In June 2025, I first published a blog about the increasing threat posed by Iranian-backed cyber actors. In it, I highlighted why organizations should expect increased cyber attacks from pro-Iranian hacktivists and Iranian government-affiliated actors, what operational capabilities Iranian-backed actors possess, and what attack scenarios within the SafeBreach Exposure Validation Platform were available to help organizations proactively assess and enhance their cyber defense capabilities against these threats.
Since then, there has been a massive escalation in Iranian cyber attacks driven—at least in part—by the ongoing offensive by the US and Israel against Iran that began on February 28, 2026. There has been a measurable surge in distributed denial of service (DDoS) campaigns, data wipers, hack-and-leak operations, and renewed ransomware collaboration between Iranian state actors and criminal affiliate networks. Security researchers have observed Iranian-aligned groups scanning for vulnerable targets across Gulf energy infrastructure, including confirmed claims of targeted operations against Qatari LNG facilities (Ras Laffan and Mesaieed). Cotton Sandstorm—an Iran-backed threat actor—has been seen resuming operations. And, most notably, Handala threat actors—linked to Iran’s Ministry of Intelligence and Security (MOIS)—claimed responsibility for a devastating attack against medical technology giant Stryker on March 11. CISA has also continued to issue Iran-specific advisories at an elevated pace—AA25-239A (August 2025), AA25-266A (September 2025), AA25-343A (December 2025)—reflecting sustained intelligence community concern and an elevated risk for defense industrial base organizations, financial sector firms, and critical infrastructure operators.
Below, I’ll share details about what has changed since our first publication on the topic in June 2025, including the new Iranian attack patterns and targeting that has emerged. I’ll also highlight newly added attack scenarios within the SafeBreach exposure validation platform—specifically the Known Threat Series and Threat Group attack scenarios—that are available to help organizations proactively assess and enhance their cyber defense capabilities against these threats in order to build resilience.
PREFER TO LISTEN?
Check out our recently released podcast series, available on Spotify, Apple Podcasts, and YouTube, where host Tova Dvorin and SafeBreach expert Adrian Culley take a deep dive into Iranian cyber operations, including how their tactics have evolved over time, what their cyber command structure looks like, and why it all matters right now:
- Episode 1: Iran’s Cyber Awakening: From Stuxnet to Shamoon and Beyond
- Episode 2: Iran’s Cyber Shadow War: IRCG, MOIS, and the Battle for Control
- Episode 3: Blueprint Thieves: Inside Iran’s Industrial Espionage Machine
- Episode 4: APT42 & Iran’s AI Social Engineering: Deepfakes, Phishing & Hack-and-Leak
- Episode 5: Iran’s 12 Days of Cyber War: How Missiles Triggered a Global OT Hacking Campaign
- Episode 6: Iran’s AI-Powered Cyber Warfare: The Next Phase of the Global Cyber Threat
What Has Changed Since June 2025
Expanded Attack Patterns and Targeting
Since June 2025, the Iranian threat landscape has seen the following operational shifts:
- Dramatic DDoS escalation: Cybersecurity firm Radware recorded a 700% spike in cyberattacks against Israel during the 2025 conflict. Multiple pro-Iran threat groups claimed compromises of industrial control systems in Israel, Poland, Turkey, Jordan, and several Gulf states. DDoS remains the most frequently reported attack method, followed by destructive operations.
- Destructive wiper and fake-ransomware operations: Iranian-affiliated groups continued deploying disk-wiping malware—including the No Justice wiper (ClearSky, January 2024) and newly observed samples—often disguised as ransomware to create financial pressure while accomplishing destructive goals.
- Hack-and-leak campaigns: Iranian-affiliated actors conducted several hack-and-leak operations following the onset of the Israel-Hamas and later Israel-Iran conflict, combining data theft with information operations amplified via social media and direct messaging to maximize reputational and financial damage to victims.
