet Union threatened to continue its occupation of Iran for its oil [5]. This threat was countered by the USA under Truman, who supported the Shah. In 1949, the National Front Party was formed by Mohammad Mossadegh, one of the party’s main goals being the nationalization of Iran’s oil industry. In 1951, Mossadegh was named Prime Minister by the Shah, leading to the creation of the National Iranian Oil Company. This nationalization angered both Britain and America, which had an interest in keeping Iran’s oil industry privatized, and ultimately led to the coup that overthrew Mossadegh in 1953, “Operation Ajax”, led by MI6 and the CIA [6].

The White Revolution and the rise of Khomeini

In 1963, the Shah implemented a series of land reforms, privatized national industries, and granted women the right to vote, in what became known as the White Revolution. This openness to other religions raised criticism from the clergy and triggered protests led by Ruhollah Khomeini, resulting in his exile to Iraq in 1964.

Iranian women voting for the first time, 1963

The oil boom of the 1970s led to an influx of petro-dollars. This influx of wealth to the regime, as well as the Shah’s lifestyle and political and societal restrictions led to the emergence of an anti-Shah sentiment among Iranians during the 70s.

TIME magazine cover from 1978: The Shah of Iran

Ayatollah Ruhollah Khomeini, living in exile in France, was one of the loudest critics of the Shah as well as the most influential advocate for an Islamic Republic. In January 1979, Khomeini led a coup that resulted in the Islamic Revolution and the U.S. embassy hostage crisis, which lasted 444 days.

Students storming the U.S. embassy, 1979

Khomeini became the Supreme Leader in December, created the Islamic Revolutionary Guard Corps (IRGC), and established the doctrine of velayat-e-faqih, which gives ultimate authority to a religious leader.

The Iran-Iraq war and Khamenei’s Iran

In September 1980, the Iran-Iraq war began; it lasted 8 years. This war highlighted the divergence of interests among countries: Iraq received support from the United States, the UK, Russia, France, and the majority of the Arab countries, whereas Iran received assistance from Syria, Yemen, China, Libya and Israel.

In 1982, Iran provided support to Lebanon during the Israeli invasion of Lebanon, sending IRGC members to fight and train an Islamist-Shia military group known as Hezbollah.

In 1989, Ayatollah Ali Khamenei was elected as the second Supreme Leader of Iran. He led the economic and societal recovery from the Iran-Iraq war, continued restrictions on social reforms, and put effort into the development of nuclear weapons and ballistic missiles in the 2000s.

In March 2026, Ayatollah Ali Khamenei was killed by joint U.S. and Israeli military strikes on Iran, and at the time of writing, no successor has been designated.

Iran’s national priorities

Iran’s national priorities seem to revolve around three pillars:

  • protecting the regime and the velayat-e-faqih doctrine. The IRGC is constitutionally tasked with safeguarding the Islamic Revolution and its ideals [7]. Domestically, the Basij (a paramilitary volunteer militia embedded in neighbourhoods, universities, and mosques) acts as a nationwide surveillance and population-control network to monitor and suppress dissent [7];
  • acquiring nuclear weapons, by circumventing the JCPOA. Since 2019, the IAEA has verified that Iran’s nuclear activities exceed JCPOA-mandated limits. Iran stopped implementing the Additional Protocol in February 2021, and by 2025 had stockpiled 275 kg of 60% enriched uranium (enough material, if further enriched, to build more than a dozen nuclear weapons) [8];
  • developing regional hegemony, relying on proxy groups collectively known as the Axis of Resistance. This network includes Hezbollah in Lebanon, Hamas in Palestine, the Houthis in Yemen, and various Shia militias in Iraq. Iran’s IRGC provides training, weaponry, and funding to these groups [9].

Iran’s Government Structure

In Iran’s Islamic Republic, the Supreme Leader basically controls everything, but he relies on various institutions to execute his vision and is advised by the Supreme National Security Council (SNSC).

