Understanding Russia-Iran Collaboration in Cyberspace

Reports of Russia-Iran collaboration in the U.S.-Iran conflict are a real and live source of concern. Russia has shared intelligence with Iran that purportedly led to the targeting of U.S. soldiers in the Middle East, as well as drone technologies that have given Iran a substantive asymmetric edge in targeting regional adversaries. However, collaboration on cyber operations has been repeatedly misread and misunderstood, including claims that Russia has supplied Iran with cyber support and that pro-Russia actors have formed a coalition with Iranian hackers, both of which have only a thin evidence base.

Based on the types of collaboration identified between the two countries, more evidence is needed before declaring that Russia and Iran’s cooperation in cyberspace reaches the heights of collaboration portrayed through media reporting. Moreover, more nuanced language is needed in understanding the cyber threat and ecosystems of both states. Russia and Iran are uneasy strategic partners; there are risks inherent in sharing their best technical capabilities with a partner they do not fully trust, and the types of cyber activity identified in media reporting, based on the way the activity has been described, would do little to provide any meaningful edge or asymmetric advantage in either the Russia-Ukraine conflict or U.S.-Iran war. It is possible that Moscow and Tehran are engaging in or could engage in closer cyber cooperation now or in the future—across state agencies, private sector firms, universities, and more—but the currently cited evidence does not substantiate what some headlines have suggested. Different degrees of cooperation between Russia and Iran on cyber issues pose different challenges to the United States and allies, and would likely lead to different response options for policy and decisionmakers.

Understanding Russia and Iran’s Cyber Ecosystems

Russia’s cyber ecosystem is expansive. State intelligence agencies, state-created front companies, state-coerced cybercriminals, relatively state-independent cybercriminals, private sector contractors, patriotic hackers, and many other actors form a complex, thorny web. But this nuance is often lost in open-source and media reporting, making it easy to forget that a “Russian hacker” can in fact mean one of many different things. Each Russian cyber actor is different, has its own sets of incentives, and brings its own capabilities to bear that threaten Western security in different ways. These cyber actors are neither a monolith nor the same threat.

Moscow has established some clear rules for its cyber ecosystem, such as that cybercriminals or patriotic hacking collectives should not undermine the Kremlin’s objectives. But there is no one-size-fits-all model for how these groups interact with the state, and those interactions can vary widely. Some entities, such as cyber units of the Federal Security Service (FSB), are part of the government itself. Others, such as ransomware groups with ties to the FSB, are fused with the state but also subject to their own financial motives. And yet others benefit from state protection and corruption but may operate their own activities, such as patriotic hackers with genuinely nationalist views or cybercriminals who want to make money and do not support state hacking in the process.

Iran possesses an equally complex, though decentralized, cyber ecosystem. This comprises state actors across its military and civilian intelligence agencies, especially the Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence and Security (MOIS); cyber criminals; proxy actors or hacktivist groups of widely varying affiliations; and private sector companies that provide services or capabilities into the state. The Iranian hacktivist landscape itself is fluid and fast-moving, where different groups possess differing degrees of affiliation with the Iranian state and diverse ideological motivations. This includes state-sponsored hacktivists linked to advanced persistent threats, such as Handala Hack (thought to be a front for the MOIS) and CyberAv3ngers (thought to be directly linked to the IRGC); pro-Iran regional hacktivists; and domestic, anti-regime hacktivists that allegedly operate from exiled communities outside Iran and target Iranian state institutions. Iran’s state and non-state actors are supported by a robust private sector that provides technical capabilities and infrastructure into the state, offers a steady talent pipeline, can serve up contractors and front companies for cyber operations, and facilitates technology transfers and sanctions evasion. With the exception of the anti-regime hacktivists, these actors reflect Iran’s historical use of proxy actors as an asymmetric advantage to achieve its broader strategic objectives: They enable domestic social control, regime survival and power projection, and the destabilisation of Iran’s international adversaries.

Therefore, not specifying which specific actor or type of actor is supposedly involved in an activity undercuts a practical assessment of the threat it poses, what responsibility the state has, and which options are available to respond to or shape that type of cyber activity.

Historical to Current Collaboration

Russia and Iran’s strategic partnership is fundamentally driven by self-interest and shared Western adversaries. In strategic terms, both states are working to distract the international community from their own respective conflicts (against Ukraine, and the United States and Israel, respectively) while also depleting U.S. weapons stocks. Moreover, they are also partners in both sanctions evasion and the provision of proprietary military technology, where the war in Ukraine is regarded by some as a particular turning point in the relationship, owing to cooperation on drone technology, the provision of Russian satellite imagery to inform Iranian targeting of U.S. assets, and the formation of working groups and commissions to share military learning from current conflicts. These are just some points of engagement.

In cyberspace, Russia and Iran’s history of cooperation includes engagements such as:

  • The 2001 signing of a treaty establishing a framework for future interstate cooperation;
  • An agreement in 2021 formalizing cooperation on cyber and information security, which was largely defensive in nature and focused on thwarting threats to regime control;
  • Russian private sector companies’ provision of advanced digital surveillance and censorship software to the Iranian government in 2022–23, enhancing the Iranian state’s ability to surveil its citizens, dissidents, and adversaries; and
  • A Comprehensive Strategic Partnership Treaty agreed in 2025 that included strengthening state control of the internet.

