
CHARLES UNIVERSITY

FACULTY OF SOCIAL SCIENCES


Institute of Political Studies
Department of Security Studies

Master's Thesis

2021 Hana Utinková



Cyber-attacks Against Iran As Instruments of Hybrid Warfare

Master's thesis

Author: Hana Utinková


Study programme: Security Studies
Supervisor: Mgr. Petr Špelda, Ph.D.
Year of the defence: 2021
Declaration
1. I hereby declare that I have compiled this thesis using the listed literature and resources
only.
2. I hereby declare that my thesis has not been used to gain any other academic title.
3. I fully agree to my work being used for study and scientific purposes.

In Prague on 4th May 2021 Hana Utinková


References

UTINKOVÁ, Hana. 2021. Cyber-attacks Against Iran As Instruments of Hybrid Warfare.
Praha, 2021. 68 pages. Master’s thesis (Mgr.). Charles University, Institute of Political
Studies, Department of Security Studies. Supervisor Mgr. Petr Špelda, Ph.D.

Length of the thesis: 105 940 words


Abstract
Cyber security is quickly becoming one of the most important issues in the field of
global politics. For this reason, it is vital to pay attention to topics in this field since they can
impact international relations in a major way. Inspired by this, the thesis is focused on
analysis, characterization, and categorization of cyber-attacks, which had been aimed at the
Islamic Republic of Iran since 2007. The goal of the thesis is dual: to provide a complex
picture of such incidents, and also to decide whether those attacks can be considered as
evidence of hybrid warfare of some states against Iran. Data and reports about cyber-attacks
were analyzed using AVOIDIT taxonomy in order to outline their basic characteristics. The
characteristics were then contrasted with the definition of hybrid warfare. The final result of
the analysis is that the cyber-attacks against Iran cannot be considered as hybrid warfare,
because they do not meet the basic tenets of the concept of hybrid warfare. The aspiration of
the thesis is to provide a clearer insight into the topic of cyber-attacks and global politics and
can serve as a guide for future discussions since the topic of hybrid warfare has become very
divisive.

Abstract (Czech version)
Cyber security is quickly becoming one of the most important topics in the field of
global politics. For this reason, it is necessary to pay attention to topics in this field,
because they can fundamentally affect international relations. Inspired by this fact, the
thesis focuses on the analysis, characterization and categorization of cyber-attacks that
have been aimed at the Islamic Republic of Iran since 2007. The goal of the thesis is
twofold: to provide a comprehensive picture of these incidents and also to decide whether
these attacks can be considered evidence of hybrid warfare by some states against Iran.
Data and reports on cyber-attacks were analyzed using the AVOIDIT taxonomy in order
to outline their basic characteristics. These characteristics were then compared with the
definition of hybrid warfare. The final result of the analysis is that the cyber-attacks
against Iran cannot be considered hybrid warfare, because they do not meet the basic
principles of the concept of hybrid warfare. The aspiration of this thesis is to provide a
clearer insight into the topic of cyber-attacks and global politics and to serve as a guide
for future discussions, since the topic of hybrid warfare has become very divisive.
Keywords
Cyber-Attacks, Hybrid Warfare, Iran, Stuxnet, APT

Keywords (Czech version)
Cyber-Attacks, Hybrid Warfare, Iran, Stuxnet, APT

Title
Cyber Attacks Against Iran As Instruments of Hybrid Warfare

Title (Czech version)
The Use of Cyber-Attacks Against Iran As an Instrument of Hybrid Warfare
Table of Contents

TABLE OF CONTENTS .............................................................................................................1


LISTS OF ABBREVIATIONS ....................................................................................................2
INTRODUCTION .......................................................................................................................3
1. HYBRID WARFARE AND ITS CYBER DIMENSION ........................................................6
1.1 Hybrid warfare .....................................................................................................................6
1.2. Cyber-attacks .................................................................................................................... 10
1.3. Cyber dimension of hybrid warfare .................................................................................... 14
2. INTERNATIONAL RELATIONS IN REGARDS TO CYBERSPACE .............................. 16
2.1. United States and Iran Relations ........................................................................................ 16
2.2. Israel and Iran Relations .................................................................................................... 19
2.3. Saudi Arabia and Iran Relations......................................................................................... 22
3. CHARACTERISTICS OF CYBER ATTACKS AGAINST IRAN ...................................... 24
4. RELATION OF CYBER ATTACKS TO THE CONCEPT OF HYBRID WARFARE...... 33
4.1. Cyber Attacks from 2007 until 2015 .................................................................................. 33
4.2. Cyber-attacks from 2015 until 2020 ................................................................................... 36
4.3. Cyber-attacks and hybrid warfare ...................................................................................... 37
CONCLUSION .......................................................................................................................... 41
MASTER'S THESIS SUMMARY ............................................................................................ 43
LIST OF REFERENCES .......................................................................................................... 44
LIST OF APPENDICES ............................................................................................................ 53

Lists of abbreviations

APT Advanced Persistent Threat

AVOIDIT Attack Vector, Operational Impact, Defense, Information Impact, and Target

CNA Computer Network Attack

COT Cyber Operations Tracker

DDoS Distributed Denial of Service Attack

DoD Department of Defense

DoS Denial of Service Attack

HW Hybrid Warfare

IAEA International Atomic Energy Agency

ICS Industrial Control System

IDF Israel Defense Forces

IRGC Islamic Revolutionary Guard Corps

JCPOA The Joint Comprehensive Plan of Action

PLO The Palestine Liberation Organization

RPG Rocket-Propelled Grenades

SCADA Supervisory Control and Data Acquisition

SCI Significant Cyber Incidents

WMD Weapons of Mass Destruction

Introduction
Cyber security is quickly becoming one of the most important strategic fields in
global politics. Governments across the globe are increasing their defense budgets and
securing critical infrastructure and strategic sectors, which are necessary for a proper
functioning of the state. Due to an unprecedented interdependency of global
telecommunication networks and virtual space, critical infrastructure can be easily targeted
by attackers. Any incident, which was successful in breaching critical infrastructure can have
far-reaching effects on the economy, politics, and security. Hence, it is essential to pay
attention to the activity, which is occurring on a global scale and at an increasing pace.
One of the most notorious instances of a malicious cyber operation is the case
of Stuxnet. It became known worldwide in 2010 when researchers discovered that there had
been ongoing activity in the nuclear facilities of the Islamic Republic of Iran. As was later
revealed, the attack damaged Iranian centrifuges used for the separation of nuclear material,
which delayed the development of the Iranian nuclear program. As Mazanec points out:
“the Stuxnet attack is believed to be of U.S. origin and represents the most highly engineered
CNA-style attack to date (Mazanec, 2015, p. 186).” (CNA stands for Computer Network
Attack.) Such a technically sophisticated attack, which went undetected for years, was
unprecedented at the time and had lasting effects on international relations and state
strategies. For example, the Iranian strategy for cyber security was overhauled and the new
one placed extra emphasis on securing critical infrastructure as well as using cyberspace to
the state’s advantage.
Since cyber-attacks such as Stuxnet have a long-lasting effect and significant impact
on the development of relations between actors, the thesis will aim to analyze, whether the
attacks against Iran can be categorized as instruments of hybrid warfare. Determining,
whether such categorization is possible would help us to better understand the nature of
interactions between the states and improve the assessment of reactions to possible future
conflicts. In a case that the cyber-attacks cannot be categorized as hybrid, the thesis can help
to clarify terms in the discussion and the discourse.
The methodology of the diploma thesis will be a case study analysis of cyber-attacks
against critical infrastructure and strategic objects of the Islamic Republic of Iran. Cyber-
attacks will be contextualized with the concept of hybrid warfare with the aim of determining
how these attacks interact with the framework of hybrid warfare. In other words, the analysis
will provide a further understanding of the topic of cyber-attacks in relation to hybrid
warfare and of whether the attacks against Iran can be considered signs of hybrid warfare
by Iran’s opponents. For this reason, the thesis aims to answer two research questions.
The first aims to describe the primary sources of the analysis, which are the cyber-attacks
against Iran. By identifying their characteristics, it will be possible to answer the second
research question, aimed at finding out how the cyber-attacks interact with the framework
of hybrid warfare. The two research questions are formulated as follows:

RQ1: What are the main characteristics of cyber-attacks against Iran?


RQ2: How do the characteristics of cyber-attacks against Iran interact with the
framework of hybrid warfare?

The thesis will use several types of academic sources to achieve a balanced approach
to the analysis. Secondary sources will be the basis of information for the thesis. Academic
books, journals, research papers, and articles will be used for the theoretical as well as
analytical section, while news reports and articles will be used to illustrate certain specific
sections of the thesis, such as historical events. Furthermore, primary sources will be used
for the description of the historical events, which will provide an authentic overview,
however, they will not be the main body of the thesis. The thesis will also utilize two
databases, Significant Cyber Incidents - SCI (CSIS, 2020) and Cyber Operations Tracker -
COT (CFR, 2020a), which both provide information about cyber-attacks and will be used
mainly in the analytic section. Both databases are secondary sources: the SCI database
contains records of significant cyber incidents since 2006, as its title implies, while COT
records known state-sponsored incidents with their target and type of attack. For this reason,
the COT and SCI databases will provide a useful foundation for the analytical section.
For the purpose of the analysis, the timeframe of gathered data and information will
be limited to the period from 2007 until late 2020. Understandably, historical events that
predate this period illustrate how relations between countries have formed, which is why
they will be considered as well; however, the main source of information will be the period
above. The year 2007 was chosen due to the nature of both research fields, cyber-attacks
and hybrid warfare. Both are relatively new fields with rapid development since the 2000s;
for instance, the concept of hybrid warfare was first used by Frank G. Hoffman in 2007.
Similarly, Stuxnet, as the first major cyber-attack of this kind, was discovered in 2010, though
its earliest version had reportedly been deployed as early as 2007. Therefore, all these facts
indicate that the above-mentioned period is best suited for this thesis.
After the collection, the data will be analyzed through a description of characteristics
of cyber-attacks against the Islamic Republic of Iran, identification of recurring themes and
patterns, suspected attackers as well as attack types. Cyber-attacks will be categorized
according to Attack Vector, Operational Impact, Defense, Information Impact, and Target
(AVOIDIT) taxonomy, specifically according to their informational impact, which will
provide an insight into attackers’ intentions. Moreover, the thesis will examine which
industries or sections of the government were targeted by these cyber-attacks. Following the
description, the characteristics will be referenced against the concept of hybrid warfare,
which will provide an answer to the second research question. For this reason, geopolitical
events will be taken into account, since they provide an important insight into the reasons
why a cyber-attack would be conducted. Furthermore, the nature of the informational impact
of cyber-attacks from the AVOIDIT taxonomy will show whether the characteristics of
cyber-attacks coincide with the concept of hybrid warfare. Characteristics of cyber-attacks
will be contrasted with the theoretical section, more concretely the conditions for
determining whether a conflict is hybrid or not. The answer to the second research question
will mainly originate from the nature of the cyber-attacks and whether they meet the basic
tenets of the concept of hybrid warfare, which will be described in the following chapter.
This thesis contributes to existing research and brings a new understanding of the
relations between two fields, cyber-attacks and hybrid warfare. Due to their relative novelty,
there is not a substantial body of research as with concepts that have been around for decades
or centuries. Furthermore, this approach provides a new outlook on relations between Iran
and its opponents, mainly the United States, and examines historical undercurrents of
contemporary events. As George and Bennett state, case studies are “useful means to closely
examine the hypothesized role of causal mechanisms in the context of individual cases
(George and Bennett, 2005, p. 25).” For this reason, it is a perfect method with which this
thesis will be conducted. Nonetheless, as with the majority of studies, the design of the
current thesis is subject to two potential limitations, the problem of attribution and
limitations of the concept of hybrid warfare. Both will be addressed in further sections of the
thesis to avoid any ambiguity in the conceptualization and to explain the inherent nature of
cyberspace, which makes it more difficult to attribute cyber-attacks and how researchers aim
to overcome the problem of attribution.

1. Hybrid Warfare and Its Cyber Dimension
The first part of the theoretical section of the thesis consists of the definition of hybrid
warfare (HW) and of cyber-attacks. It is also focused on distinguishing among the terms
‘cyber-attack’, ‘cyber-warfare’ and ‘cyber-crime’. Subsequently, the cyber dimension of the
hybrid warfare is defined based on the characteristics of the previous two concepts. Finally,
a discussion of possible criticism of the concept of hybrid warfare is provided and limitations
of the concept are addressed.

1.1 Hybrid warfare


With the aim of providing a clear definition of the concept of hybrid warfare, the
thesis utilizes the definition of Frank G. Hoffman, since he is the most referenced and cited
researcher. His definition is as follows: “[h]ybrid threats incorporate a full range of different
modes of warfare including conventional capabilities, irregular tactics and formations,
terrorist acts including indiscriminate violence and coercion, and criminal disorder. Hybrid
Wars can be conducted by both, states and a variety of non-state actors, with or without
sponsorship (Hoffman, 2007, p. 8).” As is apparent from the word itself, if something is
‘hybrid’ then it is a mix of different approaches, tactics, or methods. In the case of hybrid
warfare, the mix is presented by the merger of conventional and unconventional forms of
warfare. The conventional part of the definition encompasses the use of modern military
training, organizational structures, and coordination such as command and control. As for
unconventional warfare, different forms can be combined, such as economic, diplomatic
or political warfare. The concept is predominantly “based on the ability to target distant
objects and processes through non-traditional means, particularly those critical to state and
military functions (Danyk et al., 2017, p. 6).” More specifically, according to D’Agostino’s
brief for the U.S. Department of Defense (DoD), unconventional warfare entails “[a] broad
spectrum of military and paramilitary operations, normally of long duration, predominantly
conducted through, with, or by indigenous or surrogate forces who are organized, trained,
equipped, supported, and directed in varying degrees by an external source (D'Agostino,
2010, p. 25).” Some of such unconventional tactics can entail terrorist acts, criminal
activities including cyber-attacks or the use of other advanced tools and tactics. To bring
both aspects of the concept of hybrid warfare together, Florence Gaub provides an overview
of how both conventional and unconventional methods of conducting war manifest in the
nature of military units. Firstly, the organization of the unit is based on moderately
centralized command structure with units up to battalion-size. Secondly, weapons usually
used by a hybrid force are small arms, rocket-propelled grenades (RPGs) and short-range
rockets together with longer-range rockets or anti-tank missiles (Gaub, 2015, p. 2).
In addition to Hoffman’s definition, Reichborn-Kjennerud and Cullen provide a
model of how to work with the fact that both state and non-state actors can be part of hybrid
warfare. Hybrid warfare conducted by non-state actors has two main characteristics. Firstly,
the non-state actors which use hybrid tactics display a certain level of technical
sophistication. Technologies and strategies used by the non-state actors can include modern
weapons systems, technologies (cyber, secure communication, sophisticated command and
control), and tactics. The second characteristic of hybrid warfare conducted by non-state
actors is the expansion of the conflict beyond traditionally military domains. Such expansion
away from a traditional battlefield provides the non-state actor an asymmetric advantage
against a militarily superior state (Reichborn-Kjennerud and Cullen, 2016, p. 2).
Another part of Reichborn-Kjennerud and Cullen’s model looks at hybrid warfare
conducted by a state actor in which they note that the main advantage of using such strategies
is the ambiguity, which awards the states with the ability to deny ever using such tactics. “At
the strategic level, state HW is designed to avoid conventional war. It targets perceived ‘red
lines’ or thresholds of its opponents and operates below them; it finds ‘gray zones’ where
these red lines are not articulated and exploits these undefended spaces; and it hides its
military means while emphasizing non-military means to achieve its political goals.
Ambiguity in the form of plausible deniability can be achieved by hiding and denying agency
through the use of proxies, non-attributable forces (e.g. little green men) and attacks (e.g.
cyber) (Ibid.).” Moreover, state actors can employ different tactics while coordinating and
synchronizing their moves, which magnifies the scope of their efforts and creates a synergy
of forces.
To further define hybrid warfare, Laura-Maria Herta comments on its multi-
modal nature. She claims that “hybrid warfare is an aggregate of blended strategies
(facilitated by globalization and revolution in communications and internet, also triggering
the instantaneity of attacks) employed by some military actors, which perceive themselves in
an asymmetric conflict with an opponent, in an attempt to keep up with the uneven conditions
(Herta, 2017, p. 140).“ Moreover, she states that the multi-modal characteristic distinguishes
the hybrid warfare from other types of irregular warfare such as compound warfare or
guerilla tactics (Ibid., p. 138). By fusing irregular strategies, opponents seek victory or at
least advantage, which might not be possible if they had to resort only to conventional
strategies. Furthermore, this blending of strategies allows for faster utilization of new
technologies and recently acquired capabilities. To illustrate, Hoffman gives an example of
states blending anti-satellite weapons with terrorism and cyber warfare (Hoffman, 2009, p.
37) as a way to exploit modern capabilities through hybrid means. Florence Gaub provides
even further examples of this multi-modality, with the example of the use of elements
ranging from regular tactics and formations, to terrorist attacks, criminal activities, and more
(Gaub, 2015, p. 1).
According to Ducaru, the aim of an actor, who uses hybrid warfare is to “a) generate
surprise; b) seize the initiative; c) generate deception and ambiguity; d) avoid attribution of
action; maximize deniability of responsibility for aggressive actions (Ducaru, 2016, p. 10).”
Nonetheless, the main objective of the actor is the disruption of the targeted state. Some of
the activities, which can be taken are described by Danyk et al. and include the
encouragement of the destabilization of the economy, frustration and disaffection of the
population, splintering of minorities or aggrieved populations, creation of conditions
encouraging controlled and uncontrolled migration, suppression of civil resistance, and
disruption of critical infrastructure (Danyk et al., 2017, p. 6). As such, actors targeting the
state are taking advantage of vulnerable points in institutions, military, and infrastructure,
which can lead to a fundamental change in the economy and political situation in the state.
To summarize the definition of hybrid warfare, Andersson and Thierry provide
a clear overview of the basic characteristics of the concept: “the combination of conventional
and unconventional, military and non-military, overt and covert actions; the aim of creating
ambiguity and confusion on the nature, the origin and the objective of the threat; the ability
to identify and exploit the vulnerabilities of the targets; the capacity to keep the level of
hostility below the ‘threshold’ of conventional war (Andersson and Thierry, 2015, p. 2).”
The concept of hybrid warfare has become widely used in the media, politics and
the academic community. As Caliskan and Cramers point out, 70% of authors who use the term
in fact imply the meaning of another concept (Caliskan and Cramers, 2018, p. 12), such as
information warfare, propaganda, fake news or irregular warfare. This ambiguity means that
the term hybrid warfare became a catch-all phrase for many outlets and created grounds for
criticism of the concept itself. To avoid the ambiguity, the thesis uses the definition of Frank
G. Hoffman, Florence Gaub and Andersson and Thierry as stated in the section above and
does not include terms such as propaganda etc. Criticism of the concept of hybrid warfare is
extraneous to this thesis since most of the criticism is based on the usage of the concept in
relation to disinformation, propaganda, or media. As Reichborn-Kjennerud and Cullen
argued, “[t]he real issue with hybrid warfare is not so much the problem of defining the term
as how to clarify the concept so to make it useful (Reichborn-Kjennerud and Cullen, 2016,
p. 1).” Furthermore, as Weissmann argues, the lack of conceptual clarity is not a unique
problem for hybrid warfare, but is shared with “the lack of agreement on what war is, how
its character is evolving and what this means for distinctions between peace, conflict, and
war (Reichborn-Kjennerud and Cullen, 2016, p. 1 as cited in Weissmann, 2019, p. 18).”
With regard to the cyber dimension of hybrid warfare, the same clarity of definition is needed
as well. In order to avoid ambiguity similar to that of the core concept, the focus in the cyber
domain will be limited to cyber-attacks. They can take the form of the spread of malware,
disruption, information leaking, espionage, sabotage, infrastructure disruption etc. Likewise,
this avoids the ambiguity that would come with the terms stated above, associated with the
‘catch-all’ and vague approach to defining hybrid warfare.
In order to properly conceptualize the theory, it is necessary to delimit some
conditions that would exclude cyber-attacks from being characterized as hybrid. Firstly,
the concept of hybrid warfare has always included blending of tactics or its multi-modal
nature. As was stated in previous sections, this means the convergence of conventional and
unconventional, military and non-military, and overt and covert actions (Andersson and
Thierry, 2015, p. 2). For this reason, if cyber-attacks are taken without any military action,
conventional or unconventional, they cannot be considered hybrid. As such, these cyber-
attacks act as a lone operation(s) without the support of conventional military and are not
part of a broader campaign to undermine or dismantle the target. The use of conventional
military together with cyber-attacks and other hybrid tactics would put an enormous pressure
on the target and create a synergy of forces, which would be a real threat to the existence
and the stability of the targeted entity. A cyber-attack conducted without its hybrid
‘companions’ would not have such undermining effect as the whole hybrid campaign. With
the same logic, a terrorist group using covert actions and suicide bombers cannot be
considered hybrid due to the fact, that the conventional aspect of the theory is missing.
Secondly, we cannot forget the fact that the actions of intelligence agencies have been an
inseparable part of conventional military affairs for decades, and even centuries. They
operate on the threshold of covert and overt actions, and of official and unofficial status.
Nevertheless, they are usually not regarded as hybrid threats, but as extended powers of the
state acting for the benefit of the state beyond its usual means. For this reason, we cannot
automatically merge the activities of the intelligence services, and by extension cyber-
attacks, with the term hybrid warfare. To illustrate, the recent events around the Vrbětice
bombings of 2014 serve as a reminder of the lengths intelligence agencies are willing to go to. In
April 2021, it came to light that Russian agents presumably caused two explosions in
ammunition storage depots in the Czech Republic and killed two Czech citizens (BBC, 2021),
which triggered an immense rise in tensions between both countries. Some might argue that
these attacks are acts of hybrid warfare, however that would omit fundamental parts of the
concept.

1.2. Cyber-attacks
The second part of the theoretical section of the thesis focuses on cyber-attacks. The
term, however, is in many discussions used vaguely or interchangeably with ‘cyber-warfare’
and ‘cyber-crime’. To avoid confusion of the terms, a clear distinction between them will be
made in the following paragraphs. A frequently used definition of cyber warfare is by
Richard A. Clarke, who states that cyber war is “actions by a nation-state to penetrate
another nation’s computers or networks for the purposes of causing damage or disruption
(Clarke and Knake, 2010, p. 6).” There are, however, shortcomings with Clarke’s approach,
mainly that the definition does not include actions by non-state actors, which are very often
associated with cyber-attacks. Additionally, non-state actors can often act on behalf of
nation-states, which provides deniability and cover for the state. Thus, the definition used in
the thesis is by Hathaway et al., which encompasses all necessary attributes of the term:
“A cyber-attack consists of any action taken to undermine the functions of a computer
network for a political or national security (Hathaway et al., 2012, p. 826).”
As was said previously, in discussions around cyberspace, many sources do not
acknowledge the difference between the terms ‘cyber-attack’, ‘cyber-war’, and ‘cyber-crime’;
therefore such distinction has to be made. Firstly, cyber-crime is an activity, which violates
criminal law, committed through the means of a computer system, namely fraud,
unauthorized access, child pornography, or cyberstalking (Gordon and Ford, 2006, p. 14).
Since this activity usually does not aim to undermine the computer system it is aiming at and
involves mainly non-state actors (see Table 1), cyber-crime is not related to the topic of this
thesis.

Secondly, the distinction between cyber-attack and cyber-warfare is whether the
effect must be equivalent to an armed attack. “Only cyber-attacks with effects equivalent to
those of a conventional ‘armed attack,’ or occurring within the context of armed conflict,
rise to the level of cyber-warfare (Hathaway et al., 2012, p. 837).” As such, certain cyber-
attacks can fall under cyber-warfare; however, as Hathaway et al. stated, “not all cyber-
attacks are cyber-warfare (Ibid.),” mainly, because the cyber-attacks do not meet the
condition of being conducted in the context of armed conflict. Consequently, the term cyber-
attack is used in the thesis and needs to be distinguished from other terms used in the
literature and debates on cyber-related issues.
According to Ducaru, an attack in cyberspace can take the form of: “data ex-filtration
and espionage; info and data manipulation for deception effects or negative impact on
institutional prestige (DDoS attacks, defacements of web-sites, identity theft or simulations
for deception);cyber-attacks aimed at degrading or disrupting critical infrastructure or
operational enablers / assets; cyber-attacks aimed at physical destruction of networks or
critical infrastructure / operational assets. (Ducaru, 2016, p. 17).” However, a far more
organized and exhaustive framework is the taxonomy by Simmons et al. (2009). Their model
provides a cyber-attack taxonomy called AVOIDIT (Attack Vector, Operational Impact, Defense,
Information Impact, and Target). A useful part of the taxonomy is its classification
according to informational impact, since information, its destruction, or its modification is the
most common target of any attacker. Moreover, by assessing what effect the attack had, it is
possible to evaluate the actor’s intentions and end goals. The classification uses five
characteristics to distinguish cyber-attacks by informational impact: distortion, disruption,
destruction, disclosure, and discovery. Simmons et al. define these terms as follows:
• Distort – “A distortion in information, usually when an attack has caused a
modification of a file. When an attack involves distort, it is a change to data within
a file, or modification of information from the victim.”
• Disrupt – “A disruption in services, usually from a Denial of Service. When an attack
involves disrupt, it is an access change, or removal of access to victim or to
information.” In other words, the information was temporarily made unavailable or
access to the network was not possible for a limited amount of time, however, the
disruption does not mean a complete destruction of the network or information. As
is stated above, an example of a disruptive attack is a DoS (Denial of Service) or
DDoS (Distributed Denial of Service), which is a large-scale version of DoS.
• Destruct – “A destruction of information, usually when an attack has caused
a deletion of files or removal of access. Destruct is the most malicious impact, as it
involves the file deletion, or removal of information from the victim.” In contrast to
disruption, destruction therefore involves the deletion of information and even the physical
destruction of networks and information.
• Disclosure – “A disclosure of information, usually providing an attacker with a view
of information they would normally not have access to.” In attacks that fit this
characterization, the attacker gains access to sensitive, classified, or confidential
information and leaks it on the Internet or through another channel of
communication.
• Discovery – “To discover information not previously known. For example, when a
scanning tool probes for information, the information discovered can be used to
launch an attack on a particular target.” (Simmons et al., 2009, p. 6) Another way
of describing this characteristic is espionage, the unauthorized acquisition of
information for later use in other malicious activities. Thanks to
the new information, the attacker gains an advantage in future attacks.

Considering the rapid development and expansion of forms of cyber incidents, it is
not possible to develop an exhaustive typology, which would encompass all possible attacks.
Attackers are constantly inventing new ways of achieving their goals, and the volume and
variety of everyday attacks are considerable. Chapman et al. in Taxonomy of Cyber
Attacks and Simulation of their Effects (2011) have provided an extensive overview of
different types of cyber-attacks based on the level of access to the system required to
launch an attack, as well as on the delivery methods used to implant these cyber-attacks
(see Table 2). Chapman et al. also note that this taxonomy is not applicable to all
possible attacks, since “[s]ophisticated attackers, such as intelligence services or military
forces of certain nation states, can mount precisely targeted attacks against very narrowly
focused targets (Chapman et al., 2011, p. 74).” An example of such a precise attack is
Stuxnet, which falls outside the classification of lower-level attacks due to its complexity,
sophistication, and technological advancement.
Some of the sophisticated attacks can be classified as Advanced Persistent Threats
(APT). These attacks differ from other cyber-attacks by their customization, which makes
them precisely designed to infiltrate the target. APTs usually rely on exploits in the target's
infrastructure and on prior intelligence that grants access to the opponent’s
system. The so-called ‘zero-day vulnerabilities’ are some of the most valuable exploits,
because the weakness of the system is not known to its owner, while the
attacker can use it to their own advantage. For instance, Stuxnet used four of these zero-day
vulnerabilities. Because developing an APT demands a high level of expertise and resources, the
only entities likely to use them are states, rather than hacktivists or terrorists (DeVore and
Lee, 2017, p. 41). In order to keep the terminology clear, the thesis will refer to the entities
that use APTs as ‘threat actors’. A threat actor is someone with malicious intent who is
responsible for the attack and aims to deploy the APT in the target’s network to gain
access. In other words, the APT is the tool and the threat actor is the entity behind the attack
which initiated it. The last term commonly used in discussions about cyber security
is malware. It is a short form of the phrase ‘malicious software’ and, according to Robert
Moir, it is “a catch-all term to refer to any software designed to cause damage to a single
computer, server, or computer network, whether it's a virus, spyware, et al. (Moir, 2009).”
Malware can be categorized according to the way it enters the computer or the system; the most
common types in this categorization are worms, viruses, and Trojan horses.
Another categorization distinguishes what the malware does once it enters the system;
according to this characterization, malware can be spyware, ransomware, or a rootkit.
An in-depth discussion of types of malware is beyond the scope of this thesis;
nevertheless, it is important to keep in mind that such malicious software exists.
There is one potential limitation to research on cyber-attacks, and
that is the problem of attribution. It stems from the fact that cyber-attacks can be
conducted using many different methods to hide the identity of the attacker. Due to the
open nature of the Internet, attackers can therefore “route malware via servers in uninvolved
countries to cloak their actions under a veil of anonymity (DeVore and Lee, 2017, p. 43).”
The techniques that researchers use to attribute an attack include, for example,
storage-based analysis, RAM-based analysis, static analysis, similarity-based attribution,
machine-learning techniques and neural networks, attribution through social networks, and
linking with geopolitical scenarios (Shamsi et al., 2016).
The problem of attribution is less prevalent with advanced persistent threats, since the
technological sophistication of the attack usually indicates which state is the perpetrator,
because only a small number of entities can reach such sophistication. Additionally, due to
their high development cost, attackers are incentivized to use APTs against their geopolitical
opponents and not to ‘waste’ them on lesser targets. Developers also need to be highly trained
and to work in teams in order to create an APT (DeVore and Lee, 2017, p. 44), which is why
there can be coding patterns pointing to the origin of the attack. Altogether, these
characteristics of APTs make attribution more likely than
with other low-level cyber incidents. Nevertheless, researchers may still be
unable to attribute a cyber-attack to a specific attacker with absolute certainty, because,
for example, attackers deliberately obfuscate data in order to avoid detection.
For this reason, databases such as COT or SCI list potential attackers according to a
combination of technical data, open-source information, and an understanding of the threat
actor’s foreign policy priorities (CFR, 2020b).

1.3. Cyber dimension of hybrid warfare


Throughout the years, cyber-attacks have become more prevalent, since technological
innovations and globalization have made them more accessible, even for non-state actors to
use and misuse. As Ducaru indicates, the combination of cyber capabilities with military hybrid operations is
one of the three major concerns which could dramatically affect the cyber threat landscape,
especially because of the quickly changing global environment. The other two concerns are
“cyber pirateering” and the growing nexus between cyber and terrorism (Ducaru, 2016, p. 9).
Technological advancement enables states that lack the conventional
strength of their opponents to launch attacks against them. According
to Simons et al. (2020), the connection between hybrid warfare and cyber-attacks is
highlighted by the nature of cyber-attacks, which complements the strategies used in
hybrid warfare. They state that “cyber-attacks are part of the system of the non-standard
and unconventional warfare found in the concept of hybrid warfare […]. It enables an
indirect attack upon the target that does not involve a physical intrusion and is therefore
somewhat deniable and is less likely to reach the threshold that would trigger a state-on-
state conventional war (Simons et al., 2020, p. 3).” The fact that the perpetrator of the cyber-
attack can deny their involvement in the incident makes it an ideal tool in the hybrid warfare
toolkit. Moreover, the multi-modal nature of hybrid warfare makes cyber-attacks a perfect
instrument for achieving disruption of the state and exploitation of its
vulnerabilities. The aggregation of multiple strategies goes hand in hand with the nature of the
Internet, and as Ducaru asserts, cyber capabilities are uniquely attractive as ‘weapons of
choice’ in any future hybrid warfare scenario (Ducaru, 2016, p. 22). As Tsaruk and Korniiets
note in their article, the nexus of international relations and cyberspace reveals a number of
emerging hybrid threats. They list several ways in which cyberspace intersects with hybrid warfare, among
them cyber leverage in diplomacy, cyber sabotage and espionage, retaliation for
cyber-attacks, cyber troops, weapons, and an arms race (Tsaruk and Korniiets, 2020, p. 71).
Since perfect cyber-defense is difficult to achieve, the response to a cyber-attack is often
a retaliatory attack, or attack-as-a-defense. Similarly, information gathered
through espionage can be used as leverage in diplomacy, for example by publicly blaming a state for a
cyber-attack.

2. International Relations in Regards to Cyberspace
The following chapter will recount significant events in the history of the Iranian
relationship with the US, Israel, and Saudi Arabia. As will be described further in the chapter,
these three states are the most important rivals of Iran in global politics and, for this reason,
they are also the most likely candidates for perpetrating a cyber-attack. Current relations
depend heavily on historical events; the chapter therefore aims to illustrate why there would be
a reason for a potential attack and what its historical background would be.
Subsequently, there will be an account of the cyber-attacks that have transpired previously and
the context in which they occurred.

2.1. United States and Iran Relations


The especially strained relations between the United States and the Islamic Republic
of Iran, which have come close to the edge of armed conflict several times, are undoubtedly
a perennial issue of international politics. There was a relatively stable partnership between the
US and the Imperial State of Iran until the year 1978, which was particularly valuable for
the US administration due to Iran’s position and the geopolitical situation during
the Cold War. Everything changed with Enqelâbe Irân, also known as the Islamic
Revolution, which overthrew Shah Pahlavi in 1979 and established Ayatollah Khomeini
as the leader of the theocratic state. By the end of that year it had become fully clear
what direction the two countries' future relations would take, when in November an Iranian mob
carried out an unprecedented attack on the US Embassy in Tehran and held its
staff captive for several months, entirely against international law. The
Carter administration immediately responded by imposing economic sanctions and even
considered military intervention at the height of the crisis.
The crisis was somewhat mitigated with Ronald Reagan's arrival in the White House
and the adoption of the Algiers Accords in January 1981, which ended the hostage crisis.
This set of agreements plays an important role in US-Iranian relations because it addressed
the following points of previous contention and resolved the conflicts regarding them: the
freezing of Iranian assets by the US, the termination of litigation between both sides and their
citizens, and the establishment of the Iran - United States Claims Tribunal for arbitration purposes;
Iranian debts to US institutions would be paid and the US pledged not to intervene in Iran’s
internal affairs (Islamic Republic of Iran and United States of America, 1981).

This set of agreements therefore significantly reduced the risk of open armed conflict,
which was very possible at the time. Nevertheless, it was apparent that, apart from traditional
regional rivals, the US was the main enemy of the new anti-Western Iranian regime. Such
rivalry was caused primarily by the US’ previous support of the Shah’s secular regime. It is
important to mention that, despite its relationship with the US, the Shah’s regime had violated
the human rights of its citizens and committed many crimes against its political opponents
throughout its existence.
Similar to Iran, the US made its antagonistic attitude clear shortly after the
revolution of 1979. During the Iran – Iraq war of 1980 - 1988, the US provided material
support to the Iraqi side. Moreover, in 1984 the U.S. State Department placed Iran on a list
of states that directly sponsor terrorist organizations, because of a terrorist attack on the US
- French base in Beirut the year before. The attack was attributed to
Hezbollah, financed and supported by Iran (CFR, 2020c). The year 1988 can be considered
a truly critical moment in US – Iran relations, because of an escalation followed by a military
confrontation between American and Iranian naval forces. On the 14th of April 1988, the
USS Samuel B. Roberts was damaged by an Iranian sea mine and several of its crew
members were injured. In response, the US Navy launched Operation Praying Mantis
four days later. The operation was “the largest of five major U.S.
Navy surface actions since World War II (NHHC, 2007).” Two Iranian ships were sunk
during the operation and several others were damaged, when the US Navy used surface-to-
surface missile fire for the first time since World War II (Ibid.). Even though both sides
decided to de-escalate the conflict and not to continue with retaliatory actions, an Iranian
civilian aircraft with 290 people on board was shot down two months later by a US missile.
Supposedly, the American crew mistook the aircraft for an attacking fighter jet and
shot it down even though it was still in Iranian airspace. It is important to note that this
incident illustrates the high risk of involuntary escalation of the conflict, which can happen
in the case of inadvertent or mistaken use of force.
Compared to the 1980s, when the risk of a military clash was fairly high, as stated
above, the state of the mutual relationship from the end of the Gulf War
through the 1990s can be linked with the US policy of economic pressure, which took the form of an
increasing number of sanctions against Tehran. Sanctions culminated in 1995 and 1996 with a
trade and oil export embargo and the adoption of the 1996 Iran and Libya Sanctions Act
(CFR, 2020c). Whereas the turn of the millennium saw a certain improvement of relations,
after 2002, when President Bush named Iran as part of the ‘axis of evil’ (Fayazmanesh, 2008,
p. 113), relations deteriorated due to Iran’s efforts to develop weapons of mass
destruction (WMD).
The history of the Iranian nuclear program dates back to the Shah’s regime, when in the
1970s Iran pursued the development of nuclear facilities intended for civilian
use. Even at the time there were concerns whether this program could be misused for
the purpose of developing nuclear weapons, which is why the United States signed a treaty
with Iran that limited the supply of nuclear fuel. The new Islamic regime inherited the
nuclear efforts; however, as Fiore states, due to brain drain and the freezing of financial resources,
Iran did not have the capacity in the 1980s to develop them further (Fiore, 2011, p. 3). The
interest itself, however, remained, and in the mid-1980s Iran tried to restart its nuclear program
with the help of China and North Korea, and later, in 1995, in cooperation with Russia (Ibid.).
The Second Gulf War represented a significant warning for Tehran, since it showed
the willingness of the United States to intervene in a country whose efforts to
acquire WMD Washington considers a threat to US interests and global
security. As Fiore further explains, Tehran realized that the deterrence potential of WMD is
questionable if, instead of being deterred, its enemies can be provoked into intervention and
attack. This was most likely the reason why in 2003 the U.S. National Intelligence Estimate
stated that Iran had paused its nuclear program, even though it continued with uranium
enrichment (CFR, 2020c).
Following inspections of the Iranian nuclear program by the International Atomic Energy
Agency (IAEA), the US increased the pressure on Iran to curb its uranium enrichment and
to stop its nuclear program. The efforts of the US, as well as of Israel, culminated in UN Security
Council Resolution 1696, adopted in July 2006, which demanded the suspension of all
“enrichment-related and reprocessing activities, including research and development, to be
verified by the IAEA (UN Security Council, 2006).” During the United Nations General
Assembly in 2007, Iranian president Ahmadinejad announced that the nuclear program of
his country was halted; however, he denied the possibility of terminating further enrichment
of uranium. Only a year earlier, Ahmadinejad had written a letter to Bush, which was the first
direct communication between the two powers since the Islamic Revolution in 1979. Many
authors, such as Kissinger, consider this letter an attempt to lower tensions between the two
countries; however, it was met with a cold American reaction (RFE/RL, 2006; Kissinger,
2016, p. 165). Although Iran expressed a willingness to negotiate the terms, no compromise
was reached, and the US pushed to impose UN sanctions, which started to be lifted in 2013
following initial negotiations about the nuclear deal. Further sanctions were lifted in
2015, when Iran, the P5+1 (the UN Security Council plus Germany), and the EU reached an
agreement and signed the Joint Comprehensive Plan of Action (JCPOA).
Iran began to limit its nuclear program and the IAEA confirmed its compliance with the
treaty (Tureček, 2016, p. 179), which resulted in a gradual lifting of sanctions by the
international community in 2016. The signing of the JCPOA meant a new phase in international
relations with Iran, as well as economic growth as a result of the revocation of sanctions. It
will remain unanswered whether the nuclear agreement of 2015 had the potential to
change the trajectory of relations between the United States and the Islamic Republic of
Iran, and likewise Iran’s international position as a state that many countries consider a
pariah of the international system. In May 2018, President Trump announced that the United
States was withdrawing from the treaty, despite the fact that the IAEA had found Iran to be
compliant with it. At the same time, the US sought to impose the so-called ‘maximum
pressure sanctions’ (Seliktar, 2020, p. 5), which gradually resulted in a worsening economic
situation in Iran as well as social unrest. Since 2018, tensions between Iran and the US
have significantly increased compared to previous years, and they culminated in January
2020, when Iranian major general Qasem Soleimani was killed by a US drone. This
unparalleled attack sparked major protests against US interference and against the fact that
Soleimani was killed on Iraqi soil. After the US withdrawal, Iran entered negotiations
with the E3 (France, Germany and the UK) in order to preserve the JCPOA; however, its future
is uncertain. Joe Biden has expressed his willingness to return to the JCPOA as it was in 2015
(Rome, 2020), but whether this will be politically possible is unsure.

2.2. Israel and Iran Relations


During many negotiations, Israel has been on the same side of the table as the US. For
instance, Israel persistently lobbied for UN sanctions in 2006, and Israeli Defense Minister
Ephraim Sneh even discussed the possibility of a preemptive Israeli attack against Iran’s
nuclear program (Fayazmanesh, 2008, p. 210). Over the more than seventy years of its
history, Israel has been in a state of war with most of the countries in the Near East and, in several
cases, its existence was even threatened. Consequently, it is a paradox that so far, Israel has
not been in a direct armed conflict with Iran. In any case, the conflict has been indirect, as Iran has
supported and armed Sunni groups such as Hamas in their fight against Israel, similar to the
Taliban in Afghanistan (Kissinger, 2016, p. 163).
Prior to 1979, Israel had very close diplomatic relations with Iran, which were based
on shared geopolitical interests. Fear of Soviet Communism was one of them (Kaye et al.,
2011, p. 9) and led both states to cooperate in military and economic areas. Due to the fact
that Israel was surrounded by hostile neighboring countries, it was logical from a geopolitical
perspective that the two countries were willing to overcome differences and to cooperate.
At the time, it was clear that the enemy of my enemy is my friend. Concretely,
as Rezaei and Cohen write, Iran was “the only country that kept Israel from suffering an
energy shortage during oil crises and provided it with oil after the 1956 Suez crisis. Iran
was the only Islamic country that rejected the demand of the Arab states to destroy Israel
and expressed its support for recognizing the Jewish state as a sovereign and independent
state. Later, during the Yom Kippur War of 1973, Iran also gave Israel much needed support
and supplied it with oil (Rezaei and Cohen, 2014, p. 443).” But that relationship was badly
shaken in the immediate aftermath of the overthrow of the secular Shah and the advent of the
theocratic regime. This was also true of relations with pre-revolutionary Iran's other
former partners, especially the United States. The new regime, led by Ayatollah Khomeini,
abandoned realpolitik in the early years of the Islamic Republic’s existence because of
religious divisions. He immediately sided with the Jewish state’s traditional enemies and
began loudly supporting militant Palestinian organizations such as the Palestine Liberation
Organization (PLO), as well as efforts to create an independent Palestinian state. Rezaei and
Cohen therefore call the period of Iranian-Israeli relations after the Islamic Revolution a
"Cold War". Although there was no direct armed conflict, Iran mostly conducted a proxy
war against Israel. In addition to the PLO mentioned above, this was reflected in the support
of Islamist anti-Jewish (anti-Zionist) organizations such as Hamas and Hezbollah, as well
as in extremely aggressive rhetoric centered around the thesis of Israel’s future annihilation
(Ibid., p. 444).
Although the rhetoric and war of words remained de facto constant from 1979 to the
present day, tensions between the Persian and the Jewish state eased significantly during the
1980s, again because of the urgency of realpolitik. Despite Iran’s anti-Semitic propaganda,
it was clear to both countries that there was still another enemy knocking on the back door.
This is evidenced by Israel’s support for Iran during the Iran - Iraq War. Moreover, Israeli
politicians also tried to persuade the United States to remain open to informal channels
of communication between the Islamic Republic of Iran and the US, despite aggressive anti-
American and anti-Israel rhetoric. These informal relations were weakened by the end of the
war and by Israel’s gradual entente with many neighboring Arab countries, and they were
definitively ended by the First Gulf War, which paralyzed Iraq as a potential aggressor. Thus,
hostilities between the two countries continued to grow throughout the 1990s,
notwithstanding the fact that Iran was increasingly isolated in the region because of
geopolitical clashes with Arab countries. Therefore, many Iranian officials have come to
believe that, with its anti-Israel policies and support for the Palestinian resistance movement,
Iran is harming its own interests.
Despite the extremely strained relations, the likelihood of a conflict between the two
countries at the end of the 20th century can be assessed as very low. Iran has repeatedly
escalated its rhetorical threats, just as Israel has publicly declared Iran the number one enemy
of peace in the Middle East. However, the situation began to change in the context of the
first indications of Iran’s nuclear program and its pursuit of weapons of mass destruction
(WMD). From Israel’s point of view, Iranian WMD would completely change the
strategic and security situation, which had to be avoided at all costs from the point of view
of the Israel Defense Forces (IDF) command.
On the other hand, many authors and US military officials have insisted that, despite
its rhetorical threats, Iran is a very rational geopolitical actor that seeks to possess WMD
not in order to use them but for the possibility of deterrence. One of the main pieces
of evidence of Iranian rationality is that the country significantly reassessed and
temporarily suspended its nuclear program at a time when neighboring Iraq was being
attacked by the United States for alleged ownership of nuclear weapons. As written
above, Tehran most likely calculated that its enemies would not allow, even at the cost
of war, Iran to acquire these weapons. Relations became increasingly
tense around 2006, when the extent of Iran's support for Hezbollah became apparent. Iran
considered Hezbollah to be its “‘southern command’ against Israel (Seliktar and Rezaei,
2020, p. 44)” and the proxy underwent a military transformation and received financial support.
During the 2006 Israel-Hezbollah War, also known as the Second Lebanon War, Iran took
advantage of Hezbollah’s position and used it as a deterrence strategy against an Israeli
preemptive attack on Iran’s nuclear facilities.
Between 2010 and 2020, at least five Iranian nuclear scientists were
assassinated and one was wounded (Maher, 2019, p. 4). Although there are not many
unclassified documents regarding these attacks, the history of this practice, journalistic reports,
and information from government officials all point in the direction of Israel as the perpetrator.
In one case, Iran arrested and executed Majid Fashi, who confessed to having been trained by
Mossad (Macintyre, 2012); however, both the US and Israel denied any involvement.
Reportedly, the killings of scientists have affected the Iranian nuclear program by slowing
down its development, scaring new scientists away from joining the field, and raising the cost of
development (Koring, 2012). The most recent attack took place on November 27th,
2020, but because the attack occurred only recently, no reliable information has been
released yet (as of April 2021).

2.3. Saudi Arabia and Iran Relations


Relations between Saudi Arabia and Iran are shaped by many issues, which
have resulted in rivalry and tensions between them. Structural factors influence their
relationship in a profound way, most importantly their demography and ideological
differences. Since Iran’s population is predominantly Shia and Saudi Arabia’s predominantly Sunni,
both aspire to be the leading power among the international Muslim community and to have
the global influence that comes with it. Iran’s Islamic Revolution in 1979 established a Shia
theocracy, while Sunni Islam, more concretely Wahhabi Islam, forms the basis of the Kingdom of Saudi
Arabia. According to Iran’s constitution, “all Muslims form a single
nation, and the government of the Islamic Republic of Iran has the duty of formulating its
general policies with a view to cultivating the friendship and unity of all Muslim peoples,
and it must constantly strive to bring about the political, economic, and cultural unity of the
Islamic world (the Islamic Republic of Iran, 1979).” As such, the unification of the Islamic
world directly threatens Saudi Arabia’s role in the Islamic world as the protector of Mecca and
Medina, two of the holiest Islamic places.
Another point of contention between the two countries is the competition over oil export
policies. Saudi Arabia, with its large reserves and oil supply, has an incentive to keep oil
prices low, whereas Iran aims for the opposite oil export policy due to its large population
and international sanctions. Because revenue from oil exports has to compensate for revenue lost due
to international sanctions, Iran aims to keep oil prices high. As a strategic
commodity, oil shapes international politics in a profound way, which can be seen in Saudi
Arabia’s and Iran’s case as well. The most prominent event showing the current state
of relations is the drone attacks on the Saudi Arabian oil facilities Khurais and Abqaiq in
September 2019. Overall, the attacks caused a 5% decrease in global oil production,
destabilized the Saudi Arabian oil industry, and damaged its biggest facilities. Although the
Houthi movement in Yemen claimed responsibility, Saudi Arabia as well as the US
blamed Iran (BBC, 2019). Even if Iran did not commit the attack, the reaction illustrates the
competitiveness of both countries and the state of their relations. Furthermore, US
influence in the Middle East is an undercurrent which shapes the way both countries deal
with security in the region. Saudi Arabia and the United States have been strong allies since
1945, mainly due to a common interest in stable oil production and the global market. The
US has built its global dominance on the basis of oil as a strategic commodity and has worked
relentlessly to maintain this position. As Cildir states, “the US aimed to open up and
transnationalise oil rich economies in the Global South such as Saudi Arabia and Iran, to
both promote its national interests and solidify its privileged position within the current
system (Cildir, 2019).” Iran diverged from this system in 1979 with the Islamic Revolution,
but Saudi Arabia continued through state-owned Aramco, which consolidated the two states as
opposing sides.

3. Characteristics of Cyber Attacks Against Iran
Following the accounts of historical events, this section of the thesis focuses on
cyber-attacks against Iran and their characteristics. Table 3 provides an overview of
significant cyber-attacks in the period between 2007 and late 2020 and summarizes their core
characteristics, the states suspected of being responsible, and the suspected victims of these attacks. During
the first three years of the period, seemingly not much happened from the point of view
of Iranian cyber security. Appearances are deceptive, however, as it turned out in June 2010,
when a Belarusian malware-detection firm first discovered Stuxnet. As Symantec later
reported, several different versions had been active even before 2010; nevertheless,
the malware was able to operate without being noticed. The oldest known version is called
Stuxnet 0.5, which was active in 2007 and developed as early as 2005 (McDonald et al.,
2013, p. 1). If we put this timeline into perspective with international events at the time, Iran
was being pressured by the US and Israel to curb its nuclear program, and the pressure
culminated in UN sanctions in 2006. Around the same time, assassinations of Iranian nuclear
scientists started happening, which put even further pressure on Iran’s nuclear program. It is
widely accepted that the US developed Stuxnet together with Israel (Craig and Valeriano,
2016, p. 150; Baezner, 2019, p. 12), on the basis of its coding, technical attributes, and the use
of the above-mentioned ‘zero-day vulnerabilities’; attribution is therefore not an issue
in this case. Naturally, neither country has ever publicly commented on the cyber-attack, since
efforts like this are usually part of covert action.
Because of the extent of its operation, its bold usage, and the element of surprise,
Stuxnet’s impact was significant, not only on the nuclear program itself but also on
international relations, the development of strategies, and the field of cyber security as a whole.
Although there had been technically advanced cyber-attacks before 2010, no cyber-
attack had reached this scope of operation until then, and Stuxnet still amazes researchers around
the world. As was revealed later, Stuxnet’s purpose was to delay and sabotage the Iranian
nuclear program. It targeted supervisory control and data acquisition (SCADA) systems,
which were used, for example, in the Natanz nuclear facility to control centrifuges for uranium
enrichment. By manipulating the speed of the centrifuges while presenting seemingly
correct data to the operators, the malware caused the gradual wearing out of the centrifuges and their eventual
destruction. Reportedly, the attack destroyed one-fifth of the facility’s centrifuges and
significantly slowed the program down (Craig and Valeriano, 2016, p. 150); however, it is
not entirely clear whether the long-term effect of Stuxnet was a success, since the attack
made Iran more aware of its vulnerabilities (Barzashka, 2013). Nevertheless, from the
Iranian side, the failures looked like incompetence on the part of Iranian scientists, and many were fired
for their lack of progress in the development of the nuclear program.
Aside from the infection of computers in nuclear facilities, the malware spread to
other countries as well. Overall, it infected over 100 000 computers all over the world by the
end of 2010; however, Iran was its primary target. Successful infection
required a complex process, which started with obtaining the technical parameters of
industrial control systems (ICS), specifically of the previously mentioned SCADA systems
by Siemens. As Falliere et al. from Symantec stated in their Stuxnet Dossier (Falliere et al.,
2011, p. 3), this was most likely achieved by previous reconnaissance or through a previous
version of the malware. Because facilities with highly sensitive information such as Natanz are
usually ‘closed systems’, which are not connected to the Internet, Stuxnet itself was either
brought in via USB or a compromised computer, or the malware was delivered through a
third-party software supplier. Once inside the facility’s system, Stuxnet replicated itself until
it found computers which ran the software controlling the centrifuges. After this, the final step
of the operation was manipulating the speed of the centrifuges and concealing that
any change had been made. The fact that Stuxnet spread even outside of the facility was probably
not the initial intention of the attacker, since it increased the chance of it being discovered.
This world-wide spread was most likely caused by its quick and highly efficient ability to
penetrate a whole network. The technical sophistication of Stuxnet originated mainly from
the use of ‘zero-day vulnerabilities’. As was stated in previous chapters, these vulnerabilities
are among the most valuable software exploits and are usually employed by APTs. Since
nobody but the attacker knows that the vulnerability exists, this grants them the opportunity
to intrude into the system for an extended period of time. For instance, one of the zero-day
vulnerabilities used by Stuxnet was the ability to pose as a legitimate Microsoft Windows
driver without being detected as malware. Another one allowed the malware to gain
administrative rights on the infected computer, through which Stuxnet gained greater
access to the system. Apart from the four zero-day vulnerabilities, Stuxnet also used two
digital certificates, which are used to verify the legitimacy of software. These certificates are
similarly hard to obtain and most likely were stolen from the original software companies.
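The concealment step described above (manipulated centrifuge speed while supposedly correct data is shown to the operators) points to a defensive check that does not depend on the controller being honest: compare what the PLC reports against a measurement channel it cannot rewrite. The following Python example is added here for illustration; it is not code from the thesis or from any of the cited reports, and it does not model Stuxnet's own code. The 1000 rpm set point, the constructed telemetry trace and the names `Sample`, `find_replay`, `find_divergence` and `analyse` are assumptions made for this example.

```python
"""Out-of-band integrity checks for centrifuge telemetry.

Added example (not code from the thesis, and not Stuxnet's own logic). It
models two defensive checks an operator could run against PLC readings of
the kind Stuxnet falsified: an exact-repeat (replay) check on the values the
PLC reports to the HMI, and a cross-check of those values against a sensor
channel the PLC does not control. All telemetry below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Sample:
    t: int                 # seconds since start of the trace (constructed)
    reported_rpm: float    # speed the PLC reports to the HMI
    measured_rpm: float    # speed derived from an independent sensor, e.g. a
                           # power-draw or vibration probe the PLC cannot rewrite


def find_replay(values: List[float], window: int) -> Optional[int]:
    """Return the index where a block of `window` readings exactly repeats the
    block immediately before it, or None. Live physical measurements carry
    sensor noise and practically never repeat bit-for-bit, so an exact repeat
    of a whole window suggests recorded data is being played back."""
    for i in range(window, len(values) - window + 1):
        if values[i:i + window] == values[i - window:i]:
            return i
    return None


def find_divergence(samples: List[Sample], tolerance_rpm: float,
                    min_consecutive: int) -> Optional[int]:
    """Return the index of the first sample that opens a run of at least
    `min_consecutive` samples in which reported and measured speed differ by
    more than `tolerance_rpm`, or None. Requiring a run rather than a single
    outlier keeps a glitchy sensor from raising an alarm on its own."""
    run_start: Optional[int] = None
    run_len = 0
    for idx, s in enumerate(samples):
        if abs(s.reported_rpm - s.measured_rpm) > tolerance_rpm:
            if run_len == 0:
                run_start = idx
            run_len += 1
            if run_len >= min_consecutive:
                return run_start
        else:
            run_len = 0
            run_start = None
    return None


# Ten seconds of benign operation around a constructed 1000 rpm set point.
_BENIGN = [1000.0, 1001.5, 999.2, 1000.8, 998.9,
           1001.1, 1000.3, 999.6, 1000.9, 999.4]


def constructed_trace() -> List[Sample]:
    """Build a 20-second trace: 10 s honest, then 10 s in which the PLC
    replays the benign readings while the real speed ramps up 40 rpm/s."""
    honest = [Sample(t, v, v) for t, v in enumerate(_BENIGN)]
    concealed = [Sample(10 + k, _BENIGN[k], 1000.0 + 40.0 * (k + 1))
                 for k in range(10)]
    return honest + concealed


def analyse(samples: List[Sample], window: int = 10,
            tolerance_rpm: float = 25.0, min_consecutive: int = 3) -> dict:
    """Run both checks and report the sample index at which each fires."""
    reported = [s.reported_rpm for s in samples]
    return {
        "replay_at": find_replay(reported, window),
        "divergence_at": find_divergence(samples, tolerance_rpm, min_consecutive),
    }


if __name__ == "__main__":
    print(analyse(constructed_trace()))
```

Run stand-alone, the script reports both checks firing at sample 10, the point where the constructed PLC readings begin replaying the earlier benign window while the independent channel shows the speed climbing. The replay check on its own is weak evidence (a stuck sensor also repeats values), which is why the two checks are kept separate and the divergence check insists on a run of consecutive samples before it fires.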
In September 2011, another threat was discovered and named Duqu after the prefix
‘~DQ’ it gave its files. As was later revealed, there was an even earlier version of Duqu, a
virus called ‘Stars’, which had been operating since April of the same year. Four years later, in 2015,
another version appeared and was named Duqu 2.0. The intention behind the attack was
made obvious by the fact that it targeted computers of hotels, companies, and
individuals in Switzerland and Austria which were connected to entities under P5 + 1 (UN
Security Council and Germany), which were in the middle of negotiations on Iran’s nuclear
program. An analysis by Symantec revealed that Duqu is nearly identical to Stuxnet, only
with a different purpose. As their report notes, “the creators of Duqu had access to the source
code of Stuxnet, not just the Stuxnet binaries. The attackers intend to use this capability to
gather intelligence from a private entity that may aid future attacks on a third party”
(Symantec, 2011, p. 3). Therefore, its goal was to gather data, intelligence, and design
projects from industrial manufacturers and infrastructure entities, which would provide the
information necessary for future attacks similar to Stuxnet (Ibid., p. 1). Additionally, the
difference between Stuxnet and Duqu lay in the ability to remotely transmit data instead of
sabotaging the industrial control systems.
Another malicious tool was discovered in May 2012 and became
known as Flame. It spread mostly through the Middle Eastern countries, and Iran was among
the most affected. Even though Stuxnet had previously astonished researchers with its technical
complexity and its specialization in SCADA systems, Flame surpassed it with
its capabilities. As Alexander Gostev, chief security expert at Kaspersky Lab, stated, "[i]t
took us half a year to analyze Stuxnet […]. This is 20 times more complicated. It will take us
10 years to fully understand everything" (Zetter, 2012), which illustrates the complexity of
the malware. It can be characterized as a toolkit, which means that it used several different
tools in order to achieve its goal. This is what made it a powerful instrument for infecting
systems, whose set of operations includes “sniffing the network traffic, taking screenshots,
recording audio conversations, intercepting the keyboard, and so on” (Gostev, 2012).
Another astounding feature of Flame was turning the infected device into a beacon,
which would turn on Bluetooth and scan for other Bluetooth devices in its proximity.
Moreover, the functions of the malware could be expanded if the threat actor decided
to upload more tools to the infected system. It was also able to cover its tracks, because after
the transmission of stolen data, Flame would delete all files, delete itself and destroy the
disk. Overall, the main functionality of the cyber-attack was to gather and transmit data, in
other words, cyber-espionage. Not long after the discovery of Flame, a nation-state cyber-
attack was once again revealed to be operational in the Middle Eastern countries. It was
named Gauss, and its characteristics closely resembled Flame. Due to its connection to the
previous malware, the researchers concluded that the attack was sponsored by a nation-state
(Global and Research & Analysis Team, 2012), specifically the US and Israel. Curiously,
the modules of the malware had internal names “which appear to pay tribute to famous
mathematicians and philosophers, such as Kurt Godel, Johann Carl Friedrich Gauss and
Joseph-Louis Lagrange” (Ibid.). Nonetheless, a unique feature of Gauss was the ability to
steal banking information, which had never previously been used by a nation-state sponsored
cyber-attack. The attack targeted mainly banks based in Lebanon; however, infected systems
were found in many Middle Eastern countries including Iran. Although not confirmed, there
is a possibility that the objective of the attack was to gather data about the banking connections
of Hezbollah, which has ties to Iran (Williams, 2012).
As researchers analyzed the code and compared it to other cyber-attacks conducted
in later years, they made the connection between Stuxnet, Duqu, Flame, and
Gauss. All shared similarities, some of which can be seen in Figure 1. The figure shows that
they used two coding platforms or shared certain modules, such as the USB infection module,
which caused the initial infection of the computer and spread further through the network.
They were probably created in the same ‘factory’, since the developers had access to the
source code and previous versions of the malware. One possible explanation of the origins
of the malware connected to Stuxnet is the existence of the Equation group. Its activity was
revealed in 2015; however, it was possibly active since 2001. The group’s operations
specialized in the infiltration and subsequent self-destruction of systems, which made it very
difficult to trace the group’s activity. It is widely believed that the group is sponsored by an
agency of a nation-state, possibly the U.S. National Security Agency, or that it exists as a joint
effort with the ‘Five Eyes’ allies (an alliance of intelligence agencies of the US, Canada, the
UK, Australia, and New Zealand; CFR, 2020a). Signs also point towards a unit of the Israel
Defense Forces (IDF) known as Unit 8200. The unit has a long history of conducting
cyber-attacks against Iran (and vice versa), and it is estimated that its size is about 5000
members, who specialize in signals intelligence, cyber-operations, and technological
research and development (Baezner, 2019, p. 12).
The above-mentioned cyber-attacks and threat actors can be labeled with one
umbrella term, Operation Olympic Games, also known as Campaign Nitro Zeus. The first
mention of Operation Olympic Games was by David Sanger, who claimed that the
operation was a joint action of the US and Israel meant to disrupt the Iranian
nuclear program. The operation supposedly started during the Bush administration and
continued until Obama’s. Before its activities were revealed, the operation gathered
information about Iranian activities and aimed to curb the program or ultimately destroy it.
Even after its existence was revealed and international negotiations about the
end of sanctions against Iran or an eventual agreement started in 2013, the operation continued. As Baezner
writes, Operation Olympic Games, later known as Nitro Zeus, “prepared a contingency plan
in case the negotiations failed. It planned for an offensive cyber-operation attacking Iranian
networks with the aim to disable computers in the nuclear facility of Fordo, but also Iranian
air defense, communications and power grids in the event of kinetic attacks” (Ibid.).
The activity of another threat actor, called Operation Parliament, became apparent in
2017. Researchers were not able to discern the origins of the attack or the identity of the
attacker. Linking this operation with Stuxnet and its other versions would be speculative;
nevertheless, this threat actor’s targets were mostly of high strategic value, such as
governments, ministries, institutions, media, and companies in the Middle East. Due to this
fact, these attacks cannot be disregarded as unrelated to the Iranian situation, even though
the attacker is unknown, as is sometimes the case with cyber-attacks.
In October 2018, three years after the last cyber-attack connected to
Operation Olympic Games, information about a new version of Stuxnet was announced.
The validity of the information cannot be verified, since it was announced solely by the head
of the Iranian civil defense agency, Gholamreza Jalali, who did not give many details
(Reuters, 2018). No further information was given beyond the fact that Iran was able to defend
against an infiltration by Stuxnet 2.0. In order to attribute the attack with higher certainty,
more information would be needed, such as technical parameters, the code of the malware, or
its primary targets. Furthermore, Israel, as the accused perpetrator, did not respond to the
allegations. It is understandable, however, that the Iranian side did not release any technical
details, due to the highly sensitive subject. Nevertheless, Stuxnet 2.0 was the last of the known
cyber-attacks seemingly connected to the original Stuxnet and Operation Olympic
Games.
Although there have been no traces of cyber-attacks connected to Stuxnet since 2018,
there were still major geopolitical and cyber security events. As tensions started to rise again
between the two countries during the Trump administration, especially after the US
withdrawal from the JCPOA announced on May 8th, 2018, Iran saw an increase in
cyber-attacks. The most significant escalation ensued in April 2019, when the US
categorized the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian Armed
Forces, as a terrorist organization. Two months later, on 13th June 2019, an altercation
transpired in the Strait of Hormuz, after which the IRGC shot down a U.S. spy plane. The US
later announced that it had conducted a series of cyber-attacks directed at the Iranian computer
system which operates missile and rocket launches, as retaliation for the downing (Barnes
and Gibbons-Neff, 2019). Not many exact details are known about the attack, only that the
Iranian systems were offline for a couple of hours. As such, the effect was only temporary,
which is why this kind of attack is usually more effective in combination with other kinds of strategic
measures.
Tensions continued to rise after September 14th, 2019, when the Saudi Arabian oil
facilities Khurais and Abqaiq were damaged in an attack which caused an unprecedented
surge in oil prices. As was described in the previous chapter, the US, Germany, France and
the UK, as well as United Nations investigators, stated that Iran was behind the attack.
Iran denied involvement in the strike, while the Houthis claimed responsibility; nevertheless,
the attacker is not known with definite certainty. The US announced shortly after the strike
that it had carried out cyber-attacks in an attempt to curb Iranian propaganda, which would allow
it to control the narrative. Moreover, the US announced that the attack affected physical
hardware; however, no more details were released.
In between these major cyber-attacks, which are frequently connected to a
geopolitical event, cyber-attacks of lesser significance transpired as well. One example of
this is a series of attacks on an Iranian port, organizations related to it, and other government
agencies, which came to light between May and October 2020. Israel claimed that the attacks
were a retaliation for Iranian targeting of the Israeli command and control systems of water
treatment facilities earlier that year. Furthermore, in November 2020, the US conducted
cyber-attacks targeting an Iranian hacker group connected to the Islamic Revolutionary Guard
Corps, a branch of the Iranian Armed Forces. Director of National Intelligence John Ratcliffe
stated that Iran had tried to influence the US presidential election by sending spoofed emails and
text messages intended to denigrate Donald Trump (Sanger and Barnes, 2020). For this
reason, the US launched offensive cyber-attacks aimed at stopping the propaganda ahead of
the election and forced Iranian tools, networks and ransomware offline. This new proactive
approach was described by General Paul Nakasone, the commander of U.S. Cyber Command
and the director of the National Security Agency, as ‘persistent engagement’ and
‘defending forward’, which refers to “going deep inside the computer networks of
adversaries, whether that means the Internet Research Agency, the Russia-based group that
mounted the 2016 influence campaigns; the G.R.U., Russia’s military intelligence agency;
or Iran’s increasingly active cybercorps” (Ibid.).

The previously described cyber-attacks are summarized in Table 3 in the
attachments. In order to reflect the certainty with which it was possible to attribute an attack to
its perpetrator, each suspected state sponsor was placed into one of three categories:
a) The attacker is unknown: the characteristics of the attack do not provide any
hints as to who the attacker may be, the victim did not release enough data,
and/or the report cannot be verified from multiple sources.
b) The attacker is unknown; however, attributes of the attack (such as the code used,
global events preceding the attack, victims of the attack, geopolitical facts,
etc.) provide an indication of the goal of the attacker and its origins.
c) The attacker is known: a large part of researchers agree on a suspected
nation-state as the perpetrator, and/or the attacker claimed responsibility for
the attack.
This categorization helps to keep in mind that the identity of the attacker cannot
always be determined with complete certainty. A cyber-attack usually did not occur as a single
case of malware infecting one target, but as multiple attacks, sometimes over the course of
many years. For this reason, the table is ordered by the date when the attack was
discovered or announced.
Now that a thorough description of the cyber-attacks has been made, a few
characteristics have become apparent. Simmons et al. provided a model for the analysis of
cyber-attacks called AVOIDIT, which is described in more detail in the theoretical section
of the thesis. In short, cyber-attacks against the Islamic Republic of Iran are analyzed
according to the model’s categorization by informational impact, which is ‘distort, disrupt,
destruct, disclosure’ and ‘discovery’. The cyber-attacks described above and
summarized in Table 3 were analyzed, and AVOIDIT categories were allocated to each
one. At times, more than one category fits the nature of the cyber-attack, and for this reason
the cyber-attack is listed in several categories. In some cases, no concrete information was
available, and therefore the attack is in the category ‘unknown’. For example, on
December 11th, 2019 Iran announced its successful defense against a “really massive” and
“highly organized cyber-attack” (Paganini, 2019); however, no other information was given.
The sources of information for the categorization of cyber-attacks according to the AVOIDIT
model were open-source information, official statements, and analyses by experts in the field.
For example, researchers from Kaspersky Lab are leading experts in the industry who
provide first-hand analyses, since their team led the research into Stuxnet and the
Equation Group’s activities.
If we analyze the cyber-attacks according to informational impact, the most common
impacts are ‘discovery’ and ‘destruction’, closely followed by ‘disruption’. Figure 2 shows
the ratio of the different categories of informational impact according to AVOIDIT. Firstly,
it is evident from the ratio that the main types of activities conducted against Iran were
designed to gain information previously unknown to the attacker (espionage), which could
possibly be used in subsequent attacks. The ‘discovery’ characteristic has been present in
12 cyber-attacks, making it the most common. The second most common characteristic
of the cyber-attacks is the aim to destruct information, or in other words to delete data or networks,
or even cause physical damage. Thirdly, cyber-attacks which can be described as disruptive
intended to remove access to information for a limited amount of time or caused a disruption
of the network, such as a DDoS attack. The two remaining characteristics from the AVOIDIT
model have not been as present as the previous three. This fact implies that the distortion
(or modification) of information and the disclosure of information (information leaking) have
not been predominant aims in many of the attacks. Furthermore, as was noted previously,
three cases had to be marked as ‘unknown’.
Apart from the categorization of informational impact, Table 3 also lists attack types.
The most common type of cyber-attack directed at Iran was the advanced persistent threat
(APT), with 11 different attacks out of 23. They include several versions of Stuxnet, Flame,
Gauss, and Duqu as well as threat actors such as the Equation Group. Even if the threat actors
responsible for Operation Parliament or ProjectSauron are not counted because of the lack of
available information, the number is still significant compared to the overall number of
cyber-attacks conducted against Iran. Another type confirmed to be directed at
Iran is the DDoS attack, with two cases; however, this number is significantly lower than the number of APTs.
The exact type of cyber-attack could not be confirmed for nine cyber-attacks because of a
lack of verifiable information. For example, even when the US confirmed that it had directed
an attack at Iran, it usually released information about the approximate target, not about the
tools used. As for the sectors of the state targeted by the attackers
(as noted in the Victim – sector column of Table 3), the most commonly attacked have been
the government and the military, with 11 counts of attack each. Attacks were directed towards
the private sector seven times, and less often towards infrastructure or industry, which were
targeted two times each.
To conclude this chapter and answer the first research question, the gathered data
suggest that the characteristics of cyber-attacks against the Islamic Republic of Iran are most
commonly as follows: the majority of cyber-attacks are advanced persistent threats (APTs);
they aim to disrupt and destruct information and systems; they intend to discover information
unknown to the attacker which can be used in other instances; and they target mainly the government,
the military, and the private sector.

4. Relation of Cyber Attacks to the Concept of Hybrid Warfare
The data gathered in the previous chapters, as well as the data presented in Table 3,
suggest a certain division of the types of cyber-attacks conducted against Iran. For the
purpose of the analysis, two periods of cyber-attacks will be distinguished: attacks defined
as advanced persistent threats (APTs) prior to 2015, and cyber-attacks from 2015 until late
2020. This division is based on the fact that the latter are not technically and geopolitically
related to each other to such an extent as the APTs. This separation also stems from the
data, which show different characteristics for each period, and from the equally different
geopolitical situation before and after the signing of the Joint Comprehensive Plan of
Action. For each of the two periods, the geopolitical events surrounding the cyber-attacks
and the characteristics noted in the previous chapter will be taken into account. Following the
analysis of the two periods, a final assessment will be provided, with the answer to whether
the cyber-attacks analyzed in this thesis can be considered hybrid warfare and the arguments
supporting this reasoning.

4.1. Cyber Attacks from 2007 until 2015


If we focus on the first period, from 2007 until 2015, the data show that
the majority of attacks were APTs (8 out of 10 cyber-attacks). The reason for the division in
the year 2015 is that the last confirmed attack of a threat actor using an APT was in this year,
with the discovery of the Equation group and Duqu 2.0. In this case, Stuxnet 2.0, announced
in 2018, cannot be counted, since its existence has not been confirmed by multiple sources
and not enough information has been released. This is reflected in Table 5 by its placement in
the ‘uncertain’ category of attribution.
Historically and understandably, the US and Israel have been concerned about the
possibility that their enemies might gain access to weapons of mass destruction (WMD). For
example, the prospect of Cuba having nuclear weapons garnered a furious reaction by the
US and almost ended in a nuclear disaster. From the Israeli perspective, Iran being on its way
to obtaining WMD is generally viewed not only as a national security risk,
but essentially as an existential threat. These attitudes are further reinforced by Iran’s permanent
rhetorical attacks. For instance, former Iranian President Mahmoud Ahmadinejad was quoted
as saying that “[t]he very existence of the Zionist regime is an insult to humankind and an
affront to all world nations,” and “[c]onfronting Zionists will also pave the way for saving
the whole humankind from exploitation, depravity and misery” (Gladstone, 2012). Hence,
Israel considers Iran its archenemy, so the continuing development of nuclear weapons was
unacceptable. Based on what has been mentioned above, it is not surprising that the
development of the Iranian nuclear program caused several tensions, which started to rise
around 2003.
APTs are very difficult and expensive to develop, which is why they serve long-
term purposes. Furthermore, they are at times tailored to their target, which further limits the
possibility of the attack being reused for another purpose and makes them unsuitable for
short-term goals. For example, Stuxnet 0.5 is thought to have been developed as early as 2005, which
was at the height of the pressure on Iran to stop its nuclear program. After years of development,
several versions of Stuxnet were deployed and operated until 2010, when its activity was
revealed. It is still debated whether the long-term effect of Stuxnet truly was a slowing down
of the Iranian program or whether it encouraged faster development of Iranian capabilities
(Barzashka, 2013; Gladstone, 2012). Nevertheless, after its reveal, Stuxnet acted as a
reminder that the US and Israel are willing to act. As for the motivation why an actor
would use measures such as APTs to achieve political goals, Tobey writes, “[w]hen the
potential negative consequences of inaction are perceived to be infinite, otherwise
reasonable doubts about the quality of intelligence, or the negative consequences associated
with unsavory action may seem irrelevant. The specter of annihilation dramatically changes
risk-benefit analyses. Under such circumstances, doing something will nearly always appear
better than doing nothing” (Tobey, 2012, p. 64 - 65). He writes this about the assassinations
of Iranian scientists and the reasons a state could have for killing them; however, the same kind
of reasoning might be applied when contemplating a potential cyber-attack.
The signing of the JCPOA opened a door for a potential decrease in tensions. The
US gave Iran a chance to prove its commitment to the treaty, and the United States briefly
had a chance to control the Iranian nuclear program through international monitoring. For
this reason, the need to use APTs to achieve political goals decreased as well. Moreover, if
the US had continued with cyber-attacks of this ‘caliber’, their eventual detection and reveal
could have destroyed the trust needed for Iran to adhere to the agreement. Since Israel
opposed the agreement, it is possible that it chose wait-and-see tactics, or prepared and
carried out other attacks that are not known to date. Nevertheless, there is a possibility that
Israel or even the US conducted further APT-type cyber-attacks against Iran which have
not been revealed to this day. Activities of APTs are often covert and technically
sophisticated, and for this reason the time required to reveal them is longer than with ordinary
cyber-attacks. In the case of Stuxnet, for instance, it took three years to detect any malicious
activity in Iranian facilities.
In criminal investigations or trials, the principle of cui bono is often mentioned. It
helps to discern who would be the beneficiary of the outcomes of a certain act. In the case of
Stuxnet, the US and Israel are the ones who clearly gain from its successful operation.
Russia, for example, which is a known and experienced actor in the field of cyber-attacks,
might be technically capable of conducting such an attack; however, Russia would not
benefit from slowing down the Iranian nuclear program. On the contrary, the two countries have
a relatively close relationship, since they have strategic and military ties and have become
closer trading partners due to Western sanctions. Another candidate answer to the question
of who would benefit could be a non-state actor such as a cyber-crime group. In this case,
the group would have to have access to zero-day vulnerabilities and commit a lot of
resources, which would ultimately result in no or low gain for the group, since it has no
interest in damaging centrifuges in the Natanz facility and expending an enormous
amount of resources to do so. The US and Israel, on the other hand, do have a significant
interest and motive in disrupting nuclear activities, as is clear from historical events and
geopolitics.
If we look at the data gathered through the AVOIDIT taxonomy, ‘discovery’,
‘destruction’, and ‘disruption’ are the three most common characteristics of cyber-attacks
over the whole period from 2007 until 2020. Until 2015, the overall statistic held
for ‘discovery’ and ‘destruction’, as is demonstrated in Table 4; however, ‘disruption’ was
not as prevalent, with only two cases. In other words, the attackers mostly intended to gather
previously unknown information through espionage, to be used for future attacks, or they aimed
to delete data or even cause physical destruction. A disruption or temporary loss of access
to networks or information, which is often connected to DDoS attacks, was not the most
prevalent in this period. The reason is that a temporary loss of access might not be
enough to achieve a long-term effect. DDoS attacks are effective in disrupting networks in
the short term for a specific reason, such as the disruption of websites before an election.
However, if an operation needs to be successful in the long run and aims to achieve a
significant goal such as limiting Iranian enrichment of uranium, first, intelligence is needed
(hence the significant number of ‘discovery’/espionage attacks in Table 4). Secondly, attacks
with a long-term effect are more likely to delete data or cause physical destruction, which is
more impactful than a temporary disruption. Distortion, which was used three times in this
period, was mostly intended to hide the activities of the APT in order to prolong its period of
operation.

4.2. Cyber-attacks from 2015 until 2020


The operation of APTs has not been confirmed by multiple sources since
the year 2015. Cyber-attacks conducted since 2015 have aimed for short-
term goals, as opposed to the goals of APTs. They are more reactionary in nature, since they
usually respond to current events. For example, the cyber-attacks in May 2020 were an Israeli
retaliation for Iranian cyber-attacks on water-treatment facilities. Similarly, the cyber-attacks
from June 2019 were connected to the shoot-down of a US spy plane, the attacks from September
2019 to the damaging of Saudi Arabia’s oil facilities, and the most recent attacks in November
2020 were connected to the US presidential election and aimed to prevent Iranian
interference in the voting. Due to this short-term nature, the most common informational
impact according to the AVOIDIT taxonomy was disruption (see Table 5 in the
attachments). The reactionary nature and the fact that the attacks cause mainly disruption
indicate that the attackers do not seek to fulfill a broader political goal, as Stuxnet did when it
pursued one continuous objective. Since Trump’s withdrawal from the JCPOA in 2018,
the number of cyber-attacks against Iran has increased (as demonstrated in Figure 3).
However, this increase does not mean that their technical sophistication is comparable to that of
cyber-attacks before 2015. Although cyber-attacks conducted after 2018 are more frequent,
their targets do not require the same technical sophistication as nuclear facilities. For
instance, the Iranian Port and Maritime Organization, targeted in October 2020, appears to be an
easier target than the Natanz nuclear facility solely because the port facility is not a
‘closed system’, i.e. a system that does not allow the transfer of information with the
outside world (RFE/RL, 2020; Ports & Maritime Organization, 2021). The Natanz nuclear
facility, on the other hand, is such a ‘closed system’, making it a much more difficult target to
infiltrate.

4.3. Cyber-attacks and hybrid warfare
Nowadays, most of the general public understands the potential impact and effects
of cyber threats, but still few experts understand in depth the principles and technical aspects
of cybernetics. This opacity of the phenomenon of cyber-attacks is apparent not only
from the technical perspective, but also in the understanding of the attackers’
motivation. For this reason, cyber-attacks also represent something of a grey area for many
security and political science academics as well as the public, and many authors tend to
automatically categorize attacks in cyberspace as acts of hybrid warfare. However, I consider
this general approach to be flawed, as the specific incidents I have examined should still be
considered ‘routine’, albeit increasingly sophisticated, activities of the intelligence and
security services of states. The fact that this activity takes place in virtual cyberspace does
not change this. In other words, if Clausewitz writes that war is a continuation of politics by
other means, then cyber-attacks are merely a continuation of conflict by other than
conventional means. From this logic, then, follows my further argument that even the
activities of intelligence agencies cannot be confused with the term hybrid warfare.
The fact that some cyber-attacks against Iran are activities of the intelligence agencies
of foreign powers and cannot be considered hybrid is especially apparent for the first
period of cyber-attacks. Of course, not all cyber-attacks have the intelligence agencies of foreign
powers behind them, as some stem from the activity of hackers, cybercriminals or other
unknown entities. Nevertheless, the period between 2007 and 2015, which was described
above in more detail, can be characterized by the use of APTs and intelligence gathering.
Moreover, as was already discussed in previous chapters, Stuxnet is widely believed to have been
created by the intelligence agencies of the United States and Israel. There is thus a certain
parallel between the cyber-attacks against Iranian nuclear facilities and the 2014 explosions
in Vrbětice. Although the operations differ in the means used, their purpose is identical: to
disable or destroy a tactical or strategic target. In the case of Stuxnet, it was uranium
enrichment centrifuges, while in Vrbětice it was the delivery of ammunition and weapons.
Nevertheless, neither should be considered hybrid warfare, but rather the malicious activity of
a foreign power’s intelligence agency against a particular object of interest.
Even though the two periods of cyber-attacks can be distinguished by the characteristics
described above, neither shares many similarities with the definition of hybrid warfare.
More specifically, the attacks were not accompanied by unconventional hybrid tactics such
as terrorism or military or paramilitary operations with advanced tools and tactics. To be
considered hybrid, a conventional element would also have to be present, such as the modern
organization and training of forces and command and control. Clashes between conventional
forces in the Middle East region have taken place but have been extremely limited in territory
and purpose. These attacks were mostly directed at Iranian proxies in Syria, so there was no
open armed conflict between Iran and the United States, Israel or other countries.
Most cyber-attacks were highly targeted (information espionage related to the UN
conference, the Natanz nuclear facility, port information systems...) and although their
strategic impact was in some cases significant, their social or economic impact was limited
or incidental. If we compare this with the most frequently cited case of hybrid warfare (Hezbollah
in Lebanon, 2006), we find a large number of instances of the use of conventional and non-
conventional military forces, information warfare and activities aimed at disrupting the state. As
Piotrowski states, “Hezbollah shows all the elements of hybrid warfare: the simultaneous
use of a conventional arsenal, irregular forces and guerrilla tactics, psychological warfare,
terrorism and even criminal activities, with support from a multi-dimensional organisation
and capable of integrating very different sub-units, groups or cells into one united, large
force” (Piotrowski, 2015, p. 1). In the case of Iran, the attacks have had a limited impact
and did not appear to have the goal of undermining the whole political system, society, or
military. An example of such undermining tendencies would be cyber-attacks and malicious
activity aimed at sparking a revolution together with a military conflict of unconventional and
conventional forces. The scope of the cyber-attacks against Iran was limited in the sense that the
attacks targeted objects and entities whose existence did not form the basis of the state or
society. Moreover, some of the cyber-attacks could be characterized more closely as
preventative attacks aimed at slowing down or disrupting Iranian activities in the region.
This reactive and preventative nature can be illustrated by the offensive cyber operations
conducted by the United States in November 2020, which were carried out in connection with the
upcoming U.S. presidential election and explicitly targeted the Iranian ability to spread
propaganda.
Another argument for why the cyber-attacks analyzed in this thesis cannot be
characterized as hybrid is the fact that new and modern technologies and tools cannot
automatically be described as hybrid either. To expand upon this statement, I would also like to
mention a historical example that can serve as a parallel to the Iranian case
studies analyzed in this thesis. Starting in the late 1920s, the German army began using a
new mobile encryption system for its military dispatches and telegrams, which became
commonly known as Enigma (Copeland, 2019). This was intended to enable the
German Reichswehr to maintain the security of its communications networks against
adversaries. However, even before Hitler came to power and began the rearmament of
Germany, Polish cryptanalysts managed to secretly break the Enigma, which was an
extraordinary achievement of the Polish secret services. After the beginning of the Second
World War and the invasion of Poland, the information about Enigma was successfully
transported to France and later to England. This was a great advantage for the British scientists
whose task during the war was to decrypt new, much more sophisticated versions of the
Enigma. It had in the meantime become one of Germany’s main weapons in the ongoing
Battle of the Atlantic in 1940 and 1941, with Kriegsmarine submarines, among other
things, coordinated to inflict heavy losses on Allied convoys thanks to encrypted
communications with other vessels and their headquarters. One of the scientists working on
breaking the Enigma and later the Tunny system was Alan Turing, who, in collaboration
with mathematicians and Polish cryptanalysts, developed the "Bombe" machine in 1939, an
electromechanical code breaker and also one of the first military uses of electronic computers
(Ibid.). Several dozen of these machines were developed and put into operation during the
war, and they made a significant contribution to the decryption of German military messages.
Their use can thus be considered a very early form of cyberwarfare, or more precisely
‘radio warfare’. Although the Enigma was broken thanks to, among other things, the poor
practices of German operators and the capture of several original machines from damaged
German submarines, these computers were of particular importance in the Allies’
cryptanalytic operations.
There is no doubt that at the time of the Second World War the Bombe computing
machines, as well as the German Enigmas, represented the peak of high technology,
just as modern information systems or malware like Stuxnet do from today’s perspective.
Although very different in their means and mechanisms, their purpose is the same: to
infiltrate, disrupt or destroy an enemy’s communications network or critical infrastructure
and gain the upper hand in a particular area. I therefore find it very objectionable to describe the
cyber-attacks against Iran solely as hybrid warfare while the historical parallels are not
described as hybrid. I consider irrelevant the possible argument that the difference between the
cyber-attacks I analyzed and the Bombe machines is that the latter did not cause any
damage. Undoubtedly, these machines contributed greatly to the victory in the naval war,
for example, and many German vessels were destroyed thanks to the decrypted messages.
Similarly, the attacks against Iran must be assessed in terms of their wider impact, i.e.
the attacks did not merely physically destroy the centrifuges themselves but had a major
impact both in Iran and globally. Moreover, the Enigma case reaffirms my argument
that if the activities of intelligence and special forces in the early days of cyber were not
considered hybrid threats more than 80 years ago, it is not accurate to label them as such
today.

Conclusion
Although the thesis is concerned with hybrid warfare, it should be stressed in the first
place that my aim is not to confirm or refute the theory in general. On the contrary, the
premise of this thesis is that I am convinced of the relevance and validity of hybrid warfare
theory, which in my opinion reflects the development and shape of many armed conflicts of
the last 20 years. Therefore, the goal of the thesis was to determine whether cyber-attacks
against Iran fall within the concept of hybrid warfare and whether the attacks should therefore
be referred to as hybrid. To this end, I have analyzed individual cyber incidents in detail and
then positioned them in a broader geopolitical and regional context. Based on this, I have
argued that these incidents cannot be considered evidence of an ongoing hybrid
conflict between certain countries and Iran. Moreover, cyber-attacks against Iran can
more accurately be viewed as ‘routine’, although extremely sophisticated, subversive
activities by the intelligence services of foreign states against Iran that are merely conducted
by modern cyber means.
The first research question was aimed at the nature of the cyber-attacks directed at Iran,
which helped to discern which characteristics best describe the cyber-attacks in question.
All relevant and available data were gathered in Table 3, which provided an overview of
significant cyber threats. The table presented key information about each cyber-attack: 1)
year; 2) suspected state actor; 3) suspected victim; 4) informational impact (AVOIDIT); 5)
attack type; 6) victim – sector; 7) name and a brief description of the attack. In order to
reflect how reliable the compiled information about the suspected state sponsor is, three
colors were assigned according to the certainty of the attribution. The cyber-attacks were then
categorized according to informational impact, or in other words, what the intended effect
of the attack was. The AVOIDIT taxonomy was used to allocate each cyber-attack to one or
more informational impact categories (distort, disrupt, destruct, disclosure and discovery),
which helped to analyze the data in a uniform way. Through the analysis of data provided
mostly by the SCI and COT databases as well as official statements and media coverage, the
most common characteristics of the cyber-attacks turned out to be ‘discovery’, ‘destruction’ and
‘disruption’. Furthermore, the data indicated a difference between two periods, 2007 to
2015 and 2015 to 2020. The first period was best characterized by the activity of advanced
persistent threats (APTs), which are focused on long-term malicious activity with high
technical sophistication. Stuxnet, malware directed at the Iranian nuclear program, is one
example of such a technically demanding covert cyber operation. The second period of cyber-
attacks consisted of a number of shorter attacks, which were connected to recent geopolitical
events and are not as interconnected as APTs. As opposed to Stuxnet, these cyber-attacks
did not require such technological sophistication and aimed at much smaller targets than the
Iranian uranium enrichment facility.
The data, together with geopolitical events and international relations, were then
contrasted with the concept of hybrid warfare, which provided an answer to the second
research question, concerning the relationship between cyber-attacks and hybrid
warfare. Given the historical parallels and the absence of other defining and necessary
features of hybrid warfare, I argue that cyber-attacks against Iran cannot be described as
hybrid. To be more specific, some cyber-attacks, but not all, can be considered operations
of foreign intelligence agencies, which alone does not fit the definition of hybrid warfare.
If similar activities of one state against another were not described as hybrid warfare
50 or even 80 years ago, there is no reason to consider the current ones hybrid, even though
they are waged in cyberspace. Nevertheless, the thesis did not refute the existence of hybrid
warfare in other cases and still considers the concept to be useful for future research. In terms
of future work, further research could focus on the cyber dimension of hybrid warfare in
other global powers, for example China. Although China might not be the most prevalent
player in the cyber field, research into its activities might reveal whether or not it uses hybrid
tactics and how its cyber activities affect global politics.

Master's Thesis Summary
In this diploma thesis, I focused on cyber-attacks against Iran, specifically between
2007 and 2020. My objective was to analyze and discern whether the attacks can be
considered part of hybrid warfare. In order to answer this, it was necessary to define hybrid
warfare and cyber-attacks in the first place, and then to describe how the two concepts could
interact with each other. The definition of hybrid warfare mainly drew from the works of
Frank G. Hoffman, Andersson and Thierry, and Florence Gaub. In addition to the theoretical
definition, limitations of the concept were addressed as well. Following the
conceptualization of hybrid warfare, I provided a definition of cyber-attacks and described
a taxonomy by Simmons et al. called AVOIDIT (Attack Vector, Operational Impact,
Defense, Information Impact, and Target), which was used to analyze the data.
To provide context for the empirical section of the thesis, I first recounted significant
events in the history of the Iranian relationship with the US, Israel, and Saudi Arabia. In the
following chapter, I summarized the timeline of cyber-attacks against Iran and their
connection to the historical events, and gathered the data in Table 3 (Significant Cyber
Threats). These cyber-attacks were then categorized according to the AVOIDIT taxonomy,
which provided uniform data for the analysis. The outcome of the analysis was that the
majority of the cyber-attacks can be categorized as advanced persistent threats (APTs); that the
cyber-attacks mainly aim to disrupt or destruct information and systems, or to discover data
which can be used in subsequent attacks; and that the attacks target mainly the government,
the military and the private sector. Additionally, I distinguished two periods of attacks, from
2007 to 2015 and from 2015 to 2020. This distinction was based on their different
characteristics and on geopolitical events as context. In the final assessment of the thesis, I
took into account the analyzed data, geopolitical context, historical parallels and
characteristics of the cyber-attacks and concluded that cyber-attacks against Iran cannot be
considered hybrid warfare.

List of References

ANDERSSON, Jan Joel and THIERRY, Tardy. 2015. Hybrid: what’s in a name? European Union Institute for Security Studies. [online]. [cit. 2021-04-25]. Available from: https://www.iss.europa.eu/sites/default/files/EUISSFiles/Brief_32_Hybrid_warfare.pdf

BAEZNER, Marie. 2019. Hotspot Analysis: Iranian cyber-activities in the context of regional rivalries and international tensions. Zurich: Center for Security Studies. [online]. [cit. 2020-12-26]. Available from: https://www.researchgate.net/publication/333339073_Hotspot_Analysis_Iranian_cyber-activities_in_the_context_of_regional_rivalries_and_international_tensions

BARNES, Julian E. and GIBBONS-NEFF, Thomas. 2019. U.S. Carried Out Cyberattacks on Iran. The New York Times. [online]. [cit. 2020-12-29]. Available from: https://www.nytimes.com/2019/06/22/us/politics/us-iran-cyber-attacks.html

BARZASHKA, Ivanka. 2013. Are Cyber-Weapons Effective? The RUSI Journal. [online]. 158(2), pp. 48-56. [cit. 2021-01-01]. DOI: 10.1080/03071847.2013.787735. Available from: https://www.tandfonline.com/doi/pdf/10.1080/03071847.2013.787735?needAccess=true

BBC. 2019. Saudi Arabia oil attacks: UN 'unable to confirm Iranian involvement'. [online]. [cit. 2020-12-13]. Available from: https://www.bbc.com/news/world-middle-east-50742224

BBC. 2021. Russia expels Czech diplomats over spying row. [online]. [cit. 2021-04-25]. Available from: https://www.bbc.com/news/world-europe-56796324

CALISKAN, Murat and CRAMERS, Paul-Alexander. 2018. What Do You Mean by "Hybrid Warfare"? A Content Analysis on the Media Coverage of Hybrid Warfare Concept. [online]. 14 p. [cit. 2020-11-20]. DOI: 10.31175/hi.2018.04. Available from: https://www.researchgate.net/publication/329782285_What_Do_You_Mean_by_Hybrid_Warfare_A_Content_Analysis_on_the_Media_Coverage_of_Hybrid_Warfare_Concept

CENTER FOR STRATEGIC AND INTERNATIONAL STUDIES (CSIS). 2020. Significant Cyber Incidents Since 2006. Center for Strategic and International Studies. [online]. [cit. 2020-12-25]. Available from: https://www.csis.org/programs/technology-policy-program/significant-cyber-incidents

CHAPMAN, Ian M. et al. 2011. Taxonomy of cyber attacks and simulation of their effects. In: Proceedings of the 2011 Military Modeling & Simulation Symposium. San Diego, CA, USA. [online]. pp. 73-80. [cit. 2020-11-23]. Available from: https://dl.acm.org/doi/pdf/10.5555/2048558.2048569

CILDIR, Sukru. 2019. How Saudi-Iranian oil rivalry has been shaped by American power. The Conversation. The Conversation Trust (UK) Limited. [online]. [cit. 2020-12-13]. Available from: https://theconversation.com/how-saudi-iranian-oil-rivalry-has-been-shaped-by-american-power-124123

CLARKE, Richard A. and KNAKE, Robert K. 2010. Cyber War: The Next Threat to National Security and What to Do About It. Ecco. 306 p. ISBN 978-0-06-196224-0.

COPELAND, B. J. 2019. Ultra. Encyclopedia Britannica. [online]. [cit. 2021-04-27]. Available from: https://www.britannica.com/topic/Ultra-Allied-intelligence-project

COUNCIL ON FOREIGN RELATIONS (CFR). 2020a. Cyber Operations Tracker. [online]. [cit. 2020-12-25]. Available from: https://www.cfr.org/interactive/cyber-operations

COUNCIL ON FOREIGN RELATIONS (CFR). 2020b. Cyber Operations Tracker, Our Methodology. [online]. [cit. 2020-12-18]. Available from: https://www.cfr.org/cyber-operations/#OurMethodology

COUNCIL ON FOREIGN RELATIONS (CFR). 2020c. U.S. Relations With Iran. [online]. [cit. 2020-12-07]. Available from: https://www.cfr.org/timeline/us-relations-iran-1953-2020

CRAIG, Anthony and VALERIANO, Brandon. 2016. Conceptualising cyber arms races. 8th International Conference on Cyber Conflict (CyCon). Tallinn: NATO CCD COE Publications. [online]. pp. 141-158. [cit. 2020-04-19]. DOI: 10.1109/CYCON.2016.7529432. Available from: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7529432&isnumber=7529414

DANYK, Yuriy et al. 2017. Hybrid War: High-tech, Information and Cyber Conflicts. Connections. [online]. 16(2), pp. 5-24. [cit. 2019-10-07]. Available from: http://www.jstor.org/stable/26326478

D'AGOSTINO, Davi M. 2010. Hybrid warfare. DIANE Publishing. [online]. [cit. 2021-04-26]. GAO-10-1036R. Available from: https://www.gao.gov/products/gao-10-1036r

DEVORE, Marc and LEE, Sangho. 2017. APT (Advanced Persistent Threat)s and Influence: Cyber Weapons and the Changing Calculus of Conflict. The Journal of East Asian Affairs. [online]. 31(1), pp. 39-64. [cit. 2020-11-24]. Available from: http://www.jstor.org/stable/44321272

DUCARU, Sorin Dumitru. 2016. The cyber dimension of modern hybrid warfare and its relevance for NATO. EUROPOLITY. [online]. 10(1), pp. 1-17. [cit. 2019-10-07]. Available from: http://europolity.eu/wp-content/uploads/2016/07/Vol.-10.-No.-1.-2016-editat.7-23.pdf

FALLIERE, Nicolas et al. 2011. W32.Stuxnet Dossier. Symantec. [online]. Version 1.4 (February 2011). [cit. 2020-12-28]. Available from: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/11/20082206/w32_stuxnet_dossier.pdf

FAYAZMANESH, Sasan. 2008. The United States and Iran: Sanctions, Wars and the Policy of Dual Containment. New York: Routledge Studies in Middle Eastern Politics. 272 p. ISBN 1135976864.

FIORE, Massimiliano. 2011. Israel and Iran’s Nuclear Weapon Programme: Roll Back or Containment? Istituto Affari Internazionali (IAI). [online]. 16 p. [cit. 2020-12-05]. ISBN 978-88-98042-23-4. Available from: http://www.jstor.com/stable/resrep09765

GAUB, Florence. 2015. Hizbullah’s hybrid posture: three armies in one. European Union Institute for Security Studies. [online]. [cit. 2021-04-24]. Available from: https://www.iss.europa.eu/sites/default/files/EUISSFiles/Alert_7_Hizbullah_hybrid_warfare.pdf

GEORGE, Alexander L. and BENNETT, Andrew. 2005. Case studies and theory development in the social sciences. Cambridge, MA: Belfer Center for Science and International Affairs. [online]. 343 p. [cit. 2020-12-18]. ISBN 0-262-07257-2. Available from: https://mitpress.mit.edu/books/case-studies-and-theory-development-social-sciences

GLADSTONE, Rick. 2012. Iran’s President Calls Israel ‘an Insult to Humankind’. The New York Times. [online]. [cit. 2021-01-02]. Available from: https://www.nytimes.com/2012/08/18/world/middleeast/in-iran-ahmadinejad-calls-israel-insult-to-humankind.html

GLOBAL RESEARCH & ANALYSIS TEAM. 2012. Gauss: Nation-state cyber-surveillance meets banking Trojan. AO Kaspersky Lab. [online]. [cit. 2020-12-26]. Available from: https://securelist.com/gauss-nation-state-cyber-surveillance-meets-banking-trojan-54/33854/

GLOBAL RESEARCH & ANALYSIS TEAM. 2016. ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. AO Kaspersky Lab. [online]. [cit. 2020-12-29]. Available from: https://securelist.com/faq-the-projectsauron-apt/75533/

GORDON, Sarah and FORD, Richard. 2006. On the definition and classification of cybercrime. Journal in Computer Virology. [online]. 2, pp. 13–20. [cit. 2020-11-25]. Available from: https://doi.org/10.1007/s11416-006-0015-z

GOSTEV, Alexander. 2012. The Flame: Questions and Answers. [online]. [cit. 2020-12-27]. Available from: https://securelist.com/the-flame-questions-and-answers/34344/

HATHAWAY, Oona A. et al. 2012. The Law of Cyber-Attack. California Law Review. [online]. 100(4), pp. 817-885. [cit. 2020-11-22]. Available from: http://www.jstor.org/stable/23249823

HERTA, Laura Maria. 2017. Hybrid Warfare – A Form of Asymmetric Conflict. International conference KNOWLEDGE-BASED ORGANIZATION. [online]. 23(1), pp. 135-141. [cit. 2020-04-19]. DOI: 10.1515/kbo-2017-0021. Available from: https://www.researchgate.net/publication/318730850_Hybrid_Warfare_-_A_Form_of_Asymmetric_Conflict

HOFFMAN, Frank. G. 2007. Conflict in the 21st century: The rise of hybrid wars. Arlington: Potomac Institute for Policy Studies. [online]. 72 p. [cit. 2020-09-09]. Available from: https://www.potomacinstitute.org/images/stories/publications/potomac_hybridwar_0108.pdf

HOFFMAN, Frank. G. 2009. Hybrid warfare and challenges. Washington DC: National Defense University. [online]. 15 p. [cit. 2020-09-09]. Available from: https://apps.dtic.mil/dtic/tr/fulltext/u2/a516871.pdf

ISLAMIC REPUBLIC OF IRAN and UNITED STATES OF AMERICA. 1981. Declaration of the Government of the Democratic and Popular Republic of Algeria. [online]. [cit. 2020-12-05]. Available from: http://www.parstimes.com/history/algiers_accords.pdf

ISLAMIC REPUBLIC OF IRAN. 1979. Constitution of the Islamic Republic of Iran. [online]. 24 October 1979. [cit. 2020-12-09]. Available from: https://www.refworld.org/docid/3ae6b56710.html

KAYE, Dalia Dassa et al. 2011. A Brief History of Israeli-Iranian Cooperation and Confrontation. In Israel and Iran: A Dangerous Rivalry. Santa Monica, CA; Arlington, VA; Pittsburgh, PA: RAND Corporation. [online]. pp. 9-18. [cit. 2020-12-11]. Available from: http://www.jstor.org/stable/10.7249/mg1143osd.7

KISSINGER, Henry. 2016. Uspořádání světa: Státní zájmy, konflikty a mocenská rovnováha. Prostor. 400 p. ISBN 978-80-7260-335-0.

KORING, Paul. 2012. The undeclared war on Iran's nuclear program. The Globe and Mail. [online]. [cit. 2020-12-29]. Available from: https://www.theglobeandmail.com/news/world/the-undeclared-war-on-irans-nuclear-program/article4210032/

MACINTYRE, Donald. 2012. Iran hangs 'Mossad spy' Majid Jamali Fashi for killing scientist. The Independent. [online]. [cit. 2020-12-13]. Available from: https://www.independent.co.uk/news/world/middle-east/iran-hangs-mossad-spy-majid-jamali-fashi-killing-scientist-7754332.html

MAHER, Richard. 2019. The covert campaign against Iran’s nuclear program: Implications for the theory and practice of counterproliferation. Journal of Strategic Studies. [online]. 28 p. [cit. 2020-12-12]. DOI: 10.1080/01402390.2019.1662401. Available from: https://www.tandfonline.com/doi/pdf/10.1080/01402390.2019.1662401

MAZANEC, Brian M. 2015. The Evolution of Cyber War: International Norms for Emerging-Technology Weapons. University of Nebraska Press, Potomac Books. 336 p. ISBN 978-1612347639.

MCDONALD, Geoff et al. 2013. Stuxnet 0.5: The Missing Link. Symantec. [online]. Version 1.0 (February 26, 2013). [cit. 2020-12-27]. Available from: https://docs.broadcom.com/doc/stuxnet-missing-link-13-en

MOIR, Robert. 2009. Defining Malware: FAQ. Microsoft. [online]. [cit. 2020-12-30]. Available from: https://docs.microsoft.com/en-us/previous-versions/tn-archive/dd632948(v=technet.10)?redirectedfrom=MSDN

NARAINE, Ryan. 2011. Duqu First Spotted as ‘Stars’ Malware in Iran. AO Kaspersky Lab. [online]. [cit. 2020-12-27]. Available from: https://securelist.com/duqu-first-spotted-as-stars-malware-in-iran/31632/

NAVAL HISTORY AND HERITAGE COMMAND (NHHC). 2007. Operation Praying Mantis. [online]. [cit. 2020-12-05]. Available from: https://www.history.navy.mil/content/history/nhhc/browse-by-topic/wars-conflicts-and-operations/middle-east/praying-mantis.html

PAGANINI, Pierluigi. 2019. Iran announced it foiled ‘really massive’ foreign cyber attack. Security Affairs. [online]. [cit. 2020-12-31]. Available from: https://securityaffairs.co/wordpress/94981/cyber-warfare-2/iran-foreign-cyber-attack.html

PIOTROWSKI, Andrzej Marcin. 2015. Hezbollah: The Model of a Hybrid Threat. The Polish Institute of International Affairs. [online]. 24(756). [cit. 2021-04-27]. Available from: https://www.files.ethz.ch/isn/188946/Bulletin%20PISM%20no%2024%20(756)%202%20March%202015.pdf

PORTS & MARITIME ORGANIZATION. 2021. Home. [online]. [cit. 2021-01-02]. Available from: https://www.pmo.ir/en/home

RADIO FREE EUROPE/ RADIO LIBERTY (RFE/RL). 2006. Iran: Text Of Ahmadinejad's Letter To Bush. Radio Free Europe/Radio Liberty. [online]. [cit. 2020-12-07]. Available from: https://www.rferl.org/a/1068319.html

RADIO FREE EUROPE/ RADIO LIBERTY (RFE/RL). 2020. Iranian Ports Organization Says It Was Targeted By Cyberattacks. Radio Free Europe/Radio Liberty. [online]. [cit. 2021-01-02]. Available from: https://www.rferl.org/a/iranian-ports-organization-cyberattacks/30896607.html

REICHBORN-KJENNERUD, Erik and CULLEN, Patrick. 2016. What Is Hybrid Warfare? Norwegian Institute of International Affairs (NUPI). [online]. 4 p. [cit. 2020-11-24]. Available from: www.jstor.org/stable/resrep07978

REUTERS. 2018. Iran's Khamenei calls for fight against enemy 'infiltration'. [online]. [cit. 2020-12-28]. Available from: https://www.reuters.com/article/us-iran-khamenei/irans-khamenei-calls-for-fight-against-enemy-infiltration-idUSKCN1N20CN

REZAEI, Farhad and COHEN, Ronen A. 2014. Iran's Nuclear Program and the Israeli-Iranian Rivalry in the Post Revolutionary Era. British Journal of Middle Eastern Studies. [online]. 41(4), pp. 442-460. [cit. 2020-12-09]. DOI: 10.1080/13530194.2014.942081. Available from: https://www.tandfonline.com/doi/abs/10.1080/13530194.2014.942081

ROME, Henry. 2020. Reviving the Iran nuclear deal will be harder than it looks. The Washington Post. [online]. [cit. 2020-12-12]. Available from: https://www.washingtonpost.com/politics/2020/11/23/reviving-iran-nuclear-deal-will-be-harder-than-it-looks/

SANGER, David E. and BARNES, Julian E. 2020. U.S. Tried a More Aggressive Cyberstrategy, and the Feared Attacks Never Came. The New York Times. [online]. [cit. 2020-12-26]. Available from: https://www.nytimes.com/2020/11/09/us/politics/cyberattacks-2020-election.html

SELIKTAR, Ofira. 2020. The End of the JCPOA Road? Middle East Quarterly. [online]. Summer 2020, 27(3). [cit. 2020-12-12]. Available from: https://www.meforum.org/61034/the-end-of-the-jcpoa-road

SELIKTAR, Ofira and REZAEI, Farhad. 2020. Iran, Revolution, and Proxy Wars. Springer International Publishing. [online]. 245 p. [cit. 2020-12-13]. ISBN 978-3-030-29418-2. Available from: https://link.springer.com/book/10.1007%2F978-3-030-29418-2#toc

SHAMSI, Jawwad A. et al. 2016. Attribution in cyberspace: techniques and legal implications. Security and Communication Networks. [online]. 9(15), pp. 2886-2900. [cit. 2020-11-24]. DOI: 10.1002/sec.1485. Available from: https://onlinelibrary.wiley.com/doi/full/10.1002/sec.1485

SIMMONS, Chris et al. 2009. AVOIDIT: A Cyber Attack Taxonomy. Memphis, TN, USA: University of Memphis. [online]. 10 p. [cit. 2020-12-30]. Available from: https://www.researchgate.net/publication/229020163_AVOIDIT_A_Cyber_Attack_Taxonomy

SIMONS, Greg et al. 2020. Hybrid war and cyber-attacks: creating legal and operational dilemmas. Global Change, Peace & Security. [online]. 32(3), pp. 337-342. [cit. 2019-04-19]. DOI: 10.1080/14781158.2020.1732899. Available from: https://www.tandfonline.com/doi/abs/10.1080/14781158.2020.1732899

SYMANTEC. 2011. W32.Duqu: The precursor to the next Stuxnet. Symantec. [online]. Version 1.4 (November 23, 2011). [cit. 2020-12-27]. Available from: https://docs.broadcom.com/doc/w32-duqu-11-en

TOBEY, William. 2012. Nuclear scientists as assassination targets. Bulletin of the Atomic Scientists. [online]. 68(1), pp. 61-69. [cit. 2021-01-01]. Available from: https://journals.sagepub.com/doi/full/10.1177/0096340211433019

TSARUK, Oleksandr and KORNIIETS, Maria. 2020. Hybrid nature of modern threats for cybersecurity and information security. Smart Cities and Regional Development Journal. [online]. pp. 57-78. [cit. 2021-01-02]. Available from: https://www.researchgate.net/publication/340173279_Hybrid_nature_of_modern_threats_for_cybersecurity_and_information_security

TUREČEK, Břetislav. 2016. Blízký východ nad propastí: cesta od orientálních diktatur ke svobodě a zase zpátky. First edition. Praha: Knižní klub. 279 p. ISBN 978-80-242-5558-3.

UN SECURITY COUNCIL. 2006. Resolution 1696. Non-proliferation. [online]. 31 July 2006. S/RES/1696 (2006). [cit. 2020-12-08]. Available from: https://www.refworld.org/docid/453786b00.html

WEISSMANN, Mikael. 2019. Hybrid warfare and hybrid threats today and tomorrow: towards an analytical framework. Journal on Baltic Security. [online]. 5(1), pp. 17–26. [cit. 2019-10-07]. DOI: 10.2478/jobs-2019-0002. Available from: https://www.readcube.com/articles/10.2478/jobs-2019-0002

WILLIAMS, Christopher. 2012. Cyber espionage virus targets Lebanese banks. The Telegraph. [online]. [cit. 2020-12-28]. Available from: https://www.telegraph.co.uk/technology/internet-security/9466718/Cyber-espionage-virus-targets-Lebanese-banks.html

ZETTER, Kim. 2012. Meet 'Flame,' The Massive Spy Malware Infiltrating Iranian Computers. Wired. [online]. [cit. 2020-12-30]. Available from: https://www.wired.com/2012/05/flame/

List of Appendices
Appendix no. 1: Essential Characteristics of Different Cyber-Actions (table)
(Hathaway et al., 2012, p. 833)
Appendix no. 2: Taxonomy of Cyber-attacks (table) (Chapman et al., 2011)
Appendix no. 3: Significant Cyber Threats (table)
Appendix no. 4: The Relationship of Stuxnet, Duqu, Flame, and Gauss (figure)
(Global and Research & Analysis Team, 2012)
Appendix no. 5: The Cyber-attacks Against Iran According to Informational Impact
(figure)
Appendix no. 6: Informational Impact of Cyber-attacks, 2007 – 2015 (table)
Appendix no. 7: Informational Impact of Cyber-attacks, 2015 – 2020 (table)
Appendix no. 8: Number of Reported Cyber-Incidents, 2007 – 2020 (figure)

Appendix No. 1.
Table 1: Essential Characteristics of Different Cyber-Actions (Hathaway et al., 2012, p. 833)

Types of cyber-action: cyber-attack, cyber-crime, cyber-warfare (x marks a criterion that applies)

Criterion                                                                    Cyber-attack  Cyber-crime  Cyber-warfare
Involves only non-state actors                                                                  x
Must be violation of criminal law, committed by means of a computer system                      x
Objective must be to undermine the function of a computer network                 x                          x
Must have a political or national security purpose                                x                          x
Effects must be equivalent to an "armed attack," or activity must occur
  in the context of armed conflict                                                                           x

Appendix No. 2.
Table 2: Taxonomy of Cyber-attacks (Chapman et al., 2011)

Tier 1: No Network or Computer Access
  Denial of Service Attack (DoS)
  Distributed Denial of Service Attack (DDoS)
  Stack-Based Buffer Overflow Attack
  Phishing
Tier 2: User Access with Limited Privileges
  Password Hacking
  Sniffing
  Nuisance Attacks
Tier 3: Root Access/Administrative Privileges
  Backdoor
  Rootkit
  Kernel-Level Rootkit
  Spyware and Keyloggers
  Adware
  Various Malicious Attacks
Delivery methods
  Trojan Horses
  Viruses
  Worms
  Scareware

Appendix No. 3.
Table 3: Significant Cyber Threats

Columns: Year | Suspected state sponsor | Suspected victim | Informational impact (AVOIDIT) | Attack type | Victim sector | Name. The description of each incident follows its row on an indented line; quoted descriptions are taken from the source cited in the row.

November 2020 | U.S. | Iran | disrupt, destruct | N/A | government, military | (unnamed)
  "U.S. Cyber Command and the NSA conducted offensive cyber operations against Iran to prevent interference in the upcoming U.S. elections (CSIS,

October 2020 | Israel | Iran | N/A | N/A | private sector | (unnamed)
  "Iran announced that the country’s Ports and Maritime Organization and one other unspecified government agency had come under cyberattack

May 2020 | Israel | Iran | disrupt | N/A | private sector | (unnamed)
  "Israeli hackers disrupted operations at an Iranian port for several days, causing massive backups and delays. Officials characterized the attack as a retaliation against a failed Iranian hack in April targeting the command and control systems of

March 2020 | unknown nation-state | Iran | N/A | N/A | private sector | (unnamed)
  "A suspected nation state hacking group was discovered to be targeting industrial sector companies in Iran (Ibid.)."

February 2020 | unknown | Iran | disrupt | DDoS | infrastructure | (unnamed)
  "Iran announced that it has defended against a DDoS against its communications infrastructure that caused internet outages across the country (Ibid.)."

December 2019 | unknown | Iran | N/A | N/A | government | (unnamed)
  "Iran announced that it had foiled a major cyber attack by a foreign government targeting the country’s e-government infrastructure (Ibid.)."

September 2019 | U.S. | Iran | disrupt, destruct | N/A | government, infrastructure | (unnamed)
  "The United States carried out cyber operations against Iran in retaliation for Iran’s attacks on Saudi Arabia’s oil facilities. The operation affected physical hardware, and had the goal of disrupting

June 2019 | U.S. | Iran | disrupt, destruct | N/A | military | (unnamed)
  "The U.S. announced it had launched offensive cyber operations against Iranian computer systems used to control missile and rocket launches (Ibid.)."

June 2019 | U.S. | Iran | discovery | N/A | N/A | (unnamed)
  "Iran announced that it had exposed and helped dismantle an alleged CIA-backed cyber espionage network across multiple countries (Ibid.)."

October 2018 | Israel | Iran | distort, destruct, discovery | APT | military | Stuxnet 2.0
  "The head of Iran’s civil defense agency announced that the country had recently neutralized a new version of Stuxnet (Ibid.)."

2018 | U.S. | Iran, North Korea, Russia, China | disrupt, disclosure | N/A | N/A | (unnamed)
  Reported in July 2020: "Media reports say a 2018 Presidential finding authorized the CIA to conduct cyber operations against Iran, North Korea, Russia, and China. The operations included disruption and

2017 | unknown | Iran + 26 countries | discovery | APT | government, civil society | Operation Parliament
  "This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage (CFR,

2016 | unknown nation-state (possibly the U.S.) | Russia, Iran, Belgium, China, Sweden, Rwanda | discovery | APT | private sector, government, military, telecom, finance | Project Sauron, Strider
  "This threat actor compromises targets in the military, telecommunications, and financial sectors in Belgium, China, Iran, Russia, Sweden, and elsewhere. Possibly in operation since 2011 (Global

2015 | unknown nation-state (possibly the U.S.) | Iran + 41 countries | distort, discovery | APT | government, military | Equation Group
  "In 2015, Moscow-based Kaspersky Lab published a report on the Equation Group, a threat actor active since 2001. Targeted systems ranged from the private to the public sector, from energy departments to military operations to media outlets. The tools and scope of the Equation Group suggest that it is one of the most sophisticated threat actors operating in cyberspace. Many believe that Equation Group is a state-sponsored entity, such as the U.S.

2015 | Israel | Iran | destruct, discovery | APT | government, private sector | Duqu 2.0
  "A threat actor, using a tool dubbed Duqu 2.0, targeted individuals and companies linked to the P5+1 (the five permanent member states of the UN Security Council, plus Germany), which was conducting negotiations on Iran's nuclear program

May 2013 | unknown | Iran | disrupt | DDoS | government, military | (unnamed)
  "An unknown attacker utilized a DDoS attack to bring down the website of the Iranian Basij military branch (basij.ir) (CSIS, 2020)."

2012 | U.S., Israel | Iran + 9 countries | discovery | APT | private sector, finance | Gauss
  A threat actor used a tool called Gauss to target the accounts of several Lebanon-based banks, including BlomBank, ByblosBank, Credit Libanais. The evidence suggests that it is connected to Flame and Stuxnet (Global and Research & Analysis Team,

May 2012 | U.S., Israel | Iran + 12 countries (Iran hit the most) | destruct, discovery | APT | military, private sector | Flame
  "An espionage toolkit named 'Flame' is discovered in computers in the Iranian Oil Ministry, as well as in other Middle Eastern countries, including Israel, Syria, and Sudan, and other nations around the

April 2012 | (not stated) | Iran | disrupt, disclosure | N/A | government, oil industry | (unnamed)
  "Iran was forced to disconnect key oil facilities after a cyberattack against internal computer systems. The malware was found inside the control systems of Kharg Island – Iran’s main oil exporting terminal. Equipment at Kharg Island and at other Iranian oil plants was disconnected from the internet as a precaution. Iran reported that oil production was not affected, but the websites of the Iranian oil ministry and national oil company were forced offline and

September 2011 | Israel | Iran + 7 countries | destruct, discovery | APT | military, industrial systems | Duqu
  "Threat actors, using a tool dubbed Duqu, targeted industrial control systems in certain countries (CFR, 2020a)"

April 2011 | Israel | Iran | discovery | APT | government, military | Stars virus
  Cyber attack reported by Iran's civil defence organization, later reported to be an earlier version of Duqu (Naraine, 2011)

October 2010 | Israel, U.S. | Iran + 11 countries | distort, destruct, discovery | APT | military | Stuxnet
  "Stuxnet, a complex piece of malware designed to interfere with Siemens Industrial Control Systems, was discovered in Iran, Indonesia, and elsewhere, leading to speculation that it was a government cyber weapon aimed at the Iranian nuclear program

2007 | Israel, U.S. | Iran | distort, destruct, discovery | APT | military | Stuxnet 0.5
  Earliest detected version of Stuxnet as reported by Symantec (McDonald et al., 2013)
Footnote to Table 3: Attribution
a) The attacker is unknown; the characteristics of the attack do not provide any hint of who the
attacker may be, the victim did not release enough data, and/or the report cannot be verified
from multiple sources.

b) The attacker is unknown; however, attributes of the attack (such as the code used, global
events preceding the attack, the victims of the attack, geopolitical facts, etc.) give an
indication of the attacker's goal and origin.

c) The attacker is known: a large share of researchers agree on a suspected nation-state as the
perpetrator, and/or the attacker claimed responsibility for the attack.

Appendix No. 4.
Figure 1: The Relationship of Stuxnet, Duqu, Flame, and Gauss (Global and Research &
Analysis Team, 2012)

Appendix No. 5.
Figure 2: Cyber-Attacks Against Iran According to Informational Impact (chart; segment labels and counts reproduced below)

Discovery: 12
Destruct: 9
Disrupt: 8
Distort: 4
Unknown: 3
Disclosure: 2

Appendix No. 6.
Table 4: Informational Impact of Cyber-Attacks, 2007 – 2015
Informational impact Number of attacks
Discovery 8
Destruct 5
Distort 3
Disrupt 2
Disclosure 1

Appendix No. 7.
Table 5: Informational Impact of Cyber-Attacks, 2015 – 2020
Informational impact Number of attacks
Disrupt 6
Discovery 4
Destruct 4
Unknown 3
Distort 1
Disclosure 1
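As an added cross-check on the tallies in Figure 2, Table 4 and Table 5 (this script is an editorial addition, not part of the thesis), the rows of Table 3 are encoded below as constructed tuples of year and AVOIDIT informational-impact labels, then counted per label and split into the two periods. Each multi-valued impact cell contributes one count per label, and N/A is counted as "unknown". The two 2015 rows fall into the first period: that is the split that reproduces both tables, even though Table 5 is headed 2015 – 2020. Function names are assumptions of this example.

```python
from collections import Counter

# Constructed from Table 3 (Appendix No. 3): (year, informational impacts per AVOIDIT).
# "N/A" in the impact column is tallied as "unknown", as in Figure 2 and Table 5.
INCIDENTS = [
    (2020, ["disrupt", "destruct"]),               # Nov 2020, U.S. Cyber Command / NSA
    (2020, ["N/A"]),                               # Oct 2020, Ports and Maritime Organization
    (2020, ["disrupt"]),                           # May 2020, Iranian port
    (2020, ["N/A"]),                               # Mar 2020, industrial sector companies
    (2020, ["disrupt"]),                           # Feb 2020, DDoS on communications infrastructure
    (2019, ["N/A"]),                               # Dec 2019, e-government infrastructure
    (2019, ["disrupt", "destruct"]),               # Sep 2019, retaliation for Saudi oil attacks
    (2019, ["disrupt", "destruct"]),               # Jun 2019, missile and rocket launch systems
    (2019, ["discovery"]),                         # Jun 2019, alleged CIA espionage network
    (2018, ["distort", "destruct", "discovery"]),  # Oct 2018, Stuxnet 2.0
    (2018, ["disrupt", "disclosure"]),             # 2018 Presidential finding
    (2017, ["discovery"]),                         # Operation Parliament
    (2016, ["discovery"]),                         # Project Sauron / Strider
    (2015, ["distort", "discovery"]),              # Equation Group
    (2015, ["destruct", "discovery"]),             # Duqu 2.0
    (2013, ["disrupt"]),                           # May 2013, DDoS on basij.ir
    (2012, ["discovery"]),                         # Gauss
    (2012, ["destruct", "discovery"]),             # Flame
    (2012, ["disrupt", "disclosure"]),             # Apr 2012, Kharg Island
    (2011, ["destruct", "discovery"]),             # Duqu
    (2011, ["discovery"]),                         # Stars virus
    (2010, ["distort", "destruct", "discovery"]),  # Stuxnet
    (2007, ["distort", "destruct", "discovery"]),  # Stuxnet 0.5
]


def impact_counts(incidents, first_year=None, last_year=None):
    """Tally AVOIDIT informational impacts for incidents in [first_year, last_year].

    A multi-valued cell (e.g. "distort, destruct, discovery") adds one count per
    label, so the totals exceed the number of incidents. "N/A" becomes "unknown".
    """
    tally = Counter()
    for year, impacts in incidents:
        if first_year is not None and year < first_year:
            continue
        if last_year is not None and year > last_year:
            continue
        for impact in impacts:
            tally["unknown" if impact == "N/A" else impact] += 1
    return dict(tally)


def incidents_per_year(incidents):
    """Number of Table 3 rows per year (the series behind Figure 3)."""
    return dict(Counter(year for year, _ in incidents))


def periods_sum_to_total(incidents, split_year):
    """True if the per-period tallies (up to split_year, and after it) add up to the overall tally."""
    early = Counter(impact_counts(incidents, last_year=split_year))
    late = Counter(impact_counts(incidents, first_year=split_year + 1))
    return early + late == Counter(impact_counts(incidents))


if __name__ == "__main__":
    print("Figure 2:", impact_counts(INCIDENTS))
    print("Table 4 (2007-2015):", impact_counts(INCIDENTS, last_year=2015))
    print("Table 5 (2016-2020):", impact_counts(INCIDENTS, first_year=2016))
    print("Per year:", incidents_per_year(INCIDENTS))
    print("Periods consistent with total:", periods_sum_to_total(INCIDENTS, 2015))
```

Run as a script it prints the three tallies; with the rows as given they match Figure 2 (disrupt 8, destruct 9, discovery 12, distort 4, disclosure 2, unknown 3), Table 4 and Table 5 exactly, and the per-year series peaks at 5 incidents in 2020, which is the top of the axis in Figure 3.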

Appendix No. 8.
Figure 3: Number of Reported Cyber-Incidents, 2007 – 2020 (bar chart; x-axis: years 2007 to 2020, y-axis: number of reported cyber-incidents, 0 to 5)
