Iranian Cyber and Physical Acts Against Any Opposition - Cyber Grey Zone

From Cyber Grey Zone Actions to Assassinations – In the Crosshairs.

The following is an overview of the Iranian regime's tactics, techniques, and methods used against dissidents and opposition groups. The People's Mojahedin Organization of Iran (PMOI) holds a Free Iran conference every summer. Every year, the Iranian regime works to discredit, disrupt, delay, and destroy any attempt by the PMOI to hold the conference. From physical threats to the hacking of foreign governments to political pressure gained through prisoner exchanges, Iran uses any tactic available to push the envelope with each action. Iran continues these actions.

Cyber grey zone actions blur the line between acceptable state behavior and hostile acts, creating challenges for attribution, response, and establishing explicit norms and rules in the cyber domain. Addressing these challenges requires international cooperation, robust cybersecurity measures, and the development of norms and agreements to regulate state behavior in cyberspace.

Iranian cyber grey zone activities refer to malicious actions in cyberspace that fall short of a full-fledged cyberattack but aim to achieve strategic objectives.

Espionage: Iran conducts cyber espionage campaigns targeting foreign governments, organizations, and individuals. These activities involve stealing sensitive information, such as political or military intelligence, intellectual property, or personal data.

Disinformation and Influence Operations: Iran engages in online disinformation campaigns, spreading misleading information or propaganda to shape public opinion and advance its political or ideological agenda.

DDoS Attacks: Distributed Denial of Service (DDoS) attacks involve overwhelming a target's servers or networks with a flood of traffic, rendering them inaccessible. Iran has conducted DDoS attacks against various targets, including websites of foreign governments, media organizations, and financial institutions.

Hacking and Defacement: Iranian hacking groups have conducted cyber intrusions and website defacements to highlight their capabilities, make political statements, or retaliate against perceived adversaries. These activities often target government websites, news outlets, or organizations critical of Iranian policies.

Cyber Attacks on Critical Infrastructure: While not explicitly falling into the grey zone, Iran conducts cyberattacks on critical infrastructure, such as energy facilities, banks, and transportation systems. Notable examples include the 2012 attack on Saudi Aramco and the 2019 attack on the oil tanker industry.

Iranian Cognitive Warfare activities

Social Media Manipulation: Iranian actors operate fake social media accounts and engage in disinformation campaigns to influence public opinion, particularly during sensitive periods like elections or geopolitical tensions.

Cyber Espionage: Iran has executed various cyber espionage campaigns targeting governments, organizations, and individuals worldwide. These activities involve stealing sensitive information for intelligence purposes or as a method of gaining a competitive advantage.

Website Defacements: Iranian hacker groups have conducted website defacements, replacing the content of targeted websites with their own messages or political statements. Iran uses defacements to highlight capabilities, raise awareness, or promote political ideologies.

Phishing and Spear-Phishing: Iranian actors execute phishing campaigns that use deceptive emails or messages to trick individuals into revealing sensitive information, such as login credentials or financial data.

Influence Operations: Iran engages in influence operations through various means, including spreading propaganda, manipulating narratives, and leveraging state-controlled media outlets to shape public opinion, both domestically and abroad.

Targeting Dissidents and Activists: Iranian cyber actors target dissidents, activists, and human rights organizations, both within Iran and abroad. These activities aim to disrupt or silence opposition voices.

Distributed Denial of Service (DDoS) Attacks: Iran conducts DDoS attacks targeting various websites and online services. These attacks overwhelm the targeted systems, rendering them inaccessible to legitimate users.

Data Theft and Intellectual Property Theft: Iranian cyber actors steal sensitive data, including intellectual property, from foreign companies, universities, and research institutions.

Ransomware Attacks: While not exclusively attributed to Iran, there have been instances where Iranian-linked groups deployed ransomware to extort money from organizations by encrypting their systems and demanding payment for their release.

Iran disrupts conferences and activities organized by the Mujahedin-e Khalq (PMOI), an Iranian opposition group. Iran targets the PMOI due to its opposition to the Iranian regime.

Cyber Attacks: Iran has launched cyber attacks against the PMOI and its supporters. These attacks have included phishing campaigns, malware distribution, and hacking attempts to compromise the PMOI's infrastructure or steal sensitive information.

Disinformation Campaigns: The Iranian government has reportedly engaged in disinformation campaigns to undermine the PMOI's reputation and credibility. The campaigns include spreading false narratives, propaganda, and misinformation about the PMOI and its activities.

