Iranian Cyber Threats – CISA Alerts U.S. on Potential Attacks Targeting Critical Infrastructure

The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI, Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA), has issued a high-priority alert warning U.S. organizations about a significant uptick in cyber threats from Iranian-affiliated actors.

Despite a declared ceasefire and ongoing diplomatic negotiations in the Middle East, U.S. authorities caution that Iranian cyber groups and hacktivists remain highly active and are likely to target critical U.S. infrastructure in the near term.

Technical Threat Landscape: Tactics and Targets

According to the joint advisory released on June 30, 2025, Iranian-affiliated cyber actors and hacktivist groups are exploiting vulnerabilities in U.S. networks and internet-connected devices.

The threat is particularly acute for Defense Industrial Base (DIB) companies and organizations with ties to Israeli research and defense sectors.

Key Attack Techniques:

• Exploiting Unpatched Software: Attackers frequently target systems running outdated software with known Common Vulnerabilities and Exposures (CVEs), as cataloged by CISA.
• Credential-Based Attacks: Automated password guessing, hash cracking, and use of default or manufacturer-set passwords are common points of entry.
• Operational Technology (OT) Intrusions: Iranian actors use system engineering and diagnostic tools to compromise engineering and operator devices, performance and security systems, and third-party maintenance interfaces.
• Hack-and-Leak, DDoS, and Ransomware: Recent campaigns have included website defacements, data leaks, and distributed denial-of-service (DDoS) attacks. There is also evidence of collaboration with ransomware affiliates to encrypt and steal sensitive data.

Recent operations have targeted U.S. water and wastewater facilities, energy providers, food and beverage manufacturers, and healthcare organizations.

These attacks often leverage internet-exposed industrial control systems (ICS) with weak or default credentials, as well as default Transmission Control Protocol (TCP) ports.

Recent Campaigns and Impact

Between November 2023 and January 2024, during the Israel-Hamas conflict, Iranian Islamic Revolutionary Guard Corps (IRGC)-affiliated actors compromised Israeli-made programmable logic controllers (PLCs) and human-machine interfaces (HMIs).

This global campaign included dozens of U.S. victims across multiple sectors. Hack-and-leak operations combined hacking, data theft, and information operations (such as online amplification and direct harassment), resulting in financial losses and reputational damage.

The primary objective of these campaigns has been to undermine public confidence in the security of victim networks and data, embarrass targeted companies and countries, and protest geopolitical events.

While Israeli companies have been the primary targets, U.S. entities, including an IPTV company, have also been affected.

Mitigation Strategies and Federal Resources

CISA and its partners strongly urge critical infrastructure asset owners and operators to implement robust cyber defenses, including:

• Disconnecting OT/ICS Assets: Remove public internet access, especially for remote access technologies like VNC, RDP, SSH, and web management interfaces.
• Enforcing Strong Passwords and MFA: Replace weak or default passwords and implement phishing-resistant multi-factor authentication (MFA) for all remote access.
• Applying Security Patches: Ensure all internet-facing systems are updated with the latest manufacturer patches.
• Monitoring and Access Controls: Regularly review user access logs, employ Role-Based Access Controls (RBAC), and use conditional access policies for cloud or managed services.
• Incident Response Preparedness: Maintain and rehearse business continuity and incident response plans, including system and data backups.
• Data Leak Awareness: Prepare for potential malicious use of exfiltrated data, such as leaked credentials.

Federal agencies recommend reporting suspicious activity to CISA’s 24/7 Operations Center, the FBI, or the NSA.