Published On : 2024-02-21


The situation is escalating between Iran and the United States in the Middle East: on Sunday, January 28, three U.S. service members were killed in an Iranian-linked drone attack on “Tower 22”, a U.S. military outpost in Jordan, near the Syrian border. This constituted one of over 160 such attacks on U.S. targets in Iraq and Syria since October 7th, when Hamas attacked Israel. In response, the U.S. launched simultaneous attacks on 85 Iranian-linked targets, stoking fears of an even wider regional conflict in the Middle East. The escalation comes at an inopportune time for Iran, which is also among the world leaders in terms of using cyber warfare as a tool of statecraft. We assess Iran will diminish its overt military footprint and focus more on activity in cyberspace.


The recent acceleration in hostilities involving Iran-backed militias and the United States, coupled with a surge in Israeli strikes on Iranian positions in Syria, seems to have compelled Tehran to reassess elements of its regional strategy. The fact that U.S. strikes were postponed until nearly a week after the incident in Jordan gave the Iranian Islamic Revolutionary Guard Corps (IRGC) more time to move personnel and equipment out of harm’s way. However, the change in Iranian posture was underscored in early February, when reports emerged that the IRGC had begun withdrawing its high-ranking commanders from Syria. Iranian sources describe the repositioning of IRGC commanders as a “provisional measure” aimed at safeguarding them from further U.S. retaliatory strikes and investigating intelligence leaks regarding their whereabouts in Syria. The action also came as Israel’s targeted assassination campaign against IRGC leaders in Syria escalated, with five senior officers targeted in a strike that recently took place in Damascus.

The public announcement of the move could signify a temporary recalibration towards a more cautious Iranian regional position, with a reduced military footprint. The flip side of this, however, could be increased operational intensity in other domains, mainly in cyberspace.

The objective of this is to force America into a no-win proposition: to remain in Iraq and Syria (where U.S. troops are posted to maintain striking distance on terrorist organizations like Islamic State) and deal with constant attacks from Iranian allies, to escalate against Iran and trigger a full-scale war, or to pull its troops out of the region. Washington has so far attempted to strike a balance, hitting back enough to save face but stopping short of provoking a more significant conflict with Iran. Iran will likely not make it simple for the US to keep walking this line.

Tehran is likely to seek greater oversight over its non-state proxies to prevent impulsive actions that might compromise Iran’s security by provoking direct military responses from Washington. The future of Iran’s influence over Iraqi militias remains uncertain, as does the nature of Tehran’s evolving regional strategy, but the timing and the domestic situation in Iran make de-escalation of overt action likely, although the confrontation will arguably escalate in other domains such as cyberspace.


Neither Iran, its non-state allies, nor the United States wish for a broad regional confrontation, but there are many ways in which a war between Israel and Hamas could escalate. In some respects, the Gaza war does have some advantages for Iran, such as freezing the potential for normalization of relations between Saudi Arabia and Israel (which would greatly improve the position of its adversaries). It has also exposed the reach of the so-called “axis of resistance”, which is a collection of Iranian-backed armed groups – Hezbollah in Lebanon, various militias in Iraq and Syria, the Houthis in Yemen, and the Palestinian militant groups Hamas and Islamic Jihad – over which Tehran exercises varying degrees of control.

The war comes at an inopportune time for Iran, as its relations with the US have barely recovered after the brutal suppression of civil protests in Tehran. August saw a mutual exchange of detainees, alongside a tacit request – in exchange for an easing of sanctions – to discourage allied militias from attacking U.S. forces, and for Iran to slow its development of nuclear weapons and cooperate better with U.N. inspectors. That deal is now demonstrably in tatters, and the regime, with its aging leader, will also have to table a transfer of power.

The Gaza war puts Iran in a difficult situation. Tehran does not want the situation to threaten Hezbollah, who are a key element of the regime’s ‘forward defence’ as a deterrent against an attack from Israel or the United States. Iran has positioned itself as the protector of the Palestinians since the revolution, which makes the number of Palestinian dead politically disquieting, even though Hezbollah’s deterrent potential might take precedence in Tehran’s considerations.

As for the United States, the last thing the Biden administration wants is more war in the Middle East as efforts persist in Ukraine, alongside containment of China and the campaign for re-election. Washington’s unwritten agreement with Tehran to ease friction last summer was intended to stymie a regional crisis, but without giving Iran formal sanctions relief and acting as a softener ahead of the 2024 US elections.

