Iran’s Asymmetric Cyber Strategy

Iran is no stranger to propaganda. The Islamic Republic owes its existence in part to the distribution of cassette tapes with the recorded speeches of Ayatollah Khomeini. These were smuggled into Iran along with pamphlets copied on new Xerox machines. The goal was to incite the mustadafeen (disinherited) to take to the streets and demonstrate against the Shah and the “Great Satan”[i].

Since gaining power in 1979 Iran’s clerics have expended considerable resources to protect the Revolution with propaganda which promotes Iran as the alternative leader of the Muslim world while simultaneously denouncing the US and its allies and censoring dissident Iranian voices. The annual budget for the Iranian Republic of Iran broadcasting (IRIB) runs around $750m, roughly equivalent to US spending on the US Agency for Global Media, but as a proportion of total government spending, about fifty times as much[ii].  Along with terrorism, kidnapping, rocket fire, and destructive cyberattacks, Iran’s influence operations constitute another component of its asymmetric toolkit, which it uses to deter and defy its enemies, while maintaining plausible deniability and remaining below the threshold of conventional conflict[iii]. 


Iran’s more recent cyber and information operations can be understood as a response to both internal and external forces. Internally, Iran’s fears of a counter-revolution modeled on Czechoslovakia’s Velvet Revolution of 1989[iv] or the color revolutions in Georgia, Ukraine and Lebanon in the mid-2000s came uncomfortably close to realization in 2009 when pro-democracy activists took to the streets and to Twitter to protest the fraudulent re-election of President Ahmadinejad.  The clampdown was brutal and swift. Bloggers were incarcerated and tortured. Special cyber police units were formed, new laws restricting internet use were passed, and most western digital platforms were outlawed[v].


Externally, Iran’s fears of US-orchestrated regime change, which date back to the overthrow of Mosaddegh in 1953, have been heightened by the toppling of the Taliban to its east in 2001 and of the Baathists to its west in 2003[vi]. Compounding these fears have been western efforts to thwart Iran’s nuclear ambitions via Stuxnet in 2009 and to steal Iranian state secrets via Flame in 2012[vii]. These events have driven the Islamic Republic to invest heavily in cyber and media influence capabilities[viii]. In cyberspace Iran’s modus operandi has been to mount overt destructive “wiper” attacks accompanied by ostentatious defacements to get its message across[ix]. In the media arena, Iran sees itself engaged in a “soft war” (Jang-e Narm) to disrupt the infiltration of foreign ideas and influences[x].  

Cyber & Public Policy

Some of Iran’s cyberattacks have targeted US banks or even casino owners supporting muscular anti-Iranian policies. Others have focused on US allies in the Middle East, specifically Iran’s archenemy, Saudi Arabia. Images of a burning US flag or of the body of the 3-year old Syrian refuge, Alan Kurdi, seared onto Saudi Arabian hard drives are prototypical examples of the propaganda that accompanies Iran’s destructive cyberattacks[xi]. But Iran reserves such cyber diplomacy for extreme retaliations. Its more routine propaganda is best understood as a continuation of public diplomacy that promotes its interests abroad[xii] while denouncing its enemies through resistance narratives[xiii]. Ayatollah Khamenei captured the essence of this approach in 2009 during the rise of the Green Movement when he declared “the most effective international weapon against enemies and opponents is promotion”[xiv].

Champion of the Oppressed

The super narrative that Iran promotes is that it is a benevolent power that is being oppressed by the United States and its allies – Saudi Arabia, Israel and the Arab states[xv]. It positions itself as a religious beacon for the Islamic world and the perennial underdog that leads the fight against the evils of western imperialism[xvi]. To this end it is quick to frame US sanctions as a form of economic warfare, to attribute to Saudi Arabia the humanitarian crisis in Yemen, to seize upon the killing of Palestinian civilians by Israel, to highlight the impact of US air strikes in Iraq and Syria[xvii], and even to piggyback US domestic oppression of minorities. For example, the site seeks to redirect a left-leaning cause to its own ends by laundering Iranian state propaganda to progressive activists[xviii].

Compared to Russia, which stokes both sides of a conflict to generate chaos in western societies, Iran generally plays up one side only – the side of the oppressed – to generate sympathy (e.g. for the impact of US sanctions) or promote its interests (e.g. for the continuation of the JCPOA)[xix]. Also compared to Russia, Iran makes more sparing use of fabrication in its narratives[xx]. Like China it exaggerates the actions of US troops and police during demonstrations, alleging western hypocrisy[xxi]. It exaggerates its own military strength to deter attacks by its enemies[xxii]. And it exaggerates the aggression of its enemies by copying or stealing articles from legitimate media and injecting subtle changes[xxiii].

