Iranian threat actors are expected to intensify their cyberattacks against the United States following President Donald Trump’s decision to launch air strikes on Iran.
After the US bombed three key nuclear sites in Iran, the regime in Tehran vowed to retaliate.
The Department of Homeland Security (DHS) issued a national terrorism advisory system bulletin on Sunday, warning that the Iranian government has publicly condemned the United States’ involvement in the conflict and that retaliation could come in several forms.
Iran could conduct lethal attacks and commit acts of violence on US soil, but Iranian state-sponsored hackers and pro-Iran hacktivists are also likely to intensify attacks against the United States in response to recent events.
“The ongoing Iran conflict is causing a heightened threat environment in the United States,” the DHS said. “Low-level cyber attacks against US networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against US networks.”
John Hultquist, chief analyst in Google’s Threat Intelligence Group, said in emailed comments that the likelihood of disruptive cyberattacks launched by Iranian hackers against the US has increased.
Hultquist pointed out that many of Iran’s cyber operations have focused on Israel — particularly after the October 2023 escalation in the Israel-Hamas conflict — and those attacks can provide valuable insights into both the capabilities and limitations of Iranian threat actors.
“Iran has had mixed results with disruptive cyberattacks and they frequently fabricate and exaggerate their effects in an effort to boost their psychological impact. We should be careful not to overestimate these incidents and inadvertently assist the actors,” Hultquist said, noting, “The impacts may still be very serious for individual enterprises, which can prepare by taking many of the same steps they would to prevent ransomware.”
“Iran already targets the US with cyberespionage which they use to directly and indirectly gather geopolitical insight and surveil persons of interest. Persons and individuals associated with Iran policy are frequently targeted through organizational and personal accounts and should be on the lookout for social engineering schemes,” Hultquist warned.
He added, “Individuals are also targeted indirectly by Iranian cyberespionage against telecoms, airlines, hospitality, and other organizations who have data that can be used to identify and track persons of interest.”
The cybersecurity community has closely followed Iran’s activities in cyberspace. While some attacks linked to Iranian hackers appeared unsophisticated — including attacks targeting industrial control systems (ICS) — others were more advanced.
This includes phishing attacks aimed at political campaigns, and brute force attacks targeting critical infrastructure. In terms of malware, the community has seen noteworthy threats designed for intelligence gathering, as well as malware delivery methods.
In addition, the Iranian state-sponsored hacking group that poses as a hacktivist collective named CyberAv3ngers has developed a piece of malware called IOCONTROL that has been used to target IoT and OT devices in the US and Israel.
The US cybersecurity agency CISA provides resources describing Iran’s cyber activities and recommendations for detecting and blocking attacks.
*updated with link to CISA resources
Related: Predatory Sparrow Burns $90 Million on Iranian Crypto Exchange in Cyber Shadow War
Related: US, Israel Describe Iranian Hackers’ Targeting of Olympics, Surveillance Cameras
Related: US Imposes Sanctions on Russian and Iranian Groups Over Disinformation Targeting American Voters
