Federal cybersecurity agencies—including CISA, the FBI, DC3, and NSA—have issued a joint advisory urging U.S. organizations to remain vigilant amid increased cyber activity linked to Iranian-affiliated actors. These agencies have observed incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities, particularly those with connections to Israeli defense or research sectors.
Fortress Security Risk Management has also conducted an independent Threat Intelligence assessment focused on Iranian nation-state cyber threats. The findings and analysis are detailed in Appendix A.
Key Threats
Operational Technology (OT) Vulnerabilities
- Internet-facing OT and ICS devices are at high risk due to weak authentication and outdated software.
- Threat actors exploit default passwords, unpatched systems, and unsecured remote access to disrupt operations.
Iranian-Affiliated Cyber Activity
- Likely targets include critical infrastructure and Defense Industrial Base (DIB) companies.
- Tactics include ransomware, DDoS campaigns, data exfiltration, and attacks on OT systems such as PLCs and HMIs.
Recommended Mitigations
For OT and ICS Environments
- Disconnect OT from Public Internet: Remove unnecessary internet exposure and enforce allowlist access.
- Secure Remote Access: Use VPNs, private IPs, strong passwords, and phishing-resistant MFA.
- Segment Networks: Separate IT and OT environments using firewalls and demilitarized zones (DMZs).
- Patch Regularly: Apply updates to address known vulnerabilities.
- Plan for Manual Operations: Test backups and fail-safes to maintain continuity during disruptions.
For General Cyber Threats
- Enforce Strong Credentials: Replace default or weak passwords and enable MFA.
- Monitor Access Logs: Track remote access and configuration changes for anomalies.
- Develop Incident Response Plans: Ensure your team is prepared to respond and recover quickly.
- Protect Sensitive Data: Implement controls to reduce the impact of potential leaks or breaches.
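As an added illustration (not part of the advisory and not Fortress SRM code), the following Python script applies the allowlist, MFA, default-credential and configuration-change checks listed above to a few constructed remote-access gateway log lines; the log format, IP ranges, account names and maintenance window are all assumptions made for the example.

```python
import ipaddress
from datetime import datetime, time

# Constructed sample log lines from a hypothetical OT remote-access gateway (not real data).
SAMPLE_LOG = """\
2024-06-20T03:14:07Z gw user=operator src=203.0.113.45 mfa=yes action=login result=success
2024-06-20T03:20:11Z gw user=admin src=198.51.100.7 mfa=no action=login result=success
2024-06-20T09:05:42Z gw user=engineer src=10.20.5.12 mfa=yes action=config_change target=plc-07 result=success
2024-06-20T23:48:03Z gw user=engineer src=10.20.5.12 mfa=yes action=config_change target=hmi-02 result=success
"""

# Allowlisted sources permitted to reach OT remote access (assumed values).
ALLOWLIST = [ipaddress.ip_network("10.20.5.0/24"), ipaddress.ip_network("203.0.113.45/32")]
# Vendor/default accounts that should never be used interactively (assumed values).
DEFAULT_ACCOUNTS = {"admin", "root", "guest"}
# Approved maintenance window for configuration changes, UTC (assumed).
WINDOW = (time(8, 0), time(18, 0))


def parse_line(line):
    """Split 'timestamp host key=value ...' into a dict with a parsed timestamp."""
    ts, host, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["host"] = host
    return fields


def audit(log_text, allowlist=ALLOWLIST, default_accounts=DEFAULT_ACCOUNTS, window=WINDOW):
    """Return (timestamp, user, finding) tuples for entries that violate the mitigations."""
    findings = []
    for line in log_text.strip().splitlines():
        e = parse_line(line)
        src = ipaddress.ip_address(e["src"])
        if not any(src in net for net in allowlist):
            findings.append((e["ts"], e["user"], "source %s not on allowlist" % src))
        if e.get("mfa") != "yes":
            findings.append((e["ts"], e["user"], "login without MFA"))
        if e["user"] in default_accounts:
            findings.append((e["ts"], e["user"], "default/vendor account used"))
        if e["action"] == "config_change" and not (window[0] <= e["ts"].time() <= window[1]):
            findings.append((e["ts"], e["user"],
                             "config change to %s outside maintenance window" % e["target"]))
    return findings


if __name__ == "__main__":
    for ts, user, finding in audit(SAMPLE_LOG):
        print(ts.isoformat(), user, finding)
```

Run against the constructed lines, the script flags the non-allowlisted, non-MFA login by the default account and the late-night configuration change, while the two in-window, allowlisted entries produce no findings.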
Helpful Resources
- Iran Threat Overview and Advisories | CISA
- Iran State-Sponsored Cyber Threat: Advisories | CISA
- Understanding and Responding to Distributed Denial-Of-Service Attacks | CISA
Report Suspicious Activity
- CISA: [email protected] | 888-282-0870
- FBI: Home Page – Internet Crime Complaint Center (IC3) or contact your local field office
- NSA: [email protected]
How Fortress SRM Can Help
Fortress SRM is here to support your organization with:
- Vulnerability assessments
- OT/ICS security reviews
- Incident response planning
- Threat monitoring and mitigation
Contact us today at [email protected] to schedule a consultation or learn more about how we can help strengthen your cybersecurity posture.
Appendix A – Fortress Cyber Risk Management Independent Threat Intelligence Assessment
Appendix A dives deeper into specific threat actors, their unique tactics, and prominent attack vectors, enabling organizations to tailor defenses against these precise threats.
Section 1 – Key Iranian-Affiliated Threat Actors
APT33 (Elfin) – Targets the aerospace and energy sectors through spear-phishing campaigns and credential theft operations.
APT34 (OilRig) – Focuses on financial, energy, and telecommunications industries; known for deploying web shell implants and phishing techniques.
APT35 (Charming Kitten) – Engages in credential-harvesting campaigns targeting dissidents, academics, and non-governmental organizations (NGOs).
APT42 – Exploits vulnerabilities in VPN appliances and Fortinet devices to establish persistent access within targeted networks.
Emennet Pasargad – Specializes in intrusions into Operational Technology (OT) and Industrial Control Systems (ICS), leveraging custom malware and zero-day exploits.
MuddyWater (SeedWorm) – Conducts low-profile cyber espionage using backdoors and remote access tools.
Pioneer Kitten – Performs reconnaissance on supply chains and deploys bespoke malware for targeted intrusions.
Section 2 – Prominent Iranian Threat Vectors and Tactics
- Spear-phishing & credential harvesting
- Watering-hole attacks
- Exploitation of Microsoft Exchange & Fortinet vulnerabilities
- Destructive wiper malware (e.g., Shamoon)
- ICS/OT intrusion & process-disruption payloads (e.g., Triton/HatMan)
- Ransomware & distributed-denial-of-service (DDoS)
- Remote code execution via exposed services
- Supply-chain compromise of legitimate software
- Illicit procurement & sanctions evasion to support cyber operations