Pro-Iranian Hacktivists Targeting US Networks Department of Homeland Security Warns

The Department of Homeland Security has issued a critical advisory warning of escalating cyber threats from pro-Iranian hacktivist groups targeting United States networks, as tensions between Iran and the US reach a dangerous new peak following recent military exchanges.

The warning comes in the aftermath of Iran’s Islamic Revolutionary Guard Corps firing missiles at US military bases in Qatar and Iraq on June 23, 2025, a direct retaliation for American strikes on three Iranian nuclear facilities the previous day.

This marked escalation in the ongoing Iran-Israel conflict has now extended into cyberspace, with state-aligned hacktivist groups ramping up their offensive operations against American infrastructure.

The cyber campaign represents a coordinated effort by multiple Iranian-affiliated groups using several attack vectors: distributed denial-of-service attacks, exploitation of internet-exposed operational technology devices, and targeted espionage against the defense sector.

ReliaQuest analysts noted that the scope of cyber conflict has been largely limited to participating countries until now, but following the United States’ recent kinetic attacks, cyber retaliation against American targets is highly likely within the next one to four weeks.

The threat assessment indicates that Iranian offensive operations will primarily target organizations conducting business with Israel or utilizing Israeli equipment, particularly programmable logic controllers and other operational technology devices.

Among the active threat groups, Team 313 has emerged as a particularly aggressive actor, claiming responsibility for a distributed denial-of-service attack against the Truth Social platform and citing the US strikes on Iranian nuclear facilities as the motivation for its digital assault.

The pro-Iranian hacktivist group joins other active entities including the pro-Palestine group Handala, which has claimed to have stolen over 2 terabytes of data from multiple Israeli organizations, and the pro-Israel group Predatory Sparrow, which has targeted Iranian banking and cryptocurrency infrastructure.

Intelligence assessments suggest the pro-Iranian groups are likely affiliated with the Iranian government and represent a strategic deployment of cyber warfare tactics designed to gather intelligence and disrupt critical infrastructure operations.

The threat landscape encompasses both opportunistic attacks exploiting inadvertently exposed operational technology devices and deliberate denial-of-service campaigns against entities supporting US efforts in the conflict.

High-impact, destructive cyberattacks are expected to coincide with kinetic operations, following the pattern of previous Iranian cyber operations that have caused significant economic damage. One example is the 2014 attack on a Las Vegas casino company, which reportedly resulted in $40 million in damages after its CEO expressed support for stronger action against Iran.

Operational Technology Exploitation Techniques

The most concerning aspect of the current threat landscape involves the targeting of operational technology systems through internet-connected devices.

Iranian groups, particularly CyberAv3ngers, have repeatedly demonstrated the ability to locate and take over programmable logic controllers and human-machine interfaces that are reachable from the internet.

The group's compromise of multiple US water and wastewater facilities in November 2023 exemplifies its methodology: attackers used scanning tools to identify accessible internet-connected devices (Unitronics Vision-series PLCs in that campaign) and then logged in with default credentials that are readily available in the vendor's operational technology manuals. CISA's advisory on the campaign accordingly recommended changing every default password, removing PLCs from the public internet, and placing any remote access to them behind a firewall or VPN.

This technique leverages the convergence of information technology and operational technology systems, creating an expanded attack surface where critical infrastructure becomes vulnerable through basic security oversights.

The exploitation typically begins with automated scanning for devices that respond on standard industrial protocol ports, followed by login attempts using manufacturer default passwords or brute-force guessing of weak ones. This gives attackers control over critical infrastructure systems that were never designed for internet connectivity, without needing any software vulnerability at all.
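The first step of the methodology described above, scanning for devices that answer on industrial protocol ports, is also the first thing a defender should look for in their own perimeter logs. The following is an added example, not code from the original article, CISA or any vendor: it reads firewall log lines, flags allowed inbound connections from external addresses to well-known OT service ports, and separately counts denied attempts, which indicate active scanning even when the firewall blocked it. The key=value log format, the sample lines, and the internal address ranges are constructed assumptions; the port numbers are the standard assignments for each protocol.

```python
"""Flag allowed inbound connections from external addresses to common
industrial-protocol ports in firewall logs.

Added example, not code from the original article or from any vendor.
Port numbers are the standard assignments for each protocol; the log
format and the sample lines are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Ports an internet-wide scan for exposed OT devices typically probes.
OT_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    1911: "Tridium Niagara Fox",
    4840: "OPC UA",
    20000: "DNP3",
    20256: "Unitronics PCOM",
    44818: "EtherNet/IP (CIP)",
    47808: "BACnet/IP",
}

# Assumption: the organisation's internal address space. Anything outside
# these ranges is treated as external (the TEST-NET documentation ranges
# used in the sample below therefore count as external, as intended).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample in a simplified key=value firewall log format.
SAMPLE_LOG = """\
2025-06-24T03:14:07Z action=allow src=203.0.113.45 dst=10.20.0.15 dport=20256 proto=tcp
2025-06-24T03:14:09Z action=allow src=203.0.113.45 dst=10.20.0.16 dport=20256 proto=tcp
2025-06-24T03:15:01Z action=allow src=10.20.0.7 dst=10.20.0.15 dport=20256 proto=tcp
2025-06-24T03:16:22Z action=allow src=198.51.100.9 dst=10.20.0.30 dport=502 proto=tcp
2025-06-24T03:17:40Z action=deny src=198.51.100.9 dst=10.20.0.31 dport=502 proto=tcp
2025-06-24T03:18:05Z action=allow src=192.0.2.77 dst=10.20.0.40 dport=443 proto=tcp
not a log line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(addr):
    """True when addr lies outside every configured internal range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def find_exposed_ot(log_text):
    """Scan log text for external sources reaching OT ports.

    Returns (findings, probes):
      findings - list of (src, dst, dport, protocol) for ALLOWED connections,
                 i.e. devices that are actually reachable from outside;
      probes   - Counter of external sources whose OT-port attempts were
                 DENIED, which still shows someone is scanning for them.
    """
    findings, probes = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in OT_PORTS or not is_external(rec["src"]):
            continue
        if rec["action"] == "allow":
            findings.append((rec["src"], rec["dst"], rec["dport"], OT_PORTS[rec["dport"]]))
        else:
            probes[rec["src"]] += 1
    return findings, probes


def exposed_hosts(findings):
    """Collapse findings into {internal host: sorted list of exposed OT ports}."""
    hosts = {}
    for _src, dst, dport, _name in findings:
        hosts.setdefault(dst, set()).add(dport)
    return {dst: sorted(ports) for dst, ports in hosts.items()}


if __name__ == "__main__":
    found, scanned = find_exposed_ot(SAMPLE_LOG)
    for src, dst, port, name in found:
        print(f"EXPOSED  {dst}:{port} ({name}) reached from {src}")
    for src, n in scanned.items():
        print(f"PROBED   {src} had {n} denied OT-port attempt(s)")
    print("Hosts to pull behind the firewall/VPN:", exposed_hosts(found))
```

On the constructed sample this reports three allowed external connections (two Unitronics PCOM hosts and one Modbus host) and one external source whose Modbus attempt was denied. Any host in the "exposed" list should be treated the way CISA advised for the 2023 campaign: take it off the public internet, put remote access behind a VPN, and rotate its credentials, since a device reachable on port 20256 with a default password needs no exploit to be taken over.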