Hierarchy of Power in Iran, 2009 infographic by the New York Times magazine

Here’s a military-focused diagram representing the Iranian government institutions:

Iran’s Government Structure, source: Google Cloud Mandiant

Iran’s armed forces are divided into two entities under the Armed Forces General Staff, with overlapping workforces: the Artesh and the IRGC. The MOIS, the Iranian intelligence service, sits under the control of the President. According to multiple threat intelligence attributions [10], both the IRGC and the MOIS run cyber operations on behalf of the Iranian government.

The IRGC’s Intelligence Organisation seems to be mostly focused on domestic intelligence, internal surveillance and dissident suppression, whereas most Iranian-linked cyberespionage and foreign operations are linked to the MOIS. The MOIS primarily targets Iran’s adversaries in the Middle East, and Iranian advanced persistent threat groups such as APT34, APT39 and MuddyWater are attributed to it [11].

Iran-attributed cyber operations

Iran’s cyber capabilities are a direct extension of the national priorities outlined previously. Their development was largely reactive: the discovery of Stuxnet in 2010, a joint U.S.-Israeli cyber weapon that physically damaged centrifuges at the Natanz uranium enrichment facility [12], exposed Iran’s vulnerability in cyberspace and pushed the regime to invest heavily in offensive capabilities.

Early operations (2011-2016)

The first notable Iranian cyber operations appeared shortly after Stuxnet. In 2012, the Shamoon wiper malware struck Saudi Aramco, erasing data on thousands of workstations and disrupting oil production. U.S. intelligence attributed the attack to Iran, likely in retaliation for Stuxnet and U.S.-led sanctions [13].

Also in 2012, a campaign known as Operation Ababil launched sustained DDoS attacks against more than 40 major U.S. financial institutions (Bank of America, the New York Stock Exchange, Capital One, etc.). The attacks lasted until mid-2013, and in 2016 the U.S. DoJ indicted seven Iranians working on behalf of the IRGC for the campaign [14].

Expanding scope (2017-present)

Over time, Iranian cyber operations became more targeted and more closely aligned with the regime’s strategic objectives.

On the espionage side, Iranian APTs such as APT33, APT34, and MuddyWater run persistent campaigns against governments, defense contractors, and energy companies across the Middle East, Europe, and North America [11]. These operations support both regime protection and regional hegemony by gathering intelligence on adversary military capabilities, diplomatic positions, and dissident networks.

On the destructive side, Iran continued deploying wipers and pseudo-ransomware against strategic targets. In July 2022, the HomeLand Justice campaign hit the Albanian government with ROADSWEEP ransomware and the ZeroClear wiper, taking down government websites and services. The U.S. and NATO attributed the attack to the MOIS [15], motivated by Albania sheltering the MEK, an Iranian opposition group. Albania severed diplomatic ties with Iran in response, a rare case of a cyber operation triggering a full diplomatic rupture.

On the influence side, Iran increasingly pairs destructive cyber activity with coordinated online actions through hacktivists, which provide plausible deniability while extending the impact of operations [10].

The June 2025 Israel-Iran conflict showed Iran’s ability to synchronize cyber and kinetic operations. Analysis of hundreds of thousands of Telegram messages from more than a hundred hacktivist and proxy groups revealed rapid mobilization as air strikes began, with coordinated DDoS campaigns, website defacements, and data theft operations running in parallel with military action on the ground [16].

Finally, at the time of writing this post, fresh threat reports have been published highlighting activity from Iranian-linked threat actors tied to the ongoing war in the Middle East:

Ending word

I’m not so good at finding openings, though current events make it easier. Iran has real, proven cyber capabilities, and is able to run covert and disruptive operations against well-protected and instrumented adversaries (the U.S., for example). Given the current conflict, which can be considered an asymmetric one, Iran will probably rely a lot more on cyberwarfare to try to balance the forces and run a war of attrition. But we’re still early in the conflict and I’m anything but a war specialist, so anything can happen, really.


Found an error, have a comment? Feel free to reach out!