Diplomatic and Political Pressure: Iran has sought to influence the international community and governments to isolate and delegitimize the PMOI. The pressure involves diplomatic efforts to discourage support for the PMOI, pressure to prevent opposition protests, requests to evict opposition groups from their Western bases of operation, and lobbying to designate the PMOI as a terrorist organization.

Diplomatic and Political Pressure as a Result of Prisoner Swaps

  • Negotiating Use: Iran holds foreign nationals in custody as a bargaining chip in negotiations. Iran swaps these individuals for its citizens held overseas or for other concessions, like lifting sanctions, providing financial or material resources, or removing the PMOI from the other party's soil.
  • Domestic Approval: Iran frames its successful prisoner swaps as diplomatic victories, which boost the government's approval ratings at home. The swaps show that the government can protect its citizens abroad and secure their release when they are in trouble.
  • International Image: Releasing foreign prisoners improves Iran's international image, showing it as humane, fair, or willing to engage in diplomatic solutions. Releasing foreign prisoners assists its international relations and decreases hostility from other nations.
  • Direct Diplomatic Engagement: Iranian prisoner swaps create opportunities for direct engagement with Western countries. The swaps help open a dialogue when formal diplomatic channels do not exist, and they open doors for further negotiations on other matters.

Prisoner swaps occur through behind-the-scenes diplomatic negotiations. The process can be lengthy and complex, involving multiple parties, legal considerations, and often, high-stakes bargaining. The swaps are usually highly coordinated and sometimes involve third-party countries to facilitate the exchange.

The use of prisoner swaps can be controversial. Critics argue that they incentivize the arrest of foreign nationals, essentially turning individuals into political pawns. The recent Belgian prisoner swap with Iran emboldens Iran to push the cyber and physical boundaries of what is acceptable. The Physical and Cyber Grey Zone expands beyond traditional norms.

Grand Rally of Iranians on Anniversary of Resistance Against the Mullahs' Regime
42nd anniversary of the founding of the National Council of Resistance of Iran (NCRI)
Paris - Place Vauban, July 1, 2023 - 13:00 CET
Supports the nationwide uprising of the Iranian people for a democratic republic, separation of religion and state, equality, and homage to leading women.

  • Long live freedom
  • No dictatorship
  • Down with the tyrant, be it the Shah or the mullahs

Physical Attacks and Assassinations: In the past, Iran conducted physical attacks and assassinations against PMOI members or individuals associated with the group. These attacks have taken place both within Iran and in other countries.

  1. Cyber Attacks:
    • In 2018, cybersecurity firms reported a cyber espionage campaign called "Operation SpoofedScholars" attributed to Iran, which targeted PMOI supporters and conferences. The campaign involved creating fake social media accounts and websites to gather information and launch phishing attacks.
    • The Iranian government launched distributed denial of service (DDoS) attacks against PMOI websites, temporarily taking them offline or disrupting their functionality.
    • Reports suggest that Iranian hackers have targeted PMOI supporters' social media accounts, attempting to gain unauthorized access or spread malware through malicious links or attachments.
  2. Disinformation Campaigns:
    • Iranian state-controlled media outlets and propaganda machinery spread false information, engaging in character assassination campaigns against the PMOI. Campaigns include portraying the organization as a terrorist group, highlighting alleged internal conflicts, and disseminating fabricated stories to discredit its members.
    • The Iranian government has used state media to promote narratives that demonize the PMOI and portray its members as violent extremists or foreign agents.
  3. Diplomatic and Political Pressure:
    • Iran engages in diplomatic efforts to dissuade foreign governments and international organizations from supporting or hosting PMOI conferences. The pressure (stated earlier) includes lobbying, diplomatic protests, and seeking legal measures to restrict the activities of the PMOI.
    • The Iranian government has consistently sought to have the PMOI listed as a terrorist organization internationally, aiming to delegitimize the group and hinder its activities.
  4. Physical Attacks and Assassinations:
    • The Iranian government conducted physical attacks and assassinations against PMOI members and supporters. These incidents occurred in various countries and have involved bombings, targeted assassinations, and covert operations allegedly conducted by Iranian agents.
    • One notable incident occurred in 2018, when an Iranian diplomat was arrested in Germany for his involvement in a foiled bomb plot targeting a PMOI conference in France, an action orchestrated by the Iranian government.

