Understanding the Iranian Cyber Threat: Key Insights for IT Teams

Although there is currently a ceasefire in place, geopolitical tensions between the United States and Iran continue to escalate. As a result, we're witnessing a corresponding surge in Iranian-sponsored cyber activity targeting American organizations. Recent U.S. military strikes on Iranian nuclear facilities have prompted the Department of Homeland Security to issue warnings about heightened cyber threats from Iranian hacktivists and state-affiliated groups.

The data we're seeing from both our customer environments and research infrastructure tells a clear story: cyber operations from nation states like Iran are becoming more sophisticated, coordinated, and persistent.

Our Research Into the Current Threat Landscape

The Scale of Iranian Cyber Activity

Blumira provides a security operations platform for over 18,000 organizations to find and address threats and risks in their environment. Over the past 21 months, we've tracked 824 security incidents targeting our customers that can be attributed to Tactics, Techniques, and Procedures (TTPs) by Iranian cyber actors and Iranian-sourced networks. This sustained campaign included 383 RDP brute force attempts, 27 SSH attacks, and 414 web application scans, all originating from 67 unique Iranian IP addresses.

What makes this particularly concerning isn't just the volume but the timing and coordination. Our publicly-exposed security research lab has been monitoring Iranian reconnaissance patterns since June 2024, and the correlation between cyber activity spikes and geopolitical events is unmistakable:

• March 18-19, 2025: Our highest-ever recorded Iranian activity, with over 25,000 connections in a single day, coinciding with the DieNet hacktivist campaign that successfully targeted 61 U.S. organizations
• February 6, 2025: A 30x increase in baseline activity following U.S. sanctions on Iranian IRGC officials
• January 30, 2025: The first major spike of 2025, aligning with new administration policy changes

These aren't random port scans or opportunistic attacks. They represent systematic intelligence gathering that military strategists call "preparation of the battlefield."

Evolution of Iranian Tactics

Iranian cyber groups have evolved considerably over the past two years. We're tracking several key Advanced Persistent Threat (APT) groups:

APT33 (Elfin Team, Refined Kitten, HOLMIUM, Peach Sandstorm)has expanded beyond traditional espionage to focus on satellite communications and critical infrastructure. In May 2024, they successfully compromised a U.S. swing state government entity, demonstrating their capability to target election infrastructure.

APT34 (OilRig, Helix Kitten, Hazel Sandstorm) is an Iranian threat group that has targeted various sectors, including financial, government, energy, chemical, and telecommunications, since at least 2014.

APT35 (Magic Hound, Charming Kitten, Phosphorus) has incorporated AI-enhanced social engineering techniques and continues to focus on aerospace and critical infrastructure sectors.

MuddyWater (Seedworm, Static Kitten, TEMP.Zagros) adopted the sophisticated DarkBeatC2 command-and-control framework in 2024, significantly enhancing their operational capabilities.

CyberAv3ngers (Soldiers of Soloman), affiliated with Iran's Islamic Revolutionary Guard Corps, specializes in targeting industrial control systems, particularly water infrastructure and Israeli-made Unitronics PLCs.

Recent TTPs linked to Iranian cyber actors

2016-2017

• HBO breach (2017) - Iranian hackers stole unreleased content including Game of Thrones episodes
• Dam control system intrusion (2016) - Iranian hackers gained access to Bowman Avenue Dam control systems in New York

2018-2019

• Global oil and gas targeting (2018-2019) - APT33/Elfin targeted aviation and energy sectors worldwide
• DNSpionage campaign (2018-2019) - DNS hijacking attacks targeting government and private sector entities
• Telecommunications infrastructure attacks (2019) - Attacks targeting telecom providers in multiple countries

2020-2021

• Water treatment facility attacks (2020-2021) - Attacks targeting water infrastructure in Israel and potentially the U.S.
• Ransomware operations surge (2020-2021) - Groups like Pay2Key and others linked to Iranian operations
• Microsoft Exchange exploitation (2021) - Iranian groups were among those exploiting ProxyLogon vulnerabilities

2022-2024

• Albania government systems (July 2022) - Major attack disrupting government services
• Critical infrastructure targeting (2022-2023) - Continued focus on water, energy, and transportation sectors
• Election interference activities (2020, 2024) - Attempts to influence US elections through various means

Industries at Highest Risk

Our analysis shows Iranian actors are particularly focused on several key sectors:

• Healthcare and Public Health: Often targeted due to the critical nature of these services and potential for causing public alarm. Additionally, there is value in healthcare data on the open market as well as for intelligence purposes.
• Energy and Utilities: Including power generation, oil/gas infrastructure, and water systems. These industries are often identified as having more attack surface facing the internet due to historical under-investment in IT.
• Government and Defense: FFederal, state, and local government entities, along with defense contractors. From the city you live in all the way up to the state and federal level are different groups of people are trying to secure and defend different networks - and all have valuable data.
• Information Technology: Cybersecurity companies and IT service providers (like us) are priority targets for their access to multiple downstream customers. Validate your interconnections with your providers, and make sure you know what could happen if they get hit - do a tabletop exercise!
• Financial Services: Banking, investment firms, and payment processors. These are perfect targets for generating revenue. In 2016, North Korea’s Lazarus Group almost stole $1B from a Bangladeshi bank but failed due to a variety of circumstances.
• Education: Universities and research institutions, particularly those with government research contracts have valuable data for both manufacturing and selling.

If your organization operates in any of these sectors, you should assume you're being actively considered by Iranian threat actors.

What to Do Next

The current conflict represents more than just another geopolitical crisis; it's a demonstration of how modern conflicts play out in cyberspace. And while the threat is real, it's not insurmountable: with the right preparation, tools, and expertise, organizations can build the resilience needed to withstand even nation-state attacks. The question isn't whether your organization will face disruptive events, whether by threat actors or acts of nature; it's whether you are prepared.

The key is to move beyond a purely defensive mindset and toward a proactive security posture. Instead of trying to build perfect walls around your organization, focus on building the capability to quickly detect risky and suspicious activity, understand what that activity represents, and respond effectively to mitigate and maintain operations.

How Blumira Can Help

We believe security shouldn't be about fear — it should be about building operational resilience. While nation-state threats like those above can seem overwhelming, our approach focuses on building security operations that keep the business running smoothly by focusing on addressing risk holistically, not just detecting the next threat. We provide visibility where it matters most, actionable guidance when you need it, and human expertise when critical issues arise – because we're passionate about helping the people behind the technology who keep their organizations safe every day.

Ready to strengthen your cyber defenses? Read our post about what you can do today to help protect your organization against cyber threats and build the operational resilience you need for the modern threat landscape.

This analysis is based on security intelligence gathered from our anonymized customer environments and research infrastructure. All data shared comes from legitimate security research operations designed to improve community threat intelligence and help organizations better defend against advanced threats.