Cyberattacks linked to Iranian threat groups are on the rise, according to a new threat intelligence report from security provider Blumira. The report highlights how escalating geopolitical tensions between the US and Iran are driving a surge in Iranian state-linked cyber activity, particularly targeting critical sectors like healthcare, energy, and government.
Blumira, which monitors threats across over 18,000 customer environments, recorded 824 security incidents over the past 21 months that can be traced to Iranian networks and align with known tactics. These incidents included 283 brute-force attacks against RDP services, 27 SSH intrusions, and 414 web application scans – all originating from 67 unique Iranian IP addresses.
Activity Spikes Coincide with Political Flashpoints
Blumira’s researchers found clear links between cyber activity and major political events. The most dramatic spike came on March 18-19, 2025, with over 25,000 connections recorded in a single day. This surge coincided with a high-profile hacktivist campaign dubbed “DieNet,” which successfully breached 61 US organizations.
Other surges followed US sanctions against Iran’s Islamic Revolutionary Guard Corps (IRGC) officials in February, and after shifts in foreign policy in January.
Evolving Capabilities and Use of AI
The report also shows how Iranian threat actors are growing more sophisticated, with several advanced persistent threat (APT) groups using advanced tactics:
- APT 33 (Elfin Team/Peach Sandstorm): Once focused on espionage, this threat group now targets satellite communications and even US election infrastructure.
- APT 35 (Charming Kitten/Phosphorus): Long known for social engineering, Blumira has observed this threat group using AI-enhanced phishing tactics.
- MuddyWater (Static Kitten): This threat group recently adopted the DarkBeatC2 command-and-control framework to improve its reach.
Blumira warns that these groups are no longer relying solely on old techniques. Instead, they're incorporating AI and advanced tactics into reconnaissance and intrusion operations – a trend observed across many state-backed cyber programs.
Critical Sectors in the Crosshairs
Unsurprisingly, Iranian actors are primarily targeting critical infrastructure. Blumira identifies the six industries most at risk:
- Healthcare
- Energy and Utilities
- Government and Defense
- Information Technology
- Financial Services
- Education
Advanced Threats Demand a Proactive Response
As nation state-backed threats grow increasingly advanced, Blumira urges organizations to adopt a more proactive approach to cybersecurity. This means building capabilities that help detect, respond, and recover from attacks quickly. The company advocates for operational resilience, strengthening the ability to maintain core business functions in the face of incidents, a better long-term goal than chasing perfect prevention.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.