Lesson Summary

Overview of Iranian Influence and Cyber Operations

Since 2019, widespread protests against Iran's regime and its influence expanded to Iraq and Lebanon. Internally, Iranians demand the end of clerical rule characterized by repression, violence, and censorship. The regime uses the National Information Network (Iranian intranet) for stringent internet control and surveillance, aiming to suppress dissent and control public discourse.

Key Elements of Iranian Influence Operations:

• Social Media Campaigns: The Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence and Security (MOIS) employ large cyber teams, including Basij volunteers, to execute coordinated online propaganda and disinformation campaigns targeting opposition groups such as the National Council of Resistance of Iran (NCRI) and its leader Maryam Rajavi.
• Basij Cyber Battalions: Thousands of organized cyber battalions actively produce regime-favorable content, disrupt oppositional messaging, and conduct psychological warfare online, using coordinated hashtags, bots, and fake accounts.
• Twitter Influence Strategies: Special tactics to evade Twitter suspensions include scheduled tweets, controlled frequency of posts, avoiding repeated mentions, and the use of sarcasm to bypass content filters, as instructed in translated regime documents.
• Command and Control on Telegram: Channels such as @NaslezohorSch provide direct marching orders to cyber operatives worldwide, coordinating mass hashtag trends and messaging to maximize impact while preventing account suspensions.
• Protest Infiltration Playbook: The regime deploys agents at protests to sow confusion and provoke violence by inciting chants, steering crowds, and attacking religious sites to undermine anti-government demonstrations.
• Digital Economy and Infrastructure: Iran invests heavily in building its digital economy, expanding internet infrastructure nationwide, and developing a national information network with secure systems (Dezhfa) to protect critical infrastructure and monitor cyber activities.
• Cybersecurity Measures: Dezhfa encompasses multiple native systems including malware detection ("Honeycomb Net"), DDoS mitigation, botnet tracking, malware scanning, penetration testing platforms, industrial control system defenses, and secure DNS filtering to bolster national cybersecurity.
• Media and Cultural Influence: Organizations like the Masaf Institute and Siraj CyberSpace Organization produce ideological content aimed at cultural indoctrination and support of regime narratives.

Operational and Technical Highlights:

• Use of layered botnets and fake accounts to flood social media with regime messages, drowning opposition narratives.
• Extensive use of fake and impersonated accounts on multiple platforms including Twitter, Facebook, Telegram, and LinkedIn.
• Continuous adaptation to social media platform rules to avoid detection and account suspensions.
• Mobilization of youth and students into cyber battalions trained in propaganda dissemination and cyber defense.
• Development of indigenous cyber defense and attack capabilities to safeguard national infrastructure.
• Centralized coordination of cyber operations through dedicated Telegram channels and command structures mimicking military organization.

Strategic Messaging Guidance for Operatives:

• Maintain tweets within Twitter’s acceptable use policy, avoiding direct calls for violence or hate speech.
• Use indirect language, sarcasm, and ambiguities to evade moderation while conveying regime-aligned messaging.
• Focus discourse on human rights issues where advantageous, and frame discussions around joint rights and legal claims, e.g., regarding Palestine.
• Encourage content production that emphasizes regime legitimacy, strength, and victimhood narratives for opposition groups.

Iranian Cyber Terrain and Influence Infrastructure:

• Dezhfa Project Components: Includes malware traps, malware scanning systems, DDoS mitigation, botnet control, validation and security assessment systems for DNS and modems, penetration testing platforms, and intrusion detection tailored to industrial control systems.
• National Honey Net: Centralized deployment of sensors monitoring malware activity and cybersecurity threats nationwide.
• Industrial Control System Defenses: Specialized IDS and firewall systems to detect malicious activities similar to Stuxnet attacks.
• Secure DNS System: Prevents users from being directed to malicious botnet-controlled domains.