Iran employs various tactics to suppress dissent and silence dissidents. Tactics used by the Iranian government include:

  • Arrests and Detentions: Iranian authorities frequently arrest and detain individuals critical of the regime, including activists, journalists, human rights defenders, and political opponents. Detainees are held without due process, face prolonged periods of detention, and sometimes experience torture or mistreatment.
  • Harassment and Intimidation: Dissidents and their families often face harassment, surveillance, and threats from Iranian security forces or government-backed groups. Actions of this type include monitoring their activities, restricting their movements, or subjecting them to intrusive measures to discourage their activism.
  • Internet and Media Restrictions: The Iranian government exercises strict control over the media and internet access within the country. Iran censors dissenting voices, limiting or blocking access to social media platforms and websites critical of the regime. This control over information aims to stifle the spread of dissent and alternative viewpoints.
  • Discrediting Campaigns: The Iranian government often engages in discrediting campaigns against dissidents, labeling them as foreign agents, spies, or terrorists. State-controlled media outlets may launch smear campaigns or spread false information to undermine the credibility and reputation of activists and dissident groups.
  • Systematic Torture and Execution: There have been reports of the Iranian government using torture, including physical and psychological abuse, against dissidents and political prisoners. In past cases, Iran executed dissidents following trials criticized for lacking due process or fairness.
  • Restrictions on Freedom of Association: The Iranian government imposes restrictions on independent civil society organizations and associations, making it difficult for dissidents to organize and advocate for their causes. Human rights organizations and political groups are either banned or heavily monitored.
  • Forced Exile: Dissidents who face significant threats or harassment in Iran often choose to flee the country, seeking refuge in other nations. However, even in exile, they may face surveillance, threats, or attempts to silence their voices from abroad.

Iran uses social media platforms as part of its influence operations to shape narratives, spread propaganda, and advance its political objectives.

  • Coordinated Inauthentic Behavior (CIB): Iranian actors have created and operated fake accounts, often called "troll farms," on platforms like Twitter, Facebook, and Instagram. Iran uses the accounts to amplify pro-regime messages, disseminate propaganda, and attack critics or opposition groups. They may also engage in targeted harassment or intimidation campaigns against individuals or organizations seen as adversaries.
  • Disinformation and Propaganda: Iranian influence operations involve disseminating false or misleading information through social media channels. Disinformation in use includes spreading narratives that support Iranian government policies, delegitimizing opposition voices, or promoting conspiracy theories to manipulate public opinion and shape the global discourse on specific issues.
  • Hashtag Hijacking: Iranian actors hijack popular or trending hashtags on social media platforms to divert attention to their preferred narratives or to spread propaganda. Using bots or coordinated efforts, they can flood the hashtags with their messages, making them more visible and influencing online conversation.
  • Fake News Websites and Blogs: Iran creates and promotes fake news websites and blogs that mimic legitimate news sources. These platforms publish articles and stories that align with Iranian government narratives and deceive readers into believing they are consuming factual information.
  • Targeting Dissident and Activist Communities: Iranian influence operations often focus on targeting dissidents, human rights activists, and opposition groups. Iranian actors aim to disrupt their networks, sow discord, and gather intelligence on their activities by monitoring their online activities and engaging with them through fake accounts or profiles.
  • Astroturfing and Amplification: Iran has engaged in astroturfing, which creates the illusion of grassroots support for specific causes or perspectives. By artificially amplifying messages, posts, or campaigns through coordinated efforts, they seek to create a false perception of widespread public support for their agenda.
  • Diplomatic Pressure: Iran has pressured host countries to prevent the PMOI from organizing its conferences. The pressure tactics include lobbying host governments, sending formal objections and diplomatic protests, issuing diplomatic statements, and engaging in behind-the-scenes negotiations to discourage or prevent the events from taking place.
  • Legal Actions: Iran has pursued legal actions against individuals or organizations associated with the PMOI to impede or halt their conference activities. These actions include seeking legal injunctions, filing lawsuits, or using international legal mechanisms to challenge the legitimacy of the conferences.
  • Propaganda Campaigns: Iran has launched propaganda campaigns against the PMOI and its conferences. Iran spreads disinformation, false narratives, and negative publicity through state-controlled media, online platforms, and affiliated organizations to undermine the group's reputation and discourage participation.
  • Diplomatic Isolation: Iran has sought to isolate the PMOI and discourage other countries from hosting or participating in its conferences. This involves diplomatic efforts to discredit the group and dissuade foreign governments from supporting or attending the events, portraying the PMOI as a terrorist organization to discourage attendance or support from other countries.
  • Alleged Covert Operations: There have been reports and allegations of covert operations by Iranian intelligence agencies to disrupt or sabotage PMOI conferences. These actions include surveillance, cyber-attacks targeting conference-related infrastructure, and even attempted attacks or assassinations against PMOI members.
  • Espionage and Surveillance: Iran's intelligence agencies have allegedly conducted espionage and surveillance activities against the PMOI and its conferences. Iran monitors and infiltrates the group's networks, gathering intelligence on conference participants and attempting to disrupt its organizational structures.
  • Threats, Intimidation, and Targeted Killings: There have been reports of threats, intimidation, and targeted killings of PMOI members by Iranian security forces or affiliated groups.

