The risk for cyber or U.S. critical infrastructure attacks in Iran conflict
U.S. strikes on Iran’s nuclear program in 2025 raised concerns about the security of American interests as the Islamic Republic and its proxies weighed their options for potential retaliation. Now that hostilities have resumed with the Feb. 28, 2026, strikes on Iran, threat actors are again vowing to hit Western and Gulf targets.

4/5/26
Iranian hackers vow ‘back to the Middle Ages’ water, power, oil attacks if Trump strikes power plants
The Iranian hacker group behind a massive wiper attack on a U.S. medical technology company and the breach of the FBI director’s personal email claimed that they are poised to inflict water, electricity and oil attacks on the United States and its allies of a caliber to “send your lives back to the Middle Ages” if the U.S. hits Iran’s power grid. “Know that this is not just a warning, but a definite promise, rooted in years of preparation and the expertise of Handala’s soldiers; forces that are now more prepared and ruthless than ever, waiting for just one mistake from you,” they continued. “If you think you can strike at the security of Iran or the Resistance Axis without consequences, you are gravely mistaken.”

3/31/26
Pro-Iran hackers threaten ‘proportionate response’ if authorities disrupt dark-web sale of alleged Lockheed Martin data
The pro-Iran hacking group that claimed to have stolen a tranche of sensitive materials from Lockheed Martin and posted it for sale in a Russian- and English-language dark web marketplace threatened today that “any government intervention, regardless of its nature, will be met with a proportionate response.” APT IRAN also declared “we have long-term plans for Lockheed” while claiming that a data release could cause “irreparable damage” to the company.

3/27/26
Major Iranian hackers unite, threaten ‘irreparable damages’ to U.S. water systems
A trio of Iranian hacking groups with a track record of critical-infrastructure breaches has vowed to inflict “irreparable damages” on the United States’ water infrastructure if water systems in Iran are threatened, one of the groups said while announcing their alliance. “It is hereby announced that the Handala and CyberAv3ngers groups are under our direct support and that necessary support will be provided to them,” APT IRAN said in a Telegram post. “If the FBI prevents the activities of these groups, a challenge will be created within the United States that will deprive them of the opportunity to deal with these groups.”

3/26/26
Iran hackers who hit U.S. medtech firm claim retaliatory breach of FBI
The hacking group that claimed responsibility for the massive wiper attack against medical technology company Stryker declared that it breached the FBI in retaliation for the Justice Department’s response. On March 19, the DOJ announced that it had seized four domains used by Iran’s Ministry of Intelligence and Security “in furtherance of attempted psychological operations targeting adversaries of the regime by claiming credit for hacking activity, posting sensitive data stolen during such hacks, and calling for the killing of journalists, regime dissidents, and Israeli persons.”

3/26/26
Hackers claim stolen Lockheed Martin data shared with IRGC, threaten defense giant’s engineers
The pro-Iran hacking group that claimed to have swiped a large volume of data from Lockheed Martin hiked their ransom demand even while saying they already shared sensitive information with the IRGC, as the hackers who hit a U.S. med-tech firm said they are now targeting specific Lockheed engineers working in Israel. APT IRAN claimed that they shared Lockheed data with the IRGC for free, “but this information is not only going to be available to the Iranians. We have many customers in China and Russia.” The hackers added that $600 million from Lockheed Martin only “might be able to provide this guarantee so that the information will only be in Iran’s hands and not sold to China, Russia, etc.”

3/25/26
UN and law enforcement agencies targeted by pro-Iran hackers
An Iraqi member of a pro-Iran hacking collective claimed to have attacked United Nations and international law enforcement organizations’ websites today. 313 Team said it targeted the websites of INTERPOL and Europol with a “precise cyberattack” and posted check-host.net screenshots as evidence of site outages. The group then said it targeted the United Nations’ Office on Drugs and Crime (UNODC) and Germany’s Federal Criminal Police Office for one-hour website shutdowns, and posted screenshots of time-out errors for each site.

3/23/26
Pro-Iran hackers demand $400M for alleged Lockheed Martin data
A pro-Iran hacking group that has focused on critical infrastructure targets demanded “about $400 million” from the United States — “the cost of building four F-35 fighters” — in ransom for what they claimed was a tranche of sensitive information swiped from an American aerospace and defense giant. APT IRAN claimed that the group had breached Lockheed Martin and swiped 375 terabytes of sensitive information “including technical documentation from active military projects, confidential contracts, high-level personnel information and sensitive administrative emails.”

