Iranian Cyber Actors Pose Ongoing Threat To U.S. Critical Infrastructure

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Department of Defense Cyber Crime Center (DC3), and National Security Agency (NSA) have released a fact sheet: Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest.

The agencies urge U.S. organizations to remain alert for potential cyber threats from Iranian-affiliated actors. Despite a declared ceasefire and ongoing diplomatic negotiations, Iranian state-aligned cyber groups and hacktivists may continue malicious activities targeting U.S. critical infrastructure and other sectors.

Iranian cyber actors and aligned groups often pursue targets of opportunity: systems running unpatched or outdated software with known CVEs, and accounts or devices that still use default or common passwords.

The authoring agencies are closely monitoring developments and will share relevant cyber threat and defense updates as needed.

Threat Overview

Given the current geopolitical climate, Iranian cyber actors may launch short-term operations against U.S. systems, particularly those linked to Israeli defense and research. Entities in the Defense Industrial Base (DIB) and other critical infrastructure sectors are at heightened risk.

These actors often exploit:

  • Unpatched systems with known vulnerabilities (CVEs)

  • Default or weak passwords

  • Poorly secured internet-connected devices

Common tactics include automated password guessing, password hash cracking, and use of manufacturer default credentials. For operational technology (OT) targets, attackers may also use engineering and diagnostic tools to infiltrate operator workstations, vendor maintenance systems, and security devices.

Iranian-aligned hacktivists have recently intensified website defacements and data leaks, and are likely to escalate distributed denial-of-service (DDoS) attacks, particularly against U.S. and Israeli targets. They may also coordinate with ransomware groups to encrypt systems and leak stolen data online.

Recent Campaigns

Between November 2023 and January 2024, during the Israel-Hamas conflict, cyber actors affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) compromised Israeli-made programmable logic controllers (PLCs) and human-machine interfaces (HMIs). This campaign affected dozens of U.S. organizations across the water, energy, food manufacturing, and healthcare sectors. The attackers exploited publicly accessible industrial control systems (ICS) with default or no passwords and open TCP ports.

Additionally, Iranian-linked hackers conducted hack-and-leak operations in protest of the Gaza conflict. These operations combined data theft with online disinformation campaigns and harassment, leading to financial and reputational damage. While the main targets were Israeli organizations, one U.S. IPTV company was also impacted.

Recommended Mitigations

The authoring agencies strongly advise critical infrastructure operators to implement the following measures:

System Access and Segmentation

  • Remove OT/ICS assets from public internet exposure.

  • Secure remote access tools (e.g., VNC, RDP, SSH, VPN) with deny-by-default allowlists.

  • Replace default or weak passwords with strong, unique credentials.

  • Enforce Role-Based Access Controls (RBAC) and conditional access policies, especially for cloud or managed service accounts.

Authentication and Patching

  • Deploy phishing-resistant multi-factor authentication (MFA), particularly for OT access and high-value system changes.

  • Regularly apply manufacturer updates and security patches to internet-facing systems.

Monitoring and Incident Preparedness

  • Monitor logs for unauthorized remote access and configuration changes.

  • Implement OT protections to prevent unauthorized actions (e.g., set PLCs to run mode, enable interlocks, use redundant sensors).

  • Maintain updated business continuity and incident response plans.
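
The monitoring bullet above, as an added example that is not from the fact sheet: a small Python detector run over constructed log lines. It flags the automated password guessing the Threat Overview describes (a burst of failures from one source inside a short window), a successful login from a source that has already been flagged, and PLC or HMI configuration changes that happen outside a maintenance window, come from a non-internal address, or take a controller out of run mode. The log format, thresholds, maintenance window and internal address range are all assumptions.

```python
"""Detect password guessing and unauthorized OT configuration changes in logs.

Added example, not code from the fact sheet. The log line shape, the
thresholds and the maintenance window are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified syslog-like form (not real vendor output).
SAMPLE_LOG = """\
2024-01-12T02:14:01 vpn01 auth FAIL user=admin src=198.51.100.23
2024-01-12T02:14:02 vpn01 auth FAIL user=admin src=198.51.100.23
2024-01-12T02:14:03 vpn01 auth FAIL user=administrator src=198.51.100.23
2024-01-12T02:14:04 vpn01 auth FAIL user=operator src=198.51.100.23
2024-01-12T02:14:05 vpn01 auth FAIL user=operator src=198.51.100.23
2024-01-12T02:14:09 vpn01 auth OK user=operator src=198.51.100.23
2024-01-12T02:20:15 hmi02 config CHANGE object=PLC-3 field=mode old=RUN new=PROGRAM user=operator src=198.51.100.23
2024-01-12T03:05:00 vpn01 auth FAIL user=jdoe src=10.10.4.7
2024-01-12T03:05:30 vpn01 auth OK user=jdoe src=10.10.4.7
2024-01-12T06:00:00 hmi02 config CHANGE object=PLC-1 field=setpoint old=40 new=42 user=engineer src=10.30.0.15
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>auth|config) (?P<event>\S+) (?P<kv>.*)$")

FAIL_THRESHOLD = 5                  # failures from one source ...
WINDOW = timedelta(minutes=5)       # ... within this window => guessing
CHANGE_WINDOW_HOURS = range(6, 18)  # constructed maintenance window, 06:00-17:59
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed internal range


def parse(line):
    """Turn one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    for kv in rec.pop("kv").split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def is_internal(src):
    return ipaddress.ip_address(src) in INTERNAL


def detect(lines):
    """Return a list of (alert_kind, src, detail) tuples for the given log lines."""
    alerts = []
    fails = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()             # sources that already crossed the threshold
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src = rec.get("src", "?")
        if rec["facility"] == "auth":
            if rec["event"] == "FAIL":
                q = fails[src]
                q.append(rec["ts"])
                while q and rec["ts"] - q[0] > WINDOW:   # drop failures outside the window
                    q.popleft()
                if len(q) >= FAIL_THRESHOLD and src not in flagged:
                    flagged.add(src)
                    alerts.append(("password_guessing", src, f"{len(q)} failures within {WINDOW}"))
            elif rec["event"] == "OK" and src in flagged:
                alerts.append(("success_after_guessing", src, f"user={rec.get('user')} on {rec['host']}"))
        elif rec["facility"] == "config" and rec["event"] == "CHANGE":
            reasons = []
            if rec["ts"].hour not in CHANGE_WINDOW_HOURS:
                reasons.append("outside maintenance window")
            if not is_internal(src):
                reasons.append("source not internal")
            if rec.get("field") == "mode" and rec.get("new") != "RUN":
                reasons.append(f"{rec.get('object')} left RUN mode")
            if reasons:
                alerts.append(("ot_config_change", src, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:24} {src:>15}  {detail}")
```

On the sample lines this yields three alerts, all for the same external source: the guessing burst, the login that followed it, and the change that took PLC-3 out of run mode at night. The single failure from the internal address and the daytime setpoint change by an engineer produce nothing, which is the point of keying the change rule on window, source and mode rather than on every write.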

Post-Exfiltration Risk Reduction

  • Assess how leaked data, such as credentials, could be used in follow-up attacks.

  • Implement controls to limit potential damage from data exposure.

Stay informed: For information on known exploited vulnerabilities, refer to CISA’s KEV Catalog.


Download the complete Fact Sheet HERE

Access CISA's dedicated Iran Threat page HERE

Access FBI's dedicated Iran Threat page HERE

Lisa Wilson, PMP

IT Infrastructure Manager | Info Sec & Cloud Security | Cybersecurity | Program/Project Management

2mo

Recommendations offered by federal agencies should be part of organizations’ security hygiene. Patch management, IAM, monitoring, securing IoTs, zero trust, cloud security, securing critical infrastructure, and protecting organizations’ data strengthens security posture. Therefore, organizations should be proactive—offensive.

Arsalan Alvandi

IT Services Analyst at JTI (Japan Tobacco International)

2mo

Don't panic. Not yet 🤔

Gopal Krishna

Helping Businesses Resolve IT Challenges | Hardware & Software Troubleshooting | Customer service and Tech Support Expert

2mo

The Cyber Security Hub is undoubtedly a pivotal resource in our ever-evolving digital landscape. It’s vital that we continuously engage with and reinforce our understanding of cybersecurity as trends shift. Thank you for being a cornerstone in this space.

KATUSABE GODFREY

Electrical Trainer at Busoga International Polytechnic.

2mo

We appreciate you for this insightful message of cyber security readiness.

sunil kumar tiwari

Founder - codingjourney.co.in | Cybersecurity & Web Dev Enthusiast | Tech Content Creator

2mo

Attackers commonly use automated password guessing, hash cracking, and default credentials to breach systems. In OT environments, they exploit engineering and diagnostic tools to access operator workstations and vendor systems. Strengthening authentication, updating security protocols, and securing both IT and OT layers are essential to prevent such cyber threats. #CyberSecurity #OTSecurity #InfoSec #PasswordSecurity #IndustrialCyberSecurity #ICS #CyberThreats #NetworkSecurity #CriticalInfrastructure #TechSecurity
