Cybersecurity Risks Amid Rising Iran–U.S. Tensions

On June 21st, the United States launched coordinated strikes against three Iranian nuclear facilities, marking its first direct military involvement in the ongoing Iran-Israel conflict. This operation, named Midnight Hammer, represents a significant escalation following Israeli airstrikes that began on June 13, 2025. 

In relation to the ongoing conflict, the U.S. Department of Homeland Security (DHS) issued an advisory outlining the potential threat of retaliatory actions by Iran, alongside a review of past instances where domestic terror attacks were successfully thwarted. The DHS bulletin referenced the possibility of cyber attacks by Iranian hacktivists. Since the June 2025 escalation began between Israel and Iran, countries throughout the Schengen Area have issued travel advisories strongly discouraging travel to Iran. 

Historically, Iran has launched broad cyber operations in response to military interventions, sanctions, and various geopolitical pressures. These attacks have typically included: 

• Destructive wiper malware campaigns. 

• Distributed Denial of Service (DDoS) attacks. 

• Targeted intrusions, particularly within energy and utility sector networks. 

Affected organizations may include organizations with a physical presence in the U.S., even if they are based outside of U.S. Additionally, past threat activity from Iran has shown to be indiscriminate in some instances, even affecting networks of organizations based in countries that don’t actively participate in conflict against Iran. 

Historical context

In late 2023, Iranian IRGC-linked cyber actors operating under the alias “CyberAv3ngers” targeted Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) and human-machine interfaces (HMIs). These devices, widely used across critical infrastructure sectors such as water, energy, and manufacturing, were compromised through exploitation of default credentials and publicly exposed systems. The attackers defaced affected systems with political messages and altered device configurations to disrupt operations and complicate recovery efforts. 

Previous threat activities tied to Iran have cast a wide net, and have affected countries throughout Europe, Asia, and North America. Historically, this has included Canada, the UK, France, Germany, the Netherlands, India, Kuwait, Pakistan, Qatar, Saudi Arabia, Turkey, United Arab Emirates, China, and South Korea. While some of these operations began as an immediate reaction to Stuxnet in the early 2010s, they later evolved into long-term efforts focusing on intelligence collection, credential harvesting, and infiltration of supply chains, with lasting impact across multiple geographies. 

Given this context, organizations throughout North America, the Middle East, the Schengen Area, and the Indo-Pacific, especially those in sectors previously targeted by Iranian threat groups, including energy, defense, transportation, healthcare, and government, should maintain heightened vigilance as the regional conflict continues to evolve. 

How Arctic Wolf Is Responding to Iran-Affiliated Cyber Threats

Arctic Wolf has implemented increased monitoring of organizations in sectors previously affected by Iran-affiliated threat activity. Additionally, Arctic Wolf is actively monitoring for new developments in the threat landscape around Iran-affiliated threats, and will alert Managed Detection and Response customers if and when relevant malicious activities are observed. 

Recommendations 

Reduce Exposure of ICS/SCADA Devices

Due to geopolitical interest that Iran-affiliated threat actors have historically shown towards ICS/SCADA devices, access to such devices should be minimized as much as possible. Following a 2023 cyber attack by the IRGC-linked group CyberAv3ngers, CISA issued a list of guidelines to protect PLCs. 

• Internet exposure of ICS/SCADA devices and other critical infrastructure components should be limited wherever possible. 

• Additionally, robust network segmentation should be implemented where possible to limit the impact of potential compromises and isolate threat actors from being able to move laterally to operationally sensitive networks. 

• Efforts should be made to ensure that default passwords on ICS/SCADA devices are changed to avoid unauthorized access. 

• Finally, critical vulnerabilities in SCADA devices such as CVE-2025-1960 in Schneider Electric EcoStruxure WebHMI should be patched as soon as possible, as highlighted by CISA. 

Patch Critical Vulnerabilities Leveraged by Iran-affiliated Threat Actors

The following vulnerabilities have been previously exploited in Iran-affiliated threat campaigns. This has included targeting of VPN gateways and firewalls in various products, including appliances from Pulse Secure, Fortinet, Palo Alto Networks, F5, and Citrix. 

Wherever possible, previously targeted software listed here should be prioritized for patching: 

Block Telegram and Unused Remote Monitoring and Management Tools If Possible

In several Iran-affiliated threat campaigns, Telegram has been used as a means of conducting data exfiltration. Additionally, legitimate RMM tools such as Atera, Tactical, SimpleHelp, AnyDesk, ScreenConnect, and RemoteUtilities have been used by Iranian threat actors to evade detection. 

If you are not using these tools in your environment, consider blocking them altogether to prevent malicious use. 

Adopt Additional Security Best Practices

• Enforce strong, unique passwords across all systems and enable multi-factor authentication (MFA) for all accounts. 

• Perform continuous security audits and monitoring to proactively identify and respond to suspicious activities and potential threats. 

• Deliver ongoing cybersecurity awareness training to employees, empowering them to recognize and mitigate cyber risks effectively. 

References 

• Department of Homeland Security Advisory

• CISA Guidelines