The most dangerous hotspot is the Israeli-Lebanese border. Since 7 October, Hezbollah and Israel have been exchanging strikes continuously, with Hezbollah trying to bind the Israeli army below the line of open warfare last experienced in 2006. These tensions have been growing and the intensity of the fighting is increasing, with bombing of targets deep in Lebanon becoming more frequent. Israeli political commentators are now suggesting that Israel cannot risk leaving a hostile militant force so close to its northern border.

The Houthis, who are more expendable to Iran than Hezbollah, represent something of a wild card. Yemeni militants have sent rockets and drones into Israel and repeatedly hit merchant ships in the Red Sea, their attacks prompting shipping giant Maersk and others to halt transiting in the area. The US and other allies are now patrolling the area and carrying out strikes on the Houthis: they have dialled back their activity for now, but another future attack could lead the United States to strike not only in Yemen, but quite possibly closer to the source (the obvious target being an Iranian spy ship believed to be passing intelligence to the Houthis from the Red Sea). Although neither side wants a major war, factors outside their control may force the issue – this is particularly true in the case of the Houthis, who are not controlled by Iran nearly as much as Hezbollah, for example.


Iranian-sponsored groups are not the only threats in the region. At the beginning of the year, Iran unleashed a barrage of missiles and drones on targets across Iraq, Syria, and Pakistan, claiming that the strikes targeted the perpetrators and backers of the attacks on Iran. In one attack in early January, two Islamic State suicide bombers targeted the anniversary meeting honouring the assassinated IRGC commander Qassem Suleimani. The bombing was the worst terrorist attack in modern Iranian history, killing more than 90 people.

These attacks undermined the perception of Iran as a strong and stable state, revealing its susceptibility to internal and external challenges. Its counterattack has further raised the stakes in the region, with retaliations in Syria and Iraq. The never-before-used Kheibar Shekan, with a range of 1,450 kilometers, was one of the missiles employed in the strikes. This missile is often believed to have been intended for use against Israel; its deployment against locations in Syria’s Idlib province (the same distance from the launch site as Israel) was therefore arguably more of a field test to demonstrate the weapon’s accuracy, power and range than retaliation against any real Islamic State cells in the area.

The elderly supreme leader, Ayatollah Ali Khamenei, is thus likely seeking to deter Israel and the USA from any large-scale operation against Iran. He is reportedly in ill health and looking to secure his legacy, and to achieve that, he will need to install a like-minded successor, pursue a nuclear weapons programme, and ensure the survival of the regime as an Islamist power dominating the Middle East. Becoming embroiled in a wider war in the region would jeopardise all of these.

The most salient issue for the regime, however, is domestic unrest. Since 2022, when Iran faced what may have been its biggest rebellion since the revolution, Ayatollah Khamenei’s regime has been working to contain domestic opposition. A nationwide movement aimed specifically at overthrowing the theocracy was sparked by the death of Mahsa Amini while in the morality police’s custody, which tapped into a general dissatisfaction with the nation’s authorities. The security forces loyal to the mullahs retook the streets and schools by violent means, fully aware that even disorganized rallies had the potential to pose a threat to the regime. Iran’s economy is also in peril as a result of ongoing fiscal mismanagement, corruption, and sanctions imposed on Iran for its nuclear transgressions. Even under less fraught circumstances, succession would be a delicate task.

Iran thus needs to reduce its exposure and limit the risk of war before the regime finds steady ground. Because they have so little to lose, Iran’s proxies can afford to face limited backlash from the US and Israel, but if they initiate a direct conflict with the United States or Israel in which Iran could get entangled, the regime would stand to lose far more (for instance, Iran was unable to match the Houthis’ attempt to blockade shipping through the Strait of Hormuz). There would be a great deal of risk involved in any attempt, not to mention the strain it would put on ties with China.

Iran outsourced much of the direct violence to its clients in an attempt to lower risk. By using proxies to channel its strategic activity, Iran has so far been able to keep the conflict away from its borders and shift much of the burden to others. However, Tehran’s proxies have limited options in the current situation, as they try to position themselves as the main force opposing Israel and the US (this is particularly true when it comes to military action, which is primarily restricted to standoff strikes). Neighbours can be threatened, and enemies fired on from a distance, but Iran and its allies are limited in what they can accomplish. They are unable to use force to free Palestine or bring their war to Israel; on the contrary, the death of U.S. servicemen meant the U.S. administration was guaranteed to take action, even if it does not pursue confrontation with Iran.


Iran is among the world leaders in terms of using cyber warfare as a tool of statecraft. Iranian hackers have been repeatedly successful in gaining access to emails from an array of targets, including government staff members in the Middle East and the US, militaries, telecommunications companies, and critical infrastructure operators. The malware used to infiltrate the computers is increasingly sophisticated and is often able to map out the networks the hackers have broken into, providing Iran with a blueprint of the underlying cyber infrastructure that could prove helpful for planning and executing future attacks.

