Iranian cyber operations have gone from being disruptive single events to ongoing campaigns against governments, infrastructure providers, technology companies, and research organizations. Their ability to operate inside the same tools and infrastructure that defenders rely on makes these intrusions difficult to detect.
The stakes extend well beyond espionage. In 2022, for example, Iranian-linked attackers damaged systems throughout the Albanian government and shut down multiple Albanian agencies; Albania severed diplomatic relations with Iran as a result. With the current Iran conflict, cybersecurity experts are monitoring for increased Iranian attacks against critical infrastructure and government networks.
The intrusion often begins with identity access
Many Iranian campaigns start by gaining access to a legitimate account rather than by delivering malware. For example, in the recent attack against Stryker, the Handala group appears to have gained access to the company’s Microsoft Intune device management console and used the remote-wipe feature to disrupt systems.
Groups tracked as APT35 have developed extensive social engineering operations to obtain credentials from carefully selected targets. Attackers create believable accounts on professional networking sites and contact researchers, journalists, policy experts, or private company employees to build a working relationship over several weeks. After establishing credibility, the target may receive a document link or a meeting invitation that leads to a credential-harvesting page designed to mimic the familiar login screen of a trusted service.
Some of these phishing frameworks capture multifactor authentication (MFA) codes in real time. That capability allows operators to take control of an account even when MFA is enabled. A compromised mailbox or cloud account exposes internal conversations, stored documents, and the credentials or system access needed to move deeper into the environment.
Persistence hides inside trusted services
Once attackers gain access, they move toward infrastructure that blends into normal network activity. Campaigns associated with APT34 (also known as OilRig) demonstrate that the attackers can establish a means to maintain their command-and-control channels on trusted systems already in use by the targeted organization.
Within these attacks, DNS tunneling is repeatedly used. Attackers encode instructions and stolen data inside DNS queries and records. This allows their traffic to move through the organization’s DNS infrastructure alongside thousands of legitimate lookups. Most companies generate far more DNS queries per minute than teams can review, and many lack the necessary query logging capabilities to identify the unusual patterns generated by this technique.
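The detection gap described above is a baselining problem: tunneled queries stand out only when a resolver's logs are aggregated per zone. The following is an added example, not code from the original article or from any vendor, that scores constructed DNS query log lines for the traits tunneling leaves behind (many unique, long, high-entropy subdomains under one zone, often TXT or NULL records). The log format, thresholds and the "registered domain equals the last two labels" assumption are all illustrative choices.

```python
import math
from collections import defaultdict

# Constructed sample log lines (client, query name, record type); not real traffic.
# The last four lines imitate tunneling: long hex-looking labels under one zone.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.7 cdn.example.net A
10.0.0.9 login.corp.local A
10.0.0.9 a9f3e1c7b2d4.6e8f0a1b2c3d.tunnel-placeholder.test TXT
10.0.0.9 4c1d2e9f0b7a.9d8c7b6a5f4e.tunnel-placeholder.test TXT
10.0.0.9 f0e1d2c3b4a5.1a2b3c4d5e6f.tunnel-placeholder.test TXT
10.0.0.9 7b8c9d0e1f2a.3c4d5e6f7a8b.tunnel-placeholder.test TXT
"""

def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded data sits near the alphabet's maximum."""
    if not s:
        return 0.0
    freq = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in freq.values())

def parse(line: str):
    client, qname, qtype = line.split()
    labels = qname.rstrip(".").lower().split(".")
    zone = ".".join(labels[-2:])   # assumption: registered domain = last two labels
    return client, zone, ".".join(labels[:-2]), qtype

def score_zones(log_text: str, min_queries=4, min_entropy=3.2, min_sub_len=20):
    """Return {zone: metrics} for zones whose subdomain traffic looks encoded."""
    per_zone = defaultdict(lambda: {"queries": 0, "subs": set(), "txt": 0, "len": 0})
    for line in log_text.strip().splitlines():
        _, zone, sub, qtype = parse(line)
        z = per_zone[zone]
        z["queries"] += 1
        z["subs"].add(sub)
        z["len"] += len(sub)
        z["txt"] += qtype in ("TXT", "NULL")   # record types that carry bulk data
    flagged = {}
    for zone, z in per_zone.items():
        avg_len = z["len"] / z["queries"]
        ent = shannon_entropy("".join(sorted(z["subs"])).replace(".", ""))
        # Every query unique, long and high-entropy: unlike cached, repeated lookups
        if (z["queries"] >= min_queries and len(z["subs"]) == z["queries"]
                and avg_len >= min_sub_len and ent >= min_entropy):
            flagged[zone] = {"queries": z["queries"], "avg_sub_len": round(avg_len, 1),
                             "entropy": round(ent, 2), "txt_ratio": z["txt"] / z["queries"]}
    return flagged
```

On real resolver logs the thresholds need tuning against a baseline, since CDNs and some security products also generate long, unique subdomains legitimately.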
Other intrusions route traffic through email servers or cloud storage platforms. Exfiltrated data and attacker commands move through systems that security teams have explicitly allowed, which is precisely why the technique works.
Administrative tools become attack infrastructure
After establishing access and persistence, Iranian groups minimize their reliance on custom malware and operate through tools in the target environment. MuddyWater has built this approach into the foundation of its operations.
The group relies on PowerShell to execute commands at all stages and uses native Windows utilities that impersonate legitimate system processes to perform its attacks. Because these utilities are native to Windows, there is likely to be no alert, as their execution blends with the rest of the network activity.
Remote monitoring and management platforms — the same tools IT teams use for legitimate administration — can provide attackers with persistent remote access that closely resembles routine helpdesk activity. Without a baseline for what normal looks like, there is nothing to detect.
Perimeter vulnerabilities open the door
In some campaigns, the intrusion never begins with phishing at all. Certain Iranian operators focus on the perimeter. Fox Kitten has built its operations around compromising internet-facing infrastructure — VPN appliances, remote access gateways, and other systems that sit at the edge of corporate networks.
Exploiting vulnerabilities in these platforms lets attackers reach internal networks directly, without having to phish a single user. Once inside, they establish persistence through web shells, credential theft, or tunneling tools, allowing them to return on their own terms.
That access supports operations run by entirely separate teams. A foothold Fox Kitten establishes may be handed to another group to conduct espionage or deploy destructive payloads. This division of labor mirrors the access brokerage model in organized cybercrime. Incident responders who attribute an intrusion solely to the group deploying the final payload may remediate the damage without ever closing the door that was originally opened.
Supply chain relationships extend the intrusion
Iranian actors have also moved through technology vendors to reach their actual targets. Groups tracked as Tortoiseshell or Imperial Kitten have targeted IT service firms and managed providers with established connections to defense contractors, telecommunications companies, and energy organizations.
Compromising a managed service provider gives attackers something more valuable than a single foothold. The provider’s legitimate remote access credentials and network tunnels serve as entry points into every client the vendor supports. Attackers move through trusted business relationships into environments that would resist direct attack, and a single compromise can become the entry point for intrusions across every organization that the vendor serves.
Why do these attacks succeed?
Iranian attackers succeed because they use the same infrastructure and environments that organizations use every day to conduct business. By using cloud-based services, administrative software, remote access tools, and trusted vendor relationships, they can conceal their attacks. Discovering these intruders is often less about finding new malware than about noticing when something previously seen is behaving unexpectedly.
Hüseyin Can Yüceel is the security research lead at Picus Security. He holds an MSc in Cybersecurity and is CISSP and OSCP certified, with over a decade of industry experience. Huseyin has presented his work at prestigious cybersecurity conferences and authored more than 200 blogs on emerging threats, as well as dozens of free courses on Purple Academy. He leads the development of Picus’ widely recognized annual Red Report and Blue Report, delivering in-depth analyses of global threat trends and adversary behaviors to help organizations strengthen their defenses.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


