Arctic Wolf Security Bulletin

Cybersecurity Risks Amid Rising Iran–U.S. Tensions

In relation to the ongoing conflict, the Department of Homeland Security (DHS) has issued an advisory outlining the potential threat of retaliatory actions by Iran, alongside a review of past instances where domestic terror attacks were successfully thwarted. 

On June 22nd, the United States launched coordinated strikes against three Iranian nuclear facilities, marking its first direct military involvement in the ongoing Iran-Israel conflict. This operation, named Midnight Hammer, represents a significant escalation following Israeli airstrikes that began on June 13, 2025. 

Historically, Iran has launched cyber operations in response to military interventions, sanctions, and various geopolitical pressures. These attacks have typically included: 

  • Destructive wiper malware campaigns. 
  • Distributed Denial of Service (DDoS) attacks. 
  • Targeted intrusions, particularly within energy and utility sector networks. 

Historical Context

In late 2023, Iranian IRGC-linked cyber actors operating under the alias “CyberAv3ngers” targeted Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) and human-machine interfaces (HMIs). These devices, widely used across critical infrastructure sectors such as water, energy, and manufacturing, were compromised through exploitation of default credentials and publicly exposed systems. The attackers defaced affected systems with political messages and altered device configurations to disrupt operations and complicate recovery efforts. 

Given this context, organizations throughout the United States, especially those in sectors previously targeted by Iranian threat groups, including energy, defense, transportation, healthcare, and government, should maintain heightened vigilance as the regional conflict continues to evolve. 

How Arctic Wolf Is Responding to Iran-Affiliated Cyber Threats

Arctic Wolf has implemented increased monitoring of organizations in sectors previously affected by Iran-affiliated threat activity. Additionally, Arctic Wolf is actively monitoring for new developments in the threat landscape around Iran-affiliated threats, and will alert Managed Detection and Response customers if and when relevant malicious activities are observed. 

Recommendations 

Reduce Exposure of ICS/SCADA Devices

Because Iran-affiliated threat actors have historically shown interest in ICS/SCADA devices, access to such devices should be minimized as much as possible. Following the 2023 cyberattack by the IRGC-linked group CyberAv3ngers, CISA issued guidelines for protecting PLCs. 

Internet exposure of ICS/SCADA devices and other critical infrastructure components should be limited wherever possible. 

Additionally, robust network segmentation should be implemented wherever possible to limit the impact of a compromise and prevent threat actors from moving laterally into operationally sensitive networks. 

Efforts should be made to ensure that default passwords on ICS/SCADA devices are changed to avoid unauthorized access. 

Finally, critical vulnerabilities in SCADA devices such as CVE-2025-1960 in Schneider Electric EcoStruxure WebHMI should be patched as soon as possible, as highlighted by CISA. 

Patch Critical Vulnerabilities Leveraged by Iran-affiliated Threat Actors

Iran-affiliated threat campaigns have previously exploited the vulnerabilities listed below, including flaws in VPN gateways and firewalls from Pulse Secure, Fortinet, Palo Alto Networks, F5, and Citrix. 

Wherever possible, previously targeted software listed here should be prioritized for patching: 

CVE             Product                      Threat Actor                  CISA KEV
CVE-2024-30088  Windows Kernel               OilRig/APT34                  Added on 2024-10-15
CVE-2022-47966  Zoho ManageEngine            Mint Sandstorm                Added on 2023-01-23
CVE-2022-42475  Fortinet FortiOS             Fox Kitten / Pioneer Kitten   Added on 2022-12-13
CVE-2021-34473  Microsoft Exchange           Multiple                      Added on 2021-11-03
CVE-2020-5902   F5 BIG-IP TMUI               Fox Kitten                    Added on 2021-11-03
CVE-2020-1472   Microsoft Windows Netlogon   Multiple                      Added on 2021-11-03
CVE-2019-19781  Citrix ADC                   Fox Kitten                    N/A
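The ICS exposure controls above (internet exposure, default credentials, segmentation) and the CVE table can be turned into a single remediation ranking. The following Python script is an added example, not Arctic Wolf tooling: it encodes the CVE table as published here, cross-references it against a constructed asset inventory, and ranks assets for patching and hardening. The inventory, the scoring weights, and the product-matching keywords are assumptions chosen for illustration.

```python
"""Remediation-priority helper for the controls in this bulletin.

Added example, not Arctic Wolf tooling. Cross-references a constructed asset
inventory against the bulletin's CVE table plus its ICS exposure controls and
ranks assets. Weights, keywords and the inventory itself are assumptions.
"""
from dataclasses import dataclass, field

# CVEs as listed in the bulletin. "kev_added" is the CISA KEV date the bulletin gives
# (None where it says N/A or states none). "keywords" are assumed substrings used to
# match an inventory product name; tune them to your own naming conventions.
BULLETIN_CVES = [
    {"id": "CVE-2024-30088", "product": "Windows Kernel", "actor": "OilRig/APT34",
     "kev_added": "2024-10-15", "keywords": ("windows",)},
    {"id": "CVE-2022-47966", "product": "Zoho ManageEngine", "actor": "Mint Sandstorm",
     "kev_added": "2023-01-23", "keywords": ("manageengine",)},
    {"id": "CVE-2022-42475", "product": "Fortinet FortiOS", "actor": "Fox Kitten / Pioneer Kitten",
     "kev_added": "2022-12-13", "keywords": ("fortios", "fortigate")},
    {"id": "CVE-2021-34473", "product": "Microsoft Exchange", "actor": "Multiple",
     "kev_added": "2021-11-03", "keywords": ("exchange",)},
    {"id": "CVE-2020-5902", "product": "F5 BIG-IP TMUI", "actor": "Fox Kitten",
     "kev_added": "2021-11-03", "keywords": ("big-ip",)},
    {"id": "CVE-2020-1472", "product": "Microsoft Windows Netlogon", "actor": "Multiple",
     "kev_added": "2021-11-03", "keywords": ("netlogon", "domain controller")},
    {"id": "CVE-2019-19781", "product": "Citrix ADC", "actor": "Fox Kitten",
     "kev_added": None, "keywords": ("citrix adc", "netscaler")},
    # From the ICS section of the bulletin; actor and KEV status are not stated there.
    {"id": "CVE-2025-1960", "product": "Schneider Electric EcoStruxure WebHMI",
     "actor": "not stated", "kev_added": None, "keywords": ("webhmi",)},
]

# Assumed weights: an unpatched listed CVE, extra if CISA KEV lists it, and the
# exposure conditions the bulletin tells readers to remove.
W_CVE, W_KEV, W_EXPOSED, W_DEFAULT_CREDS, W_ICS, W_UNSEGMENTED = 3, 2, 3, 4, 2, 1


@dataclass
class Asset:
    name: str
    product: str                      # free-text product name from the inventory
    internet_exposed: bool
    default_credentials: bool = False  # recorded by an audit, not probed here
    ics_device: bool = False
    segmented: bool = True             # sits in a segmented network zone
    patched_cves: set = field(default_factory=set)


def score_asset(asset):
    """Return (score, findings) for one asset; higher score = fix sooner."""
    score, findings = 0, []
    product = asset.product.lower()
    for cve in BULLETIN_CVES:
        if cve["id"] in asset.patched_cves:
            continue
        if any(k in product for k in cve["keywords"]):
            score += W_CVE + (W_KEV if cve["kev_added"] else 0)
            findings.append(f"unpatched {cve['id']} ({cve['actor']}; "
                            f"KEV: {cve['kev_added'] or 'N/A'})")
    if asset.internet_exposed:
        score += W_EXPOSED
        findings.append("internet exposed")
    if asset.default_credentials:
        score += W_DEFAULT_CREDS
        findings.append("default credentials still set")
    if asset.ics_device:
        score += W_ICS
        findings.append("ICS/SCADA device")
    if not asset.segmented:
        score += W_UNSEGMENTED
        findings.append("not in a segmented zone")
    return score, findings


def prioritize(assets):
    """Rank assets by descending score, then by name for a stable order."""
    ranked = [(a.name, *score_asset(a)) for a in assets]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


# Constructed sample inventory (hostnames and products are illustrative).
SAMPLE_INVENTORY = [
    Asset("vpn-edge-01", "Fortinet FortiGate (FortiOS 7.0)", internet_exposed=True),
    Asset("plc-water-07", "Unitronics Vision PLC", internet_exposed=True,
          default_credentials=True, ics_device=True, segmented=False),
    Asset("mail-01", "Microsoft Exchange Server 2019", internet_exposed=True,
          patched_cves={"CVE-2021-34473"}),
    Asset("dc-01", "Windows Server 2019 Domain Controller", internet_exposed=False,
          patched_cves={"CVE-2020-1472"}),
    Asset("hmi-plant-02", "Schneider Electric EcoStruxure WebHMI", internet_exposed=False,
          ics_device=True),
]

if __name__ == "__main__":
    for name, score, findings in prioritize(SAMPLE_INVENTORY):
        print(f"{score:3d}  {name:14s} {'; '.join(findings) or 'no findings'}")
```

The ranking puts the internet-exposed PLC with default credentials first even though no listed CVE applies to it, which mirrors the CyberAv3ngers case above: the exposure conditions alone were enough. Patched CVEs are skipped by ID, so the same inventory can be re-scored after each maintenance window.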

Block Telegram and Unused Remote Monitoring and Management Tools If Possible

In several Iran-affiliated threat campaigns, Telegram has been used as a means of conducting data exfiltration. Additionally, legitimate RMM tools such as Atera, Tactical, SimpleHelp, AnyDesk, ScreenConnect, and RemoteUtilities have been used by Iranian threat actors to evade detection. 

If you are not using these tools in your environment, consider blocking them altogether to prevent malicious use. 
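Where blocking outright is not an option, the same lists can drive detection. The following Python script is an added example, not Arctic Wolf code: it runs over constructed proxy and process-creation log lines, flags Telegram traffic and the RMM tools named above unless the organization has approved a tool, and sums bytes sent to Telegram per source so a large upload stands out. The log formats, the upload threshold, and the tool-name substrings are assumptions; the Telegram domains are the service's well-known public hostnames.

```python
"""Telegram egress and unapproved-RMM detection over constructed logs.

Added example, not Arctic Wolf code. Log line formats, the large-upload
threshold and the RMM name substrings are assumptions for illustration.
"""
from collections import defaultdict

# Well-known public Telegram domains; extend from your own threat intelligence.
TELEGRAM_DOMAINS = ("telegram.org", "telegram.me", "t.me")

# RMM tools named in the bulletin -> assumed substrings seen in hostnames or image paths.
RMM_TOOLS = {
    "Atera": ("atera",),
    "Tactical RMM": ("tacticalrmm", "tactical"),
    "SimpleHelp": ("simplehelp",),
    "AnyDesk": ("anydesk",),
    "ScreenConnect": ("screenconnect",),
    "RemoteUtilities": ("remoteutilities",),
}
LARGE_UPLOAD_BYTES = 1_000_000  # assumed per-request threshold


def is_telegram(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TELEGRAM_DOMAINS)


def rmm_tool_in(text):
    """Return the RMM tool name whose substring appears in text, else None."""
    text = text.lower()
    for tool, needles in RMM_TOOLS.items():
        if any(n in text for n in needles):
            return tool
    return None


def detect_proxy(lines, approved_rmm=frozenset()):
    """Assumed proxy format: ts src_ip dest_host method status bytes_sent."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, host, _method, _status, nbytes = line.split()
        nbytes = int(nbytes)
        if is_telegram(host):
            kind = "telegram-large-upload" if nbytes >= LARGE_UPLOAD_BYTES else "telegram-egress"
            alerts.append({"ts": ts, "src": src, "kind": kind, "indicator": host})
        tool = rmm_tool_in(host)
        if tool and tool not in approved_rmm:
            alerts.append({"ts": ts, "src": src, "kind": "unapproved-rmm-network", "indicator": tool})
    return alerts


def detect_process(lines, approved_rmm=frozenset()):
    """Assumed process-creation format: ts hostname user image_path (path may contain spaces)."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, host, _user, image = line.split(maxsplit=3)
        tool = rmm_tool_in(image)
        if tool and tool not in approved_rmm:
            alerts.append({"ts": ts, "src": host, "kind": "unapproved-rmm-process", "indicator": tool})
    return alerts


def telegram_bytes_by_source(lines):
    """Total bytes sent to Telegram per source IP, for volume-based triage."""
    totals = defaultdict(int)
    for line in lines.splitlines():
        if not line.strip():
            continue
        _ts, src, host, _method, _status, nbytes = line.split()
        if is_telegram(host):
            totals[src] += int(nbytes)
    return dict(totals)


# Constructed sample logs (addresses, hosts and paths are illustrative).
SAMPLE_PROXY_LOG = """
2025-06-23T01:12:04Z 10.20.5.17 api.telegram.org POST 200 4812
2025-06-23T01:12:09Z 10.20.5.17 api.telegram.org POST 200 1049233
2025-06-23T01:15:40Z 10.20.7.2 download.anydesk.com GET 200 3772
2025-06-23T01:16:03Z 10.20.9.11 updates.example-corp.internal GET 200 512
"""
SAMPLE_PROCESS_LOG = r"""
2025-06-23T01:17:22Z ws-finance-04 jdoe C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe
2025-06-23T01:18:00Z srv-it-01 svc_rmm C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe
2025-06-23T01:19:30Z ws-hr-02 asmith C:\Windows\System32\notepad.exe
"""

if __name__ == "__main__":
    approved = {"ScreenConnect"}  # the one RMM tool this sample organisation sanctions
    for alert in detect_proxy(SAMPLE_PROXY_LOG, approved) + detect_process(SAMPLE_PROCESS_LOG, approved):
        print(alert)
    print(telegram_bytes_by_source(SAMPLE_PROXY_LOG))
```

The approved-tool set is what turns a noisy list into a usable rule: the sanctioned ScreenConnect service produces no alert, while an AnyDesk binary launched from a user's temp directory and a client fetching it from the vendor site both do.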

Adopt Additional Security Best Practices

Enforce strong, unique passwords across all systems and enable multi-factor authentication (MFA) for all accounts. 

Perform continuous security audits and monitoring to proactively identify and respond to suspicious activities and potential threats. 

Deliver ongoing cybersecurity awareness training to employees, empowering them to recognize and mitigate cyber risks effectively. 

References 

Department of Homeland Security Advisory

CISA Guidelines
