Current Cyber Threats

GTIA Alert: Potential Increased Cyber Threats From Iran (February/March 2026)

Threat Overview:

In light of the current geopolitical climate between the US and Iran, the IT-ISAC updated our Iranian threat alert. The IT-ISAC urges GTIA members to prepare for a potential increase in cyber threats coming from the region.

Iranian State-Sponsored Actors:

While the line between hacktivist and state-sponsored threat actors can be blurry, Iran is a formidable adversary hosting several prominent threat actors. Iran's cyber activity in pursuit of its geopolitical objectives ranges from disruptive and destructive attacks to cyber espionage and financially motivated attacks conducted in collaboration with ransomware actors.

Charming Kitten (APT35, Phosphorus) is a sophisticated adversary known for extensive spear-phishing campaigns against US political entities, military, and commercial facilities. The group also carries out cyber espionage to assist Iran in its geopolitical goals. Using social engineering, Charming Kitten commonly impersonates legitimate individuals such as journalists, researchers, and government officials to build trust, then lures victims to fake email login pages or conference invites to steal credentials.

APT33 (Elfin) is another sophisticated threat actor receiving resources from the Iranian government. They are known for impactful attacks on critical infrastructure, typically in the energy and aviation sectors in the US and other Western countries. APT33 uses spear-phishing in combination with malicious attachments, often using lures related to job opportunities or geopolitical topics, or masquerading as legitimate businesses via typosquatted domains. They may also use password spraying to prey on accounts with weak authentication, and have been known to exploit zero-day vulnerabilities in several different IT products.

MuddyWater (APT37, Seedworm) is another state-sponsored group focused on espionage. The group targets a broad range of sectors including government, defense, energy, telecommunications, and finance, primarily in the Middle East, Asia, Africa, Europe, and North America. For initial access the group primarily uses spear phishing to lure victims into downloading malicious attachments or clicking malicious links. Aside from developing custom malware to assist in their operations, MuddyWater typically exploits publicly known vulnerabilities and uses open-source tools to gain initial access and maintain persistence.

OilRig (APT34) specializes in cyber espionage and intelligence gathering. While the threat actor has historically targeted critical infrastructure in the Middle East, their operations have extended to other regions including the US. The group uses spear phishing, including LinkedIn phishing, for initial access, along with developing custom malware and exploiting publicly known vulnerabilities. Notably, OilRig is known for using compromised organizations as a stepping stone in supply chain attacks to reach their primary targets.

Pioneer Kitten (Fox Kitten, UNC757) is an Iranian group assessed to be linked to the Iranian government and known for targeting US critical infrastructure across sectors like defense, education, finance, and healthcare. They are particularly notable for their focus on network infrastructure, exploiting VPN vulnerabilities (particularly in Pulse Secure, Citrix, and F5 devices) to establish persistent footholds. They have also been documented collaborating with ransomware affiliates, selling network access to other threat actors, which makes them a unique hybrid of espionage and financially-motivated activity.

Tortoiseshell (Imperial Kitten) is an Iranian actor with ties to the IRGC known for targeting IT managed service providers as a vector for downstream supply chain compromises, similar to OilRig's approach. They have focused on defense sector contractors and companies with US government ties, using watering hole attacks alongside spear phishing. Their targeting of MSPs is particularly significant given the potential for broad downstream impact across multiple victim organizations.

Agrius (Pink Sandstorm, Agonizing Serpens) is a destructive threat actor group linked to Iran that deploys wiper malware disguised as ransomware, making them distinct from the espionage-focused groups above. While they have primarily targeted Israeli and Middle Eastern organizations, their use of destructive payloads is a notable concern for US critical infrastructure given the potential for spillover or escalated targeting during periods of heightened tension.

Non-State Actor Activity:
Iran-linked Hackers Target US Transportation, Manufacturing Firms
Homeland Justice (Void Manticore, Storm-0842) was identified by Nozomi Networks as part of a cluster of Iran-linked threat groups that attempted to breach at least 10 US companies, mostly in the transportation and manufacturing sectors, coinciding with escalating Iran-Israel tensions in mid-2025.

Destructive Attacks, Website Defacements, Distributed-denial-of-service (DDoS) Attacks, Wiper Malware
According to Palo Alto Networks' Unit 42, as of June 2025, 120 hacktivist groups were reportedly active in response to Iran-Israel conflict events, with DDoS being the most reported attack method, followed by destructive attacks. Palo Alto Networks also reports that Iranian-aligned hacktivists have increasingly conducted website defacements and leaked sensitive information exfiltrated from victims, and are expected to significantly increase DDoS campaigns against US and Israeli websites.

Cyber Av3ngers (Sandcat / IRGC-affiliated Actors) has emerged as a significant threat to industrial control systems and operational technology environments, particularly in the water and wastewater sector. The group is assessed to be affiliated with the Islamic Revolutionary Guard Corps (IRGC) and tends to focus on ICS/SCADA-facing devices exposed to the internet, often exploiting default credentials and known vulnerabilities in industrial equipment.

During the Israel-Palestine conflict, CyberAv3ngers targeted Unitronics Vision Series programmable logic controllers (PLCs) used in various critical infrastructure industries, including the Water and Wastewater Systems (WWS). They exploited internet-accessible devices that had default or no passwords (often communicating via default TCP port 20256). In total, they compromised at least 75 devices, including at least 34 in the U.S. WWS Sector. Upon compromise, the PLCs displayed a defacement message: "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target." (CISA, 2024). The actors made changes to the devices to disrupt the vulnerable PLC’s functions, including disabling upload/download functions, enabling password protection, changing default ports, and uploading the defacement splash page to the HMI screen, preventing operators from seeing normal readings.
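As an added, defender-side example that is not part of the IT-ISAC alert: the check below scans constructed firewall flow records for allowed inbound TCP sessions to the Unitronics port named above (20256) from addresses outside an organization's own ranges, which is how a PLC exposed in the way the CyberAv3ngers campaign relied on would surface in logs most organizations already collect. The log format and the internal address ranges are assumptions; the sample records are constructed.

```python
import ipaddress
import re
from typing import Dict, List

# Assumed (constructed) flow-record format, one session per line:
#   <timestamp> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp> action=<allow|deny>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)
UNITRONICS_PORT = 20256  # default Unitronics PLC port named in the alert
# Assumed organisation-owned ranges; anything outside them is treated as internet-sourced.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line: str) -> Dict[str, str]:
    """Parse one flow record into its fields; reject lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparsed flow record: {line!r}")
    return m.groupdict()

def is_external(ip: str) -> bool:
    """True when the address lies outside every organisation-owned range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_exposed_plc_sessions(lines: List[str]) -> List[Dict[str, str]]:
    """Return allowed TCP sessions to the Unitronics port that originated outside the network."""
    # Each hit is evidence a PLC is reachable from the internet, the exposure the CyberAv3ngers
    # campaign relied on; denied sessions are skipped because the firewall already blocked them.
    hits = []
    for line in lines:
        rec = parse_line(line)
        if (rec["proto"].lower() == "tcp"
                and int(rec["dport"]) == UNITRONICS_PORT
                and rec["action"].lower() == "allow"
                and is_external(rec["src"])):
            hits.append(rec)
    return hits

# Constructed sample records (203.0.113.x and 198.51.100.x are documentation-only addresses).
SAMPLE_LOGS = [
    "2026-02-10T03:12:44Z src=203.0.113.7:51234 dst=10.20.30.40:20256 proto=tcp action=allow",
    "2026-02-10T03:12:45Z src=10.20.30.5:40000 dst=10.20.30.40:20256 proto=tcp action=allow",
    "2026-02-10T03:13:01Z src=198.51.100.9:44321 dst=10.20.30.40:20256 proto=tcp action=deny",
    "2026-02-10T03:14:10Z src=203.0.113.8:51300 dst=10.20.30.41:502 proto=tcp action=allow",
]
if __name__ == "__main__":
    for hit in find_exposed_plc_sessions(SAMPLE_LOGS):
        print(f"ALERT {hit['ts']}: external {hit['src']} reached PLC {hit['dst']} on tcp/{hit['dport']}")
```

Any hit should be treated as an inventory finding (the PLC is internet-reachable) as well as a possible intrusion, since the advisory notes these devices were abused simply for being exposed with default or no passwords.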

Hacktivist groups from Iran have also been implicated in attacks against U.S.-based healthcare facilities, specifically ransomware deployments. They targeted US pharmaceutical companies during the 2020 COVID-19 outbreak, seeking to steal sensitive data related to vaccine research, and have for many years targeted US satellite and defense sector networks.

The line between hacktivist groups and state-sponsored actors can be blurry with Iranian adversaries, as many Iranian hacktivist groups are believed to have direct or indirect ties to the Islamic Revolutionary Guard Corps (IRGC) or other government entities.

Outlook:

Iranian hacktivists have historically targeted the US in response to geopolitical conflicts. These actors are increasingly sophisticated, and their activity often aligns with state-sponsored objectives. These hacktivist groups use a variety of tactics, including exploitation of vulnerable systems, targeted spear-phishing, and data collection, and are known to carry out both disruptive and destructive attacks.

The IT-ISAC will continue to monitor the ongoing conflict and will report on state-sponsored and hacktivist activities as they pertain to US entities and critical infrastructure. Members may also contact the operations team at ops@it-isac.org if they have anything to share.