US government warns of new Iran-linked cyber threats on critical infrastructure

Dive Brief:

  • U.S. government officials said critical infrastructure operators should be on alert for Iranian cyberattacks.
  • In a threat advisory published Monday, multiple agencies said Iran might target U.S. firms “for near-term cyber operations” due to “the current geopolitical environment” — a reference to the Trump administration joining Israel’s aerial campaign against Iran’s nuclear program and related assets.
  • Defense contractors, especially firms that have relationships with Israeli companies, are likely at heightened risk of targeting, according to the advisory.

Dive Insight:

The new warning from four U.S. government agencies — the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the National Security Agency (NSA) and the Department of Defense Cyber Crime Center (DC3) — reflects federal officials’ worries about collateral damage from the U.S. joining Israel’s war with Iran.

Tehran-linked hackers have a history of targeting Western critical infrastructure in retaliation for Israeli military operations. During Israel’s late-2023 offensive in Gaza, hackers affiliated with Iran’s Islamic Revolutionary Guard Corps broke into operational technology equipment used by water utilities and other infrastructure, including in the U.S. Iranian hackers also launched hack-and-leak operations that caused “financial losses and reputational damage for victims,” according to the advisory.

“Hacktivists and Iranian-government-affiliated actors routinely target poorly secured U.S. networks and internet-connected devices for disruptive cyberattacks,” the advisory warned. In particular, Iranian operatives tend to exploit “targets of opportunity” that use “unpatched or outdated software” with known flaws or configuration issues like default passwords.

Iran-linked hacktivists have already defaced websites and leaked sensitive information “over the past several months,” according to the government alert. Now, following the U.S. intervention in the skies over Iran, “these hacktivists are likely to significantly increase distributed denial of service (DDoS) campaigns against U.S. and Israeli websites.”

Multiple U.S. cybersecurity firms have warned that Iran might use cyberspace for retaliation. “This cyber element is what lets them extend their reach and there’s an air of deniability to it,” Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, recently told CNN.

But experts also noted that Tehran uses hacking operations for psychological warfare, often exaggerating the impact of its attacks.

“It’s important that we don’t overhype the threat here and give them the win they’re after,” John Hultquist, chief analyst at Google Threat Intelligence, said on social media last week.

Critical infrastructure organizations should take several basic steps to secure their systems against Iranian attacks, according to the new government advisory. These include disconnecting operational technology from the internet, protecting user accounts with strong passwords and phishing-resistant multifactor authentication, patching all internet-facing systems, logging user activity and preparing incident response plans.
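The advisory’s checklist is easier to act on when it is turned into an audit of your own asset inventory. The script below is an added example written for this page, not code from the advisory or from any of the agencies named in it. It checks a constructed inventory for the conditions the advisory singles out: OT protocol ports reachable from the internet, vendor default credentials still in place, internet-facing hosts that have not been patched, and accounts whose MFA method is not phishing-resistant. The port list, the 30-day patch threshold, the set of methods treated as phishing-resistant and the sample hosts are all assumptions made for the example.

```python
"""Added example (not from the advisory): audit a constructed asset inventory
against the advisory's checklist. Ports, thresholds and hosts are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Common OT/ICS protocol ports. Any of these answering from the internet is the
# "operational technology connected to the internet" condition the advisory
# tells operators to eliminate. List is an assumption, not exhaustive.
OT_PORTS: Dict[int, str] = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Assumption: only hardware-bound authenticators count as phishing-resistant.
PHISHING_RESISTANT_MFA = {"fido2", "piv"}

# Assumption: an internet-facing host unpatched longer than this is a finding.
MAX_PATCH_AGE_DAYS = 30

Finding = Tuple[str, str]  # (severity, description)


@dataclass
class Asset:
    host: str
    internet_facing: bool
    open_ports: List[int]
    default_creds: bool      # vendor default password still in place
    days_since_patch: int
    mfa: str                 # "none", "sms", "totp", "fido2", "piv"


def audit_asset(asset: Asset) -> List[Finding]:
    """Return findings for one asset, ordered critical -> high -> medium."""
    findings: List[Finding] = []
    if asset.internet_facing:
        for port in asset.open_ports:
            if port in OT_PORTS:
                findings.append(("critical",
                                 f"{OT_PORTS[port]} on port {port} reachable from the internet"))
    if asset.default_creds:
        # Default credentials on an exposed device are the "target of
        # opportunity" the advisory describes; treat them as critical there.
        sev = "critical" if asset.internet_facing else "high"
        findings.append((sev, "vendor default credentials still set"))
    if asset.internet_facing and asset.days_since_patch > MAX_PATCH_AGE_DAYS:
        findings.append(("high",
                         f"internet-facing and unpatched for {asset.days_since_patch} days"))
    if asset.mfa not in PHISHING_RESISTANT_MFA:
        findings.append(("medium", f"MFA method {asset.mfa!r} is not phishing-resistant"))
    return findings


def audit_inventory(assets: List[Asset]) -> Dict[str, List[Finding]]:
    """Audit every asset; hosts with no findings are omitted from the report."""
    report: Dict[str, List[Finding]] = {}
    for asset in assets:
        findings = audit_asset(asset)
        if findings:
            report[asset.host] = findings
    return report


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY: List[Asset] = [
    Asset("plc-intake-01", True, [502, 80], True, 400, "none"),   # exposed PLC
    Asset("vpn-gw-01", True, [443], False, 3, "fido2"),            # clean
    Asset("hmi-ws-02", False, [3389], True, 10, "totp"),           # internal HMI
]

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(host)
        for severity, text in findings:
            print(f"  [{severity}] {text}")
```

Severity ordering inside each host follows the advisory’s own emphasis: internet exposure of OT and default credentials first, then patch state, then MFA strength. Hosts that pass every check are left out of the report so that the output is a work list rather than a full inventory dump.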

