This page provides an overview of the Cybersecurity and Infrastructure Security Agency’s (CISA's) assessment of the Iranian government’s malicious cyber activities. The overview leverages publicly available, open-source intelligence and information regarding this threat. This page also includes a complete list of related CISA publications, many of which are jointly authored with other U.S. government agencies (Note: unless specifically stated, neither CISA nor the U.S. Government attributed specific activity described in the referenced sources to Iranian government actors). Additionally, this page provides instructions on how to report related threat activity.
Iranian cyber threat actors have been continuously improving their offensive cyber capabilities. Iran has exercised its increasingly sophisticated cyber capabilities to suppress certain social and political activity, and to harm regional and international adversaries. Iranian cyber threat actors continue to engage in conventional offensive cyber activities, ranging from website defacement, spearphishing, distributed denial-of-service attacks, and theft of personally identifiable information to more advanced activities, including destructive malware, social media-driven influence operations, and, potentially, cyberattacks intended to cause physical consequences.
The U.S. intelligence community and various private sector threat intelligence organizations have identified Iran’s Islamic Revolutionary Guard Corps (IRGC) as a driving force behind Iranian state-sponsored cyberattacks, either through IRGC contractors in the Iranian private sector or by the IRGC itself. According to the U.S. Office of the Director of National Intelligence 2021 Annual Threat Assessment, "Iran’s expertise and willingness to conduct aggressive cyber operations make it a significant threat to the security of US and allied networks and data." The Assessment states that "Iran has the ability to conduct attacks on critical infrastructure, as well as to conduct influence and espionage activities."
Latest U.S. Government Report on Iranian Malicious Cyber Activity
On November 17, 2021, CISA, the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the United Kingdom's National Cyber Security Centre (NCSC) released a joint Cybersecurity Advisory highlighting ongoing malicious cyber activity by an advanced persistent threat (APT) group that CISA, FBI, ACSC, and NCSC assess is associated with the government of Iran. FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia. See AA21-321A: Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.
The Iranian Malicious Cyber Activity section below lists all CISA Advisories, Alerts, and Malware Analysis Reports (MARs) on Iranian malicious cyber activities.
Iranian Malicious Cyber Activity
Much of the information contained in the Advisories, Alerts, and MARs listed below is the result of analytic efforts among CISA, the U.S. Department of Defense, and FBI to provide technical details on the tools and infrastructure used by Iranian state-sponsored cyber actors. The publications below include descriptions of Iranian malicious cyber activity, technical details, and recommended mitigations. Users and administrators should flag activity associated with the information in the products listed in Table 1 below, report the activity to CISA or FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.
Table 1: CISA and Joint CISA Publications
|November 17, 2021||
|July 20, 2021||
|October 30, 2020||
|October 22, 2020||
|September 15, 2020||
|January 06, 2020||
Report Activity Related to This Threat
CISA encourages all organizations to urgently report any additional information related to this threat. Users and administrators should flag associated activity, report the activity to CISA (see below) or FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.
- 1-888-282-0870 (From outside the United States: +1-703-235-8832)
- Central@cisa.gov (UNCLASS)
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA homepage at https://www.us-cert.cisa.gov/.
Mitigate and Detect This Threat
CISA recommends users and administrators review the publications in the Iranian Malicious Cyber Activity section as well as the following resources for descriptions of tactics and techniques associated with this threat and recommended mitigations and detections. Note: unless specifically stated, neither CISA nor the U.S. Government attributed specific activity described in the referenced sources to Iranian government actors.
Respond to an Incident
CISA recommends users and administrators consult the Joint Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, which details technical approaches to uncovering malicious activity and includes mitigation steps according to best practices. This Joint Advisory is the result of a collaborative research effort by the cybersecurity authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States.
U.S. Office of the Director of National Intelligence | 2021 Annual Threat Assessment | April 9, 2021 | URL: https://www.dni.gov/files/ODNI/documents/assessments/ATA-2021-Unclassified-Report.pdf