
Features 12.08.2025
Iran: What’s the Real Threat to CISOs?
Iran’s cyber capabilities are a growing concern, but should corporate security leaders be worried?
Iran is the least talked about of the “big four” nation state adversaries, yet mounting geopolitical tensions have prompted fears that the country could ramp up attacks. At the end of June, US intelligence agencies issued a joint advisory, warning that Iranian adversaries are targeting vulnerable networks – even following the ceasefire with Israel.
Separately, the parliamentary Intelligence and Security Committee warned in July that Iran poses a significant and wide-ranging threat to the UK. While the committee acknowledged the threat is not in the same league as Russia or China, it said the risk is increasing and that UK critical national infrastructure (CNI) providers may not be fully prepared.
Iran’s cyber capabilities are a growing concern across the globe, but how big is the actual threat, and how will it impact CISOs?
Before 2012, Iran’s offensive cyber activities were relatively nascent – often limited to website defacements, distributed denial-of-service (DDoS) attacks and basic espionage. “They were considered a second-tier cyber power, lacking the sophistication of actors in Russia or China,” says Philip Ingram, a former colonel in British military intelligence.
However, the 2010 Stuxnet attack, which successfully targeted Iran’s nuclear programme in a joint effort attributed to the US and Israel, was “a watershed moment”, he tells Assured Intelligence. Since then, Iran has matured into a “formidable and aggressive” cyber threat, Ingram says.
“Its strategic goals have expanded from simple retaliation to include broad intelligence gathering, theft of intellectual property and disruptive and destructive attacks against perceived adversaries,” he adds.
Iran’s aims can largely be defined as: geopolitical influence, retaliation against sanctions and perceived aggression, regional power projection, and disruption. For example, in 2024, Tehran-backed hackers accessed and distributed stolen information from Donald Trump’s election campaign in a bid to disrupt the election. A year earlier, Iran-linked threat group the Cyber Av3ngers breached industrial control systems across multiple US states, defacing interfaces and prompting shutdowns.
Iran is a risk-taking nation state that’s more likely than others to deploy wiper malware designed to permanently destroy data and disrupt operations, says Ingram. “Its operations can sometimes appear less sophisticated than its peers, but this often reflects a higher risk tolerance and a focus on speed and impact over long-term stealth,” he claims.
The country’s technical sophistication has also increased, moving towards living-off-the-land techniques which use legitimate tools such as PowerShell to hide activities and evade detection, says Ingram.
To understand the threat from Iran, it’s helpful to compare it to the other major nation state adversaries: China, Russia and North Korea. The four are often grouped under the acronym “CRINK”.
In comparison to Iran, Russia is “highly sophisticated, patient and technically advanced”, Ingram says. “Russia is generally considered more sophisticated and stealth focused. An Iranian attack might be a sledgehammer using data destruction, whereas a Russian attack is often a hidden microphone, focusing on long-term espionage.”
While Iran lacks the scale of Russia or China, its “high tolerance for risk” and global reach make it “formidable”, Phil Miles, associate managing director in the enterprise security risk management practice at Kroll, tells Assured Intelligence.
While over a dozen nations possess advanced cyber capabilities, Iran is the most volatile of the CRINK group, claims April Lenhard, principal product manager at Qualys. “Unlike many of China and Russia’s espionage-driven intrusions, or North Korea’s financially motivated heists, Iran’s cyber operations are largely retaliatory, stemming from national ideology and geopolitical backlash,” she tells Assured Intelligence.
Citing the examples of the Shamoon wiper attack on Saudi Aramco and DDoS attacks on US banks in retaliation for economic sanctions, Lenhard says Iran has proven itself to be “a loose cannon”.
The Iran cyber threat is “serious and persistent”, but not as technically advanced as Russia or China, Ziv Mador, vice president of security research at Trustwave, tells Assured Intelligence. “Its strength lies in asymmetric disruption, such as targeting critical infrastructure and spreading disinformation to cause panic or political pressure.”
While any organisation could be an opportunistic target for Iranian threat actors, the country has shown a clear preference for sectors that align with its strategic interests. These include CNI such as telecoms and healthcare, as well as technology, and academia and research, says former British army officer Ingram.
The financial sector – including banks, fintech platforms and stock exchanges – is another likely target, particularly for DDoS or ransomware-style attacks designed to cause disruption and erode public confidence, Trustwave’s Mador adds.
Government agencies and defence contractors could face “sophisticated espionage attempts”, as Iran has historically targeted Western military and diplomatic networks to gather intelligence, he claims. Iran is also increasingly leveraging artificial intelligence to amplify disinformation campaigns, Kroll’s Miles adds.
The threat from Iran is real and growing, especially as tensions continue with Israel. Ingram describes the nation as a “high-impact, high-probability threat, particularly for specific sectors”.
He adds: “What they may lack in ultimate stealth, they make up for in persistence and destructive intent.”
As well as the threat from Iran itself, CISOs should consider the collateral damage from offensive cyber operations conducted by allies. “The Stuxnet worm is the canonical example of a highly targeted weapon that eventually escaped the lab and was found in the wild,” Ingram warns.
For a CISO, the origin of a malicious tool that disrupts the network is secondary to its impact, Ingram points out. “An attack vector or vulnerability exposed by an allied operation can be discovered and repurposed by adversaries like Iran.”
For this reason, a defence-in-depth strategy is crucial: “You must defend against the tool and the technique, not just the attacker,” he warns.
Ingram advises CISOs to remember the cybersecurity basics, including vulnerability and patch management, as well as strong identity and access management, including multifactor authentication, and hardening the network and endpoints.
CISOs should also closely monitor Iranian state-sponsored APT groups and their growing ecosystem of proxy hacktivists, prioritising “proactive defence, rapid response, and intelligence sharing”, Trustwave’s Mador advises. “Its operations are becoming increasingly disruptive and combine traditional espionage with psychological warfare,” he says. Tactics to look out for include spear-phishing, social engineering, password spraying and malware deployment, often aided by insider access.
Meanwhile, Kroll’s Miles points to “comprehensive risk assessments, aligning cyber and physical defences, and enhanced monitoring of high-risk sectors” as key.
The threat from Iran is certainly growing, but it would seem some way from matching that of even North Korea, whose IT workers may already be actively seeking employment in the UK. It is right that parliament has raised concerns over the preparedness of UK organisations. But its call to “raise the resilience bar” should not be a heavy lift for CISOs with a threat intelligence-led mindset.
As always, cybersecurity best practices will go a long way to achieving that necessary resilience. For those in high-risk sectors, more careful planning may be required.