Organizations across critical infrastructure sectors are stepping up their cybersecurity vigilance in the wake of recent events in the conflict between Iran and Israel. Hospitals, water treatment facilities, and power plants throughout the United States are now on high alert for potential Iranian cyberattacks in retaliation for last weekend’s strikes.
Ivan Novikov, CEO of the security firm Wallarm, views Iran as well-prepared, well-resourced, and highly motivated, and as capable of public and covert attacks, with a particular focus on critical infrastructure.
"Iran has invested heavily in building cyber capabilities, including hiring and training hackers, and collaborating with other nation-state actors such as North Korea and Russia," Novikov said.
"Iran has a history of targeting critical infrastructure during geopolitical tensions," agreed Theresa Payton, CEO at cybersecurity services and consultancy Fortalice Solutions. "Expect a potential shift from Iran's regional focus to the U.S. and perhaps other countries as targets, with destructive tactics like DDoS attacks, website defacements, wiper malware, and ransomware aimed at disrupting operations," Payton added.
Healthcare organizations face particular concern, with the Department of Health and Human Services' Administration for Strategic Preparedness and Response warning healthcare providers "to prepare for the likelihood of increased cyberattacks against healthcare entities."
The advisory notes that "Iranian government-affiliated cyberthreat actors, in particular, have been known to utilize brute-force methods, such as password spraying and multifactor authentication 'push bombing,' to compromise networks and obtain credentials."
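As an added illustration (not from the article or the HHS advisory), the following Python flags the two brute-force patterns the advisory names in a small constructed authentication log: password spraying (one source failing logins against many accounts) and MFA push bombing (one account receiving a burst of push prompts). The log format, event names and thresholds are assumptions for the example, not any product's real output.

```python
# Added example (not from the article): detect password spraying and MFA push bombing
# in a constructed auth log. Log format and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real data): timestamp event user source_ip
SAMPLE_LOG = """\
2025-06-23T01:00:01Z LOGIN_FAIL alice 203.0.113.7
2025-06-23T01:00:02Z LOGIN_FAIL bob 203.0.113.7
2025-06-23T01:00:03Z LOGIN_FAIL carol 203.0.113.7
2025-06-23T01:00:04Z LOGIN_FAIL dave 203.0.113.7
2025-06-23T01:00:05Z LOGIN_FAIL erin 203.0.113.7
2025-06-23T01:20:00Z LOGIN_FAIL alice 198.51.100.4
2025-06-23T02:00:00Z MFA_PUSH_SENT bob 203.0.113.9
2025-06-23T02:00:20Z MFA_PUSH_SENT bob 203.0.113.9
2025-06-23T02:00:41Z MFA_PUSH_SENT bob 203.0.113.9
2025-06-23T02:01:02Z MFA_PUSH_SENT bob 203.0.113.9
2025-06-23T02:01:30Z MFA_PUSH_APPROVED bob 203.0.113.9
"""

def parse(log):
    """Return (timestamp, event, user, ip) tuples sorted by time."""
    rows = [line.split() for line in log.splitlines()]
    return sorted((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ev, u, ip) for ts, ev, u, ip in rows)

def _burst(items, window, threshold):
    """items: time-sorted (ts, key) pairs. Return distinct keys seen inside one window, or 0 if below threshold."""
    for i, (start, _) in enumerate(items):
        keys = {k for t, k in items[i:] if t - start <= window}
        if len(keys) >= threshold:
            return len(keys)
    return 0

def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Source IP whose failed logins hit >= min_users distinct accounts within window -> count."""
    by_ip = defaultdict(list)
    for ts, ev, user, ip in events:
        if ev == "LOGIN_FAIL":
            by_ip[ip].append((ts, user))
    return {ip: n for ip, items in by_ip.items() if (n := _burst(items, window, min_users))}

def detect_push_bombing(events, window=timedelta(minutes=2), min_pushes=4):
    """Account receiving >= min_pushes MFA prompts within window; notes whether one was approved."""
    by_user, approved = defaultdict(list), set()
    for ts, ev, user, ip in events:
        if ev == "MFA_PUSH_SENT":
            by_user[user].append((ts, len(by_user[user])))  # index as key so every push counts
        elif ev == "MFA_PUSH_APPROVED":
            approved.add(user)
    return {u: {"pushes": n, "approved": u in approved}
            for u, items in by_user.items() if (n := _burst(items, window, min_pushes))}
```

An approved push inside a flagged burst is the case to escalate first, since it indicates the fatigue attempt may have succeeded.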
The Information Technology Information Sharing and Analysis Center and the Food and Agriculture Information Sharing and Analysis Center reported Monday that they had not yet seen confirmed attacks against either sector in connection with the Iran threat.
Iranian threat actors have a record of focusing on operational technology (OT) and industrial control systems (ICS), with the Islamic Revolutionary Guard Corps-affiliated group "CyberAv3ngers" leading attacks against programmable logic controllers (PLCs). Between November 2023 and April 2024, the group was tied to at least 29 confirmed intrusions into industrial control systems and operational technology networks.
One of the most high-profile incidents occurred in Aliquippa, Pennsylvania, where CyberAv3ngers compromised a Unitronics programmable logic controller used by the town's water authority, defacing it with anti-Israel slogans and rendering it partially inoperable. The attack targeted Israeli-made equipment, with the hackers' message stating, "Every equipment 'Made in Israel' is CyberAv3ngers legal target."
The Cybersecurity and Infrastructure Security Agency has warned that these PLCs are commonly used in water and wastewater systems and are also utilized in energy, food and beverage manufacturing, transportation systems, and healthcare sectors. CISA emphasizes that "Iranian state-sponsored activity has included malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated APT cyber actors."
The Department of Homeland Security has issued a National Terrorism Advisory System bulletin warning of increased Iranian cyber threats against U.S. critical infrastructure following recent military strikes on Iranian nuclear facilities. The advisory, issued on June 22, warns that "low-level cyber attacks against U.S. networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against U.S. networks."
The escalation comes after U.S. bombers struck three Iranian nuclear facilities at Fordow, Natanz, and Isfahan on Saturday night, prompting immediate concerns about retaliatory cyberattacks targeting American infrastructure. Federal officials emphasize that hacktivists and Iranian government-affiliated actors "routinely target poorly secured U.S. networks and Internet-connected devices for disruptive cyber attacks."
Fortalice Solutions' Payton advises that companies immediately:
Fast-Track Maintenance: Consult with the leadership team and obtain permission to expedite any maintenance or other key security initiatives.
Harden Defenses: Obtain permission to accelerate patch releases. Implement phishing-resistant MFA to counter brute-force and MFA fatigue tactics.
Enhance Threat Monitoring: Increase real-time monitoring for Iranian TTPs and use ISAC threat intelligence feeds for early warnings.
Prepare for Hybrid Threats: Anticipate hack-and-leak operations and disinformation. Develop incident response plans for data leaks and public-facing misinformation.
Secure Supply Chains: Vet third-party vendors, as Iran often exploits supply chain weaknesses.
Conduct Awareness Training: A brief staff meeting or condensed training session to educate staff on recognizing phishing and social engineering could be helpful.
"If security teams have the time and resources, run a red-team exercise simulating an Iranian-style attack within the next two weeks. This will stress-test detection and response capabilities and uncover gaps before a real attack hits," Payton added.
Cybersecurity experts warn that Iran's diminished conventional military capabilities following recent Israeli strikes make cyberattacks an increasingly attractive asymmetric response option.
"Iran is currently more likely than ever to retaliate through cyberattacks due to its significantly reduced ability to respond through conventional military means," according to analysis from Radware.
The National Terrorism Advisory System bulletin remains in effect until Sept. 22, reflecting the sustained nature of the threat. As tensions continue to escalate in the Middle East, U.S. critical infrastructure operators must maintain heightened cybersecurity postures while federal agencies work to coordinate defensive measures across sectors.
Federal agencies are urging critical infrastructure operators to implement immediate protective measures, including multifactor authentication, strong unique passwords, and checking PLCs for default passwords. CISA is "actively collaborating with government, industry, and international partners to disseminate actionable intelligence and bolster collective defense," according to spokesperson Marci McCarthy.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.