National Cyber Warfare Foundation (NCWF)

AI Enhanced Iran s Asymmetric Playbook During the 2026 Conflict


0 user ratings
2026-07-16 12:56:01
milo
Blue Team (CND)
Explore how Iran utilized AI to enhance its asymmetric playbook during the 2026 conflict. Learn how AI acts as a force multiplier for Iranian cyber operations, influence campaigns, and domestic surveillance.

Executive Summary


Between January and June 2026, Tehran survived unprecedented military, economic, and political pressure by relying on its longstanding hybrid warfare model: blending asymmetric military operations, cyber operations, information warfare, proxy attacks, and coercive state control. Artificial intelligence (AI) enhanced these capabilities, acting as a force multiplier and almost certainly increasing the speed, scale, and effectiveness of Iranian operations. Ultimately, Iran demonstrated that its strategic resilience does not depend on possessing the most advanced AI capabilities; rather, the source of Iranian power remains the asymmetric playbook itself.


During these crises, Iran compensated for conventional military and economic disadvantages through scalable, low-cost, and deniable asymmetric capabilities. Iran’s use of AI almost certainly improved its cyber capabilities, accelerated the production of propaganda and influence narratives, and expanded the reach of information campaigns. AI’s impact on Iranian military operations is less clear, as Iran’s battlefield use of AI has not been independently confirmed. However, the support Russia provided to Iranian military operations increases the likelihood that AI-enabled tactics and capabilities, refined in Ukraine, contributed to Iranian drone attacks against Israel and Persian Gulf states. Domestically, AI-driven surveillance systems deployed during and after the 2022 “Woman, Life, Freedom� protests likely facilitated the Iranian regime’s violent suppression of unrest in January 2026.


As low-level conflict persists and the risk of a return to war with the United States (US) and Israel remains heightened, Iran’s expanding use of AI-enabled cyber operations will likely pose an elevated threat to Western and regional critical infrastructure and vital industries. Iran’s rapid production and dissemination of AI-generated propaganda expose corporate and state entities to highly targeted influence operations (IOs), risking erosion of customer and citizen trust. As Iran rebuilds its military arsenal, its acquisition of Russian-backed drone capabilities will pose an ongoing risk to critical infrastructure and maritime logistics in the region. Across all sectors, Iran’s hybrid warfare capabilities will likely continue to pose a risk to digital and physical assets, requiring organizations to build resilience against AI-enhanced asymmetric threats that are more scalable and harder to attribute.


Key Findings



  • In 2026, AI technologies very likely accelerated existing Iranian capabilities across cyber, influence, military, and domestic repression domains, rather than creating new ones.

  • AI’s clearest strategic impact for Iran has been in its information warfare, as AI content generation enables Iran to shape perceptions of the conflict by rapidly producing widely resonant propaganda and influence content.

  • Iran’s AI advances appear tied to foreign partnerships — Russian military AI and drone innovations, as well as Russian and Chinese surveillance technologies; Tehran will likely seek to incorporate these foreign AI innovations into its established playbook.

  • Organizations and governments should strengthen defenses against AI-enhanced Iranian tradecraft — including AI-assisted phishing, cyber intrusions targeting operational technology, and IO campaigns — while ensuring resilience against combined cyber and physical disruption efforts.

  • Post-conflict, Iran is likely to prioritize rebuilding the missile, drone, and maritime capabilities that underpin its asymmetric deterrence model while integrating AI, where possible, to improve efficiency and effectiveness.


Following a directive issued by former Supreme Leader Ali Khamenei in 2021, Iran pursued a centralized national AI strategy intended to expand domestic research and development, reduce technological dependence on foreign actors, and position the country as a regional technological power. However, Tehran’s AI ambitions have faced severe economic constraints and technological limitations as a result of sanctions and isolation.


Background


Between the 2021 directive and the 2026 conflicts, Tehran prioritized developing AI for use in cyber operations, influence campaigns, intelligence and military systems, and domestic repression. Iranian threat actors incorporated generative AI and large language models (LLMs) into spearphishing, social engineering, and online IOs, while Iranian officials publicly emphasized AI-enabled drone, missile, and intelligence capabilities. More broadly, Iran appears to view AI not only as an economic and technological imperative, but also as a tool for preserving regime security and offsetting the strategic constraints imposed by its international isolation.


