*(All material drawn exclusively from the public text of the report; all redactions (***) are reproduced exactly as printed.)*
Original report:
Strategic driver | Report detail |
---|---|
Regime survival | Cyber is treated as an “asymmetric” capability which allows Tehran to threaten adversaries “with minimal risk of retaliation”. |
Forward-defence doctrine | Offensive cyber and remote proxies fit Iran’s aim of keeping conflict “outside its own borders”. |
Low cost / high deniability | Tools are “cheap, deniable, and enable [the IIS] to gain information which would not necessarily be possible to obtain within the UK”. |
Retaliation | Iran sees cyber as a proportionate response when direct military action would be “unachievable or impragmatic”. |
Category | Named in report | Characteristics |
---|---|---|
State-controlled | MOIS, IRGC-IO, IRGC-QF | Direct tasking, larger budgets, ability to leverage intelligence obtained by other arms of regime. |
Affiliated front-companies | • Mabna Institute (2013-) • Rana Intelligence Computing | Work under contract, gather bulk data (e.g., 8 000 academic e-mails), run spear-phish campaigns, receive state protection/sanctions. |
Private “patriotic” actors | e.g., CHARMING KITTEN | Claim ideological loyalty; mix state tasks with private extortion. |
Criminal mercenaries | Drug-smuggling group run by Naji Sharifizindashti; ransomware crews | Hired for remote ops, logistics or physical surveillance. IIS value: deniability & diversified tradecraft. |
NCSC: “The ecosystem sits on a sliding scale from organs of the state to private groups with only perceived state links.”
Cluster mentioned | Primary activity | Tools/techniques in report |
---|---|---|
APT39 / “PEPPERCAT” | Bulk collection of travel & academic datasets. | Spear-phish, fake airline portals, credential harvest. |
CHARMING KITTEN | Target diplomats, think-tankers, health sector. | Impersonates Wall St Journal/CNN reporters, fakes social accounts, steals log-ins. |
APT33 | Disruption of petro-chem sector (KSA, Italy). | Shamoon wiper waves; Visual Basic Script droppers; scheduled destructive trigger. |
PEPPER | Ransomware operations. | Encryption + data-leak extortion. |
Black Shadow (US media) | Hack-and-leak attempts against Israel and academics. | Website defacement, TOR leak sites. |
Commodity TTPs: password spraying, open-source recon, reuse of leaked credentials, deployment of web-shells on PHP/IIS servers, dual-use pentest tools (Cobalt Strike, Mimikatz), DNS tunnelling.
- 2017 Parliament attack – password-spray; 39 mailboxes (MPs & staff) accessed; cited by MI5 as lesson for “raising resilience bar”.
- Iran International – repeated phishing; 2022 hostile reconnaissance at London HQ; associated phone spoofing & credential phish.
- Bulk travel & finance datasets – APT39 theft of airline PNR records; NCSC: “almost certainly” used for surveillance / kidnap planning.
- Academia – fake scholar invitations; 2018 Mabna campaign stole 31.5 TB from 176 universities world-wide incl. UK.
- Defence sector – APT33 & spear-phish at UK-headquartered oil-services firm ***; malware capable of ICS interference exfiltrated R&D data.
- Personal e-mail compromises – MOIS targeting of serving & former UK officials, including *** policy advisers, by spoof login pages.
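The password-spraying technique listed among the commodity TTPs above, and used in the 2017 Parliament attack (39 mailboxes accessed), has a distinctive log signature: one source touching many accounts with only one or two attempts each, rather than hammering a single account. The following detection rule is an added example written for this summary, not code from the report or from NCSC/MI5; the authentication log lines, account names and documentation-range IP addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not data from the report).
# Fields: timestamp, source IP, account, outcome. One source (203.0.113.7) sprays
# ten accounts once each and gets into one; a second source (198.51.100.9)
# brute-forces a single account, which this rule deliberately does not match.
SAMPLE_AUTH_LOG = """\
2017-06-23T10:00:01Z 203.0.113.7 alice FAIL
2017-06-23T10:00:03Z 203.0.113.7 bob FAIL
2017-06-23T10:00:05Z 203.0.113.7 carol FAIL
2017-06-23T10:00:07Z 203.0.113.7 dave FAIL
2017-06-23T10:00:09Z 203.0.113.7 erin SUCCESS
2017-06-23T10:00:11Z 203.0.113.7 frank FAIL
2017-06-23T10:00:13Z 203.0.113.7 grace FAIL
2017-06-23T10:00:15Z 203.0.113.7 heidi FAIL
2017-06-23T10:00:17Z 203.0.113.7 ivan FAIL
2017-06-23T10:00:19Z 203.0.113.7 judy FAIL
2017-06-23T10:05:00Z 198.51.100.9 alice FAIL
2017-06-23T10:05:02Z 198.51.100.9 alice FAIL
2017-06-23T10:05:04Z 198.51.100.9 alice FAIL
2017-06-23T10:05:06Z 198.51.100.9 alice SUCCESS
2017-06-23T11:30:00Z 192.0.2.44 bob SUCCESS
"""


def parse_auth_log(text):
    """Parse 'timestamp ip user outcome' lines into tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return sorted(events)


def detect_password_spray(events, window=timedelta(minutes=10), min_users=8, max_per_user=3):
    """Flag a source that, within `window`, tries at least `min_users` distinct
    accounts with at most `max_per_user` attempts each. The thresholds are
    illustrative defaults; tune them to the size of the tenant being monitored."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_source.items():
        for start, _, _, _ in evs:  # slide the window from each event
            in_window = [e for e in evs if start <= e[0] < start + window]
            per_user = defaultdict(int)
            for e in in_window:
                per_user[e[2]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Accounts the sprayer actually got into are the ones to reset first.
                accessed = sorted({e[2] for e in in_window if e[3] == "SUCCESS"})
                alerts[ip] = {"distinct_accounts": len(per_user), "accounts_accessed": accessed}
                break  # one alert per source is enough
    return alerts


def run_sample():
    return detect_password_spray(parse_auth_log(SAMPLE_AUTH_LOG))


if __name__ == "__main__":
    for ip, info in run_sample().items():
        print(f"password spray from {ip}: {info['distinct_accounts']} accounts tried, "
              f"accessed: {', '.join(info['accounts_accessed']) or 'none'}")
```

The rule keys on breadth (distinct accounts) rather than volume, which is why a per-account lockout threshold alone misses this technique: each account sees only one or two failures. Pairing the alert with the list of successful logons in the same window gives the responder the reset list directly.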
Year | Incident | UK relevance |
---|---|---|
2012 | Shamoon 1 wiper on Saudi Aramco/RasGas. | UK crude prices spiked; UK energy firms alerted via NCSC. |
2018 | Shamoon 3 against Italian *** firm; 300+ servers lost. | UK servers “affected collaterally” (report). |
2020 | Israeli water-facility infiltration. | HMG/NCSC assessed capability could “in theory” target UK utilities. |
2022 | Albania government wiper. | First UK public attribution of destructive Iranian cyber-attack. |
No publicly documented direct destructive strike on UK soil, but NCSC warns “UK entities would almost certainly be targeted” if Tehran shifts priority.
- Coverage: nearly 100 covert domains (FireEye study), 28 languages, IRIB funding; Facebook removed 500 Iran-linked assets (Q1 2021).
- UK focus: Black Lives Matter, Scottish independence (“yes vote” push in 2014), anti-UK-military narratives, repeated attacks on BBC Persian and Iran International credibility.
- Diaspora intimidation: doctored videos, deep-fake confessions, threats via WhatsApp to relatives in Iran; effect judged “significant” on free speech.
Document | Cyber-relevant points on Iran |
---|---|
Integrated Review 2021 + Refresh 2023 | Calls cyber a critical domain; 2023 text adds “persistent destabilising behaviour of Iran”. |
NSC Iran Strategy (2021, refocused 2023) | Four pillars: Nuclear, Threats to UK, Values/Human Rights, Regional Security. “Threats” pillar includes cyber & disinformation. |
Counter-State Threats Strategy 2023 | Actor-agnostic; Home Office ‘Threats’ strand co-ordinates cyber-resilience, sanctions, legislation. |
National Cyber Strategy 2022 | Whole-of-society resilience; Active Cyber Defence tool-set. |
National Security Act 2023 | • “Assisting a Foreign Intelligence Service” offence • Foreign Influence Registration Scheme – Iran “will be considered for Enhanced Tier”. |
- NCSC Active Cyber Defence – Protective DNS now mandatory across central government and “wider public sector, including the health sector during the pandemic”.
- Tailored Briefings – NCSC + MI5 joint sessions for Parliamentary Digital Service; sector alerts to airlines, academia, energy.
- Research Safeguards – Academic Technology Approval Scheme expanded (2021) to stop Iranian students accessing dual-use tech; new Research Collaboration Advice Team.
- CNI Assessment – Cabinet Office considering “ambitious targets for all CNI to implement by 2025”.
- Intelligence Coverage – *** tri-Agency “Iran Mission”; partner-and-proxy desk in MI5; GCHQ digital transformation to counter “active Iranian counter-espionage”.
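Two of the items above meet in the DNS layer: the commodity TTP list names DNS tunnelling, and the UK response relies on NCSC's Protective DNS, a resolver that refuses to answer for known-bad domains. The block below is an added example for this summary, not code from the report or from NCSC; it shows, on constructed query-log lines, both the denylist check a protective resolver performs and a heuristic for the tunnelling pattern a denylist cannot catch (many distinct, long, high-entropy subdomains under one registered domain). The denylist entry, domains and client addresses are all placeholders, not indicators from the report.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not data from the report).
# Fields: timestamp, client, query name, query type. Client 10.0.0.9 emits six
# 32-character hex labels under one domain, the shape of encoded data in query names.
SAMPLE_DNS_LOG = """\
2024-03-01T08:00:00Z 10.0.0.5 intranet.example.org A
2024-03-01T08:00:01Z 10.0.0.5 updates.example.net A
2024-03-01T08:00:02Z 10.0.0.5 mail.example.org MX
2024-03-01T08:00:03Z 10.0.0.9 0123456789abcdeffedcba9876543210.exfil-example.test TXT
2024-03-01T08:00:04Z 10.0.0.9 abcdef0123456789abcdef0123456789.exfil-example.test TXT
2024-03-01T08:00:05Z 10.0.0.9 fedcba9876543210fedcba9876543210.exfil-example.test TXT
2024-03-01T08:00:06Z 10.0.0.9 13579bdf02468ace13579bdf02468ace.exfil-example.test TXT
2024-03-01T08:00:07Z 10.0.0.9 2468ace013579bdf2468ace013579bdf.exfil-example.test TXT
2024-03-01T08:00:08Z 10.0.0.9 89abcdef0123456789abcdef01234567.exfil-example.test TXT
2024-03-01T08:00:09Z 10.0.0.12 fake-login.phish-example.test A
2024-03-01T08:00:10Z 10.0.0.12 intranet.example.org A
"""

# Placeholder denylist standing in for the threat-intelligence feed a Protective DNS
# resolver consults. Constructed example domain, not an indicator from the report.
DENYLIST = {"phish-example.test"}


def shannon_entropy(s):
    """Bits per character; random hex approaches 4.0, ordinary words sit well below 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (subdomain labels joined, registered domain). Simplification: the
    registered domain is taken as the last two labels; production tooling uses the
    Public Suffix List so that names under suffixes such as co.uk split correctly."""
    labels = qname.lower().rstrip(".").split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])


def parse_dns_log(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype = line.split()
            rows.append((ts, client, qname, qtype))
    return rows


def denylist_hits(rows, denylist=DENYLIST):
    """Protective-DNS style check: queries a denylisting resolver would have refused."""
    return [(client, qname) for _, client, qname, _ in rows if split_name(qname)[1] in denylist]


def detect_dns_tunnelling(rows, min_subdomains=5, min_label_len=20, min_entropy=3.0):
    """Per (client, registered domain): flag many distinct, long, high-entropy
    subdomains. Thresholds are illustrative; CDN and telemetry domains need allow-listing."""
    groups = defaultdict(set)
    for _, client, qname, _ in rows:
        sub, dom = split_name(qname)
        if sub:
            groups[(client, dom)].add(sub)
    alerts = {}
    for key, subs in groups.items():
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if len(subs) >= min_subdomains and mean_len >= min_label_len and mean_ent >= min_entropy:
            alerts[key] = {"distinct_subdomains": len(subs),
                           "mean_len": mean_len, "mean_entropy": mean_ent}
    return alerts


def run_sample():
    rows = parse_dns_log(SAMPLE_DNS_LOG)
    return denylist_hits(rows), detect_dns_tunnelling(rows)


if __name__ == "__main__":
    hits, alerts = run_sample()
    for client, qname in hits:
        print(f"denylist hit: {client} -> {qname}")
    for (client, dom), info in alerts.items():
        print(f"possible DNS tunnelling: {client} -> {dom} "
              f"({info['distinct_subdomains']} subdomains, entropy {info['mean_entropy']:.2f})")
```

The two checks are complementary: the denylist stops known infrastructure at resolution time, while the entropy heuristic surfaces a new, unlisted domain being used as a covert channel. Running the heuristic over the resolver's own query logs means a Protective DNS deployment yields detection data as well as blocking.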
Mechanism | Detail from report |
---|---|
Public attribution | UK statements on Albania wiper; PEPPERCAT & Mabna advisories. |
NCF operations | • SESAME – disruption of *** exfiltration nodes • TAMARIND – counter-ransomware. |
Sanctions | 508 individuals / 1 189 entities: cyber actors (Mabna, PEPPER), IRGC ransomware crew, UAV manufacturers. |
Visa & immigration powers | Home Office Special Cases Unit: exclusions & revocations where cyber-espionage suspected; one Royal-Prerogative passport removal ***. |
Intelligence diplomacy | UK shares technical indicators with Five Eyes & EU; briefings to IAEA, *** “to maintain awareness of Iran’s programme”. |
- Resource vs. Threat – GCHQ Iran staffing down; SIS de-prioritised after JCPOA then forced to “surge”. MI5 still waiting for extra funding requested in previous ISC report.
- Legal modernisation lag – Computer Misuse Act update & Official Secrets Act 1989 reform still outstanding, hampering cyber-espionage prosecutions.
- FIRS Enhanced Tier – Government “considering” but no decision; ISC expects Iran to be designated at launch.
- CNI Exposure & Iran’s ICS intent – Industrial Control Systems risk underlined by Israeli water-facility incident. Committee: “must avoid repeating mistakes that let Russia pre-position”.
- Proxy–Criminal Fusion – IRGC hire of ransomware gangs increases unpredictability; current UK disruption capability “a really challenging thing” (MI5).
- AI Acceleration – FCDO evidence: regime using generative AI for interception, face-recognition, influence. Threat tempo likely to rise.
- Governance Proliferation – “too many boards” (NSC Iran Pillars, FIOG, Defending Democracy Taskforce, Cabinet Office Cyber Unit) → risk of talking vs. doing.
# | Recommendation (verbatim or paraphrased from report) |
---|---|
1 | Restore or exceed pre-JCPOA GCHQ/SIS resourcing on Iran; reverse “draw-down”. |
2 | Include Iran in Foreign Influence Registration Scheme – Enhanced Tier when scheme commences. |
3 | Complete Computer Misuse Act overhaul and Official Secrets Act 1989 reform; set binding cyber-resilience baselines for Critical National Infrastructure by 2025. |
4 | Expand National Cyber Force counter-Iran portfolio; develop rapid “interdict-and-expose” playbooks to raise Iranian costs. |
5 | Mandatory NCSC cyber-hygiene baseline for academia, travel & diaspora organisations; stronger parliamentary guidance on office vetting. |
6 | Government must provide annual statement on outcomes of Defending Democracy Taskforce; rationalise overlapping boards. |
7 | Where Tehran uses intimidation, HMG should state publicly that attacks on dissident/Israeli/Jewish targets in UK do equal attacks on UK. |
8 | Maintain evacuation planning for a regional cyber/kinetic escalation; ensure lessons from Afghanistan withdrawal applied. |
- Threat sections: pp. 87–108 (Cyber Environment & Capabilities); pp. 93–103 (Offensive Cyber); pp. 103–113 (Interference).
- UK response: pp. 203–208 (Offensive Cyber Response); pp. 201–203 (Cyber Espionage); pp. 129–147 (Strategy/Policy).
- Legal tools: pp. 179–185 (Legislation, Sanctions, Proscription).
- Resourcing & Coverage: pp. 151–176 (Resourcing; UK Intelligence Coverage).
(All numbers, code-words, redactions and agency quotations appear exactly as in the published pdf.)