Executive Summary
Situation Overview
On February 28, 2026, the United States and Israel launched Operation Epic Fury / Operation Roaring Lion, targeting Iranian military, nuclear, and leadership infrastructure. Iran's Supreme Leader and senior military commanders were killed in the initial strikes. Iran has responded with missile and drone strikes against Israeli territory and U.S. installations across the Middle East. Iranian drones also hit two AWS data centers in the UAE, disrupting regional cloud services. As of March 4, the conflict is ongoing and may continue for several weeks.
Cyber implications are significant but nuanced. Iran's internet connectivity has dropped to 1–4% of normal levels following the strikes, constraining near-term operations from actors inside Iran. However, Iranian-aligned hacktivist groups and proxy operators outside Iran have already mobilized, with reconnaissance, denial-of-service, and phishing activity observed within hours. With conventional military options degraded, analysts assess cyber operations will become Iran's primary retaliation tool.
Why This Matters Now
Three factors compound the risk for organizations:
- Cyber is Iran's remaining lever. With conventional military capabilities degraded and senior leadership eliminated, cyber operations are assessed as Iran's primary remaining retaliation tool. The destruction of central command also means proxy groups are making their own targeting decisions without oversight from Tehran.
- Active threat mobilization. Approximately 60 hacktivist groups have become active since the strikes, including pro-Russian groups. A U.S. port has been targeted with a denial-of-service attack, and Jordan confirmed thwarting an attack on its wheat silo management system. However, most hacktivist claims remain unverified; multiple firms caution that the majority are exaggerated or fabricated.
- Reduced federal cyber support. CISA, the U.S. federal agency responsible for national cyber defense coordination, is operating at approximately 38% staffing under a partial government shutdown. Its acting director was reassigned last week. Organizations should not rely on timely federal threat intelligence or incident support; private sector Managed SOC and SIEM providers are more critical than ever.
Who Should Act
The following sectors face elevated risk based on historical Iranian targeting patterns and current threat intelligence:
- Highest Risk: Energy, utilities, water/wastewater, defense, government, and defense-adjacent commercial organizations
- Elevated Risk: Healthcare, telecommunications, financial services, and transportation
- Indirect Risk: Any organization with third-party dependencies on the above sectors, or with industrial control systems exposed to the internet
Important context: As of this publication, no confirmed state-sponsored cyberattacks against U.S. critical infrastructure have been attributed to Iranian actors, though such targeting is expected in the coming days and weeks. Iranian actors have historically had mixed results with disruptive cyberattacks and frequently exaggerate their impact. Validate any reported breaches through trusted intelligence sources before reacting.
Recommended Actions in Order of Value
These actions are distinct from baseline security hygiene; they represent specific escalation steps for the current threat environment:
- Contact your Managed SOC / Managed SIEM provider and confirm they are actively monitoring for known Iranian attack patterns and threat indicators. Request a status update on detection rules for the threat groups referenced in this briefing.
- Request an ad hoc threat hunt focused on indicators of Iranian intrusion activity, particularly against VPN gateways, internet-facing industrial control systems, and identity infrastructure.
- Establish an escalation protocol with your SOC provider for the next 90 days: agree on expedited notification timelines (e.g., 15-minute SLA for high-confidence Iran-affiliated alerts) and pre-authorized response actions for the duration of the conflict.
- Verify that internet-exposed industrial control systems have default credentials changed and are segmented from corporate networks. This is likely the easiest Iranian attack vector to exploit (no exploit code needed, just a known default password).
- Block Telegram and any unused remote management tools (Atera, Tactical RMM, SimpleHelp, AnyDesk, ScreenConnect, RemoteUtilities) if not operationally required. These have been used by Iranian actors for data theft and to evade detection.
- Brief your incident response team and review response playbooks for destructive malware scenarios. Wiper malware (software designed to permanently erase data and disable systems) is the most likely payload in an Iran-affiliated destructive attack.
- Review your cyber insurance policy for war exclusion clauses that may be triggered by a named military operation. Confirm coverage for state-sponsored attacks and notification requirements with your broker or carrier.
- Contact critical vendors and cloud providers operating in targeted sectors to confirm they have heightened their monitoring posture in response to the current threat environment.
Current Threat Landscape
The following reflects publicly available threat intelligence as of March 4, 2026. This is a rapidly evolving situation.
Near-Term State Actor Constraints
Palo Alto Networks' Unit 42 reports that Iran's available internet connectivity dropped to between 1 and 4% of normal levels beginning the morning of February 28. Combined with the significant degradation of Iranian leadership and command structures, this likely hinders the ability of state-sponsored groups to coordinate sophisticated offensive operations in the immediate term. However, as Anomali notes, this constraint is unlikely to prevent retaliation, since pre-positioned implants, foreign-based operators, and proxy groups operate independently of Iranian domestic infrastructure. Some cybersecurity firms have observed a drop in malicious cyber activity originating from within Iran since the start of the conflict, likely because operators are sheltering during the strikes.
Active Hacktivist Surge
Unit 42 has identified approximately 60 individual hacktivist groups active since the strikes, including pro-Iranian, pro-Palestinian, and pro-Russian groups. Activity consists primarily of distributed denial-of-service (DDoS) attacks, website defacements, and unverified breach claims. Sophos notes that many claims remain unverified and that hacktivist groups frequently recycle previously leaked data to amplify psychological impact. The Multi-State ISAC warns that hacktivist groups are beginning to cooperate and coalesce into collectives, which could enhance their targeting capabilities.
State-Sponsored Groups to Watch
Anomali reports that APT42 and APT33 (also known as MuddyWater), two advanced persistent threat (APT) groups linked to Iran's Islamic Revolutionary Guard Corps (IRGC) and MOIS respectively, have been mobilized. Halcyon has identified MuddyWater conducting a structured cyber offensive operation designated "Operation Olampo," targeting the Middle East, Turkey, and Africa region. Google's Threat Intelligence Group expects Iran to target the U.S., Israel, and Gulf Cooperation Council countries with disruptive cyberattacks focused on targets of opportunity and critical infrastructure. Flashpoint reports that the decentralized Iranian leadership vacuum is leading to more unpredictable proxy attacks, with individual actors making targeting decisions without central oversight.
Likely Attack Patterns
Based on historical precedent and current intelligence, the following attack types are listed in approximate order of near-term likelihood. DDoS, phishing, and disinformation are already actively observed; wiper and ransomware deployments require more preparation but carry greater destructive potential:
- DDoS Attacks: Denial-of-service attacks that flood systems with traffic to knock them offline. Already observed against U.S. and Israeli targets, including a U.S. port.
- Phishing Campaigns: Unit 42 has identified an active phishing campaign using a malicious replica of the Israeli Home Front Command RedAlert application. Expect topical phishing tied to the conflict.
- Disinformation and "Hack-and-Leak": Fabricated or exaggerated breach claims to generate fear and reputational damage. Organizations should verify claims through trusted sources before reacting publicly.
- ICS/SCADA Targeting: Exploitation of internet-facing Industrial Control Systems and Supervisory Control and Data Acquisition (ICS/SCADA) devices. Consistent with the 2023 CyberAv3ngers campaign against U.S. water systems.
- Ransomware via Affiliates: Iranian actors have historically collaborated with ransomware affiliates, maintaining plausible deniability while achieving disruption.
- Wiper Malware: Destructive malware designed to permanently erase data and disable systems. This is Iran's signature destructive capability.
Vulnerabilities Exploited by Iranian Threat Actors
The following vulnerabilities have been previously exploited in confirmed Iran-affiliated campaigns. These are not new vulnerabilities (most date to 2019 through 2024), but organizations that have not yet patched them are at significantly elevated risk in the current environment:
| CVE | Product | Threat Actor |
| --- | --- | --- |
| CVE-2024-30088 | Windows Kernel | OilRig / APT34 |
| CVE-2022-47966 | Zoho ManageEngine | Mint Sandstorm |
| CVE-2022-42475 | Fortinet FortiOS | Fox Kitten |
| CVE-2021-34473 | Microsoft Exchange | Multiple Groups |
| CVE-2020-5902 | F5 BIG-IP TMUI | Fox Kitten |
| CVE-2020-1472 | Windows Netlogon | Multiple Groups |
| CVE-2019-19781 | Citrix ADC | Fox Kitten |
Detailed Recommendations
The following recommendations are listed in priority order, from what should be done first to what should be done last. Within each recommendation, sub-items are also prioritized from most urgent to least urgent.
1. Coordinate with Your Managed SOC / SIEM Provider
This is the single most important action because it enables detection of active compromise and unlocks the effectiveness of every other recommendation below.
- Request an immediate ad hoc threat hunt focused on indicators of existing Iranian compromise, prioritizing VPN gateway logs, internet-facing ICS/SCADA devices, and identity infrastructure
- Confirm detection rules are in place for Iran-specific attack techniques, including data exfiltration via Telegram, exploitation of VPN and edge device vulnerabilities, anomalous ICS/SCADA activity, unauthorized RMM tool installation, and brute force/credential spraying
- Ensure threat intelligence feeds cover APT42, APT33/MuddyWater, OilRig/APT34, Fox Kitten/Pioneer Kitten, CyberAv3ngers, and Handala Hack
- Establish a 90-day escalation protocol with expedited notification timelines and pre-authorized response actions
2. Patch Known Iran-Exploited Vulnerabilities
Iranian actors overwhelmingly exploit known, publicly disclosed vulnerabilities rather than zero-days. Patching closes the front door.
- Highest priority: Patch VPN gateways and edge devices immediately — Fortinet FortiOS SSL-VPN, Citrix ADC/Gateway, F5 BIG-IP, and Ivanti Connect Secure
- Patch Microsoft Exchange servers (ProxyShell) and Windows domain controllers (Zerologon)
- Patch Zoho ManageEngine and Windows kernel if present in your environment
- If patching is not immediately possible, implement compensating controls: disable affected services, restrict access by IP whitelist, deploy virtual patching via IPS/IDS rules
3. Harden Industrial Control Systems
Exploitation of internet-facing ICS with default credentials is the easiest Iranian attack vector, requiring no exploit code. This section applies to organizations operating ICS/SCADA environments.
- Change all default credentials on PLCs and HMI devices immediately
- Audit all internet-facing ICS/SCADA devices and remove unnecessary external access
- Implement or verify network segmentation isolating OT from corporate IT
4. Strengthen Identity and Access Controls
- Enforce MFA on all administrative and privileged accounts immediately, preferring hardware security keys or FIDO2-based authentication
- Monitor for brute force and credential spraying activity against VPN portals, email gateways, and cloud identity providers
- Review MFA configurations for signs of "push bombing" (MFA fatigue) attempts
- Audit privileged accounts for dormant or unnecessary access
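The two monitoring items above (credential spraying against VPN portals and identity providers, and MFA "push bombing") can be checked with simple windowed counting over authentication logs. The script below is an added example written for this briefing, not code from Exposure Security or from any SOC product: it parses a constructed, syslog-like log format (the field layout, the thresholds and the sample IP addresses and usernames are all assumptions for the demonstration) and flags one source address that fails logins for many distinct accounts in a short window, and one account that receives a burst of denied or timed-out MFA pushes, escalating if an approval follows the burst.

```python
"""Windowed detection of credential spraying and MFA push bombing.

Added example for the briefing's identity-monitoring items; the log format,
thresholds and sample values below are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one event per line.
# Fields: timestamp  source  event  user  src_ip  result
SAMPLE_LOG = """\
2026-03-04T08:00:01Z vpn auth alice 203.0.113.10 fail
2026-03-04T08:00:03Z vpn auth bob 203.0.113.10 fail
2026-03-04T08:00:05Z vpn auth carol 203.0.113.10 fail
2026-03-04T08:00:07Z vpn auth dave 203.0.113.10 fail
2026-03-04T08:00:09Z vpn auth erin 203.0.113.10 fail
2026-03-04T08:00:11Z vpn auth frank 203.0.113.10 success
2026-03-04T08:05:00Z vpn auth alice 198.51.100.7 fail
2026-03-04T08:05:30Z vpn auth alice 198.51.100.7 success
2026-03-04T09:10:00Z idp mfa_push grace 192.0.2.44 denied
2026-03-04T09:10:20Z idp mfa_push grace 192.0.2.44 denied
2026-03-04T09:10:40Z idp mfa_push grace 192.0.2.44 timeout
2026-03-04T09:11:00Z idp mfa_push grace 192.0.2.44 denied
2026-03-04T09:11:20Z idp mfa_push grace 192.0.2.44 approved
2026-03-04T09:30:00Z idp mfa_push heidi 192.0.2.91 approved
"""

WINDOW = timedelta(minutes=10)   # assumed detection window
SPRAY_MIN_USERS = 5              # distinct accounts failing from one source inside WINDOW
PUSH_MIN_UNANSWERED = 3          # denied/timed-out pushes for one account inside WINDOW


def parse_log(text):
    """Parse the constructed log format into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, event, user, src_ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "source": source, "event": event, "user": user,
            "src_ip": src_ip, "result": result,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_credential_spraying(events, window=WINDOW, min_users=SPRAY_MIN_USERS):
    """Flag a source IP that fails authentication for many distinct accounts
    inside one window: few attempts per account, many accounts, one origin."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "auth" and e["result"] == "fail":
            fails_by_ip[e["src_ip"]].append((e["ts"], e["user"]))
    alerts = []
    for ip, fails in fails_by_ip.items():          # fails are time-ordered
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                alerts.append({"type": "credential_spraying", "src_ip": ip,
                               "distinct_users": len(users), "first_seen": start})
                break                              # one alert per source
    return alerts


def detect_push_bombing(events, window=WINDOW, min_unanswered=PUSH_MIN_UNANSWERED):
    """Flag an account that receives repeated denied/timed-out MFA pushes inside
    one window; escalate if an approval follows the flood (the user gave in)."""
    pushes_by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            pushes_by_user[e["user"]].append((e["ts"], e["result"]))
    alerts = []
    for user, pushes in pushes_by_user.items():
        for i, (start, _) in enumerate(pushes):
            in_window = [(ts, r) for ts, r in pushes[i:] if ts - start <= window]
            unanswered = sum(1 for _, r in in_window if r in ("denied", "timeout"))
            if unanswered >= min_unanswered:
                alerts.append({
                    "type": "mfa_push_bombing", "user": user,
                    "unanswered_pushes": unanswered,
                    "approved_after_flood": any(r == "approved" for _, r in in_window),
                })
                break
    return alerts


def run_detections(text=SAMPLE_LOG):
    """Run both detections over a log and return the combined alert list."""
    events = parse_log(text)
    return detect_credential_spraying(events) + detect_push_bombing(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

The thresholds are deliberately conservative starting points; tune them against your own baseline so that a single user who mistypes a password is not flagged while a low-and-slow spray across many accounts still is. The "approved_after_flood" flag is the case that warrants immediate session revocation and a password reset, since it means the push flood succeeded.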
5. Block Unnecessary Communication Channels
- Block Telegram at the network perimeter unless there is a documented business requirement
- Block unauthorized remote monitoring and management (RMM) tools including Atera, Tactical RMM, SimpleHelp, AnyDesk, ScreenConnect, and RemoteUtilities
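Blocking these channels is most effective when paired with a check that they are not already in use. The script below is an added example for this briefing, not code from Exposure Security or from any of the tool vendors named: it walks a constructed endpoint process inventory looking for the RMM tools listed above on hosts where they are not sanctioned, and sums Telegram API traffic per internal source from constructed proxy log lines. The mapping from product name to executable name is the example's own assumption about how these agents commonly appear on Windows endpoints and should be validated against your EDR's telemetry; the host names, paths, IP addresses and byte counts are constructed.

```python
"""Hunt for unsanctioned RMM agents and Telegram egress (added example).

Executable names below are assumed common names for the agents of the tools the
briefing lists; verify them against your own endpoint telemetry. Sample
inventory and proxy lines are constructed.
"""
from collections import defaultdict

# Assumed product -> executable-name mapping (lower-cased for comparison).
RMM_SIGNATURES = {
    "Atera": {"ateraagent.exe"},
    "Tactical RMM": {"tacticalrmm.exe", "tacticalagent.exe"},
    "SimpleHelp": {"remote access.exe"},
    "AnyDesk": {"anydesk.exe"},
    "ScreenConnect": {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"},
    "RemoteUtilities": {"rutserv.exe", "rfusclient.exe"},
}

# Hosts with a documented business requirement for a given tool (constructed).
SANCTIONED_RMM = {"HELPDESK-01": {"ScreenConnect"}}

# Telegram service domains; subdomains such as api.telegram.org match too.
TELEGRAM_DOMAINS = ("telegram.org", "telegram.me", "t.me")

# Constructed process inventory (host, full image path) as an EDR export might give it.
PROCESS_INVENTORY = [
    {"host": "HELPDESK-01", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"host": "FIN-WS-17",   "image": r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe"},
    {"host": "OT-ENG-03",   "image": r"C:\Program Files\TacticalAgent\tacticalrmm.exe"},
    {"host": "OT-ENG-03",   "image": r"C:\Windows\System32\svchost.exe"},
]

# Constructed proxy log. Fields: timestamp  src_ip  method  dest:port  status  bytes
PROXY_LOG = """\
2026-03-04T10:01:02Z 10.20.30.41 CONNECT api.telegram.org:443 200 184320
2026-03-04T10:01:05Z 10.20.30.41 CONNECT api.telegram.org:443 200 201100
2026-03-04T10:02:00Z 10.20.30.52 GET www.example.com:443 200 5120
2026-03-04T10:03:10Z 10.20.30.41 CONNECT api.telegram.org:443 200 197000
"""


def image_basename(image):
    """Return the lower-cased file name of a Windows or POSIX image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_unauthorized_rmm(inventory=PROCESS_INVENTORY, sanctioned=SANCTIONED_RMM):
    """List RMM agents running on hosts where that tool is not sanctioned."""
    findings = []
    for proc in inventory:
        exe = image_basename(proc["image"])
        for tool, names in RMM_SIGNATURES.items():
            if exe in names and tool not in sanctioned.get(proc["host"], set()):
                findings.append({"host": proc["host"], "tool": tool, "image": proc["image"]})
    return findings


def is_telegram_host(host):
    """True for a Telegram domain or any subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TELEGRAM_DOMAINS)


def telegram_egress(log_text=PROXY_LOG):
    """Sum requests and bytes to Telegram per internal source address."""
    totals = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, _method, dest, _status, nbytes = line.split()
        host = dest.rsplit(":", 1)[0]
        if is_telegram_host(host):
            totals[src]["requests"] += 1
            totals[src]["bytes"] += int(nbytes)
    return dict(totals)


if __name__ == "__main__":
    for f in find_unauthorized_rmm():
        print("unsanctioned RMM:", f)
    for src, t in telegram_egress().items():
        print(f"telegram egress from {src}: {t['requests']} requests, {t['bytes']} bytes")
```

Byte volume is the more useful signal than request count: a handful of large uploads to a Telegram API endpoint from a workstation that has no messaging use case is worth an analyst's attention even before the perimeter block is in place. Run the RMM check against your full inventory rather than a sample, and treat any hit on an OT engineering workstation as high priority given the ICS guidance above.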
6. Prepare for Destructive Scenarios
- Verify backup integrity and confirm offline or immutable backup availability for critical systems
- Review and test incident response playbooks for destructive malware scenarios, specifically Iranian wiper malware families: Shamoon/StoneDrill, ZeroCleare, Dustman, and WhiteLock
- Establish internal and external communication procedures for responding to breach claims, including fabricated ones
- Review cyber insurance policy for war exclusion clauses and state-sponsored attack coverage
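Verifying backup integrity means more than confirming the files are present. The script below is an added example for this briefing, not code from Exposure Security or from any backup product: it records a keyed tag (HMAC-SHA256) for every file in a backup set at backup time, then re-checks the set and classifies each file as intact, modified, missing, or unexpected. The key is assumed to be held off the backup host, so an intruder who can overwrite backups cannot recompute the manifest to match. The directory layout, file names and contents, and the key value are constructed for the demonstration.

```python
"""Keyed-manifest integrity check for a backup set (added example).

Assumes the HMAC key is kept away from the backup host. File names, contents
and the demo key below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash files in 1 MiB chunks so large dumps do not need to fit in memory


def file_tag(path, key):
    """HMAC-SHA256 over the file's contents."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(backup_dir, key):
    """Map each file's path (relative, '/'-separated) to its tag."""
    manifest = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir).replace(os.sep, "/")
            manifest[rel] = file_tag(full, key)
    return manifest


def verify_backup(backup_dir, manifest, key):
    """Compare the tree on disk against a manifest recorded at backup time."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    current = build_manifest(backup_dir, key)
    for rel, tag in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif hmac.compare_digest(current[rel], tag):
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    report["unexpected"] = list(set(current) - set(manifest))
    for bucket in report.values():
        bucket.sort()
    return report


def demo():
    """Constructed scenario: three files are backed up and a manifest taken;
    afterwards one file is overwritten with zeros, one is deleted and one is
    planted, which is what a destructive run against the backup host looks like."""
    key = b"constructed-demo-key-keep-the-real-key-offline"
    sample = {"db.dump": b"DATA" * 1000, "config.tar": b"CONF", "hmi/project.bin": b"PLC"}
    with tempfile.TemporaryDirectory() as backup_dir:
        for name, data in sample.items():
            path = os.path.join(backup_dir, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        manifest = build_manifest(backup_dir, key)
        clean = verify_backup(backup_dir, manifest, key)

        with open(os.path.join(backup_dir, "db.dump"), "wb") as fh:
            fh.write(b"\x00" * 4000)
        os.remove(os.path.join(backup_dir, "config.tar"))
        with open(os.path.join(backup_dir, "README.txt"), "wb") as fh:
            fh.write(b"planted")
        tampered = verify_backup(backup_dir, manifest, key)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

A plain SHA-256 manifest stored beside the backups would let anyone who can write to the backup volume rewrite both the data and the manifest; the keyed tag with the key held elsewhere (a secrets vault, an offline medium) is what makes the check meaningful. Schedule the verification against the immutable or offline copy, not only the online one, and treat any "modified" or "missing" result on a critical system as an incident rather than a housekeeping item.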
7. Employee Awareness
- Issue a targeted advisory about heightened phishing risk, specifically Iran-linked social engineering tactics
- Alert employees to potential disinformation campaigns and fabricated breach notifications
- Remind staff to report suspicious activity through established channels
8. Third-Party and Supply Chain Risk
- Identify critical third-party dependencies, particularly cloud infrastructure providers, identity providers, and vendors operating in targeted sectors
- Review vendor contracts for incident notification requirements
- If you rely on cloud services in the Middle East (particularly UAE or Bahrain), confirm continuity plans given the confirmed drone strikes on AWS data centers
This briefing will be updated as the situation evolves. For assistance implementing these recommendations or to discuss your organization's specific risk profile, contact Exposure Security.