U.S. cybersecurity and intelligence agencies have issued a joint advisory warning of potential cyber attacks from Iranian state-sponsored or affiliated actors targeting critical infrastructure, including the Defense Industrial Base. The advisory highlights an expected escalation in activity due to recent geopolitical events, emphasizing increased vigilance against threats like distributed denial-of-service (DDoS) attacks and ransomware. Organizations are urged to bolster their defenses as a precaution against these escalating Iranian cyber threats.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) issued the warning, noting an increase in hacktivist and Iranian government-affiliated actor activity over recent months. These actors frequently exploit vulnerable systems by leveraging unpatched software with known vulnerabilities or by utilizing default or common passwords on internet-connected devices. While no coordinated malicious cyber campaign attributed to Iran is currently evident in the U.S., the agencies stress the elevated risk faced by Defense Industrial Base (DIB) companies, particularly those with ties to Israeli research and defense firms.
Iranian Cyberattacks and Defense Network Vulnerabilities
Iranian threat actors are known to employ sophisticated techniques to breach networks. Their initial reconnaissance often involves tools like Shodan to identify internet-facing devices, with a particular focus on industrial control system (ICS) environments. Once access is gained, they may exploit weak network segmentation or misconfigured firewalls to move laterally across networks. Past campaigns have seen these groups use remote access tools (RATs), keyloggers, and tools such as PsExec (a legitimate administrative utility) and Mimikatz (a credential-dumping tool) to escalate privileges, often evading basic endpoint security measures.
Based on prior intelligence, Iranian threat actors commonly use automated password guessing, password hash cracking, and default manufacturer passwords to infiltrate internet-exposed devices. They have also been observed employing system engineering and diagnostic tools to gain access to operational technology (OT) networks. This approach targets the often-overlooked vulnerabilities within OT environments, which can have significant real-world consequences if compromised.
This advisory follows a Department of Homeland Security (DHS) bulletin urging U.S. organizations to prepare for potential “low-level cyber attacks” from pro-Iranian hacktivists amid ongoing geopolitical tensions. Last week, Check Point reported that an Iranian nation-state hacking group, APT35, targeted journalists, cybersecurity experts, and computer science professors in Israel through a spear-phishing campaign. This campaign aimed to steal Google account credentials using fake Gmail login pages or Google Meet invitations, underscoring the multifaceted nature of these threats.
Mitigation Strategies and Emerging Exposures
To counter these threats, cybersecurity agencies recommend several mitigation strategies. Key among these is the identification and disconnection of OT and ICS assets from the public internet to limit direct exposure. Organizations should ensure devices and accounts are protected with strong, unique passwords, replacing any weak or default credentials and enforcing multi-factor authentication (MFA). Implementing phishing-resistant MFA for remote access to OT networks from other networks is also advised.
Furthermore, agencies recommend ensuring all systems are running the latest software patches to address known security vulnerabilities. Monitoring user access logs for remote access to OT networks is crucial for detecting unauthorized activity. Establishing OT processes that prevent unauthorized changes, loss of visibility, or loss of control, together with maintaining comprehensive system and data backups, is essential for recovery in the event of an incident.
For organizations unsure where to begin, a practical first step is to review their external attack surface. This includes identifying exposed systems, open ports, and any running outdated services. Tools such as CISA’s Cyber Hygiene program or open-source scanners like Nmap can help identify risks before attackers exploit them. Aligning defenses with the MITRE ATT&CK framework can also aid in prioritizing protections based on real-world threat actor tactics.
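As an added illustration of the log-monitoring and credential-hygiene recommendations above (example code written for this page, not from the advisory or any agency tool), the script below audits constructed remote-access log lines for an OT jump host: logins from networks outside an assumed trusted range, use of default or vendor account names, successful logins without phishing-resistant MFA, and a success following a burst of failures. The log format, network ranges, account names and MFA labels are all assumptions.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample lines from a hypothetical OT remote-access gateway (not from the advisory).
SAMPLE_LOG = """\
2025-06-25T02:14:07Z user=admin src=203.0.113.45 mfa=none result=success target=ot-jump-01
2025-06-25T08:03:19Z user=j.doe src=10.20.5.17 mfa=fido2 result=success target=ot-jump-01
2025-06-25T11:47:55Z user=operator src=198.51.100.9 mfa=totp result=failure target=ot-jump-01
2025-06-25T11:48:01Z user=operator src=198.51.100.9 mfa=totp result=failure target=ot-jump-01
2025-06-25T11:48:06Z user=operator src=198.51.100.9 mfa=totp result=failure target=ot-jump-01
2025-06-25T11:48:12Z user=operator src=198.51.100.9 mfa=totp result=success target=ot-jump-01
"""
# Hypothetical policy values (assumptions, not from the advisory).
TRUSTED_NETS = [ip_network("10.20.0.0/16")]                 # IT ranges allowed to reach the OT jump host
DEFAULT_ACCOUNTS = {"admin", "operator", "root", "service"}  # vendor/default names that should be disabled
PHISHING_RESISTANT = {"fido2", "piv", "certificate"}        # MFA types accepted for OT remote access
FAIL_BURST = 3                                              # failures before a success is flagged as guessing
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) mfa=(?P<mfa>\S+) "
                     r"result=(?P<result>\S+) target=(?P<target>\S+)$")

def parse(log_text):
    # One dict per well-formed line; malformed lines are skipped rather than guessed at.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def audit(events):
    # Returns (timestamp, user, finding) tuples; one event can yield several findings.
    findings = []
    fails = {}  # (src, user) -> consecutive failure count
    for e in events:
        src = ip_address(e["src"])
        if not any(src in net for net in TRUSTED_NETS):
            findings.append((e["ts"], e["user"], "remote access from untrusted network"))
        if e["user"] in DEFAULT_ACCOUNTS:
            findings.append((e["ts"], e["user"], "default/vendor account used"))
        if e["result"] == "success" and e["mfa"] not in PHISHING_RESISTANT:
            findings.append((e["ts"], e["user"], f"login without phishing-resistant MFA ({e['mfa']})"))
        key = (e["src"], e["user"])
        if e["result"] == "failure":
            fails[key] = fails.get(key, 0) + 1
            continue
        n = fails.pop(key, 0)  # a success resets the counter for this source/user pair
        if n >= FAIL_BURST:
            findings.append((e["ts"], e["user"], f"success after {n} failures (possible password guessing)"))
    return findings
```

Running `audit(parse(SAMPLE_LOG))` on the constructed lines yields 13 findings, all against the two default accounts; the `j.doe` logins from the trusted range with FIDO2 produce none.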
Recent Exposures and Hacktivist Activity
A recent report by Censys identified a significant number of internet-exposed OT devices, including over 43,000 from Tridium Niagara, alongside thousands from Red Lion and Unitronics. The report noted that default passwords continue to be a significant entry point for threat actors and urged manufacturers to eliminate default credentials in favor of strong, unique passwords. While Tridium Niagara has the highest exposure numbers, the report suggests that building automation software may not always be the most valuable target depending on an attacker’s objectives.
Alongside these technical vulnerabilities, there has been a reported spike in cyber activity linked to the Iran-Israel conflict. SOCRadar observed over 600 cyber attack claims across more than 100 Telegram channels within a two-week period in June 2025. Israel was the most targeted nation, followed by the U.S., India, and various Middle Eastern countries. The top hacktivist groups involved included Mr Hamza, Keymous, and NoName057(16), with governments, defense, telecom, financial services, and technology sectors being the most targeted industries.
The conflict has seen an increase in activity from state-sponsored hackers, hacktivists from both nations, and actors from non-participant countries. Israel was the primary target of DDoS attacks, accounting for 74% of all reported DDoS activity during the period. Outpost24 noted that over 80 distinct hacktivist groups are actively involved in operations targeting Israel and its allies, with suspected “faketivist” entities potentially operating with state support or direct state direction. This surge in hacktivist operations underscores the growing role of cyber conflict in modern geopolitical tensions.
Despite ongoing negotiations and declared ceasefires, Iranian-affiliated cyber actors and hacktivist groups are expected to continue malicious cyber activity. The increased exposure of critical OT systems and the persistent use of weak credentials present ongoing risks. Organizations should remain vigilant and implement the recommended security measures to protect their networks against evolving Iranian cyber threats.