Domestic Hacktivists Pose a Different Kind of Threat to Iran

Amid a broader pivot to asymmetric warfare, Iran has significantly ramped up its investments in cyberattacks and espionage over recent years. Initially seen as a fledgling player in the digital arena, the Islamic Republic has evolved dramatically. Now, according to cybersecurity firms, Iran stands as the world’s fifth most potent threat to digital data and infrastructure.

Targeted in the regime’s cyber crosshairs are familiar adversaries: the United States, Israel, and Gulf Arab states. In a surprising twist, Iran-backed hackers were found responsible last year for Albania’s devastating cybersecurity breach—a country where Iran had already been suspected of plotting physical terror attacks.

Yet, despite its newfound prowess in cyber offense, Iran is confronting a vulnerability it didn’t quite anticipate: the frailty of its own digital infrastructure. The regime, well aware of potential blowback for its 2020 surge in cyber offensives, hastened the development of its so-called “National Internet,” or “halalnet.”

Designed for dual purpose, this domestic Internet aims to insulate Iranian data from global scrutiny, while giving the government unprecedented power to stifle internal information flows. This became acutely evident when nationwide protests erupted in the wake of Mahsa Amini’s death at the hands of Iran’s “morality police.”

During periods of heightened unrest, Iran choked off Internet access across vast swaths of its territory. Even many VPN services, typically resilient, were incapacitated by this fortified “National Internet.” Yet, in an ironic twist, the Iranian populace continued to use the digital realm as an organizational tool, highlighting the regime’s limitations in imposing total control.

Adding salt to this self-inflicted wound, dissident hacktivists have successfully exposed significant chinks in Iran’s digital armor. As of late September 2022, targeted cyberattacks exploited domestic servers with weak content management systems, leading to considerable breaches in government websites. These ranged from a government-affiliated housing foundation to the office of Supreme Leader Ali Khamenei himself.

More astonishingly, the same hacktivist groups behind these breaches orchestrated targeted attacks that resulted in voluminous leaks of sensitive government data. This inside job reinforced claims by opposition movements about the scope and depth of their activist networks within Iran, illuminating the regime’s domestic fragility.

Parallel attacks, focusing on Iran’s political and economic pillars, have similarly escalated this internal vulnerability. Spearheaded by the newly prominent hacktivist group, Gyamsarnegouni—or “Uprising Until Overthrow”—these operations have led to an unprecedented trove of exfiltrated documents, calling into question even the highest echelons of Iran’s cybersecurity.

The regime’s digital strategy was perhaps sufficient to counter remote intrusions from foreign entities, but it neglected one critical aspect: the internal rot. Iran’s efforts to isolate its digital sphere from global reach failed to account for the network of domestic hackers and disgruntled insiders embedded within its own institutions.

As cybersecurity experts remain vigilant, both in assessing the cyber threats Iran poses globally and the vulnerabilities it faces domestically, it’s increasingly apparent that Iran’s internal dynamics are fluid. In this shifting landscape, it would be unwise to underestimate the potential revelations and activities from groups like Gyamsarnegouni and other Internet activists within Iran’s borders.