The U.S. Cybersecurity and Infrastructure Security Agency (CISA), together with the FBI, NSA, and Defense Cyber Crime Center, has issued a joint alert urging U.S. critical infrastructure operators to be on guard.
Despite the news of a Middle Eastern ceasefire and negotiations, Iranian-aligned cyberhackers and hacktivist groups remain active, and remain a threat.
The warning is straightforward: Iranian cyber threat actors are highly likely to attack American networks in the very near future. Their preferred tactics remain the same: disruption, defacement, data leaks. What is new is that their focus is shifting to infrastructure and supply chains, particularly those linked to Israeli research or defense organizations.
Sponsored or backed Iranian hacktivists continue to probe poorly defended systems across the U.S. They exploit low-hanging fruit: unpatched software, default passwords, and control systems exposed to the internet. Targets span several industries, from water treatment and energy to healthcare and manufacturing.
These actors typically rely on simple but effective tactics. Automated password guessing. Online cracking tools. Factory-default logins. In attacks against operational technology, they may use system engineering tools to tamper with operator devices or security systems.
The Damage is Growing
And the damage is growing. Over recent months, Iranian-linked hacktivists have escalated their use of website defacements and stolen data leaks. U.S. and Israeli targets are most at risk. Distributed denial-of-service (DDoS) attacks are also expected to rise.
The agencies reference precedent. Iranian Islamic Revolutionary Guard Corps (IRGC) cyber units hacked Israeli-made programmable logic controllers (PLCs) and human-machine interfaces (HMIs) between November 2023 and January 2024. Their effects were felt in the Middle East. Dozens of U.S. entities were affected, including water utilities, energy facilities, and healthcare networks.
These attackers didn’t need sophisticated tools. They found internet-connected control systems that didn’t use passwords, or used default ones. They accessed them through common ports and carried out attacks with relative ease. In one case, a U.S. IPTV provider was caught in the crossfire.
These hack-and-leak operations went beyond technical breaches. They were paired with social media campaigns and online harassment. The aim is to erode public trust and tarnish reputations.
The message from federal agencies is simple: strengthen your defenses now.
Recommended Actions
- Disconnect OT and ICS systems from the internet. Focus on remote access tools like RDP, SSH, VNC, and web interfaces.
- Adopt strict allowlists. If remote access is essential, deny all by default and permit only what’s required.
- Replace default and weak passwords. If multifactor authentication isn’t in place, make sure strong, unique credentials are.
- Use role-based access controls. Limit what service providers and users can do based on their role.
- Implement phishing-resistant MFA. Especially for access to critical systems or changes to high-value controllers.
- Patch internet-facing systems. Apply the latest manufacturer updates to block known vulnerabilities.
- Monitor access logs. Watch for unauthorized remote access or sudden changes to system configurations.
- Prepare for recovery. Keep current backups, rehearse restoration plans, and regularly test your incident response playbooks.
- Lock down control processes. Use safety systems, redundant sensors, and other protections to prevent unauthorized changes.
- Plan for data leaks. Know how stolen credentials or exfiltrated data might be used and mitigate accordingly.
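The recommendations above pair hardening (allowlists, no default credentials) with monitoring of access logs. The following added example, which is not part of the advisory or this article, shows how those two recommendations combine into a single check over remote-access log lines for the tactics described earlier: remote access from outside a permitted network, automated password guessing, and logins on factory-default account names. The log format, the permitted subnet and the account names are constructed assumptions.

```python
"""Added example (not from the advisory or the article): review remote-access
log lines for non-allowlisted sources, password guessing and default accounts."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumption: one syslog-like line per remote-access attempt; constructed sample data.
SAMPLE_LOG = """\
2024-01-10T08:00:01 proto=ssh src=203.0.113.7 user=admin result=fail
2024-01-10T08:00:02 proto=ssh src=203.0.113.7 user=admin result=fail
2024-01-10T08:00:03 proto=ssh src=203.0.113.7 user=admin result=fail
2024-01-10T08:00:04 proto=ssh src=203.0.113.7 user=admin result=fail
2024-01-10T08:00:05 proto=ssh src=203.0.113.7 user=admin result=fail
2024-01-10T08:00:09 proto=ssh src=203.0.113.7 user=admin result=success
2024-01-10T08:15:00 proto=rdp src=10.20.0.5 user=operator1 result=success
2024-01-10T08:20:00 proto=vnc src=198.51.100.9 user=root result=success
"""

# Assumption: only the engineering jump-host subnet may reach RDP/SSH/VNC (deny by default).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: vendor-default account names that should never be used for remote access.
DEFAULT_ACCOUNTS = {"admin", "root", "administrator", "operator"}
FAIL_THRESHOLD, WINDOW = 5, timedelta(minutes=1)

def parse(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def analyze(log_text):
    """Return (finding_type, src, user) tuples in the order they are detected."""
    findings, fails, flagged_sources = [], defaultdict(list), set()
    for line in log_text.splitlines():
        r = parse(line)
        src = ipaddress.ip_address(r["src"])
        # 1. Allowlist violation: reported once per source address.
        if not any(src in net for net in ALLOWED_SOURCES) and r["src"] not in flagged_sources:
            flagged_sources.add(r["src"])
            findings.append(("non_allowlisted_source", r["src"], r["user"]))
        # 2. Password guessing: FAIL_THRESHOLD failures from one source inside WINDOW.
        if r["result"] == "fail":
            fails[r["src"]] = [t for t in fails[r["src"]] if r["ts"] - t <= WINDOW] + [r["ts"]]
            if len(fails[r["src"]]) == FAIL_THRESHOLD:
                findings.append(("password_guessing", r["src"], r["user"]))
        # 3. Successful login on a factory-default account name.
        elif r["user"] in DEFAULT_ACCOUNTS:
            findings.append(("default_account_login", r["src"], r["user"]))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```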
The threat isn’t hypothetical. It’s active and evolving. U.S. infrastructure operators have been warned. Again.
Securing Remote Access
James Maude, Field CTO at BeyondTrust, says the CISA advisory makes the point that nation states and cyber criminals often actively collaborate, so it is important to consider the entire threat landscape and how it is evolving.
While looking at historic nation state attack techniques can be useful, it is important to recognize that identity is the new perimeter and that identity compromise is at the heart of almost every major breach, adds Maude. “While the CISA guidance suggests some mitigations, these should be considered a bare minimum and not a complete solution. For example, deploying a VPN is an improvement over exposing devices directly to the internet but might also allow access to the network via a compromised identity.”
Maude adds that securing remote access remains one of the top priorities for many entities, particularly in high-risk OT and ICS environments, which need to be kept well away from the public internet. “Organizations need to think about how to securely manage privileged access into their critical environments, ensuring that employees, vendors, and third parties have just the access and permissions needed to do their job without additional risk exposure. This can be combined with real time monitoring and controls to audit and terminate access in the event of identity compromise. Relying on VPNs or Remote Desktop alone is not enough and risks introducing additional attack vectors.”
Look Beyond Siloed Views
Beyond remote access, an important defence is to reduce standing privileges in the environment so that, in the event an identity is compromised, the ‘blast radius’ is limited, explains Maude. “This is especially important in the age of identity attacks and hybrid environments, where one compromised identity can open up paths to privileged access on dozens of systems on-prem and in the cloud that organizations weren’t aware of.”
He says organizations need to look beyond siloed views of obviously privileged identities in individual systems and take a holistic view of the combinations of privileges, entitlements and roles that could be exploited by an attacker to elevate privilege, move laterally and inflict damage. “The identity security debt accumulated by many organizations represents a far greater risk than any other area, as it only takes the attacker to log in using the right identity and all is lost because of the paths to privilege that abound in their environment.”
Battered, Not Defeated
Bryan Cunningham, President at Liberty Defense, says the Iranian regime may be battered, but they’re not defeated.
Cunningham says there are at least two scenarios in which they might lash out at the West, and the US in particular:
- To retaliate for US strikes on their nuclear infrastructure and try to show their allies (Russia and China) they are still able to fight. In this scenario, cruise missiles, suicide bombings, or other kinetic attacks are likely to be directed at military facilities and other US interests in the Middle East, and cyber-attacks against US infrastructure at home; OR
- If they feel their survival is threatened, they could activate “sleeper cells” in the US and/or try to inspire “lone wolf” actors here. We do not know how prevalent these cells or actors might be, or whether sleeper cells would sacrifice themselves for a possibly dying regime.
“In either case, the risk – cyber and physical – is higher today than at any recent time. Americans, at home and abroad, should be acutely aware of their surroundings and be especially vigilant at public gathering places, e.g., synagogues, churches, government events, and large entertainment or sports venues,” says Cunningham.
“If you see something, say something,” Cunningham advises. “And Cyber Shields Up: Significant businesses, especially critical infrastructure providers, should reinforce good cyber hygiene throughout the enterprise.” The essentials, he says, are:
- DO NOT click on links unless you KNOW where they came from; be especially careful of unsolicited communications of all kinds; activate Multi-Factor Authentication (MFA) anywhere possible. This is good advice for individuals too.
- For the enterprise, lock down known vulnerabilities, update all security patches and software; and pay close attention to government warnings.
No More Isolated Conflicts
We live in a time where cyberattacks are no longer isolated to the countries directly involved in geopolitical conflict, adds Randolph Barr, Chief Information Security Officer at Cequence Security. “In the case of Iran, it’s not just about their known cyber capabilities, it’s about the broader network of proxy actors and aligned nations who may view recent U.S. actions as justification for retaliation. This dramatically increases the likelihood that the U.S. and its allies will become targets of cyberwarfare, especially from adversaries seeking to exploit regional instability.”
Barr says Iran has historically demonstrated a strong capability in cyber operations, often leveraging credential theft, social engineering, and access via federated identity systems. What makes their tactics especially dangerous is their tendency to abuse federated and third-party access, essentially exploiting trusted relationships and integrations to move laterally and persist undetected.
In light of the recent warnings, Barr says companies should focus on the following priorities:
- Review federation controls and third-party integrations: Ensure identity federation (SSO, SAML, OAuth) is hardened and validate that third-party applications only have the minimal access required
- Implement MCP-style continuous session validation: Move beyond one-time authentication and continuously verify trust throughout a session
- Simulate geopolitical threat scenarios: Test your incident response and business continuity plans against scenarios involving nation-state tactics, particularly those aligned with Iran’s known behaviors
A Formidable Adversary
Shane McGee, General Counsel and Chief Privacy Officer at Deepwatch, says Iran is a formidable cyber adversary that has been successfully attacking governments and private interests all over the world for well over a decade. “Known to actively support and cooperate closely with groups such as Hezbollah and Hamas, each with separate offensive cyber capabilities, Iran’s ability to launch damaging attacks should not be underestimated. Other groups sympathetic to Iran, or even unaligned opportunists, could also take advantage of the current conflict to launch their own attacks.”
McGee adds that with the recent outbreak of hostilities, Iran is likely to be less concerned about the consequences of its actions in the cyber realm, increasing the danger of large-scale attacks. “The prospect of Iran combining cyber-action with physical attacks makes the situation even more unpredictable. We encourage our customers to enhance their cybersecurity posture and, if in a vulnerable geography or associated with a targeted group, to also consider taking physical precautions.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.