One example is an article on the legitimate Israeli site Maariv, titled “Israel must be ready for war in order to prevent Iran from growing strong in Syria”, which was changed to “Israel must go to war in order to prevent Iran from growing stronger in Syria”[xxiv]. On occasion Iran will amplify existing conspiracy theories e.g. that the US was responsible for creating the self-declared Islamic State of Iraq and al-Sham (ISIS)[xxv], or even create its own conspiracies e.g. that a former Israeli Defense Minister had been dismissed for being a Russian agent[xxvi]. The former conspiracy, which originated in Lebanon, aimed to blunt US soft power and strengthen Hezbollah[xxvii]. The latter conspiracy was designed to strain relations between Israel and Russia[xxviii].  But such outright fabrications are the exception, not the norm[xxix].

Overt Propaganda

Iran spreads its propaganda both overtly and covertly. The IRIB publicly funds and operates 12 radio channels and 47 regional and national TV networks within Iran. It operates 30 radio channels and 9 TV networks outside of Iran. Foreign-facing vehicles include Pars Today (consolidated news in 32 languages), Al Alam (TV news in Arabic), Press TV (TV news in English), and Hispan TV (TV news in Spanish).  All these outlets have a web presence[xxx]. Iran runs its covert influence operations through an obfuscated network of proxies and bloggers tied to the Basij Cyber Council, the Cyber Police, the so-called Iranian Cyber Army and the Passive Defense Organization. These covert resources are more likely orchestrated by the Iranian Revolutionary Guard Council than the Ministry of Intelligence and Security[xxxi].

Covert Propoganda

Iran’s covert machinery consists of a hundred or more news outlets, each with its own website and social media accounts[xxxii]. These outlets claim to be dedicated to independent journalism but obfuscate their financial and operational ties to the Iranian regime[xxxiii]. Many of them attempt to co-opt legitimate foreign media outlets using misleading domain names (“”, “” etc.)[xxxiv]. Typo-squatting, Punycode or lookalike Top-Level Domains are used in this process. Content is then scraped from the corresponding legitimate site and posted as is or amended in line with Iranian interests[xxxv]. Inauthentic “local” personas, many of them attractive women, are then used to amplify the content into conversations on Twitter, Facebook, Instagram, Reddit and other social media platforms[xxxvi]. The combination of the putatively independent website and the “local” social media user makes the content appear more legitimate to Tehran’s audiences in the US and Europe[xxxvii]. By sheer force of repetition much of this Iran favorable content drowns out other opinions[xxxviii].  

Iran started building out its assembly of inauthentic websites and social media personas in 2010[xxxix] and enjoyed eight years before FireEye revealed this covert infrastructure in August 2018[xl]. Nine months later Citizen Lab named the network of inauthentic personas “Endless Mayfly” and described its distinctive characteristic as the ephemerality of its content: once the content had achieved some degree of social media pickup, the spoofed articles were deleted and the links redirected to the legitimate domain being impersonated. This enhanced the legitimacy of the articles while obscuring their origin[xli]. Some of the sites identified were Liberty Front Press, US Journal, Real Progressive Front, The British Left, Critics Chronicle, Instituto Manquehue[xlii], IUVM Press, AWDNews, Yemen Press, Whatsupic, and Podaci Dana[xliii]. Since being outed by FireEye, thousands of inauthentic Iranian personas, estimated to have reached millions of users over the years, have been removed by Facebook and Twitter[xliv].

Implications for US Elections

What are Iran’s intentions regarding interfering in the democratic deliberations of US elections?  Iranian propaganda associated with the 444-day hostage crisis of 1979-1981 is generally regarded as having contributed to the defeat of President Carter in the election of 1980[xlv]. The precedent clearly exists. At the time of writing, Iran has strong incentives to do everything in its power to ensure that Donald Trump is not re-elected. The US withdrawal from the JCPOA, the maximum pressure campaign, the tightening of sanctions[ii], the designation of the IRGC as a terrorist organization, and the assassination of General Soleimani provide ample motivation[xlvii].

Indeed, Microsoft and Google have reported that Iran-linked hackers have attempted to breach email accounts belonging to the Trump campaign[xlviii]. But Iran must be realistic. Its attempts to sway the Republic Primary in 2012 in favor of Ron Paul failed miserably to gain traction[xlix]. And although Endless Mayfly appears to have enjoyed considerable influence, it will take time for Iran to reestablish trusted inauthentic websites and personas following the recent takedowns. Iran is also keenly aware of its limitation and conflict of interest vis-a-vis its ally, Russia, which is aiming its own manipulation resources in favor of Trump’s reelection.

