Iranian APT Hackers Targeting Transportation and Manufacturing Sectors in Active Attacks

Nozomi Networks Labs researchers have reported a 133% increase in cyberattacks linked to well-known Iranian advanced persistent threat (APT) groups in May and June 2025, amid the current tensions with Iran.

This uptick aligns with warnings from U.S. authorities, including a June 30th Fact Sheet from the Cybersecurity and Infrastructure Security Agency (CISA) and a subsequent National Terrorism Advisory System Bulletin from the Department of Homeland Security, which highlighted U.S. entities as prime targets.

Drawing from anonymized telemetry data shared by customers, Nozomi’s analysis reveals 28 incidents linked to these actors in the two-month period, compared to just 12 in March and April, underscoring a deliberate escalation in offensive cyber operations.

[Figure: recent spike in attacks linked to Iranian actors in comparison to March and April 2025.]

The primary focus appears to be on industrial and critical infrastructure sectors, particularly transportation and manufacturing organizations within the United States, where attackers employ sophisticated tactics to infiltrate networks and exfiltrate sensitive data.

Key Threat Actors

Among the most active groups, MuddyWater, also known as SeedWorm, emerged as the leading perpetrator, compromising at least five U.S.-based companies in transportation and manufacturing through persistent espionage campaigns.

This Iran-backed entity, operational since 2017, traditionally targets Middle Eastern governments, telecommunications, and energy sectors but has pivoted toward Western assets amid geopolitical strife.

Following closely is APT33 (Elfin), active since 2013 and historically focused on stealing proprietary information from aerospace, energy, and petrochemical targets, which struck at least three American firms.

OilRig (APT34, Helix Kitten), active since 2014, was observed in attacks on two U.S. entities; the group relies on spear-phishing and custom malware for intelligence gathering against financial, energy, and telecom organizations across the Middle East and beyond.

Other notable actors include CyberAv3ngers, which reused infrastructure from its earlier operations involving OrpaCrab (also tracked as IOCONTROL), OT-focused malware first identified in December 2024, to target critical infrastructure with politically motivated disruptions.

Fox Kitten (Pioneer Kitten), a state-sponsored APT active since 2017, focuses on long-term network persistence for potential sabotage, while Homeland Justice gained infamy for its 2022 attacks on Albanian systems and continues to pose a risk to entities worldwide.

Nozomi’s Threat Intelligence platform tracks these groups’ activities across various countries, revealing a pattern of targeting strategically vital sectors to advance Iranian interests.

Researchers noted that CyberAv3ngers recycled an IP address from previous incursions, a reuse that lets existing indicators still catch the group's activity across OT, IoT, and IT environments.

Mitigation Strategies

Industrial organizations worldwide are advised to heighten vigilance, reassess security postures, and integrate threat intelligence feeds to detect indicators of compromise (IoCs) from these groups.

Nozomi Networks customers benefit from pre-existing signatures in their Threat Intelligence subscriptions, including the Mandiant TI Expansion Pack, which provide real-time updates and seamless integration with existing cybersecurity tools.

By monitoring nation-state actors daily and transforming telemetry into actionable detection logic, Nozomi enhances collective defenses against these evolving threats.

As global conflicts increasingly spill into cyberspace, proactive intelligence sharing remains crucial for safeguarding critical infrastructure from disruptive APT operations.

Indicators of Compromise (IoCs)

IP addresses
159.100.6.69
169.150.227.230
95.181.161.50
164.132.237.65
5.199.133.149
104.200.128.71
104.200.128.206
31.192.105.28
185.118.66.114
194.187.249.102
185.162.235.29
144.202.84.43
64.176.173.77
64.176.172.101
64.176.172.235
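The report says to integrate these indicators into detection, but does not show how. As an added example (not code from Nozomi Networks or the report), the Python script below takes the IP list above, extracts candidate IPv4 addresses from log lines, validates them, and reports every line that contacts an indicator. The log lines are constructed for illustration; the regex deliberately rejects a dotted token that merely starts with an indicator (a naive substring check would flag it).

```python
"""Match the IP indicators listed above against firewall/proxy log lines (added example)."""
import ipaddress
import re
from collections import Counter

# IP indicators exactly as listed on this page.
IOC_IPS = frozenset({
    "159.100.6.69", "169.150.227.230", "95.181.161.50", "164.132.237.65",
    "5.199.133.149", "104.200.128.71", "104.200.128.206", "31.192.105.28",
    "185.118.66.114", "194.187.249.102", "185.162.235.29", "144.202.84.43",
    "64.176.173.77", "64.176.172.101", "64.176.172.235",
})

# Constructed sample log lines (not from the Nozomi report). Line 1 hits on a destination
# IP carrying a port suffix, line 3 on a source IP, line 5 on a DNS answer. Line 4 contains
# an indicator as the prefix of a longer dotted token, which a plain `ioc in line` would flag.
SAMPLE_LOGS = [
    "2025-06-12T08:14:03Z fw01 action=allow src=10.20.4.17:51234 dst=159.100.6.69:443 proto=tcp",
    "2025-06-12T08:14:05Z fw01 action=allow src=10.20.4.18:51235 dst=142.250.72.46:443 proto=tcp",
    "2025-06-12T09:02:41Z proxy01 src=185.162.235.29 dst=10.20.9.5 method=POST uri=/api/v1/login",
    "2025-06-12T09:03:00Z app01 agent=Collector build=5.199.133.1490 status=ok",
    "2025-06-12T09:10:12Z dns01 query=update.example.net answer=64.176.172.235",
]

# A dotted quad that is not preceded by a word character or a dot, and not followed by a
# word character or another ".digit": "5.199.133.1490" therefore yields no candidate, while
# "159.100.6.69:443" still does because ':' terminates the token.
IPV4_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?!\w|\.\d)")


def extract_ips(line: str) -> list[str]:
    """Return the syntactically valid IPv4 addresses found in one log line."""
    found = []
    for candidate in IPV4_RE.findall(line):
        try:
            found.append(str(ipaddress.IPv4Address(candidate)))
        except ipaddress.AddressValueError:
            continue  # looks like an IP but is not one, e.g. an octet above 255
    return found


def scan(lines, iocs=IOC_IPS):
    """Return (1-based line number, matched indicator, raw line) for every IoC hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in extract_ips(line):
            if ip in iocs:
                hits.append((n, ip, line))
    return hits


def summarize(hits):
    """Count hits per indicator so the most-contacted one surfaces first."""
    return Counter(ip for _, ip, _ in hits).most_common()


if __name__ == "__main__":
    results = scan(SAMPLE_LOGS)
    for n, ip, line in results:
        print(f"line {n}: {ip} <- {line}")
    print(summarize(results))
```

Point `scan()` at firewall, proxy and DNS logs covering May and June 2025, the window the report describes. The report does not say which group each address belongs to or when it was last seen active, so treat a hit as a lead to be confirmed against the surrounding traffic rather than as proof of compromise, and expect the list to age as the actors rotate infrastructure.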