AI Enhancing Iran’s Asymmetric Capabilities


Insikt Group analyzed cybersecurity and AI threat reports, social media, Iranian state-run messaging and government/military statements, and activist investigations to illuminate Iran’s AI use, or lack thereof, during 2026. While Iran’s unprecedented internet blackouts create significant gaps in open-source understanding of Iran’s AI capabilities during domestic crises and wartime, one theme is clear: AI has almost certainly enhanced Iran’s asymmetric tactics and hybrid warfare doctrine, but has not fundamentally altered the strategic logic underpinning Iran’s approach to the conflict.


Cyber Operations


Iran’s use of AI to support the cyber dimension of its conflict with the US and Israel predates the January 2026 protest crackdown and the February 28, 2026, coordinated US-Israeli airstrikes, known as Operation Epic Fury / Roaring Lion. The 2026 crises likely prompted Iranian state-sponsored and state-aligned threat actors to leverage generative AI to gain productivity and tradecraft improvements across reconnaissance, code/malware development, social engineering, and translation. However, AI has not fundamentally shifted Iranian cyber capability. Iran's 2026 campaign has remained anchored in the same baseline TTPs — including spearphishing, wiper malware, credential theft, abuse of legitimate enterprise tooling, and hack-and-leak operations — that pre-date the AI era. The pattern is consistent with what Google, OpenAI, and other AI developers have documented since 2024: AI accelerates and scales what Iranian actors were already doing, rather than enabling new capabilities.


Reconnaissance and Operational Research


In October 2024, OpenAI reported that Iran-linked hacktivist persona “CyberAv3ngers� used ChatGPT to conduct reconnaissance on programmable logic controllers (PLCs), a use case that has continued to bolster Iranian capabilities against industrial control systems (ICS) during 2026. According to CloudSEK, AI is accelerating the research phase in ICS attacks: “An actor can move from intent to a list of accessible US ICS devices with known default credentials in under five minutes.� CloudSEK researchers recreated CyberAv3ngers's research on vulnerable US-based ICS systems in an unspecified AI LLM agent and identified an additional exposed ICS portal, highlighting a critical infrastructure “playbook that other groups can now replicate much more easily with the help of AI.� Using this research playbook, Iranian threat actors can not only identify vulnerable ICS systems but also understand the unique properties of the specific technologies they are targeting.


In May 2026, an attack attributed to “Cyber Isnaad Front� targeted an Israeli industrial refrigeration system, sabotaging the system by programming it to fail. While there is no direct evidence of AI use in this incident, the attack required expertise in both Windows internal coding and refrigerant physics to ensure maximum damage, suggesting in-depth research into the target system. The targeting selection demonstrates that Islamic Revolutionary Guard Corps (IRGC)-backed cyber personas are concentrated on identifying vulnerabilities in adversaries’ supply chains, logistics, industrial operations, and food production. By facilitating research, AI lowers the level of expertise required to target ICS systems across multiple critical industries.


Code Writing and Malware Development


Iranian-linked threat actor groups also use AI to accelerate their malware development capabilities. In February 2026, Google’s GTIG AI Threat Tracker reported that GreenBravo (also known as APT42, Charming Kitten, Mint Sandstorm) has been using Gemini “as an engineering platform to accelerate the development of specialized malicious tools,� including for debugging, code generation, and researching exploitation techniques. Another example is Operation Olalampo, first observed on January 26, 2026, and attributed to GreenGolf (also known as MuddyWater, Mango Sandstorm) in a Group-IB report. The campaign delivered four novel malware families (CHAR, GhostFetch, GhostBackDoor, HTTP_VIP) against MENA targets via spearphishing. Group-IB’s analysis of the Rust-based CHAR backdoor identified debug strings containing emojis — “a trait rarely seen in human-authored code� — across four separate instances. Group-IB assessed that the emojis indicate the operator used an AI model to generate code segments and failed to sanitize debug strings before compilation. Group-IB explicitly tied this to Google's earlier reporting that MuddyWater was already experimenting with Gemini for file transfer and remote execution code.





screenshot of lines of code



Figure 1: Emojis used in CHAR malware suggest AI use (Source: Group-IB)




Source: RecordedFuture
Source Link: https://www.recordedfuture.com/research/iran-ai-asymmetric-playbook


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Blue Team (CND)



Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.