3/16/26
Pro-Iran hackers claim Microsoft outage, vow to ramp up attacks on U.S. companies
Hackers supporting Iran claimed to be behind today’s Microsoft outage issues while a collective that has urged “epic war” allies to stand as unified “mujahideen” on the cyber front is vowing to target more U.S. companies and conducting fundraising to beef up hackers’ infrastructure. An Iranian group closely linked to CyberAv3ngers that has previously focused on operational technology targets also made a chilling yet unverified claim of responsibility for a deadly explosion at a Nebraska biofuels plant this past summer.

3/10/26
The cyber dimension of the Iran conflict with Cynthia Kaiser and Mark Montgomery
Cyber is now woven into modern conflict, alongside conventional military force. In this episode of Cyber Focus, Frank Cilluffo examines how that shift shapes the threat from Iran — especially the risk of cyber retaliation aimed at U.S. critical infrastructure, U.S. businesses and public confidence. Rear Adm. (Ret.) Mark Montgomery of the Foundation for Defense of Democracies brings a strategic and military lens to the discussion, explaining how cyber is being built into conflict planning alongside kinetic operations. Cynthia Kaiser, a former FBI cyber leader now with Halcyon, brings an operational view of how Iranian cyber activity can create disruption, spread fear and produce real effects even without the sophistication of China or Russia.

3/8/26
Critical infrastructure attack claims in Iran cyber war linked to desired physical attacks
Hacking groups supporting Iran claimed new hits against critical infrastructure sectors, with some saying they had manipulated control systems and the earliest attacker of this conflict declaring that details they had swiped about a commercial complex were released to make a physical attack easier. Hider Nex, a pro-Palestinian Tunisian hacking group that emerged in mid-2025, published on its Telegram channel Saturday what it said was “sensitive and precise information” and building plans for the Azrieli Business Park in Herzliya, Israel, which “houses embassies and major companies.”

3/8/26
Cyber ‘mujahideen’ urged to ‘close the gaps’ as ‘double the force’ vowed in response to hit on Iran school
Pro-Iran hackers urged “epic war” allies to stand as unified “mujahideen” as one team decided to withdraw from the coalition and settle into a neutral position due to Iran’s attacks on Kurdish territory and forces. Cyber Islamic Resistance, a pro-Iran hacking collective, posted a video Wednesday on its Telegram channel with a shadowy figure at a computer and English subtitles encouraging “mujahideen … who stand guard on the frontiers in the great battle of epic war” to “straighten the rows among yourselves and close the gaps in the jihad to which you have marched.”

3/3/26
Pro-Iran hackers claim manipulation op intended to ‘rot’ critical wheat stockpile
A pro-Iran hacking group detailed an attack manipulating agricultural sector control systems in an incident the Jordanian government said was aimed at destroying a strategic wheat stockpile. A post on a newly created Telegram channel attributed to APT IRAN, which was promoted by the Cyber Islamic Resistance Telegram channel, said that “we infiltrated Jordan’s critical infrastructure” by breaching the Jordan Silos and Supply General Company’s internal network via what they claimed was infiltration that began about a month ago. “We introduced our malware to the network through a targeted phishing email to an employee in the administrative department,” APT IRAN said. “After entering, we scanned the internal network and gained access to important parts: the silo control system that manages temperature and humidity, the weighing and scales system, the solar power plant, and by accessing these parts, we took actions.”

3/1/26
Pro-Iran hackers claim DDoS attacks on critical infrastructure targets, including U.S. port
Pro-Iran cyber threat actors began their promised retaliatory operations against Western and Gulf entities largely with a campaign of distributed denial of service (DDoS) attacks, claiming an American port’s website as one of their targets along with other critical infrastructure sectors. The “great epic” cyber war, as one hacking collective branded the battle, has also apparently drawn into the fray a wanted IRGC threat actor known for critical infrastructure strikes. The U.S. has a $10 million Rewards for Justice bounty on Islamic Revolutionary Guard Corps hackers CyberAv3ngers, associated with the online persona Mr. Soul and accused of targeting ICS/SCADA devices in U.S. and global critical infrastructure.

