“The authoring agencies are continuing to monitor the situation and will release pertinent cyber threat and cyber defense information as it becomes available,” reads the joint advisory.
Although no large-scale coordinated campaign has been detected yet, the agencies are warning of a potential surge in cyberattacks from Iranian-linked hackers, especially as tensions in the Middle East continue to rise.
Threat Activity
Defense Industrial Base (DIB) companies, particularly those connected to Israeli research or defense organizations, are believed to be at higher risk. Iranian cyber actors typically gain entry through poorly secured systems: unpatched software, known vulnerabilities, and default or weak passwords.
These groups, many linked to the Islamic Revolutionary Guard Corps (IRGC), use techniques such as automated password guessing, cracking password hashes with online resources, and trying default manufacturer passwords to breach systems and then move across networks undetected.
Against operational technology (OT), they also turn system engineering and diagnostic tools against the performance, security, and maintenance systems those tools are meant to manage.
Recently, Iranian-aligned hacktivists have increased website defacements and data leaks, and are likely to expand distributed denial-of-service (DDoS) attacks on U.S. and Israeli websites. Additionally, Iranian cyber actors may collaborate with ransomware groups to encrypt data, steal sensitive information, and publish it online.
Prior Threat Campaigns
In earlier campaigns, the threat actors targeted industrial control systems (ICSs) that were reachable from the internet, still used factory-default or no passwords, and listened on their default Transmission Control Protocol (TCP) ports with no further access controls.
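One way to check your own perimeter for exactly that exposure, as an added example that is not part of the advisory: the script below parses Nmap grepable (-oG) output and flags hosts with ICS/OT protocol ports, or remote-access services, open to the internet. The scan output is constructed for illustration, and the port-to-protocol table is this example's own assumption about which default ports indicate an ICS/OT device.

```python
"""
Triage Nmap grepable (-oG) output for internet-facing ICS/OT protocol ports.

Added example, not code from the advisory or any vendor tool. The scan
output below is constructed, and ICS_SERVICES / REMOTE_ACCESS are this
example's assumed mapping of default ports to protocols.
"""
import re

# Default ports of common ICS/OT protocols (assumed list; extend per site).
ICS_SERVICES = {
    ("tcp", 102): "Siemens S7comm (ISO-TSAP)",
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 1911): "Tridium Niagara Fox",
    ("tcp", 2404): "IEC 60870-5-104",
    ("tcp", 4840): "OPC UA",
    ("tcp", 9600): "Omron FINS",
    ("tcp", 20000): "DNP3",
    ("tcp", 20256): "Unitronics PCOM",
    ("tcp", 44818): "EtherNet/IP",
    ("udp", 47808): "BACnet/IP",
}
# Remote-access services that should never face the internet on OT hosts.
REMOTE_ACCESS = {
    ("tcp", 23): "Telnet",
    ("tcp", 3389): "RDP",
    ("tcp", 5900): "VNC",
}

# Constructed sample in Nmap -oG layout (not a real scan).
SAMPLE_GREPABLE = """# Nmap scan (constructed sample)
Host: 203.0.113.10 ()\tPorts: 502/open/tcp//mbap///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 203.0.113.11 ()\tPorts: 102/open/tcp//iso-tsap///, 5900/open/tcp//vnc///\tIgnored State: closed (998)
Host: 203.0.113.12 ()\tPorts: 443/open/tcp//https///, 20000/filtered/tcp//dnp///\tIgnored State: closed (998)
Host: 203.0.113.13 ()\tPorts: 47808/open/udp//bacnet///\tIgnored State: closed (998)
Host: 203.0.113.14 ()\tStatus: Up
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s*(.*)$")


def parse_grepable(text):
    """Return (host, proto, port, state) for every port entry in -oG output."""
    records = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and non-host lines
        host, rest = m.groups()
        for field in rest.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # -oG port entry layout: port/state/proto/owner/service/rpc/version/
                parts = entry.strip().split("/")
                if len(parts) < 3:
                    continue
                records.append((host, parts[2], int(parts[0]), parts[1]))
    return records


def find_exposures(records):
    """Return open ICS/OT or remote-access ports, most severe first."""
    findings = []
    for host, proto, port, state in records:
        if state != "open":
            continue  # filtered/closed ports are not reachable from outside
        key = (proto, port)
        if key in ICS_SERVICES:
            findings.append((host, proto, port, ICS_SERVICES[key], "critical"))
        elif key in REMOTE_ACCESS:
            findings.append((host, proto, port, REMOTE_ACCESS[key], "high"))
    rank = {"critical": 0, "high": 1}
    return sorted(findings, key=lambda f: (rank[f[4]], f[0], f[2]))


if __name__ == "__main__":
    for host, proto, port, service, severity in find_exposures(parse_grepable(SAMPLE_GREPABLE)):
        print(f"{severity:8} {host}:{port}/{proto}  {service}")
```

Every "critical" line is a device that should be moved behind a VPN or firewall, or taken offline; the "high" lines are the remote-access services the advisory warns are used for initial access. Run it against a real `nmap -sU -sT -p <ports> -oG out.gnmap <public ranges>` export from outside your network, and treat any new finding as a change to investigate rather than a known baseline.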
In protest of the Israel-Hamas conflict, these Iranian cyber actors also carried out several hack-and-leak operations to steal and publicly release sensitive data, often amplified through social media.
The attacks caused financial losses and reputational harm and were intended to undermine public confidence in cybersecurity. Although most targets were Israeli, at least one U.S. internet protocol television (IPTV) company was also affected.
Mitigations
The authoring agencies, in collaboration with U.S. and foreign government partners, suggest immediate steps for organizations, especially those in critical infrastructure:
- Identify OT and ICS systems that are reachable from the public internet and disconnect them.
- Replace weak or default passwords and implement phishing-resistant multi-factor authentication (MFA).
- Apply the manufacturer's latest software patches promptly.
- Monitor for unusual remote access behavior.
- Conduct full system and data backups.
- Limit administrative privileges and adopt microsegmentation.
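As an added example (not from the advisory), the script below shows what monitoring for the password-guessing behavior described above can look like on SSH authentication logs: it flags bursts of failed logins per source, distinguishes spraying across many usernames from brute force against one account, escalates when a source that was guessing subsequently logs in, and notes successful logins from outside the sanctioned remote-access ranges. The log lines, thresholds, and the allowlist of sanctioned ranges are constructed assumptions.

```python
"""
Detect automated password guessing and follow-on logins in sshd auth logs.

Added example, not from the advisory. SAMPLE_LOG is constructed, and the
thresholds and EXPECTED_REMOTE allowlist are assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WINDOW = timedelta(seconds=60)    # sliding window for a failure burst (assumed)
FAIL_THRESHOLD = 5                # failures within WINDOW => automated guessing
SPRAY_USERS = 3                   # distinct usernames => spraying rather than brute force
EXPECTED_REMOTE = [ip_network("192.0.2.0/24")]   # sanctioned jump hosts (assumed)

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample (syslog format; sshd omits the year, as in real logs).
SAMPLE_LOG = """\
Jun 25 01:12:03 plc-gw sshd[2311]: Failed password for admin from 198.51.100.7 port 51002 ssh2
Jun 25 01:12:04 plc-gw sshd[2312]: Failed password for admin from 198.51.100.7 port 51004 ssh2
Jun 25 01:12:05 plc-gw sshd[2313]: Failed password for invalid user operator from 198.51.100.7 port 51006 ssh2
Jun 25 01:12:06 plc-gw sshd[2314]: Failed password for root from 198.51.100.7 port 51008 ssh2
Jun 25 01:12:07 plc-gw sshd[2315]: Failed password for admin from 198.51.100.7 port 51010 ssh2
Jun 25 01:12:09 plc-gw sshd[2316]: Failed password for admin from 198.51.100.7 port 51012 ssh2
Jun 25 01:12:40 plc-gw sshd[2340]: Accepted password for admin from 198.51.100.7 port 51080 ssh2
Jun 25 01:15:00 plc-gw sshd[2401]: Failed password for eng from 192.0.2.15 port 40210 ssh2
Jun 25 01:15:10 plc-gw sshd[2402]: Accepted password for eng from 192.0.2.15 port 40212 ssh2
Jun 25 02:30:00 plc-gw sshd[2510]: Accepted password for eng from 203.0.113.99 port 38800 ssh2
"""


def parse_log(text, year=2025):
    """Return (timestamp, accepted, user, src) tuples in time order."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"] == "Accepted", m["user"], m["src"]))
    return sorted(events)


def burst_detected(times):
    """True if any WINDOW-long span contains at least FAIL_THRESHOLD failures."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > WINDOW:
            start += 1
        if end - start + 1 >= FAIL_THRESHOLD:
            return True
    return False


def is_expected_source(src):
    return any(ip_address(src) in net for net in EXPECTED_REMOTE)


def analyze(events):
    """Return (severity, src, message) alerts, in the order they trigger."""
    failures = defaultdict(list)    # src -> failure timestamps
    users_tried = defaultdict(set)  # src -> usernames attempted
    guessing = set()                # sources already flagged for guessing
    alerts = []
    for ts, accepted, user, src in events:
        if not accepted:
            failures[src].append(ts)
            users_tried[src].add(user)
            if src not in guessing and burst_detected(failures[src]):
                guessing.add(src)
                kind = "password spraying" if len(users_tried[src]) >= SPRAY_USERS else "brute force"
                alerts.append(("high", src, f"automated password guessing ({kind}): {len(failures[src])} failures"))
        elif src in guessing:
            # The outcome that matters most: guessing that eventually worked.
            alerts.append(("critical", src, f"successful login as {user} after password guessing"))
        elif not is_expected_source(src):
            alerts.append(("medium", src, f"login as {user} from unexpected remote source"))
    return alerts


if __name__ == "__main__":
    for severity, src, message in analyze(parse_log(SAMPLE_LOG)):
        print(f"{severity:8} {src:15} {message}")
```

The "critical" alert is the one to page on: a source that was spraying usernames a few seconds earlier now holds a valid session, which is exactly the default-credential entry the advisory describes. Note what the log cannot tell you: whether the password that worked was a vendor default. That check belongs in a credential audit of the device inventory, not in log monitoring.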
For additional information, organizations can refer to CISA's Iran Threat Overview and the FBI's Iran Threat web pages.