Iran’s Cyber Attacks After Operation Epic Fury
Following the intense military operations of Operation Epic Fury, Iran has shifted from its traditional cyber espionage to a more aggressive, disruptive digital campaign. Iranian cyber actors, especially those linked to the Ministry of Intelligence and Security (MOIS), are stepping up their efforts by targeting critical sectors globally. Let’s explore the current surge in Iranian cyber activities and the potential risks for industries worldwide.
The Shift from Espionage to Destructive Attacks
After the military strikes in late February, Iranian cyber groups transitioned from covert intelligence gathering to overt cyberattacks. MOIS-affiliated groups such as MuddyWater and Handala have been at the forefront of this shift. Their attacks have targeted critical infrastructure, government bodies, and private sector organizations, all in retaliation for the military operation.
MuddyWater, also known as Seedworm, is known for quietly breaching networks first and launching damaging operations later. Recent reports show that it had already infiltrated U.S. and Israeli infrastructure before Operation Epic Fury took place. These groups have been linked to sophisticated tools such as the Dindoor and Fakeset backdoors, which they use to maintain prolonged access to compromised networks.
In a more destructive turn, the Handala persona, associated with Void Manticore, has been involved in wiping data from compromised systems. For example, Handala recently claimed responsibility for a massive attack on Stryker, a global medical technology company, where over 200,000 systems were wiped. They also made headlines by defacing Microsoft Entra login pages and stealing significant amounts of data.
Cybercrime Alliances and Complex Attribution
In a new twist, Iranian cyber actors are also using cybercriminal infrastructure to cover their tracks. The connection between Iranian actors and criminal organizations, such as Qilin (a ransomware-as-a-service operator), complicates the attribution of attacks. MuddyWater, for example, is suspected of using Qilin’s infrastructure to launch attacks on Israeli hospitals, exploiting the anonymity that cybercrime groups provide.
This alliance with cybercriminals gives Iranian-backed actors a veil of plausible deniability, making it harder to pinpoint the exact perpetrators. With this strategy, they can carry out destructive activity against chosen sectors without the attacks being directly attributed to the Iranian state, further muddying the waters for investigators.
Targeted Industries and Growing Threats
The recent escalation suggests a high likelihood of Iranian cyber actors targeting more industries in the coming months. Following a missile strike on Bank Sepah, Iran’s largest public bank, Iranian officials warned that U.S. and Israeli financial institutions could be next. The industries that are most at risk include:
- Aviation
- Transportation
- Finance
- Healthcare
- Defense
- Government
- Critical Infrastructure (Energy, Utilities, Water & Wastewater)
- Telecommunications
With cyberattacks targeting everything from financial institutions to healthcare providers, the growing concern is the impact on critical infrastructure. Though specific attacks targeting SCADA and industrial control systems (ICS) have not been fully confirmed, the threat is very real. Recent claims from the pro-Russia hacktivist group Z-Pentest, which said it had compromised SCADA and ICS systems, have raised alarms about possible collaborations between cybercriminals and Iranian-backed actors.
CVE Vulnerabilities Exploited by Iranian-linked Actors
| CVE | Description | CVSSv3 | VPR | Exploitation |
|---|---|---|---|---|
| CVE-2017-7921 | Hikvision IP Camera Improper Authentication Vulnerability | 10.0 | 9.2 | Exploited in targeting Hikvision IP cameras |
| CVE-2021-33044 | Dahua Authentication Bypass Vulnerability | 9.8 | 7.4 | Targeted Dahua cameras for unauthorized access |
| CVE-2021-36260 | Hikvision IP Camera Command Injection Vulnerability | 9.8 | 9.7 | Used for command injection attacks in Hikvision cameras |
| CVE-2023-6895 | Hikvision Intercom Broadcasting System Command Injection Vulnerability | 9.8 | 6.7 | Exploited in Hikvision intercom systems |
| CVE-2025-34067 | Hikvision Integrated Security Management Platform Command Execution Vulnerability | 9.8 | 6.7 | Targeted Hikvision security platforms for command execution |
| CVE-2017-11882 | Microsoft Office Memory Corruption Vulnerability | 7.8 | 9.8 | Used for exploiting Microsoft Office applications |
| CVE-2020-0688 | Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability | 8.8 | 9.5 | Targeted Microsoft Exchange servers for remote code execution |
Key Targets of Iranian Cyber Actors
| Target Industry | Specific Target/Action | Risk/Impact |
|---|---|---|
| Aviation | Potential attacks on aviation networks | Risk of disruptions to global flight operations |
| Transportation | Infrastructure disruption | Could lead to significant transportation delays or cancellations |
| Finance | U.S. and Israeli financial institutions | Major financial losses, data breaches, and theft |
| Healthcare | Attacks on medical tech companies (e.g., Stryker) | Data loss, system wipeouts, disruption to healthcare services |
| Defense | Military contractors and defense agencies | Breaches of sensitive military data, risk to national security |
| Government | Attacks on government bodies | Disruptions in government operations, sensitive data exposure |
| Critical Infrastructure | Energy, utilities, water & wastewater sectors | Disruptions to essential services, including power and water supply |
| Telecommunications | Attacks on telecommunications infrastructure | Risk to communications services, both for consumers and critical services |
Exploiting Vulnerabilities in IP Cameras
A surge in attacks targeting IP cameras, specifically from companies like Hikvision and Dahua, is another notable trend. Iranian-backed actors have been found exploiting well-known vulnerabilities in these devices. These attacks could be used for surveillance or data collection, possibly supporting kinetic strikes. Known vulnerabilities, such as CVE-2021-33044 and CVE-2023-6895, have been used to gain unauthorized access to these devices. These vulnerabilities highlight the ongoing risks to organizations relying on security cameras and surveillance systems.
Several vulnerabilities tied to Iranian actors have been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog, which indicates the severity of the threats posed by these attacks.
What Organizations Can Do
As Iranian cyber activities intensify, organizations must act swiftly to defend against evolving threats. Key defensive measures include:
- Vulnerability Management: Regularly update systems to patch vulnerabilities like those in Hikvision and Dahua cameras, which have been widely exploited by Iranian actors.
- Enhanced Cyber Hygiene: Strengthen networks with multi-layered security tools such as firewalls, intrusion detection, and threat hunting practices.
- Incident Response: Having an updated incident response plan in place is crucial. Organizations should prepare for potential data breaches or disruptive attacks.
- Employee Training: Increase awareness of phishing attacks, as Iranian threat actors often use spear-phishing as an entry point into networks.
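As an added example (not from the original article or any vendor), the script below turns the vulnerability-management step into a triage routine: it takes the seven CVEs from the table above with their CVSSv3 and VPR scores, cross-references them against a feed in the shape of CISA's KEV catalog JSON, and ranks KEV-listed issues first. The KEV feed embedded here is a constructed sample with placeholder dates, and the subset of CVEs it lists is assumed, not CISA's actual catalog contents.

```python
"""Rank the article's CVEs for patching: KEV-listed first, then VPR, then CVSSv3."""
import json

# CVE table from the article: cve -> (CVSSv3, VPR, affected product)
ARTICLE_CVES = {
    "CVE-2017-7921":  (10.0, 9.2, "Hikvision IP Camera"),
    "CVE-2021-33044": (9.8, 7.4, "Dahua"),
    "CVE-2021-36260": (9.8, 9.7, "Hikvision IP Camera"),
    "CVE-2023-6895":  (9.8, 6.7, "Hikvision Intercom Broadcasting System"),
    "CVE-2025-34067": (9.8, 6.7, "Hikvision Integrated Security Management Platform"),
    "CVE-2017-11882": (7.8, 9.8, "Microsoft Office"),
    "CVE-2020-0688":  (8.8, 9.5, "Microsoft Exchange Server"),
}

# Constructed sample using the CISA KEV field names; which CVEs appear
# and the dates are placeholders, not the real catalog.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Constructed KEV sample (not CISA data)",
    "vulnerabilities": [
        {"cveID": "CVE-2021-36260", "vendorProject": "Hikvision",
         "dateAdded": "YYYY-MM-DD", "dueDate": "YYYY-MM-DD",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2017-11882", "vendorProject": "Microsoft",
         "dateAdded": "YYYY-MM-DD", "dueDate": "YYYY-MM-DD",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2020-0688", "vendorProject": "Microsoft",
         "dateAdded": "YYYY-MM-DD", "dueDate": "YYYY-MM-DD",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def kev_index(kev_json: str) -> dict:
    """Map cveID -> KEV entry so membership checks are O(1)."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritise(cves: dict, kev: dict) -> list:
    """Return [(cve, in_kev, vpr, cvss)] sorted: KEV first, then VPR, then CVSS."""
    ranked = sorted(cves.items(),
                    key=lambda it: (it[0] in kev, it[1][1], it[1][0]),
                    reverse=True)  # stable, so ties keep table order
    return [(cve, cve in kev, vpr, cvss) for cve, (cvss, vpr, _) in ranked]


if __name__ == "__main__":
    for cve, in_kev, vpr, cvss in prioritise(ARTICLE_CVES, kev_index(SAMPLE_KEV_JSON)):
        print(f"{cve:15} KEV={'yes' if in_kev else 'no':3} VPR={vpr:<4} CVSS={cvss}")
```

Swap SAMPLE_KEV_JSON for the downloaded CISA catalog to get the real ordering; the ranking logic is unchanged.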
With the growing threat of cyberattacks, especially targeting critical sectors, staying proactive is more important than ever.