Cybersecurity Advisory
Iranian APT Activity Escalates Amid Geopolitical Conflict: Recommended Actions
Nozomi Networks Labs is tracking a sharp rise in cyber activity attributed to the Iranian government since open conflict began between Iran, Israel, and the United States, including the Operation Lion’s Roar coordinated military strikes on Iranian military and nuclear sites and the retaliation that followed. The conflict has extended from kinetic strikes into cyberspace: Iran-linked threat groups are applying their advanced persistent threat (APT) capabilities against foreign networks and industrial control systems (ICS) in support of wider state objectives. Analysis of anonymized telemetry from the last two weeks shows a steady increase in alerts attributed to Iran-linked APTs, with Manufacturing and Transportation the most targeted sectors.
Key threat groups include:
- MuddyWater (Seedworm/Static Kitten/Mango Sandstorm), a group attributed to Iran’s Ministry of Intelligence and Security (MOIS) that conducts cyber espionage through spear-phishing and living-off-the-land use of legitimate system and remote-administration tools.
- OilRig (APT34/Helix Kitten), which targets government, financial, and energy sectors using custom backdoors and web shells.
- APT33 (Elfin/Refined Kitten), which targets aerospace, aviation, energy, and manufacturing through spear-phishing and password spraying.
- UNC1549 (linked to CURIUM/Tortoiseshell/Crimson Sandstorm), active against defense, aerospace, telecommunications, and government sectors.
An analysis of the security posture of Middle Eastern organizations shows a worrying picture: 61% of identified vulnerabilities are rated HIGH or CRITICAL (CVSS), well above the global average of 48%, and 8% have EPSS scores above 1%, double the global average of 4%. The MITRE ATT&CK techniques most frequently observed (Default Accounts T1078.001, Valid Accounts T1078, Brute Force T1110, and Active Scanning T1595 / Network Service Discovery T1046) indicate attackers are still in the early stages: probing systems, identifying high-value assets, and establishing access. This reconnaissance and initial-access phase is the defenders’ best window to disrupt intrusions before they progress to privilege escalation, data theft, or destructive impact.
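The early-stage techniques above (default-account use, valid-account abuse, brute force and password spraying) are the ones defenders can catch in authentication logs before an intrusion advances. The following detection script is an added example written for this advisory, not code from Nozomi Networks or Paramount. It assumes a hypothetical syslog-style login record format, and the sample events and the default-account list are constructed for illustration, not real telemetry.

```python
"""Triage authentication logs for the early-stage ATT&CK techniques named in the
advisory: brute force (T1110), password spraying (T1110.003), and use of
valid/default accounts (T1078, T1078.001).

Added example; not Nozomi Networks or Paramount code. The log layout below is a
hypothetical syslog-like format chosen for this illustration.
"""
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). One line per login attempt.
SAMPLE_LOGS = """\
2025-06-20T10:00:01Z FAILED login user=admin src=203.0.113.10 proto=ssh
2025-06-20T10:00:03Z FAILED login user=admin src=203.0.113.10 proto=ssh
2025-06-20T10:00:05Z FAILED login user=admin src=203.0.113.10 proto=ssh
2025-06-20T10:00:07Z FAILED login user=admin src=203.0.113.10 proto=ssh
2025-06-20T10:00:09Z FAILED login user=admin src=203.0.113.10 proto=ssh
2025-06-20T10:00:11Z FAILED login user=admin src=203.0.113.10 proto=ssh
2025-06-20T10:00:13Z SUCCESS login user=admin src=203.0.113.10 proto=ssh
2025-06-20T10:05:00Z FAILED login user=alice src=198.51.100.7 proto=rdp
2025-06-20T10:05:01Z FAILED login user=bob src=198.51.100.7 proto=rdp
2025-06-20T10:05:02Z FAILED login user=carol src=198.51.100.7 proto=rdp
2025-06-20T10:05:03Z FAILED login user=dave src=198.51.100.7 proto=rdp
2025-06-20T10:05:04Z FAILED login user=erin src=198.51.100.7 proto=rdp
2025-06-20T10:05:05Z FAILED login user=frank src=198.51.100.7 proto=rdp
2025-06-20T10:09:30Z SUCCESS login user=operator src=192.0.2.55 proto=vnc
2025-06-20T10:12:00Z SUCCESS login user=alice src=10.0.0.5 proto=ssh
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+)$"
)

# Vendor/default account names often left enabled on OT and network gear
# (hypothetical list; tune it to your own asset inventory).
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "operator", "guest"}


def parse_events(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_brute_force(events, threshold=5):
    """T1110: many failures against ONE account from ONE source.
    Returns {(src, user): {"failures": n, "succeeded": bool}} for pairs at or
    above the threshold; 'succeeded' means a SUCCESS followed earlier failures."""
    failures = defaultdict(int)
    succeeded = set()
    for e in events:
        key = (e["src"], e["user"])
        if e["result"] == "FAILED":
            failures[key] += 1
        elif failures.get(key, 0) >= 1:  # success only counts after prior failures
            succeeded.add(key)
    return {
        key: {"failures": n, "succeeded": key in succeeded}
        for key, n in failures.items()
        if n >= threshold
    }


def find_password_spray(events, min_users=5):
    """T1110.003: ONE source failing against MANY distinct accounts.
    Returns {src: sorted list of users} for sources at or above min_users."""
    users_by_src = defaultdict(set)
    for e in events:
        if e["result"] == "FAILED":
            users_by_src[e["src"]].add(e["user"])
    return {
        src: sorted(users)
        for src, users in users_by_src.items()
        if len(users) >= min_users
    }


def find_default_account_logins(events, default_accounts=DEFAULT_ACCOUNTS):
    """T1078.001: successful logins using default/vendor account names.
    Returns a list of (src, user, proto) tuples in log order."""
    return [
        (e["src"], e["user"], e["proto"])
        for e in events
        if e["result"] == "SUCCESS" and e["user"].lower() in default_accounts
    ]


def triage(text):
    """Run all three detectors over raw log text and return their findings."""
    events = parse_events(text)
    return {
        "brute_force": find_brute_force(events),
        "password_spray": find_password_spray(events),
        "default_account_logins": find_default_account_logins(events),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOGS).items():
        print(f"{name}: {hits}")
```

The two brute-force detectors are deliberately keyed differently: classic brute force concentrates failures on one (source, account) pair, while spraying spreads a few passwords across many accounts and stays under per-account lockout thresholds, so counting distinct usernames per source is what exposes it. A successful login on a default account name is worth an alert on its own, because it should not happen at all once vendor accounts have been disabled or renamed. In production, add a sliding time window to the counters and feed the findings into the SIEM rather than printing them.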
Target: Applicable to all users.