Iran’s documented cyber operations against the United States are distinguished by their breadth of target selection and their use of both the Islamic Revolutionary Guard Corps and the Ministry of Intelligence and Security as operational entities. The Congressional Research Service record covers Iranian campaigns from 2011 through 2022, with operations targeting financial institutions, election infrastructure, intelligence community personnel, universities, defense contractors, satellite companies, and critical infrastructure operators. The IRGC in particular has been willing to conduct disruptive attacks — not just espionage — against civilian targets at a pace that distinguishes Iran from the more restrained posture of China and, in certain periods, Russia.
The IRGC Campaigns
The earliest documented major IRGC operation ran from 2011 through 2013, when ITSecTeam and Mersad Company — IRGC-affiliated entities — waged distributed denial-of-service attacks against U.S. financial institutions and hacked into the control systems of a municipal dam in Rye Brook, New York. Seven Iranians were charged in 2016 in connection with those attacks. APT-33, an IRGC-linked group active from 2015 through 2019, conducted spear-phishing campaigns against satellite and aerospace company employees to access company networks, steal credentials, and extract intellectual property. The Mabna Institute, a separate IRGC contractor active from 2013 through 2018, stole academic data and intellectual property from universities, companies, and government agencies in the United States and abroad; nine Iranians were indicted in March 2018.
In 2022, IRGC-linked actors operating under the CyberAveng3rs designation targeted industrial control systems at critical infrastructure facilities, including U.S. water and wastewater systems — one of the clearest documented examples of an adversary directly targeting operational technology in civilian infrastructure. That same year, Iranian government actors exploited open-source vulnerabilities in network connection software to install cryptocurrency mining tools and harvest credentials from a federal network, a campaign documented by CISA in November 2022. A separate IRGC campaign from 2021 exploited vulnerabilities in Microsoft Exchange and Fortinet security appliances to gain access to U.S. critical infrastructure, then conducted follow-on ransomware and extortion operations.
Intelligence Collection and Election Interference
The Ministry of Intelligence and Security ran a broader collection program from 2018 through 2022, targeting telecommunications, defense, and energy sector companies as well as government entities — alongside IRGC, as the joint APT-39 designation indicates. MOIS-linked actors also ran an earlier operation from 2014 through 2015 targeting intelligence community personnel, using fake accounts to deploy malware against the professional networks of IC employees.
The 2020 election interference operation, attributed to Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian — individuals associated with a company providing services to the Iranian government — involved hacking into state election websites, accessing voter information on over 100,000 citizens, sending disinformation to politicians and media outlets while posing as voters, and attempting to compromise a media company to amplify the operation. The 2021 DOJ indictment covers conduct that directly targeted democratic infrastructure rather than commercial or intelligence targets.
Iran’s cyber program is less technically sophisticated than China’s or Russia’s by the CRS assessment’s implicit framing, but it compensates with operational aggression. It has repeatedly crossed lines that other adversaries have avoided — attacking civilian infrastructure control systems, targeting election administration, and running harassment campaigns against intelligence personnel. The threat model it presents is distinct: not the long-duration patient collection operation, but shorter, noisier, and more willing to cause damage as a signal of political displeasure.