Iranian Threat Actors Target U.S. Critical Infrastructure, Including Water Systems

Iran’s Islamic Revolutionary Guard Corps (IRGC) has increased its asymmetric cyber operations in response to recent U.S. attacks on Iranian nuclear sites. Intelligence Group 13 has emerged as a major aggressor in attacking critical infrastructure in the United States.

This elite unit, embedded within the Shahid Kaveh Cyber Group, operates at the nexus of tactical cyber-espionage, industrial sabotage, and psychological warfare, leveraging advanced persistent threat (APT) techniques to preposition malware and disrupt essential services.

Named after the martyred IRGC commander Mohammad Kaveh, the group infuses its operations with ideological fervor, portraying digital intrusions as extensions of revolutionary struggle.

IRGC High-Level Hierarchy

As geopolitical pressures mount, assessments indicate a heightened probability of retaliatory strikes, blending technical aggression with narrative manipulation to amplify psychological impact and project defiance against Western adversaries.

Escalating Cyber Retaliation

Intelligence Group 13’s command structure is deeply integrated into the IRGC’s cyber ecosystem, drawing oversight from the Electronic Warfare and Cyber Defense Organization (EWCD), the Intelligence Organization (IO), and the Quds Force’s specialized units like Unit 300.

Senior figures such as Hamidreza Lashgarian, a high-ranking IRGC cyber official, provide strategic guidance, while tactical leadership falls to Reza Salarvand, who orchestrates target selection and intrusion campaigns.

Supporting this hierarchy is Mohammad Bagher Shirinkar, who bridges military operations with contractor networks, facilitating tool development and deniable activities through front companies.

According to the report, this compartmentalized architecture enables the group to conduct covert operations with plausible deniability, mirroring models seen in state-sponsored cyber programs from China and Russia, where private firms mask official involvement.

The group’s tradecraft focuses on infiltrating industrial control systems (ICS), including programmable logic controllers (PLCs) like those from Unitronics, as demonstrated in prior attacks on U.S. water treatment facilities and Israeli electrical grids.

Techniques include phishing-driven credential theft, open-source intelligence (OSINT) harvesting, and the deployment of custom malware for reconnaissance and sabotage.

For instance, in the Aliquippa water system intrusion in Pennsylvania, the group prepositioned implants to enable dormant activation, potentially causing widespread disruption to pressure regulation and monitoring.

These operations extend beyond mere technical compromise, incorporating psychological elements through propaganda fronts like CyberAveng3rs, which disseminates defacement screenshots, operational leaks, and taunting messages laced with religious-nationalist rhetoric via Telegram and Instagram channels.

Operated under handles such as @CyberAveng3rs and associated with figures like Mr. Soul (Mr_Soulcy), this arm issues preemptive threats, such as “Operation IV” targeting Israeli cybersecurity units, effectively waging cognitive warfare to erode trust and heighten fear.

Underpinning these efforts is a robust ecosystem of IRGC-affiliated contractors and front companies, designed for scalability and evasion of sanctions.

Entities like Ayandeh Sazan Sepehr Aria, a successor to the sanctioned Emen Net Pasargad, specialize in malware development and disinformation campaigns, while Mahak Rayan Afraz provides AI-driven surveillance tools including Persian natural language processing (NLP) engines and facial recognition platforms.

Other key players, such as DSPRI for signal interception and Sabrin Kish for ICS sniffers, support reconnaissance and deployments abroad to proxies in Syria and Iraq.

This hybrid public-private model, akin to China’s i-SOON leaks, allows the IRGC to rotate corporate identities (Net Peygard evolving into Emen Net, then Ayandeh Sazan) while retaining personnel and capabilities, thus sustaining long-term offensive postures despite international scrutiny.

Strategic Implications

As Iran seeks reprisal for escalating tensions, Intelligence Group 13’s dual mandate of disruption and influence positions it as a prime vector for hybrid retaliation.

Future campaigns may target U.S. water systems, fuel distribution networks, and Gulf State infrastructure, combining kinetic-cyber effects with amplified narratives to undermine institutional resilience.

Defenses must encompass not only network hardening against APT intrusions but also countermeasures against disinformation, recognizing that these threats aim to control both digital domains and public perception.

With ideological underpinnings rooted in martyrdom and resistance, the group’s operations signal a persistent evolution in state-sponsored cyber warfare, demanding vigilant monitoring of rebranded entities and propaganda channels to mitigate impending risks.
