Iran’s Continuing Proxy Strategy in Cyber Warfare

Alexis Cao, Editor

Since the 1979 revolution, Iran has been expanding its network of proxy groups across the Middle East and using them as a major strategy to expand its regional influence (Lane). As cyberspace has emerged more prominently as a new battlefield over the past decade, Iran has become one of the most active actors in cyber warfare. The state carries on its tradition of using proxies as part of its tactics in the cyber domain.

A proxy war takes place when a major power plays an important role in supporting or controlling another party in a conflict between two state or non-state actors, but does not explicitly involve itself in the dispute (Byman). Proxy wars give state or non-state actors an alternative way to advance their strategic influence or goals by supplying the chosen proxies with training, funding and so on, without engaging directly in costly warfare (Brown 128).

Cyber warfare usually involves digital attacks or attempts to disrupt and damage another nation’s computer systems and networks, and potentially to cause physical damage to objects in the real world (Lucas 31). However, “cyber warfare” is a distinct term from “cyber war”, as it usually does not imply the scale of violence or consequences associated with the term “war” (Green 20).

The use of proxies has long been a key feature of Iran’s strategy to expand its regional influence (Shires 15). In general, proxies offer a way of fighting that can to some extent limit conflict escalation and tit-for-tat dynamics (Shires 24). Iran has supported a growing number of non-state proxy groups across the Middle East since the Islamic Revolution, including groups from Shiite Muslim–majority countries such as Iraq and Lebanon, and from Sunni-majority Afghanistan, Yemen and Syria (Robinson). For example, in Syria, Iran has provided assistance to the Al-Assad regime through training and funding for over 100,000 Shia fighters, as it views the survival of the regime as crucial to advancing its regional interests (Jones 3). In Yemen, Iran’s primary organization for foreign operations, the IRGC-QF (Islamic Revolutionary Guards Corps-Quds Force), has supplied the Houthis with ballistic missiles and drones, which were later used in Saudi Arabia and the United Arab Emirates, with the potential strategic goal of keeping its influence in the Red Sea (Jones 4). Since Iran lacks the naval capabilities to maintain a presence in Yemen, using proxy groups helps Iran achieve its objectives regardless (Byman).

Over the years, Iran has expanded its capabilities from traditional warfare into the cyber domain, starting from the pivotal civil protests of 2009, in which the election results declaring Ahmadinejad’s victory were challenged on social media. The situation forced the regime to view development in cyberspace as a strategic necessity (Siboni 22). The Stuxnet malware that followed in 2010, which targeted Iran’s computer systems, again reinforced the importance for Iran of building up its cyber capabilities.

As Iran strengthens its cyber proficiency, it carries on its use of proxies in cyber warfare. Similar to Iran’s proxy groups in traditional warfare, such as in Syria and Yemen, its proxies for cyber attacks span Shiite and Sunni state and non-state actors that align with Iran’s interests or ideology, as well as actors that are financially motivated (Siboni 34). From the early development of its cyber capabilities, Iran has invested heavily in non-state proxy groups such as the Iranian Cyber Army (IISS). Moreover, although no specific evidence has been presented, Iran’s APT33 (or Elfin) has been linked to the Shamoon malware attack on computer networks belonging to the oil company Saudi Aramco through the proxy hacker group “Cutting Sword of Justice”, which claimed to be retaliating against the regime for crimes against humanity (Jones 2).

Despite the potential deniability that proxies offer, the attacks have shown possible indications of links to Iran. Six APT (Advanced Persistent Threat) groups have been identified as suspected of being attributable to Iran through digital forensic analysis of common tactics and techniques, similarities in code, and similar industry interests (Shample 5). For example, the targeted organizations, ranging from aviation to energy, align with Iran’s state interests. The timing of the proxies’ cyber operations aligns with Iran’s working days as well as with the Iran Daylight Time zone. Along with other factors, although not completely conclusive, existing forensics have identified potential ties to Iran (O’Leary 5).

Leveraging proxy groups in cyber warfare has been particularly attractive for Iran, considering the economic sanctions from the United States and the recently expired weapons embargo from the United Nations (Hochberg 2). Moreover, using proxies to disguise its cyber operations, together with the ambiguity of such actions, helps Iran maintain plausible deniability, thereby avoiding potential escalation (Anderson 56). In September 2019, Iran denied the attacks on Saudi facilities and claimed that the Houthis were responsible for the operation (Siboni 38). As a result, this less regulated, lower-intensity form of conflict allows Iran to keep on par with its rivals and expand its influence despite the external limitations.

Anderson, Collin, et al. “Iran’s Cyber Threat: Espionage, Sabotage, and Revenge”, Carnegie Endowment for International Peace. 2018.

Brown, Garrett W, et al. “Proxy War”, A Concise Oxford Dictionary of Politics and International Relations. Oxford University Press, 2018.

Byman, Daniel L. “Why engage in proxy war? A state’s perspective”, Brookings. May 21, 2018. Accessed on Dec. 1, 2021.

Green, James A. Cyber Warfare: A Multidisciplinary Analysis. Routledge Press, 2015. 

Hochberg, Leo. “Iran’s Cyber Future”, Middle East Institute. Feb. 23, 2021. Accessed on Dec. 1, 2021. 

IISS. “Iran’s Networks of Influence in the Middle East”, International Institute for Strategic Studies. May 2020. Accessed on Dec. 1, 2021.

Jones, Seth G. “Infrastructure: The Implications of U.S.-Iranian Escalation”, Center for Strategic & International Studies. Aug. 5, 2019. Accessed on Dec. 1, 2021. 

Jones, Seth G. “War by Proxy: Iran’s Growing Footprint in the Middle East”, Center for Strategic & International Studies. Mar. 11, 2019. Accessed on Dec. 1, 2021.

Lane, Ashley. “Iran’s Islamist Proxies in the Middle East”, Wilson Center. May 20, 2021. Accessed on Dec. 1, 2021. 

Lucas, George R. Ethics and Cyber Warfare: The Quest for Responsible Security in the Age of Digital Warfare. Oxford University Press, 2016. 

O’Leary, Jacqueline, et al. “Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware”, Mandiant. Sep. 20, 2017. Accessed on Dec. 1, 2021. 

Robinson, Kali. “Iran’s Regional Armed Network”, Council on Foreign Relations. Mar. 1, 2021. Accessed on Dec. 1, 2021. 

Shample, Steph. “Iranian APTs: An Overview”, Middle East Institute. Nov. 24, 2020. Accessed on Dec. 1, 2021. 

Shires, James, et al. “Rational Not Reactive: Re-evaluating Iranian Cyber Strategy”, Belfer Center. Oct. 2021. Accessed on Dec. 1, 2021.

Siboni, Gabi. “Iran’s Activity in Cyberspace: Identifying Patterns and Understanding the Strategy”, The Institute for National Security Studies. Mar. 2020. Accessed on Dec. 1, 2021.
