Iran is a significant actor in the Middle East and also in cyberspace. Because of its history, economy, religion and political ambitions, Iran cannot be ignored as a regional power and is considered as a threat by its neighbors. While access to certain internet content is strictly controlled inside Iran, Iranian Advanced Persistent Threats (APTs)3 have become infamous for targeting energy companies in neighboring countries with destructive malware4and cyberespionage campaigns. However, Iran is also known for being the target of highly sophisticated cyberattacks, the most famous being Stuxnet, which was jointly developed by the US and Israel. This Hotspot Analysis analyzes cyber-activities in relation to Iran in the context of its regional rivalry with its neighbors and its relationship with the US, which has come under renewed strain. In this context, cyberattacks are instruments that states can deploy in case of tensions, whether to defuse heightened tension (e.g. Stuxnet), to harass, to spy on rivals and dissidentsor as a warfare technique. Cyber-activities also enable weaker states to cause damage to more powerful states in asymmetrical warfare. The objective of this Hotspot Analysis is to better understand the dynamics of cyber-activities in regional rivalries and broader international tensions related to Iran.Iranian-related cyber-activities are primarily focused on spear phishing and credential theft with occasional destructive attacks. These cyberattacks, which are relatively low-level, are rooted in the regional rivalry between Iran and its neighbors and in the tensions with the US. Additionally, while current open-source research suggests that Iranian threat actors are highly active, it is in reality more likely that Iranian systems are regularly targeted by Western states. Information on these latter cyberattacks is unfortunately very limited.This Hotspot Analysis is organized in four sections. Section 2 gives an account of the historical and international context of Iranian cyber-activities and cyberattacks against Iran. The goal of the chronology in this section is to place cyber-activities relating to Iran within their political and historical setting.Section 3 describes first some of the multiple actors involved in cyber-activities related to Iran. This section only examines the main APTs from Iran, the main Iranian patriotic hackers, and actors in the US and Israel. It details targets of cyber-activities related to Iran and shows that Iranian APTs have targeted Iranian opposition groups both in Iran and abroad, while alsocarrying out cyberespionage and destructive campaigns against companies in multiple states in the Middle East. Iranian APTs also conducted cyberespionage campaigns 3 Abbreviations are listed in Section 10.against industries, government institutions and Non-Governmental Organizations (NGOs) in Western statesand in the Middle East. Finally, the section looks at tools and techniques used in the Iranian context. This section demonstrates that Iranian patriotic hackers used Distributed Denial of Service (DDoS) attacks, that Iranian APTs created fake personas on social media for spear phishing campaigns and used a mix of freely available, commercialand custom-made malware in their cyberattacks, and that Western actors used sophisticated malware against Iranian targets.Section 4 examines the effects of cyber-activities at the national and international levels. The first subsection analyzes the effects of Iranian authorities’ control over internet content and online surveillance of dissidents. The second subsection details the economic effects of destructive cyberattacks on energy companies and the economic effects of DDoS attacks. The third subsection examines the fact that Iranian APTs are not technically sophisticated but still manage to achieve their strategic goals. This subsection also looks at how the discovery of Stuxnet was a wakeup call for the international community. The final subsection looks at the effects of cyber-activities related to Iran on international relations. First, Iran considers cyberspace as a space for asymmetrical warfare against its regional rivals and its more powerful adversaries. Second, proxy wars between Iran and its regional rivals unfold primarily in the physical realm but are also transposed to cyberspace. Third, after the Joint Comprehensive Plan Of Action (JCPOA) between Iran, the US, China, France, Germany, Russia and the UK was signed in 2015, malicious cyber-activities between the US and Iran seemed to diminish but restarted after the US withdrawal. This change in malicious activities shows that cyber-activities evolvetogetherwith the development of relations between the two states.Fourth, Iranian APTs started to conduct online influence campaigns targeting US citizens. They copied Russian tactics and tried to influence political opinion in favor of Iranian interests. Finally, Section 5 contributes some generic policy recommendations for mitigating the risks of being impacted by cyberattacks from the Iranian context. This section recommends that cybersecurity be improved, information about Iranian APTs be shared, awareness about Iranian influence campaigns be raised and US-Iran relations be monitored. This Hotspot Analysis will be updated as new information concerning cyber-activities relating to Iran is published. The goal is to keep the Hotspot Analysis as accurate as possible. This report will also be integrated in a broader study comparing multiple Hotspot Analyses.