A coalition of top U.S. cybersecurity and intelligence agencies on Monday issued a stark warning: Iranian state-sponsored hackers and affiliated hacktivists are expected to ramp up cyberattacks targeting American defense systems, critical infrastructure, and industrial networks, particularly those with ties to Israel.

In a joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) urged American organizations to remain vigilant for targeted cyber activity against U.S. critical infrastructure and other U.S. entities by Iranian-affiliated cyber actors, as threats grow in frequency and sophistication.

“Despite a declared ceasefire and ongoing negotiations towards a permanent solution, Iranian-affiliated cyber actors and hacktivist groups may still conduct malicious cyber activity. The authoring agencies are continuing to monitor the situation and will release pertinent cyber threat and cyber defense information as it becomes available,” reads the joint advisory.

Although no large-scale coordinated campaign has been detected yet, the agencies are warning of a potential surge in cyberattacks from Iranian-linked hackers, especially as tensions in the Middle East continue to rise.

Threat Activity

Defense Industrial Base (DIB) companies—particularly those connected to Israeli research or defense organizations—are believed to be at higher risk. These actors often exploit poorly secured systems by leveraging unpatched software, known vulnerabilities, and default or weak passwords.

“Iranian-affiliated cyber actors and aligned hacktivist groups often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures (CVEs) or the use of default or common passwords on internet-connected accounts and devices,” the advisory added.

The Iranian cyber threat groups, many linked to the Islamic Revolutionary Guard Corps (IRGC), use a range of techniques to breach systems and move undetected across networks, such as automated password guessing, cracking password hashes with online resources, and trying default manufacturer passwords.

When attacking operational technology (OT) systems, they also use system engineering and diagnostic tools to compromise performance, security, and maintenance systems.

Recently, Iranian-aligned hacktivists have increased website defacements and data leaks, and are likely to expand distributed denial-of-service (DDoS) attacks on U.S. and Israeli websites. Additionally, Iranian cyber actors may collaborate with ransomware groups to encrypt data, steal sensitive information, and publish it online.

Prior Threat Campaigns

Between November 2023 and January 2024, Iranian Islamic Revolutionary Guard Corps (IRGC)-affiliated cyber actors launched a global cyber campaign targeting Israeli-made programmable logic controllers (PLCs) and human-machine interfaces (HMIs), affecting U.S. sectors such as water, energy, food, and healthcare.

The threat actors took advantage of industrial control systems (ICSs) that were accessible over the internet and still used factory-default or no passwords, along with default Transmission Control Protocol (TCP) ports that hadn’t been secured.

In protest of the Israel-Hamas conflict, these Iranian cyber actors also carried out several hack-and-leak operations to steal and publicly release sensitive data, often amplified through social media.

The attacks caused financial losses and reputational harm, and aimed to undermine public confidence in cybersecurity. Although most targets were Israeli, at least one U.S. internet protocol television (IPTV) company was also affected.

Mitigations

The authoring agencies, in collaboration with U.S. and foreign government partners, suggest immediate steps for organizations, especially those in critical infrastructure:

  • Identify OT and ICS assets that are reachable from the public internet and disconnect them.
  • Replace weak or default passwords and implement phishing-resistant multi-factor authentication (MFA).
  • Apply the manufacturer’s latest software patches promptly.
  • Monitor for unusual remote access behavior.
  • Conduct full system and data backups.
  • Limit admin privileges and adopt microsegmentation.
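The advisory's point that these actors rely on automated password guessing against internet-connected accounts, together with the recommendation above to monitor remote access, can be turned into a simple detection. The following is an added example, not code from the advisory or the authoring agencies: it parses constructed sshd-style log lines (sample data) and flags three patterns that defenders of an exposed OT gateway would want to see, a single account hammered from one source, many accounts tried from one source (spraying), and a successful login shortly after failures from the same source. The hostname, addresses and thresholds are assumptions for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style log lines (sample data, not taken from the advisory).
SAMPLE_LOG = """\
Jun 30 01:00:01 plc-gw sshd[811]: Failed password for admin from 203.0.113.5 port 50211 ssh2
Jun 30 01:00:02 plc-gw sshd[812]: Failed password for admin from 203.0.113.5 port 50212 ssh2
Jun 30 01:00:03 plc-gw sshd[813]: Failed password for admin from 203.0.113.5 port 50213 ssh2
Jun 30 01:00:04 plc-gw sshd[814]: Failed password for admin from 203.0.113.5 port 50214 ssh2
Jun 30 01:00:05 plc-gw sshd[815]: Failed password for admin from 203.0.113.5 port 50215 ssh2
Jun 30 01:00:06 plc-gw sshd[816]: Accepted password for admin from 203.0.113.5 port 50216 ssh2
Jun 30 01:05:00 plc-gw sshd[901]: Failed password for operator from 198.51.100.9 port 40001 ssh2
Jun 30 01:05:01 plc-gw sshd[902]: Failed password for invalid user engineer from 198.51.100.9 port 40002 ssh2
Jun 30 01:05:02 plc-gw sshd[903]: Failed password for root from 198.51.100.9 port 40003 ssh2
Jun 30 02:00:00 plc-gw sshd[950]: Accepted publickey for engineer from 192.0.2.20 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_events(log_text):
    """Yield (timestamp, result, user, source_ip) for each sshd auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # year-less syslog timestamp; only differences between them matter here
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["ip"]

def detect(log_text, fail_threshold=5, spray_users=3, window_s=300):
    """Return sorted (alert_type, source_ip, detail) tuples; each type fires once per IP."""
    recent_fails = defaultdict(list)  # ip -> [(ts, user)] failures inside the sliding window
    alerts = {}
    for ts, result, user, ip in parse_events(log_text):
        # Expire failures older than the window before evaluating this event.
        recent_fails[ip] = [(t, u) for t, u in recent_fails[ip]
                            if (ts - t).total_seconds() <= window_s]
        if result == "Failed":
            recent_fails[ip].append((ts, user))
            users = {u for _, u in recent_fails[ip]}
            if len(users) >= spray_users:        # many accounts, few tries each: spraying
                alerts[("password_spray", ip)] = ",".join(sorted(users))
            elif len(recent_fails[ip]) >= fail_threshold:  # one account hammered: brute force
                alerts[("brute_force", ip)] = user
        elif recent_fails[ip]:  # accepted login right after failures from the same source
            alerts[("success_after_failures", ip)] = user
    return sorted((kind, ip, detail) for (kind, ip), detail in alerts.items())
```

On the sample, the 203.0.113.5 source trips both the brute-force rule and the success-after-failures rule, while 198.51.100.9 is flagged as spraying after three distinct accounts; the key-based login from 192.0.2.20 produces no alert.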

For additional information, organizations can refer to CISA’s Iran Threat Overview and the FBI’s Iran Threat web pages.