Although the ODNI has assessed that Iran is likely to seek to undermine President Trump and divide the country in advance of the 2020 elections[l], it is highly unlikely that Iranian influence operations alone, without the benefit of other elements of its asymmetric toolkit, will be enough to achieve its goals.  

[i] Ariane M. Tabatabai, Alliance for Securing Democracy, Iran’s Authoritarian Playbook. The Tactics, Doctrine, and Objectives behind Iran’s Influence Operations, 2020,

[ii] Emerson T. Brooking and Suzanne Kianpour, Atlantic Council, Iranian Digital Influence Efforts: Guerrilla Broadcasting for the Twenty-First Century, Feb 11, 2020,

[iii] Ariane M. Tabatabai, Op. Cit.

[iv] Collin Anderson and Karim Sadjadpour, Iran’s Cyber Threat. Espionage, Sabotage, and Revenge, Carnegie Endowment for International Peace, January 4, 2018,

[v] Emerson T. Brooking and Suzanne Kianpour, Op. Cit.

[vi] Seth G. Jones and Danike Newlee, CSIS, The United States’ Soft War with Iran, June 2019,

[vii] Collin Anderson and Karim Sadjadpour, Op. Cit.

[viii] Ariane M. Tabatabai, Op. Cit.

[ix] Frederick W. Kagan and Tommy Stiansen, The Growing Cyberthreat from Iran, April 2015,

[x] Ghoncheh Tazmini, LSE, Transcending the US-Iran Impasse: From “Soft War” to “Soft Diplomacy”, Feb 18, 2020,

[xi] Collin Anderson and Karim Sadjadpour, Op. Cit.

[xii] Emerson T. Brooking and Suzanne Kianpour, Op. Cit.

[xiii] Seth G. Jones and Danike Newlee, Op. Cit.

[xiv] Article19, Tightening the Net Part 2: The Soft War and Cyber Tactics in Iran, 2017,

[xv] Ariane M. Tabatabai, Op. Cit.

[xvi] Emerson T. Brooking and Suzanne Kianpour, Op. Cit.

[xvii] Ariane M. Tabatabai, Op. Cit.

[xviii] Emerson T. Brooking and Suzanne Kianpour, Op. Cit.

[xix] Ibid.

[xx] Ibid.

[xxi] Ariane M. Tabatabai, Op. Cit.

[xxii] Park Advisors, Weapons of Mass Distraction. Foreign State-Sponsored Disinformation in the Digital Age, March, 2019,

[xxiii] ClearSky, Global Iranian Disinformation Operation. Large-scale Fake News Infrastructure Promoting Iranian Interests, November 2018,

[xxiv] Ibid.

[xxv] Emerson T. Brooking and Suzanne Kianpour, Op. Cit.

[xxvi] Gabrielle Lim et. al., Citizen Lab, Burned After Reading. Endless Mayfly’s Ephemeral Disinformation Campaign, May 14, 2019,

[xxvii] Emerson T. Brooking and Suzanne Kianpour, Op. Cit.

[xxviii] Gabrielle Lim et. al., Op. Cit.

[xxix] Emerson T. Brooking and Suzanne Kianpour, Op. Cit.

[xxx] Ibid.

[xxxi] Article19, Op. Cit.

[xxxii] ClearSky, Op. Cit.

[xxxiii] Ariane M. Tabatabai, Op. Cit.

[xxxiv] Emerson T. Brooking and Suzanne Kianpour, Op. Cit.

[xxxv] Gabrielle Lim et. al., Op. Cit.

[xxxvi] Ibid.

[xxxvii] Ariane M. Tabatabai, Op. Cit.

[xxxviii] Article19, Op. Cit.

[xxxix] Emerson T. Brooking and Suzanne Kianpour, Op. Cit.

[xl] FireEye, Suspected Iranian Influence Operation Leverages Network of Inauthentic News Sites & Social Media Targeting Audiences in U.S., UK, Latin America, Middle East, August 21, 2018,

[xli] Gabrielle Lim et. al., Op. Cit.

[xlii] FireEye, Op. Cit.

[xliii] Gabrielle Lim et. al., Op. Cit.

[xliv] Emerson T. Brooking and Suzanne Kianpour, Op. Cit.

[xlv] Ariane M. Tabatabai, Op. Cit.

[xlvi] Ghoncheh Tazmini, Op. Cit.

[xlvii] Emerson T. Brooking and Suzanne Kianpour, Op. Cit.

[xlviii] Ariane M. Tabatabai, Op. Cit.

[xlix] Ben Nimmo, Brookings Institute, The Breakout Scale: Measuring the Impact of Influence Operations, September 2020,

[l] ODNI, Statement by NCSC Director William Evanina: Election Threat Update for the American Public, August 7, 2020,

Translate »