Iran's Cyber Army: Missing in Action
U.S. intelligence gave inflated grades to Tehran’s cyber war capability
Iran’s vaunted cyber war capability turns out to be not so vaunted after all. It’s been the dog that hasn’t barked, at least so far, in the war Israel launched against it last week.
For years, intelligence assessments have portrayed Iranian cyber capabilities as fearsome.
The U.S. intelligence community’s most recent annual threat assessment, as presented by National Intelligence chief Tulsi Gabbard to Congress in March, branded Iran’s cyber capabilities “a serious threat to U.S. networks and data” and ranked its operations alongside those of cyber heavyweights China, Russia and North Korea.
Similarly, in April 2024 the cyber analytical firm Citanex composed a portrait of Iran’s “significant and growing cyber warfare capabilities, particularly in the realm of offensive cyber operations.” The readout specifically cited the ability of Iran’s cyber warriors to carry out espionage, destructive malware attacks on infrastructure, influence operations and asymmetric warfare.
“Its capabilities are rapidly advancing, and its strategic approach to cyber warfare makes it a persistent threat,” it said, adding, “Its willingness to engage in aggressive cyber operations, coupled with its focus on asymmetric tactics, poses ongoing challenges for global cybersecurity.”
But many experts and former officials scoffed.
“Iran doesn’t have the sophisticated cyber armies that you might find in a place like Russia or China,” a former official involved in Iran talks told SpyTalk in an email. “Its efforts, while sometimes savvy and damaging, tend to be more ragtag and the work of individuals, rather than PLA-like nodes. That’s not to say they wouldn’t be able to do damage, but what they can do wouldn’t hold a candle to what we might face from a more sophisticated adversary.”
Likewise, Yelisey Bohuslavskiy, a cyber intelligence threat expert with the New York-based firm Red Sense, told SpyTalk that he was always surprised by the reporting on Iran’s cyber capabilities. “All the threats from Iran’s cyber operations that I’ve seen have been defacement and cyber vandalism, which seem to be the top of their capabilities,” he said in an email. Maybe the threat was pumped up by U.S. defense entities.
Cyber experts say Iran’s fearsome reputation as a cyber threat grew after 2010, when the United States and Israel planted the Stuxnet virus inside Iran’s nuclear program, causing the destruction of a large number of its centrifuges. In the decade that followed, Iranian-affiliated actors targeted Western and Gulf infrastructure and U.S. financial institutions.
But many of those attacks simply announced the presence of these actors within the targeted systems, rather than taking their penetrations further to denial-of-service (DoS) or wiper operations, cyber experts say.
“What they did was essentially change a screen to include a warning,” John Hultquist, the chief analyst at Google Cloud security, said in a telephone interview. “What’s really important to know about Iranian activity is that oftentimes it’s about the psychological impact rather than the practical impact.”
Faking It
On Sunday, researchers at Radware, another cyber security firm, pointed to a 700 percent increase in cyberattacks by Iranian state actors and pro-Iranian hacker groups against Israeli targets over the first two days of fighting. The attacks included denial-of-service attempts, infiltration attempts targeting critical infrastructure, data theft and malware distribution campaigns. But there has been no evidence or acknowledgement from Israeli officials or businesses so far that any of these attacks have succeeded.
In addition, Radware has observed claims by pro-Iranian actors, including a group called Arabian Ghost, which said it had shut down Israeli radio stations while another claimed it had blocked the Mossad website. Both claims turned out to be untrue.
Radware also reported that a pro-Iranian outfit called Team Bangladesh warned Jordan and Saudi Arabia to expect cyberattacks on their infrastructure if they supported Israel’s military campaign against Iran. And a cyber actor called #OpIsrael claimed it had attacked Tzofar, an Israeli public address system that alerts civilians to incoming missiles. Those claims also remain uncorroborated.
“I have no doubt that there is a cyber component to this conflict, but Iran is currently not having a degree of success such that it’s coming out and being noticeable,” Michael Daniel, who served as President Barack Obama’s top cybersecurity adviser on the National Security Council, told SpyTalk. “In other words, you’re not getting reports of Israeli utilities being knocked offline by Iranian hackers.”
Daniel and other cyber security experts attribute the failure of Iran’s cyber attacks to the sophistication of Israel's cyber defenses. “Israel is one of the most advanced countries in the world in terms of cybersecurity, if not the most advanced,” said Hultquist.

Israeli Cyber
Meanwhile, Israel, which has been covertly waging cyber war against Iran for decades, appears to have landed two major cyber blows against Iran since the current fighting began.
On Tuesday, a group whose name means “predatory sparrow” said it carried out cyberattacks that destroyed the data of Tehran’s Bank Sepah. The bank was “an institution that circumvented international sanctions and used the people of Iran’s money to finance the regime’s terrorist proxies, its ballistic missile program and its military nuclear program,” the group said in a post on X. Iran’s state-run Fars news agency acknowledged the attack.
And on Wednesday, Hultquist said the same suspected Israeli group eliminated $80 million worth of cryptocurrency from an Iranian exchange.
“It appears that, rather than stealing the cryptocurrency, they carried out the attack in such a way that the cryptocurrency is no longer available at all. It’s been sent to an address where nobody can recover it,” he told SpyTalk.
In the most recent attack, unidentified cyber warriors hacked the satellite signal for Iran’s state-run television.
According to a post on X by OSINTdefender, all of Iran’s channels are now playing messages and videos calling for freedom and revolution inside Iran against the regime.
Iranian hackers were expected to mount at least a noticeable cyber campaign on Israel, and perhaps even the U.S., but it turns out those fears may have been unjustified.
Let me be a little skeptical here. First, Iran has long been preparing for a U.S. attack, which it has consistently regarded as the primary threat.
Second, the media coverage of this conflict feels strangely off. We read and hear about the IDF’s tremendous successes, yet the U.S. ambassador’s plea suggests quite the opposite. (https://substack.com/inbox/post/166201499)
Since Israel is now under IDF-imposed censorship, we lack an objective picture of events. Meanwhile, observers in neighboring countries report a very different reality.
Witnesses in Jordan say they heard explosions from modern variants of Iranian ballistic missiles, identifiable by the steeper angle at which they descend.
In my humble opinion, it will take time — but the truth, whatever it may be, will eventually surface.
At the same time, neighboring states are rightly alarmed by the risk of contamination.
(https://edition.cnn.com/2025/06/18/middleeast/gulf-anxiety-iran-strikes-nuclear-contamination-latam-intl)
I have spent time, from the age of five, at an institution that — aside from other fields — also conducted nuclear research alongside my father. From what I learned there, the reasons for forbidding attacks on nuclear sites are compelling. Only an imbecile — dangerous not only to himself but to every nation in the region — would contemplate such a strike. I was in one of the European countries affected by the Chernobyl disaster at the time; the lesson learned was a brutal one.
It’s fair to say that the greatest threat to the region right now is Israel — held hostage by a group of absolute lunatics. It pains me to admit it, but we must acknowledge this fact.