
Critical infrastructure entities warned of Iran-linked cyber risk to U.S. networks

Israel Defense Forces said June 21, 2025, that this video shows the result of its strikes on Iran's nuclear site at Isfahan. (IDF video)

By Bridget Johnson

Despite a pause in the clash between Iran and Israel, U.S. agencies are warning that critical infrastructure entities should not let their guard down in the cyber realm.

The Cybersecurity and Infrastructure Security Agency, FBI, Department of Defense Cyber Crime Center (DC3), and the National Security Agency released a joint statement Monday “strongly” urging organizations to “remain vigilant for potential targeted cyber activity against U.S. critical infrastructure and other U.S. entities by Iranian-affiliated cyber actors.”

The fact sheet warned that “Iranian-affiliated cyber actors may target U.S. devices and networks for near-term cyber operations,” specifically defense industrial base organizations that have holdings or relationships with Israeli research and defense firms.

The joint statement comes just over a week after a National Terrorism Advisory System (NTAS) Bulletin warned that “low-level cyber attacks” directed at U.S. networks are “likely” after the United States bombed nuclear sites in Iran, along with an increased potential for physical attacks.

Poorly secured networks, weak passwords and unpatched or outdated software are cited as common vulnerabilities exploited by Iranian-allied hackers in the new alert. “Over the past several months, Iranian-aligned hacktivists have increasingly conducted website defacements and leaks of sensitive information exfiltrated from victims,” the agencies added. “These hacktivists are likely to significantly increase distributed denial of service (DDoS) campaigns against U.S. and Israeli websites due to recent events. Iranian-affiliated cyber actors may also conduct ransomware attacks in collaboration with other cybercriminal groups.”

The agencies noted that during the conflict between Israel and Hamas, between November 2023 and January 2024, Iranian Islamic Revolutionary Guard Corps (IRGC)-affiliated cyber actors “actively targeted and compromised Israeli-made programmable logic controllers (PLCs) and human machine interfaces (HMIs)” in a global campaign that “included dozens of U.S. victims in the water and wastewater, energy, food and beverage manufacturing, and healthcare and public health sectors.” Hackers “leveraged public internet-connected industrial control systems (ICSs) that used factory-default passwords, or no passwords, and default Transmission Control Protocol (TCP) ports.”

“Following the onset of the Israel-Hamas conflict, Iranian-affiliated cyber actors conducted several hack-and-leak operations to protest the conflict in Gaza,” the agencies continued. “This campaign combined hacking and theft of data with information operations (e.g., online amplification through social media or threats and harassment using direct messaging). These operations resulted in financial losses and reputational damage for victims. The purpose of these campaigns was to undermine public confidence in the security of victim networks and data, as well as embarrass targeted companies and countries. While hacktivists primarily targeted Israeli companies, one instance involved a U.S. internet protocol television (IPTV) company.”

Critical infrastructure asset owners and operators were urged to implement various mitigations including disconnecting OT and ICS assets from the public internet.
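As an added illustration of the exposure conditions the agencies describe above and the mitigation they urge (this is example code, not the article's or the agencies' own), the following inventory audit flags PLC/HMI assets that carry an internet-routable address, listen on default ICS TCP ports, or still use a default or empty password. The port list and the sample inventory are assumptions constructed for the example.

```python
# Added example (not the article's or the agencies' own code): an inventory
# audit that flags PLC/HMI assets with the exposure conditions described above
# (internet-routable address, default ICS TCP ports, default or no password).
import ipaddress
from dataclasses import dataclass

# Assumption: common default OT service ports (Modbus/TCP, DNP3, EtherNet/IP).
DEFAULT_ICS_PORTS = {502, 20000, 44818}
# RFC 1918 ranges; anything outside them is treated as internet-routable here.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Asset:
    name: str
    kind: str            # "plc", "hmi", "it", ...
    address: str         # IPv4 address as seen from the routed network
    tcp_ports: set       # listening TCP ports
    password_state: str  # "default", "none" or "custom"

def is_routable(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in PRIVATE_NETS)

def audit(assets):
    """Return {asset name: [findings]} for OT assets that need remediation."""
    findings = {}
    for a in assets:
        if a.kind not in ("plc", "hmi"):
            continue  # IT assets are out of scope for this OT check
        issues = []
        if is_routable(a.address):
            issues.append("routable address outside RFC 1918 private ranges")
        exposed = sorted(a.tcp_ports & DEFAULT_ICS_PORTS)
        if exposed:
            issues.append(f"default ICS TCP ports open: {exposed}")
        if a.password_state in ("default", "none"):
            issues.append(f"password state: {a.password_state}")
        if issues:
            findings[a.name] = issues
    return findings

# Constructed sample inventory (documentation-range addresses, not real hosts).
SAMPLE = [
    Asset("pump-plc-1", "plc", "203.0.113.10", {502}, "default"),
    Asset("hmi-lab", "hmi", "10.20.0.5", {80, 443}, "custom"),
    Asset("dosing-plc", "plc", "192.168.4.7", {502, 8080}, "none"),
    Asset("web-server", "it", "198.51.100.3", {443}, "custom"),
]
```

Running `audit(SAMPLE)` flags only the two PLCs; each finding maps directly to one of the agencies' mitigations (segment off the internet, change default ports where the vendor allows, set unique passwords).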

As of June 25, CyberKnow’s Iran and Israel War Cybertracker has pinpointed 105 non-state hacktivist coalitions supporting Iran, 15 anti-Iran groups and 10 cyber collectives that identify as pro-Israel. However, some groups have been seen “returning to their usual targets” as tensions cooled following U.S. strikes on three Iranian nuclear facilities.

The pro-Palestinian, pro-Iranian hacktivist collective Handala continues to claim breaches of organizations connected to the Israeli government, stating on its Telegram channel Thursday that “revenge will soon be taken against the Jews.” On Monday, the group claimed to have infiltrated the systems of Hotam EC, posting documents it said are part of the swiped data and declaring “this is not about ransom, this is about responsibility.”

“Every fund file, KYC archive, transaction trail, compliance log, and internal memo has been accessed, exfiltrated, and mirrored,” the group claimed Sunday as it said it hacked ClockWorkAdmin, another Israeli company. “Your clients’ secrets are no longer secrets. Your investors’ identities are no longer safe. And your regulatory obligations have already been violated, irreversibly.”

Cybersecurity firm Radware reported earlier in the conflict that there was a 700% spike in cyberattacks — including attempts to breach critical infrastructure — against Israel shortly after news first broke of Israel’s initial strikes on Iran.

Pro-Israeli hackers, meanwhile, have scored notable hits. The group Gonjeshke Darande, or “Predatory Sparrow,” claimed on X “cyberattacks which destroyed the data of the Islamic Revolutionary Guard Corps’ ‘Bank Sepah’ … an institution that circumvented international sanctions and used the people of Iran’s money to finance the regime’s terrorist proxies, its ballistic missile program and its military nuclear program.”

Predatory Sparrow, which first emerged in 2021, then said that they “burned $90M from the wallets of the regime’s favorite sanctions violation tool” Nobitex, Iran’s largest cryptocurrency exchange. The group posted what they said was the full source code: “ASSETS LEFT IN NOBITEX ARE NOW ENTIRELY OUT IN THE OPEN,” they declared.

“The difference between predators is determined by the time the predators play with the prey,” the group said on its Telegram channel Thursday. “Not by the strength of the predator.”

The cyberwar landscape in the conflict between Iran and Israel is characterized as a hybrid threat ecosystem: “a few state-linked actors embedded within a dense jungle of ideological, opportunistic and proxy-driven cyber collectives,” Trustwave SpiderLabs researchers described in a recent report.
