What are Iran's policy, strategy, and mission objectives for conducting cyberspace operations? Within this strategic framework, what does Iran perceive as U.S. or partner red lines, and what specific geopolitical events and/or actions would drive an Iranian retaliatory cyberspace attack against the U.S. or our allies and partners?
To comprehensively understand this threat, the U.S. military must also assess Iran's operational capabilities. How reliant is Iran on foreign technologies for the development and procurement of its cyberspace capabilities, and how does it use commercial entities to enable these cyber operations? Finally, at the tactical level, what are the current trends in Iranian cyber operations, and what specific cyber tactics, techniques, and procedures (TTPs) are currently being utilized?
- Evans, Capt. Stephanie, "Exploiting the Alliance: Identifying Methods for the U.S. to Counteract the Advantages of the Russia-Iran International Partnership," AFGC thesis, 2025, 37 pgs.
- Evans highlights that Iran's cyber tactics rely heavily on recruiting non-government proxy groups to execute attacks, which gives the Iranian government plausible deniability. Iranian procedures often focus on targeting critical civilian infrastructure and public health sectors, such as water facilities, pharmaceutical manufacturers, and children's hospitals. A key technique is the strategic timing of these attacks; for example, Iran launched a major malware attack against a Saudi oil company during a religious holiday to ensure minimal staffing, thereby maximizing the malware's success.