Inside the Cyber Battlefield
Iranian Cyber Operations from an FBI Perspective
Wednesday, August 27, 2025
1:00 pm - 2:00 pm
Nation-state and cyber criminals pose a growing threat across the globe for cyber espionage and cyber attacks. The FBI leverages its unique authorities, world-class capabilities, and enduring partnerships to impose costs on cyber adversaries. This session with FBI Cyber Division Assistant Director Brett Leatherman discussed the evolution of Iranian-based cyber threats in recent years and covered the tactics and objectives of Iran’s cyber-enabled influence operations, including discussion of case studies and global efforts by law enforcement, intelligence communities, and industry to detect, deter, and counteract these sophisticated threats. This event was moderated by Senior Research Fellow, Jennifer Baker.
On August 27th, 2025, the Program on Extremism at The George Washington University hosted a webinar titled Inside the Cyber Battlefield: Iranian Cyber Operations from an FBI Perspective. The session was moderated by Senior Research Fellow Jennifer Baker and featured Brett Leatherman, Assistant Director of the FBI’s Cyber Division.
Baker opened by situating the discussion within the Program’s broader research on Iran, recalling the 2024 report Propaganda, Procurement, and Lethal Operations: Iran’s Activities Inside America, which documented the Islamic Republic’s covert activities on U.S. soil. She emphasized that Iran’s cyber operations now represent a critical extension of its global influence and hostile posture, targeting U.S. infrastructure, companies, and government entities. She introduced Leatherman as the FBI’s senior executive charged with developing strategies to impose costs on nation-state cyber adversaries, highlighting his career as a special agent, pilot, hostage negotiator, and cybersecurity leader.
Leatherman began by noting the global scope of cyber conflict, pointing out that all major adversaries - including China, Russia, North Korea, and Iran - leverage cyber operations to advance intelligence and military objectives. He described the FBI’s unique dual role as both an intelligence and law enforcement agency, with authorities that allow it not only to assist victims but also to conduct offensive disruption operations. The Bureau, he stressed, is committed to imposing costs through indictments, sanctions, technical takedowns, and public attribution of malicious actors.
Focusing on Iran, Leatherman outlined four major categories of Iranian cyber activity: espionage against government agencies, corporations, and dissidents; prepositioning capabilities on U.S. critical infrastructure for potential manipulation in a crisis; destructive cyberattacks, which he said remain a “red line” not yet crossed directly by the regime; and influence operations, including the high-profile 2024 hack-and-leak campaign aimed at interfering in the U.S. presidential election. He emphasized that this campaign, attributed publicly to three Iranian actors, demonstrated Tehran’s willingness to directly attack the integrity of American democratic processes.
Leatherman also discussed the FBI’s concern about Iran’s use of cyber tools in support of lethal plotting, including surveillance of dissidents and U.S. officials abroad. By exploiting personal devices and accounts of targets or their family members, Iran seeks to gather patterns of life data to enable assassination or kidnapping attempts. He stressed that this integration of cyber and kinetic operations makes Iran’s cyber threat distinct from other adversaries.
In a wide-ranging Q&A, Leatherman fielded questions on multiple issues. He explained that Iran’s cyber posture following the Israel-Hamas war involved attempts to gain intelligence and probe Israeli and global critical infrastructure, though not yet destructive attacks. He described how offensive cyber actions by Iran are treated as part of the “gray zone” - below the threshold of open conflict - but warned that a cyberattack causing loss of life or impairing military command systems could trigger a kinetic response.
He acknowledged the risks posed by emerging technologies such as artificial intelligence and quantum computing, which adversaries may use to scale attacks or break encryption. He also highlighted cases where the FBI, often in partnership with international allies, disrupted Iranian campaigns through indictments, advisories, and industry alerts, stressing that cooperation with private companies is essential since they own and operate much of the targeted infrastructure.
Comparing Iran to other adversaries, Leatherman argued that Iranian operations tend to be less sophisticated than those of Russia or China, often leaving visible signs of intrusion or damage. Yet this same facy makes them dangerous, as their tools can have unintended destructive consequences. He noted that Iran uniquely combines cyber operations with state-sponsored terrorism, and the FBI’s creation of an Iran Threat Mission Center reflects the breadth of this challenge. He also confirmed that the IRGC and Ministry of Intelligence likely coordinate closely, taking a “whole-of-government” approach to hacking.