Of the 12 largest publicly known cyber-attacks on Saudi Arabia during the last 5 years, Iran was responsible for eight. In these attacks, Iranian APTs like MuddyWater, Cotton Sandstorm or Static Kitten have been focusing on traditional espionage targets like governmental organizations (such as the Saudi Arabia Ministry of Defense), telecommunications and aviation, but also on the oil industry, transportation and critical infrastructure.

Moreover, Iran is now supplementing its traditional cyberattacks with a new playbook, leveraging cyber-enabled influence operations (IO) to achieve its geopolitical aims. Supreme National Security Council (SNSC) Secretary Rear Admiral Ali Akbar Ahmadian called for greater cybersecurity cooperation among BRICS countries during a Friends of BRICS National Security Advisors meeting in Johannesburg, South Africa last summer. Iran is likely trying to tap into Chinese and Russian expertise in “soft war”, which is an Iranian doctrinal term that refers to the use of non-military means, such as economic and psychological pressure and information operations, to erode regime legitimacy and cultivate domestic opposition.

While – like Russia – Iran expresses the belief that “soft war” is a tool mostly used by the West, its own actions in cyberspace and on other fronts testify to the fact that Iran is increasingly using “soft war” as its very own tool of statecraft. Iran’s minister of defense, Brig. Gen. Mohammad Reza Ashtiani, confirmed as much in a speech to his country’s defense officials last year, in which he outlined that, given the current complex security situation in the Middle East, Iran had to redefine its national defenses beyond its geographic borders. According to Mr. Ashtiani, that means utilizing new warfare strategies – including the use of space and cyberspace. Iran is demonstrating fast-evolving capabilities, narrowing the gap with other powers opposing the West like Russia and China. Iranian hackers used the relief from pressure provided by the nuclear deal to focus their energy on regional targets like Saudi Arabia, where they have consistently been trying to embed themselves in critical networks in order to prepare vectors of attack should the regime command the IRGC and the Ministry of Intelligence to use them.


Iran has also seemingly concluded that the Houthis’ experiment in the Red Sea has been so successful that it bears repeating in the Mediterranean and in other waterways. “They shall soon await the closure of the Mediterranean Sea, [the Strait of] Gibraltar and other waterways,” announced the coordinating commander of Iran’s Islamic Revolutionary Guard Corps to Iranian media on Dec. 23, apparently referring to the international community. Since Iran does not possess the kinetic capability to strike targets that far away, we can assume Iran’s cyber capabilities are being referred to, as well as the regime’s apparent willingness to use them.

Iran has been rapidly accelerating cyberattacks since mid-2022 and has further accelerated its cyber operations against Israel over the course of the Israel-Hamas war. In the immediate aftermath of October 7, most of Iran’s operations were disorganised, but Iran has achieved success since (despite early Iranian claims, many ‘attacks’ in the early days of the war were either ‘leaking’ old material, using pre-existing access to networks or were false). Iran’s activity quickly grew from nine groups monitored by researchers and active in Israel during the first week of the war to 14, just weeks later. Cyber-enabled influence operations went from roughly one operation every other month in 2021 to 11 in October 2023 alone, and the cyber campaign brought an almost 50% increase in traffic, in the first week of the war, to news sites run by or affiliated with the Iranian state.

As the war progresses, Iranian actors are expanding their geographic scope to include attacks on Albania, Bahrain and the USA. They have also increased their collaboration, enabling greater specialization and effectiveness. In response, the U.S. Treasury Department announced sanctions against six Iranian officials from the IRGC Cyber-Electronic Command for their role in cyber-attacks on U.S. soil. In the attack, the officials, members of the hacker group Cyber Av3ngers, disabled Unitronics programmable logic controllers (PLCs) at a booster station operated by the Municipal Water Authority of Aliquippa, Pennsylvania. PLCs control pumps and valves in U.S. water and wastewater infrastructure and have been exploited in past destructive cyberattacks. The hackers appear to have targeted the PLCs because Unitronics is an Israeli company. The group also targeted ten water treatment stations in Israel around the time of its attack on Aliquippa.

According to our assessment, Iran is now more likely than ever to use its cyber capabilities to attack critical infrastructure, especially in countries deemed supportive of the USA and Israel and on infrastructure important for international commerce. Further, as we have observed in this report, Iran can direct hacktivists to prepare further attacks; they have already targeted the USA, Israel, Saudi Arabia and the UK.