
The Evolving Iranian Cyber Threat

Government agencies and an expert paint a picture of the risks following the U.S. missile attack on Iran.


In a joint bulletin Monday, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), FBI and U.S. Department of Defense Cyber Crime Center warned that Iranian cyber actors may be targeting vulnerable U.S. networks and other entities of interest following the June 21 U.S. bombing and missile attacks on three of Iran’s nuclear sites.

“Despite a declared ceasefire and ongoing negotiations toward a permanent solution, Iranian Islamic Revolutionary Guard Corps-affiliated cyber actors—including hacktivists and Iranian government-affiliated actors—may target U.S. devices and networks for near-term cyber operations,” the joint statement said. “These actors have historically targeted poorly secured U.S. networks and internet-connected devices for disruptive cyber attacks, often exploiting targets of opportunity, outdated software and the use of default or common passwords on internet-connected accounts and devices.”

The U.S. agencies urged organizations, especially those within U.S. critical infrastructure, to remain vigilant for the outlined potential targeted malicious cyber activity.

“Iranian state-sponsored or affiliated threat actors are likely to significantly increase their distributed denial-of-service (DDoS) campaigns and potentially also conduct ransomware attacks,” the U.S. agencies stated.

Iranian cyber groups have long posed significant cyber risks to the United States, with state-aligned activity beginning in 2007.

Flashpoint, the New York-based data and intelligence company that specializes in cybersecurity, threat intelligence and risk management, saw a significant jump in the regime’s investment in cyber capabilities in the 2010-2012 timeframe, when Iran began to carry out its first offensive cyber campaigns, including “Operation Ababil” and the use of the “Shamoon” wiper malware, explained Austin Warnick, Flashpoint’s director of national security intelligence.

Flashpoint categorizes Iran’s mature cyber warfare capabilities as sophisticated and continually evolving. Iran’s offensive cyber program, especially its destructive malware campaigns, is aimed at inflicting damage, operational disruption and data loss on U.S. organizations, Warnick noted.


“Flashpoint has [previously] observed notable Iranian attack types, including direct attacks on critical infrastructure such as power grids, water and transportation, often using DDoS attacks against aerospace, oil, gas and telecom sectors,” he shared. “Iranian government-affiliated actors routinely target poorly secured U.S. networks and internet-connected devices for disruptive attacks.”

Iran exploits known vulnerabilities to deploy harmful web shells, which give its operators initial access and a foothold for further reconnaissance, Warnick stated. The persistent nature of the country’s attacks calls for diligent patching, regular security audits and strong intrusion detection so that unauthorized web shells are found and removed.

“Many groups, including Homeland Justice and Moses Staff, engage in data exfiltration and then leak sensitive data on their online platforms (websites, Telegram channels, Twitter) to promote their attacks and propaganda,” he said. “[This] highlights the need for data loss prevention and outbound traffic monitoring.”

In addition, groups have specialized in cyber-physical attacks on industrial control systems and operational technology—such as reported attacks by CyberAv3ngers—requiring network segmentation and operational technology monitoring for critical infrastructure.

“They also conduct large-scale disruptive attacks on government and critical infrastructure (e.g., Homeland Justice), requiring robust incident response and redundant systems,” Warnick noted. “DDoS attacks are a frequent tactic (used by Cyber Islamic Resistance), emphasizing the need for mitigation services. Groups like Black Shadow/Tapandegan target financial institutions with disruptive attacks and data leaks. Finally, these groups engage in information warfare via social media, and their interest in supply chain disruption suggests a need for enhanced vendor risk management.”

In Monday’s joint bulletin, the federal agencies outlined commonly used techniques and examples of Iranian cyber campaigns and advised companies to understand the destructive approaches.

“Organizations should review this information to become familiar with the tactics utilized by these malicious cyber actors,” the agencies advised. “Critical infrastructure asset owners and operators should review this guidance to assess their cybersecurity weaknesses and update incident response plans.”


The U.S. agencies provided detailed mitigation steps for these at-risk organizations to implement to harden their networks and assets against the malicious actors. Entities can consult CISA’s Known Exploited Vulnerabilities Catalog for more information.

“These malicious cyber actors commonly use techniques such as automated password guessing, cracking password hashes using online resources and inputting default manufacturer passwords,” the U.S. agencies stated. “When specifically targeting operational technology, these malicious cyber actors also use system engineering and diagnostic tools to target entities such as engineering and operator devices, performance and security systems, and vendor and third-party maintenance and monitoring systems.”
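As an added illustration of how the password-guessing and default-credential techniques named in the bulletin surface in authentication logs (example code written for this page, not from the agencies or Flashpoint; the sshd-style log lines and the default-account list are constructed assumptions), the script below flags sources that fail repeatedly and any login for a default account that comes from such a source:

```python
# Added example (not from the bulletin or article): flag automated password
# guessing and default-account logins in sshd-style authentication logs.
import re
from collections import defaultdict

# Constructed sample log lines, not real events.
SAMPLE_LOG = """\
Jun 23 10:00:01 gw sshd[101]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jun 23 10:00:02 gw sshd[102]: Failed password for admin from 203.0.113.7 port 51001 ssh2
Jun 23 10:00:03 gw sshd[103]: Failed password for invalid user operator from 203.0.113.7 port 51002 ssh2
Jun 23 10:00:04 gw sshd[104]: Failed password for admin from 203.0.113.7 port 51003 ssh2
Jun 23 10:00:05 gw sshd[105]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jun 23 10:00:06 gw sshd[106]: Accepted password for admin from 203.0.113.7 port 51005 ssh2
Jun 23 10:05:00 gw sshd[107]: Accepted password for alice from 198.51.100.4 port 40000 ssh2
Jun 23 10:06:00 gw sshd[108]: Failed password for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

# Account names commonly shipped as defaults on network/OT gear (assumed list; tune to your fleet).
DEFAULT_ACCOUNTS = {"admin", "root", "operator", "user", "guest", "service"}


def analyze(log_text, fail_threshold=5):
    """Return (guessing_sources, default_account_hits).

    guessing_sources: {src: (failure_count, sorted usernames tried)} for sources
    at or above fail_threshold. default_account_hits: [(src, user)] successes for
    a default account from a source that was already guessing, the likely
    default/common-password case the bulletin describes.
    """
    failures, users_tried, successes = defaultdict(int), defaultdict(set), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            failures[src] += 1
            users_tried[src].add(user)
        else:
            successes.append((src, user))
    guessing = {src: (n, sorted(users_tried[src]))
                for src, n in failures.items() if n >= fail_threshold}
    hits = [(src, u) for src, u in successes if u in DEFAULT_ACCOUNTS and src in guessing]
    return guessing, hits
```

A single failed login from a legitimate user, as in the last sample line, stays below the threshold and is not reported.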

The federal agencies warned that Defense Industrial Base companies, particularly those that have holdings or relationships with Israeli research and defense firms, are at increased risk.

In addition, Warnick noted that Iranian adversarial cyber activity is often paired with robust information warfare and propaganda, which needs to be understood by cyber defenders.

“These groups consistently use social media and dedicated websites to spread propaganda, claim responsibility for attacks and shape narratives,” Warnick stated. “While not a direct technical mitigation, understanding these propaganda efforts can help in anticipating and responding to cyber attacks.”

He also stressed the U.S. financial sector may be a target. “The massive cyber attacks that impacted Iran's financial sector could motivate the regime to focus more on financial sector targets in the future if geopolitical tensions escalate with either Israel and/or the United States,” Warnick stated.

Meanwhile, the FBI, CISA, NSA and other agencies will “continue to monitor the situation and will release pertinent cyber threat and cyber defense information as it becomes available,” the joint bulletin stated.
