Morning Overview

Cyberattacks could shape the U.S.-Iran conflict as much as missiles

Iran’s Islamic Revolutionary Guard Corps has waged a sustained campaign of cyberattacks against American political targets, critical infrastructure, and federal networks, according to a series of U.S. government advisories, indictments, and sanctions actions. These digital operations, which range from election interference to ransomware strikes on hospitals, represent a strategic threat that runs parallel to Tehran’s missile capabilities and may prove harder to deter.

Stolen Campaign Files as a Weapon

The most politically charged episode in Iran’s recent cyber offensive targeted the 2024 U.S. presidential race directly. A joint statement from the Office of the Director of National Intelligence, the FBI, and CISA confirmed that Iran-linked actors sent unsolicited emails in late June or early July 2024 containing excerpts from stolen, non-public material belonging to the Trump campaign. Those emails were directed at individuals associated with Biden’s campaign, an apparent effort to seed discord between rival political camps using pilfered documents.

Federal prosecutors followed up by charging three IRGC cyber operatives with orchestrating that hack-and-leak scheme. The indictment detailed a chain of IRGC-sponsored spearphishing and social engineering that led to unauthorized access to personal accounts tied to a U.S. presidential campaign, theft of non-public campaign documents and emails, and subsequent attempts to leak the material to media organizations and political actors. The playbook echoed Russia’s 2016 interference but carried a distinct Iranian signature. The operation was designed not to boost a preferred candidate but to erode confidence in the electoral process itself by showing that even top-tier campaign communications could be compromised and weaponized.

U.S. officials have framed this activity as part of a broader effort to undermine democratic institutions. By targeting both the Trump and Biden camps in different ways, Iranian operators signaled that no side could assume immunity from foreign manipulation. The hack-and-leak campaign also illustrated how relatively low-cost intrusions into personal email or cloud accounts can generate outsized political impact when timed around a high-stakes election.

92 Fake News Domains Seized

Election hacking was only one piece of a broader information warfare effort. The U.S. Department of Justice executed seizure warrants against 92 domains allegedly used by the IRGC for covert propaganda and disinformation. The sites masqueraded as legitimate news outlets while actually functioning as mouthpieces for Iranian intelligence, violating the Foreign Agents Registration Act and U.S. sanctions law.

The scale of that seizure is significant because it reveals how Tehran invested in building a durable infrastructure for influence operations, not just one-off hacks. Maintaining dozens of separate domains across multiple languages and target audiences requires sustained funding, editorial staffing, and technical upkeep. That level of commitment suggests Iranian planners view information warfare as a permanent front, not a temporary tactic tied to any single crisis or election cycle.

These pseudo-media outlets provided a flexible platform for amplifying narratives that aligned with Iranian foreign policy goals, from undermining U.S. sanctions to stoking distrust of American allies in the Middle East. By disguising state-directed content as independent journalism, the operators behind the domains sought to reach audiences that might ignore overt government propaganda, further blurring the line between authentic and manipulated online discourse.

Brute-Force Attacks on Hospitals and Power Grids

Beyond political interference, Iranian cyber actors have repeatedly targeted the systems that keep American daily life running. A joint advisory from CISA, the FBI, the NSA, and allied agencies in Canada and Australia documented Iranian actors using brute force and credential access techniques against critical infrastructure in healthcare, government, information technology, engineering, and energy sectors. The advisory mapped specific tactics and provided indicators of compromise, giving defenders a clearer picture of how these intrusions unfold.

According to that technical guidance, Iranian operators often rely on large-scale password-guessing campaigns, exploitation of publicly known software vulnerabilities, and abuse of remote access tools. Once inside a network, they move laterally to identify sensitive systems and data, sometimes maintaining a low profile for extended periods. For hospitals and utilities with limited cybersecurity staff, this combination of persistence and stealth poses a serious challenge.
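The large-scale password guessing described above leaves a recognizable trace in ordinary authentication logs. The following is an added example, not code from the advisory or from any agency tool: it runs over constructed log lines and separates classic brute force (many failures against one account from one source) from password spraying (one source, a few attempts each against many accounts), and flags when the same source later logs in successfully. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from any advisory): a VPN/SSO gateway logging one
# attempt per line. One source hammers a single account, one sprays and gets in.
SAMPLE_LOG = """\
2024-08-05T02:00:01Z auth=fail user=jsmith src=203.0.113.7
2024-08-05T02:00:02Z auth=fail user=jsmith src=203.0.113.7
2024-08-05T02:00:03Z auth=fail user=jsmith src=203.0.113.7
2024-08-05T02:00:04Z auth=fail user=jsmith src=203.0.113.7
2024-08-05T02:00:05Z auth=fail user=jsmith src=203.0.113.7
2024-08-05T02:10:00Z auth=fail user=a.lee src=198.51.100.9
2024-08-05T02:10:30Z auth=fail user=b.ortiz src=198.51.100.9
2024-08-05T02:11:00Z auth=fail user=c.wang src=198.51.100.9
2024-08-05T02:11:30Z auth=fail user=e.rossi src=198.51.100.9
2024-08-05T02:12:00Z auth=ok user=e.rossi src=198.51.100.9
2024-08-05T08:00:00Z auth=fail user=admin src=192.0.2.44
2024-08-05T08:00:05Z auth=ok user=admin src=192.0.2.44
"""

LINE_RE = re.compile(r"^\S+ auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log_text):
    """Yield (result, user, src) for each well-formed line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("result"), m.group("user"), m.group("src")

def detect(log_text, brute_threshold=5, spray_accounts=4):
    """Per source address, flag brute force (>= brute_threshold failures on one
    account) and password spraying (failures on >= spray_accounts accounts)."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    successes = defaultdict(set)                       # src -> users logged in
    for result, user, src in parse(log_text):
        if result == "fail":
            failures[src][user] += 1
        else:
            successes[src].add(user)
    alerts = []
    for src, per_user in failures.items():
        hit = sorted(set(per_user) & successes[src])   # failed, then succeeded
        if len(per_user) >= spray_accounts:
            alerts.append({"type": "password_spray", "src": src,
                           "accounts": len(per_user), "later_success": hit})
        if max(per_user.values()) >= brute_threshold:
            alerts.append({"type": "brute_force", "src": src,
                           "failures": max(per_user.values()), "later_success": hit})
    return alerts
```

A single mistyped password followed by a successful login (the `192.0.2.44` lines) stays below both thresholds, so it produces no alert.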

A separate CISA advisory noted that as of August 2024, Iran-based cyber actors continued exploiting organizations across education, finance, healthcare, defense, and local government entities in the United States and abroad. The breadth of targeting matters because it means a single Iranian cyber unit can simultaneously probe a rural hospital’s billing system, a city government’s network, and a defense contractor’s email server. Each intrusion creates options: intelligence collection, ransomware deployment, or pre-positioned access that could be activated during a future military confrontation.

Officials and security researchers warn that this kind of pre-positioning raises the risk of cascading failures. A ransomware attack that disables a regional health system, for example, could coincide with a diplomatic crisis or kinetic exchange elsewhere, amplifying pressure on U.S. decision-makers. Similarly, compromises of municipal networks may allow for disruption of emergency services or local elections at moments of heightened tension.

Ransomware Tied to the IRGC

The financial dimension of these operations adds another layer of concern. The U.S. Treasury Department’s Office of Foreign Assets Control sanctioned IRGC-affiliated cyber actors for their roles in ransomware campaigns, noting that the group had been compromising networks since at least 2020. Those actors exploited known software vulnerabilities to gain access, then deployed ransomware, extracted data, and demanded payment.

This blending of state-sponsored espionage with criminal ransomware complicates the standard deterrence calculus. When an IRGC-linked group locks down a hospital’s records and demands cryptocurrency, the victim faces an immediate operational crisis regardless of whether the motive is profit, intelligence gathering, or strategic disruption. Treasury’s sanctions action tried to raise the cost of that behavior by freezing assets and restricting financial access, but the individuals named in the action operate from Iranian territory, well beyond the reach of U.S. law enforcement.

Ransomware tied to state-backed groups also creates difficult choices for victim organizations. Paying a ransom may restore operations more quickly but can violate sanctions regimes and effectively funnel resources back into hostile intelligence services. Refusing to pay can mean extended downtime, data loss, and potential exposure of sensitive information if attackers follow through on threats to leak stolen files.

Allied Warnings and Federal Network Breaches

The threat is not confined to American shores. The United Kingdom’s National Cyber Security Centre, working alongside U.S. partners, issued a joint alert warning that Iranian state-linked actors were conducting spear-phishing campaigns against officials, think tanks, journalists, activists, and lobbyists. The U.K. alert also noted U.S. observations of targeting connected to American political campaigns, reinforcing the election interference thread from a second allied government’s vantage point.

These phishing operations typically use tailored emails that impersonate trusted contacts or institutions, luring recipients into clicking malicious links or opening weaponized attachments. Once a target is compromised, attackers can exfiltrate documents, monitor communications, or use the account to launch further attacks within a network or across an organization’s professional contacts. For policy experts and activists working on Iran-related issues, such intrusions can expose sources, strategies, and advocacy plans.

Iran’s cyber operators have also penetrated federal networks directly. Public incident reporting from CISA has described how Iranian government-sponsored advanced persistent threat actors used known vulnerabilities, weak credentials, and misconfigured systems to gain a foothold on U.S. government networks, then attempted to escalate privileges and access sensitive resources. These cases underscore that even agencies with dedicated security teams remain attractive and achievable targets when basic cyber hygiene lapses.

Such intrusions serve multiple purposes for Tehran. Access to federal systems can yield intelligence on U.S. policy deliberations, law enforcement investigations, and sanctions planning. It can also provide leverage in future crises, as persistent access may allow for disruptive or destructive actions at a time of Iran’s choosing. The combination of espionage, potential sabotage, and information operations makes the IRGC’s cyber portfolio a versatile tool in Iran’s broader confrontation with the United States.

A Persistent and Adaptive Threat

Taken together, the stolen campaign files, fake news domains, brute-force attacks, ransomware schemes, and federal network breaches depict an adversary that is both opportunistic and strategic. Iranian cyber units exploit unpatched systems and human error wherever they find them, but they also align operations with political milestones, diplomatic disputes, and regional flashpoints.

U.S. and allied responses (indictments, domain seizures, sanctions, and technical advisories) have imposed costs and exposed tradecraft, yet they have not halted the underlying activity. As long as relatively modest investments in cyber capabilities can threaten elections, hospitals, and government agencies, the IRGC is likely to keep expanding its digital arsenal. In any U.S.-Iran confrontation, these intrusions can shape the conflict by disrupting services, gathering intelligence, and pressuring decision-makers alongside missiles and other military tools. For defenders, that reality means treating Iranian cyber operations not as isolated incidents but as a long-term campaign that demands sustained vigilance, coordinated international action, and continuous improvement in basic security practices.

*This article was researched with the help of AI, with human editors creating the final content.