- OT/ICS targeting: IRGC-affiliated actors expanded targeting of operational technology (OT) environments, particularly programmable logic controllers (PLCs) and human-machine interfaces (HMIs). CyberAv3ngers, initially presenting as a hacktivist group, is now attributed to the IRGC and has been observed actively scanning for vulnerable internet-connected cameras and industrial equipment for reconnaissance and battle-damage assessment.
- New hacktivist proxies: Fatimion Cyber Team, Cyber Fattah, and Cyber Islamic Resistance emerged as active hacktivist organizations conducting coordinated DDoS campaigns, website defacements, and data theft in synchronization with military activity. Cotton Sandstorm (Altoufan Team) resumed operations in Bahrain after a year of silence, consistent with geopolitically triggered reactivation patterns.
- Ransomware collaboration expansion: State-sponsored Iranian actors were observed offering financial incentives to ransomware operators targeting U.S. and Israeli organizations, broadening the collaborative model first documented with Pioneer Kitten’s partnerships with NoEscape, Ransomhouse, and ALPHV (BlackCat).
- Cloud infrastructure abuse: Pioneer Kitten and affiliated actors were observed leveraging compromised cloud computing resources to conduct follow-on operations against additional organizations, including U.S. academic and defense sector entities.
Newly Elevated Target Sectors
CISA and other intelligence organizations have identified the following as priority targets for Iranian-affiliated cyber actors in the current threat environment:
- Defense Industrial Base (DIB) — particularly companies with holdings or relationships with Israeli research and defense firms
- Water and wastewater systems — expanded from prior industrial control systems (ICS) and programmable logic controller (PLC) campaigns
- Energy infrastructure — including liquefied natural gas (LNG) and utility operations in the broader Gulf region
- Healthcare and public health — continuing the brute-force credential access campaigns documented in AA24-290A
- Telecommunications — consistent with long-standing MuddyWater and APT39 targeting patterns
- Financial sector — including crypto exchanges, with a $90 million breach attributed to Iranian-linked actors in June 2025
New & Updated SafeBreach Attack Scenarios
Known Threat Series: New Additions
The SafeBreach Known Threat Series and Threat Group scenarios are integral to assessing and enhancing an organization’s cyber defense. The Known Threat Series employs real-world threat intelligence to simulate attacks based on documented advisories, allowing organizations to validate their security posture against well-known cyber threats.
Since the June 2025 publication of our original blog on this topic, SafeBreach has added new attack scenarios into its platform that are directly relevant to the Iranian threat ecosystem. The following scenarios complement the 28 pre-built scenarios documented in the original post and reflect the latest intelligence on Iranian-linked tactics, techniques, and procedures (TTPs).
CISA Joint Advisory — Iranian Cyber Actors May Target Vulnerable US Networks (June 30, 2025)
- Attack Objectives: Validate defenses against opportunistic targeting of poorly secured networks, OT devices, and credential access via default or weak passwords.
- Threat Context: CISA, FBI, NSA, and DC3 joint advisory following the June 2025 Israel-Iran conflict, emphasizing DDoS, destructive malware, and ransomware collaboration as primary risk vectors.
- Sectors Targeted: Defense Industrial Base, Water/Wastewater, Energy, Healthcare, Telecommunications.
- Primary TTPs: Default credential exploitation, operational technology (OT) system engineering tool abuse, DDoS, web defacement, data exfiltration and public leaks.
CISA AA23-335A — IRGC-Affiliated Actors Exploit PLCs in Critical Infrastructure
- Attack Objectives: Compromise industrial PLC and HMI devices in water, energy, and critical infrastructure environments for cyber-physical impact.
- Threat Group: CyberAv3ngers (IRGC-affiliated)
- Updated TTPs (Dec 2024): Expanded beyond Unitronics devices to broader PLC targeting; active scanning for vulnerable internet-connected cameras; living-off-the-land (LOTL) post-exploitation; deeper device-level access enabling process disruption.
- Geographic Scope: United States, Israel, United Kingdom, and broader international critical infrastructure.
- Key Vulnerabilities: Default manufacturer passwords on internet-connected OT devices; exposed HMI interfaces; vulnerable PLCs in water, wastewater, and energy sectors.