Moreover, this cooperation is not confined to the state-to-state level. Russian universities have hosted delegations from Iranian state institutions, including its National Cybersecurity Authority. Russian companies have conducted business-to-business negotiations in information and communications technology with Iranian commerce delegations. And Iranian companies linked to the MOIS have attended Russian hacking competitions.

In the 2026 U.S.-Iran conflict, reporting suggested outright Russian and Iranian collaboration in cyberspace. These claims—stemming from an unverified Ukrainian intelligence assessment—include interactions between a variety of Russian groups, including Z-Pentest Alliance, NoName057(16), and DDoSia Project, and Iranian hacktivist group Handala Hack via Telegram, such as simultaneously publishing information about targeting Israeli energy facilities. There was also a suggestion that Iranian hacktivist actors used technical services by a hosting provider based in Chelyabinsk. Other reporting has also suggested the convergence of technical infrastructure, whereby Iranian cyber actors allegedly used Russian technical infrastructure to transmit their data.

Mitigating Factors to Consider

There is no one-size-fits-all approach to the nature of Russia-Iran cyber cooperation, and understanding which actors are engaging—and how—is vital to accurately understanding this partnership. Indeed, some researchers argue that the Russia-Iran cyber relationship is a partnership of strategic convenience, characterized by “mutual suspicion, ideological differences, and competition.” However, there are important mitigating factors that future research or reporting should bear in mind from an analytical standpoint when examining future cyber activity between the two states, though they by no means constitute a comprehensive list:

  • Hacktivist or criminal actors coordinating their activity do not necessarily equate to state-to-state collaboration. This is true even where a cyber actor has links back to a state agency. Both states operate with different degrees of state knowledge or approval, varied levels of closeness and duration, and even more varied degrees of operational or tactical alignment that need to be identified and understood.
  • Oversight matters within state institutions. Some scenarios could unfold with ostensibly very little knowledge by their respective governments, such as Russian cybercriminal groups targeting Iran’s perceived enemies of their own volition for financial reasons. Other scenarios would almost certainly require higher levels of state approval, such as close tactical cooperation between Russian and Iranian military cyber units, which open-source information does not currently corroborate.
  • There is likely a history of distrust between the two states in cyberspace. This stems from when Russian cyber actor Turla” commandeered Iranian cyber espionage infrastructure to launch its own cyber operations—posing as Iranian actors to avoid attribution, effectively a “false-flag” operation. With this in mind, it may be unlikely that Russia or Iran would be willing to share their most sophisticated cyber capabilities with a partner, as these could be repurposed and used against them.
  • Each state will have its own counterintelligence concerns and changing intelligence requirements. This includes suspicion of where the other may be conducting cyber espionage on its infrastructure or taking over technical infrastructure for its own purposes. Therefore use of technical infrastructure may not necessarily indicate joint capability development or deployment.

Conclusion

It is clear that there is some degree of cyber collaboration taking place between Russia and Iran. However, this does not necessarily amount to closely coordinated operations or joint capability development seen in other areas, such as drone technology or satellite imagery sharing. It is possible that some collaboration is ongoing, but the existing evidence cited to date does not substantiate a broader claim about Iranian-Russian cyber cooperation.

This has important policy implications. First, overstating the degree and types of Russia-Iran cyber engagement risks overinflating their partnership in cyberspace. In turn, this risks leading policymakers down the wrong path regarding the U.S.-Iran conflict; the low-level cyber activity reported by the media is highly unlikely to result in a high-impact cyberattack or game-changing event that will alter the trajectory of the conflict, especially relative to other technologies such as drones that have demonstrated high impact in the war. Second, in a period of U.S. overstretch and finite resources, chasing ill-defined activity in cyberspace risks detracting from other priorities; instead, for example, intelligence, diplomatic, and economic levers could be brought to bear to restrict Russia-Iran supply chains for drone capability development. In the longer term, on the assumption that the Russia-Iran partnership is likely to deepen, this presents a significant opportunity for a targeted and focused response by the United States to drive a wedge between the two states (whether in cyberspace or beyond), using offensive cyber operations, influence operations, and diplomatic and military levers to shape the conditions for distrust between them.

Over-interpreting Russia and Iran’s activity does not lead to security-beneficial outcomes. Instead, U.S. and Western policymakers and practitioners are best served by clarifying the Russian and Iranian cyber entities in question; their degree of independence from the state; the level of the state at which they operate, if applicable; the specific activities undertaken; and the current and future impact on specific threats to the United States and the West. This is especially true as both states will continue to work together in current, and future, conflicts. As with all adversaries, it is vital to break down and understand their ecosystems with nuance based on verifiable evidence rather than mirror-imaging how we think they might operate.

Nikita Shah is a senior fellow with the Intelligence, National Security, and Technology Program at the Center for Strategic and International Studies in Washington, D.C. Justin Sherman is the founder and CEO of Global Cyber Strategies, a research and advisory firm based in Washington, D.C.

Senior Fellow, Intelligence, National Security, and Technology Program

Justin Sherman

Founder and CEO, Global Cyber Strategies