Disruption of the PMOI (People's Mujahedin of Iran) conference in 2018 held in Villepinte, France

According to the reports, the plot involved an attempted attack on the conference by individuals with alleged links to the Iranian government.

On June 30, 2018, during the PMOI conference, Belgian authorities arrested two individuals in Brussels who were found in possession of explosives and intended to conduct an attack. Belgian authorities identified an Iranian diplomat stationed in Vienna and an accomplice. They planned to bomb the conference venue in Villepinte.

The incident caused significant concern and diplomatic tensions between Iran and European countries. The Iranian government denied involvement in the plot and condemned the accusations as baseless. However, multiple European countries, including France, supported Belgium's investigation and took diplomatic actions in response to the incident.

2022 Albania

A cyberattack on the Albanian government knocked out state websites and public services for hours. With Russia's war raging in Ukraine, the Kremlin might seem like the likeliest suspect. However, the threat intelligence firm Mandiant published research on Thursday attributing the attack to Iran. And while Tehran's espionage operations and meddling have shown up all over the world,

The attacks targeting Albania on July 17 came ahead of the "World Summit of Free Iran," a conference scheduled to convene in Manëz in western Albania on July 23 and 24. The PMOI canceled the summit, postponing the conference the day before it began because of reported, unspecified "terrorist" threats.

Attackers deployed ransomware from the Roadsweep family and may have used a previously unknown backdoor, dubbed Chimneysweep, and a new strain of the ZeroCleare wiper.

Iran executed a coercive attack to pressure the Albanian government against the PMOI.

Iran conducted aggressive hacking campaigns in the Middle East, particularly in Israel, and its state-backed hackers have penetrated and probed manufacturing, supply, and critical infrastructure organizations. In November 2021, the US and Australian governments warned that Iranian hackers were actively working to gain access to an array of networks related to transportation, health care, and public health entities, among others. "These Iranian government-sponsored APT actors can use this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion," the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency wrote at the time.

However, Tehran has limited how far its attacks have gone, mainly focusing on data exfiltration and reconnaissance on the global stage. The country has, however, participated in influence operations, disinformation campaigns, and efforts to meddle in foreign elections, including targeting the US.

Overall, Iran uses strategies to suppress dissident voices and online opposition. The Iranian government employs sophisticated methods of internet censorship, including blocking access to thousands of websites, particularly those associated with foreign media, human rights groups, and political opposition. During heightened political tension, Iran has even shut down the internet entirely. Iran maintains intrusive surveillance on its citizens' online activities, using this information to target dissidents. Allegedly, the government has also used cyberattacks against opposition websites and has spread disinformation to discredit opposition movements.

Iran detains and imprisons activists, journalists, and others who express dissenting views. Charges often include vaguely defined crimes like "acting against national security" or "spreading propaganda against the system." Iran's laws limit freedom of speech and the press, making it risky to express opposing views. There are strict regulations on media and online platforms, and violations can result in severe penalties.

Dissidents and opposition members in Iran face harassment, threats, and sometimes violence or execution. These actions create a climate of fear that can silence opposition voices.

Human rights organizations and Western governments condemn the suppression of dissident voices. However, the emboldened regime continues to expand tactics, introduce new techniques, and push methods beyond any international rules of decorum. What will they do this month?

Contact Treadstone 71

Contact Treadstone 71 Today. Learn more about our Targeted Adversary Analysis, Cognitive Warfare Training, and Intelligence Tradecraft offerings.