No Justice Wiper — Destructive Malware Validation (IL-CERT / ClearSky)
- Attack Objectives: Verify whether destructive wiper malware associated with Iranian influence operations can be transferred to endpoints, written to disk, and executed without detection.
- Malware: No Justice (e2531f) — deployed in Iranian-backed operations against Israeli targets.
- SafeBreach Scenarios: Malware Transfer (HTTP/S), Malware Drop (write to disk), Pre-execution Phase, Internal Spearphishing (email attachment delivery).
- Primary TTPs: Disk wiping for destructive impact, web shell deployment, internal spearphishing for lateral movement.
- MITRE Coverage: T1566 Phishing, T1566.001 Spearphishing Attachment, T1534 Internal Spearphishing.
Threat Groups: Expanded Coverage
Threat groups are collections of cyber actors or adversaries that are identified and tracked based on observed behavior, techniques, or attributions. These groups often share common TTPs that allow cybersecurity professionals to catalog and respond to their activities effectively. They can be state-sponsored or motivated by financial or political interests.
Attack scenarios within the SafeBreach platform associated with Threat Groups are typically designed based on the known activities of these groups, leveraging their specific TTPs to simulate attacks. For example, the SafeBreach platform includes scenarios and testing simulations that are based on documented advisories and reports from the MITRE ATT&CK framework to provide testing simulations that mirror the behavior of specific threat groups. These scenarios help organizations evaluate their security posture against the tactics employed by these groups.
In addition to the 17 threat group scenarios documented in June 2025, the following actors have emerged with elevated activity and expanded SafeBreach platform coverage:
CyberAv3ngers (IRGC-affiliated)
- Attribution: Iranian Revolutionary Guard Corps (IRGC); initially presented as hacktivist, now confirmed state-affiliated.
- Primary Targets: Industrial control systems, water/wastewater infrastructure, internet-connected cameras, critical infrastructure globally.
- Key TTPs: Exploitation of internet-facing OT devices, default credential abuse, camera network compromise for intelligence collection, active post-conflict scanning for battle-damage assessment.
- Notable Activity: Active scanning of Israeli camera infrastructure during and after the June 2025 conflict; confirmed compromise of Unitronics PLCs in U.S. wastewater facilities.
Cotton Sandstorm (Altoufan Team)
- Attribution: Iranian state-sponsored group (Emennet Pasargad-affiliated)
- Primary Targets: Gulf region entities, Bahraini organizations, broader Middle East critical infrastructure.
- Key TTPs: Wiper and fake-ransomware operations, web server exploitation, ASPX web shell deployment, LOTL, reconnaissance tunneling.
- Notable Activity: Reactivated in late February/March 2026 after a year of silence, claiming new targets in Bahrain; pattern consistent with geopolitically triggered campaign activation.
Iranian Hacktivist Proxy Ecosystem (Fatimion Cyber Team, Cyber Fattah, Cyber Islamic Resistance)
- Attribution: Iranian state-orchestrated hacktivist proxies—coordinated rather than organic.
- Primary Targets: Israeli and Western organizations across multiple sectors; targets aligned with active conflict developments.
- Key TTPs: DDoS campaigns, website defacements, data theft and public leaks, ICS claims, synchronized attack timing with kinetic military events.
- Scale: As of June 22, 2025, 120 hacktivist groups were reportedly active; analysis of Telegram channels confirmed orchestrated coordination across 178+ groups.
Conclusion
Iranian cyber operations represent a mature, multi-faceted threat that combines traditional espionage, criminal monetization, and destructive capabilities. The documented evolution from purely intelligence-focused operations to hybrid criminal-state partnerships indicates a strategic shift that requires updated defensive approaches and enhanced public-private cooperation. Organizations in targeted sectors should prioritize immediate defensive measures while preparing for potential escalation in both sophistication and destructive impact.
Interested to explore how the SafeBreach Exposure Validation Platform empowers critical infrastructure and enterprise teams to test like real attackers—and prove they’re ready for Iranian-backed threats and more? See the platform solution brief, then schedule a personalized demo to see the platform in action.