How Iran built such a formidable cyberwar machine

Bombs are falling across the Middle East as the United States and Israel try to bring Iran to heel. But while physical infrastructure is toppling in Iran, the country’s digital armies are still fighting with force.

Groups linked to the Iranian regime have hit Jordanian gas firms, as well as businesses in the UAE and Qatar, as part of their Great Epic cyber offensive. Countries including the UK, whose military base in Cyprus has been hit by Iran-linked missiles, have begun warning businesses to prepare for possible Iranian cyberattacks.

That raises a bigger question: How did Iran become such a formidable force in cyberwarfare, and to what end?

A cyber shock to the system

Iran’s cyber prowess today stems in part from an earlier attempt to cripple its capabilities. In 2010, the United States and Israel reportedly launched the Stuxnet virus against Iran’s Natanz nuclear facility, destroying centrifuges and setting back the country’s nuclear program. (Both countries have denied involvement in the attack.) The attack was widely seen as the first true cyberweapon used against real-world infrastructure—and a wake-up call to Iran about the destructive potential of digital warfare. The intervention, unprecedented at the time, was designed to delay or halt Iran’s nuclear ambitions.

It may well have succeeded in that. But it also pushed Iran to focus on another form of combat: cyberspace, inspired by the way it had been attacked. “Being on the receiving end of what was the world’s first true cyber weapon showed Iran exactly what was possible then and in the future,” says Jake Moore, global cybersecurity advisor at ESET, a cybersecurity firm.

In response, Iran moved aggressively to build its cyber capabilities. The country established governance and coordination structures—including the Supreme Council of Cyberspace in 2012—to advance its goals, while also sponsoring advanced persistent threat (APT) groups through the Islamic Revolutionary Guard Corps and the Ministry of Intelligence. Iran’s cybersecurity budget increased by 1,200% between 2012 and 2015, according to contemporaneous reports.

A glut of technical talent

Iran has also benefited from a strong base of technical talent, some of which has been directed toward offensive cyber operations. “Iran is one of the top countries for producing software and computer engineers,” says Mo Hoseini, head of resilience at ARTICLE 19, a human rights organization focused on digital rights.

Those APT groups saw significant successes throughout the 2010s. Some of the most notable—the APT33 and OilRig groups—conducted long-running campaigns targeting the aerospace and energy sectors. The U.S. ended up sanctioning a number of individuals believed to be linked to those groups in 2024. But it’s not only formally organized groups that pose risks. Analysts have tracked more than 120 hacktivist groups allied with Iran that operate independently, any of which only need to get lucky once to sow chaos.

A battlefield without borders

The ability to attack digitally has become a more strategic asset for Iran, allowing it to project power despite military constraints and economic pressure from sanctions. That dynamic helps explain why Tehran has invested so heavily in cyber capabilities and why Iranian-linked groups continue to appear at the center of major incidents. Support from other adversarial states has also played a role, says Hoseini. “We’ve seen over the years a lot of influence from China and Russia,” he explains, noting that Iranian cyber operations often mirror Russian tactics and appear to involve exchanges of technical knowledge. That knowledge sharing also extends to Iran’s supporters abroad, which could make efforts to curb the country’s cyber capabilities more difficult than countering its conventional weapons.

That’s in part because Iran has invested time and money into supporting young Iranians to go abroad, then effectively blackmailing them into becoming spies for the regime. “They’ve been sending loads of pro-regime supporters on the scholarship program abroad, and now they have jobs in tech companies,” says Hoseini, pointing to the February arrest of three people alleged to have secured jobs in Silicon Valley firms and transferred confidential information to hostile countries, including Iran.

“They have resources, at least for now,” he adds. “But how they can hold this ground, coordinate, and execute will become more of a question mark in the coming weeks.”
