Rising tensions in the Middle East are prompting fresh warnings that the conflict could spill into the cyber domain, with potential implications for critical infrastructure operators worldwide. Security groups say Iranian state-sponsored hackers, aligned hacktivists, and cybercriminal networks could increase cyberattacks during periods of regional escalation, reflecting patterns seen in past conflicts. A joint advisory from members of the National Council of ISACs (NCI) urges organizations across critical infrastructure sectors to strengthen preparedness, noting that geopolitical crises can also elevate the risk of physical attacks by homegrown violent extremists targeting public spaces or essential services. The bulletin stresses that the warning is intended to raise awareness across industry rather than indicate confirmed increases in malicious activity.
The ISAC joint advisory recognized that Iran is a formidable cyber adversary, hosting several prominent state-sponsored threat groups that pursue a wide range of geopolitical objectives. These operations include cyber espionage, disruptive and destructive attacks, and financially motivated cybercrime, sometimes in collaboration with ransomware actors.
“For several days following the outbreak of the conflict, there was a noted decrease in cyber threat activity emanating from Iran,” the advisory detailed. “This could be caused by several factors, including a breakdown in command and control, cyber threat actors being reassigned to other responsibilities, and effective offensive cyber operations by the U.S. and Israel. However, there are signs of life in Iranian offensive cyber operations. In addition, there are confirmed disruptions to cloud services resulting from a kinetic attack, demonstrating, yet again, but in a new way, how physical security incidents can cause cyber impacts.”
As an additional concern, the advisory added, “we are seeing indications that Russia-affiliated actors are beginning to potentially align with Iranian actors. During the 12-day war between Israel and Iran in June 2025, Russian hacktivists were observed attacking Israeli critical infrastructure organizations. One example of this was the group Server Killers attacking Israeli health delivery organizations in response to the strikes on Iranian nuclear infrastructure.”
“Due to the current and similar ongoing situation, it is likely that this activity will also be prevalent throughout the 2026 conflict. In fact, the Russian hacktivist group NoName057(16) was observed attacking Israeli organizations with DDoS attacks on March 04, 2026. As the conflict continues, other Russian hacktivist groups may join the fray, exacerbating the existing risk to critical infrastructure organizations.”
Among the most active groups is Charming Kitten (APT35, Phosphorus), known for extensive spear-phishing campaigns targeting U.S. political entities, military organizations, and commercial sectors. The group often uses social engineering by impersonating journalists, researchers, or government officials to build trust before directing victims to fake login pages or conference invitations designed to steal credentials.
APT33 (Elfin) conducted significant attacks against critical infrastructure, particularly in the energy and aviation sectors in the United States and other Western countries. The group relies heavily on spear phishing with malicious attachments, often disguised as job opportunities or geopolitical discussions. It also uses typosquatted domains to impersonate legitimate businesses, conducts password-spraying attacks against weakly protected accounts, and has exploited zero-day vulnerabilities in IT products.
MuddyWater (APT37, Seedworm) focuses primarily on espionage operations targeting government, defense, energy, telecommunications, and financial organizations. Its campaigns have spanned the Middle East, Asia, Africa, Europe, and North America. The group typically gains initial access through spear-phishing emails containing malicious attachments or links. MuddyWater also develops custom malware but frequently relies on publicly known vulnerabilities and open-source tools to maintain persistence inside victim networks.
OilRig (APT34) specializes in cyber espionage and intelligence gathering. While it has historically targeted critical infrastructure in the Middle East, its operations have expanded to other regions, including the United States. The group uses spear-phishing campaigns, including LinkedIn-based attacks, to gain initial access and deploys custom malware alongside exploits for known vulnerabilities. OilRig is also known for leveraging compromised organizations to conduct supply chain attacks against additional targets.
Another notable actor is Pioneer Kitten (Fox Kitten, UNC757), which targets critical infrastructure sectors in the United States and elsewhere. The group often focuses on network infrastructure and exploits vulnerabilities in VPN systems, particularly devices from Pulse Secure, Citrix, and F5, to establish persistent access. Researchers have also documented its collaboration with ransomware affiliates and its role in selling network access to other threat actors, making it a hybrid player operating at the intersection of espionage and financially motivated cybercrime.
The ISAC advisory observed that the line between hacktivist groups and state-sponsored actors in Iran’s cyber ecosystem is often blurred, as many groups are believed to have direct or indirect ties to the Islamic Revolutionary Guard Corps or other government entities. These non-state actors frequently align with Iranian geopolitical interests and conduct a range of operations, including destructive cyberattacks, data theft, distributed denial-of-service campaigns, and website defacements.
Several groups have emerged as notable threats. CyberAv3ngers, also known as Sandcat, targets industrial control systems and operational technology environments, often exploiting internet-exposed ICS (industrial control systems) and SCADA (supervisory control and data acquisition) devices that use default credentials or unpatched vulnerabilities. During the June 2025 Israel–Palestine conflict, the group compromised dozens of programmable logic controllers used across critical infrastructure sectors.
Handala, also known as Void Manticore, focuses on psychological operations and hack-and-leak campaigns, primarily targeting Israeli organizations and companies connected to Israel through phishing and SMS-based social engineering. The group has also sought supply chain footholds by targeting IT and service providers and probing exposed applications for weak credentials and misconfigurations.
Other actors operate as part of a broader proxy ecosystem. Cyber Islamic Resistance, also known as Team 313, functions as a loose coordination network that organizes disruptive campaigns across multiple hacktivist groups targeting entities in the Middle East, the U.S., and parts of Asia. The Fatimion Cyber Team, or FAD Team, focuses on destructive operations, including wiper malware and large-scale SQL injection campaigns, and has claimed unauthorized access to SCADA and PLC systems in several countries. Meanwhile, the decentralized group DieNet conducts denial-of-service attacks, website defacements, and data breaches, primarily targeting Israel and its allies.
Companies are encouraged to adopt a thoughtful, comprehensive cybersecurity strategy that enables them to allocate limited resources most effectively. They should prepare for the likelihood of increased activity by Iranian-aligned hackers, including understanding organizational dependencies and developing continuity plans in case of a disruption to their operations or those of a critical supplier or partner.
Based on the cyber TTPs commonly deployed by Iranian actors, companies are urged to increase monitoring for spear-phishing and credential theft, review DDoS mitigation playbooks, ensure response partners are on standby, and validate backup and recovery processes for critical systems, especially in their communications infrastructure. They must also remain vigilant for signs of supply chain compromise or attempts to leverage trusted relationships for lateral movement. Multi-factor authentication (MFA) should be enabled wherever possible.
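The monitoring recommendation above is concrete enough to illustrate. The following Python example is added here and is not code from the advisory or from any ISAC; it demonstrates two of the checks a defender would run to catch the credential-theft TTPs described earlier on this page: password spraying (one source failing logins against many distinct accounts in a short window, then succeeding against one of them) and typosquatted sender domains that impersonate a trusted business. The log format, the IP addresses, the user names, the `example-corp.com` domain and the thresholds (`window`, `min_accounts`, `max_distance`) are all constructed assumptions for the example; a real deployment would parse its own authentication logs and tune the thresholds to its baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (assumed format, not real data).
SAMPLE_LOG = """\
2026-03-04T08:00:01Z auth-gw login_failed user=alice src=203.0.113.7
2026-03-04T08:00:03Z auth-gw login_failed user=bob src=203.0.113.7
2026-03-04T08:00:05Z auth-gw login_failed user=carol src=203.0.113.7
2026-03-04T08:00:07Z auth-gw login_failed user=dave src=203.0.113.7
2026-03-04T08:00:09Z auth-gw login_failed user=erin src=203.0.113.7
2026-03-04T08:00:11Z auth-gw login_success user=erin src=203.0.113.7
2026-03-04T08:05:00Z auth-gw login_failed user=frank src=198.51.100.9
2026-03-04T08:05:30Z auth-gw login_failed user=frank src=198.51.100.9
2026-03-04T08:06:00Z auth-gw login_success user=frank src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<event>login_failed|login_success) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn the constructed log lines into (timestamp, event, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], m["user"], m["src"]))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=4):
    """Flag sources whose failed logins touch many distinct accounts inside one window.

    A single user failing repeatedly (frank above) is ordinary; one source cycling
    through many users with few attempts each is the spraying pattern.
    """
    failures = defaultdict(list)
    for ts, event, user, src in events:
        if event == "login_failed":
            failures[src].append((ts, user))
    alerts = {}
    for src, fails in failures.items():
        fails.sort()  # chronological; tuples sort by timestamp first
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                alerts[src] = sorted(users)
                break
    return alerts


def successes_after_spray(events, alerts):
    """Successful logins from a flagged source: the credential most likely stolen."""
    return sorted(
        {(src, user) for _, event, user, src in events
         if event == "login_success" and src in alerts}
    )


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_sender_domains(sender_domains, trusted_domain, max_distance=2):
    """Return sender domains within a few edits of a trusted domain (but not equal)."""
    return sorted(
        d for d in sender_domains
        if 0 < edit_distance(d.lower(), trusted_domain.lower()) <= max_distance
    )


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    sprays = detect_password_spray(evs)
    print("spray sources:", sprays)
    print("logins to investigate:", successes_after_spray(evs, sprays))
    # Constructed sender domains seen in inbound mail headers.
    senders = ["example-corp.com", "examp1e-corp.com", "partner.net", "exarnple-corp.com"]
    print("lookalike senders:", lookalike_sender_domains(senders, "example-corp.com"))
```

The spray check deliberately keys on distinct accounts per source rather than on failure count alone, because a spray stays under per-account lockout thresholds by design; the success-after-spray list is what an analyst would triage first (force a password reset and review MFA enrollment for that account). The domain check is a triage aid, not a block list: a short edit distance to a trusted name is a reason to inspect the message, and the threshold should be raised or lowered to match how noisy the organization's legitimate partner domains are.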
Amid this heightened threat environment, critical infrastructure organizations can take concrete steps to strengthen their physical security and reduce their vulnerabilities. These include, but are not limited to, joining an information-sharing community, conducting risk and vulnerability assessments, documenting emergency response plans, policies, and procedures, and exercising those plans and other security contingencies. They must also conduct awareness training on the threats and risks facing critical infrastructure, and network with neighboring infrastructure entities and local law enforcement.
In conclusion, the ISAC joint advisory expects the threat environment to remain highly volatile. “Now is the time for companies to become familiar with Iranian-affiliated threat actors and their TTPs, test and assess their cybersecurity posture, strengthen their defenses, increase monitoring for suspicious activity, and remind employees to report suspicious emails and links. Preparedness is critical to resilience. Even attacks that do not directly target the U.S. could have cascading effects and disrupt U.S. companies. Given the interconnectedness of networks, it is possible that cyberattacks targeting Israel itself could cause collateral damage to U.S. companies, even if the U.S. companies themselves are not the intended targets.”
It also encouraged organizations to consider joining their sector-specific ISAC. ISACs are a cost-effective supplement to corporate security and cybersecurity teams, connecting peer analysts around common threats and enabling the kind of trusted, voluntary collaboration that makes the whole sector stronger. Voluntary collaboration with industry peers is invaluable, and it is never too late to join and engage.