2/28/26
‘Prepare for the destruction of your infrastructure’: Hackers vow retaliation as Iran takes cyber hit
Iran was hit by an expected cyber onslaught in addition to missiles today as threat actors supporting the Islamic Republic warned Iran’s foes to “prepare for the destruction of your infrastructure” in imminent “massive” cyberattacks. Given recent reporting on the United States using offensive cyber capabilities in an unprecedented manner to capture Venezuelan leader Nicolas Maduro, Iran was expected to assess its defenses as the U.S. military buildup in the Gulf region intensified and negotiations over the Islamic Republic’s nuclear program reached an impasse. FAD Team, a pro-Iran hacking group, said in an official statement posted last weekend that they were engaged in “a phase of extreme technical mobilization and silent effort in the most delicate cyber fields,” according to a translation. But it’s not just about putting Iran on defense. Iran and its proxies are ramping up their own offensive cyber ops, as expected.

7/1/25
Critical infrastructure entities warned of Iran-linked cyber risk to U.S. networks
Despite a pause in the clash between Iran and Israel, U.S. agencies are warning that critical infrastructure entities should not let their guard down in the cyber realm. The Cybersecurity and Infrastructure Security Agency, FBI, Department of Defense Cyber Crime Center (DC3), and the National Security Agency released a joint statement “strongly” urging organizations to “remain vigilant for potential targeted cyber activity against U.S. critical infrastructure and other U.S. entities by Iranian-affiliated cyber actors.”

6/25/25
Despite Iran’s weaknesses U.S. must watch for radicalization at home, former CENTCOM chief warns
In a new interview for the McCrary Institute’s Cyber Focus podcast, retired Marine Corps Gen. Frank McKenzie – former commander of U.S. Central Command (CENTCOM) and now executive director of the Global and National Security Institute at the University of South Florida – described Iran as “historically weakened” following a series of military setbacks and senior leadership losses.

6/22/25
New NTAS Bulletin warns ‘low-level cyber attacks’ against U.S. networks ‘likely’ after strikes on Iran
“Low-level cyber attacks” directed at U.S. networks are “likely” after the United States bombed nuclear sites in Iran, and the potential for physical attacks in retaliation for the strikes hinges on the response of Islamic Republic leaders and proxies’ plans, a National Terrorism Advisory System (NTAS) Bulletin warned. “The conflict could also motivate violent extremists and hate crime perpetrators seeking to attack targets perceived to be Jewish, pro-Israel, or linked to the U.S. government or military in the Homeland,” the NTAS Bulletin states, stressing that “multiple recent Homeland terrorist attacks have been motivated by anti-Semitic or anti-Israel sentiment, and the ongoing Israel-Iran conflict could contribute to U.S.-based individuals plotting additional attacks.”

6/21/25
Iran may strike back in cyberspace – and U.S. infrastructure could be in the crosshairs
Just over a week after Israeli airstrikes targeted Iran’s nuclear facilities, cybersecurity experts are warning that U.S. infrastructure could be hit as Iran strikes back. In a new To the Point interview, retired Rear Adm. Mark Montgomery, senior fellow at Auburn University’s McCrary Institute and former executive director of the Cyberspace Solarium Commission, said the risk of Iranian cyber retaliation is both credible and growing. “Is it possible? Yes. Is it likely? Yes,” Montgomery said. “We already see a 700% increase in Iranian attacks on Israeli critical infrastructures.”

6/19/25
Inside the cyber battlefield: More hacking groups in Iran’s camp, but notable attacks from Israel’s corner
Cyberattacks act as a “strategic equalizer” as Iran’s conventional military capabilities lag behind those of Israel, and actors working on behalf of Tehran or aligned with the Islamic Republic could take attacks beyond the borders of physical combat to target entities in Western nations that are seen as aligning with Israel, said a new report from Trustwave SpiderLabs. The cyberwar landscape in the fresh conflict between Iran and Israel is characterized as a hybrid threat ecosystem: “a few state-linked actors embedded within a dense jungle of ideological, opportunistic and proxy-driven cyber collectives,” researchers described. “While the most visible operations often come from hacktivist fronts or public defacement campaigns, it is important to note that both Israel and Iran are also conducting highly targeted, stealthy cyber operations behind the scenes,” the report noted. “These state-level campaigns are typically more strategic, involve advanced capabilities and rarely surface in open-source channels, making them harder to detect, attribute or assess in real time.”