Full Report
U.S. cybersecurity and intelligence agencies have issued a joint advisory warning of potential cyber-attacks from Iranian state-sponsored or affiliated threat actors. "Over the past several months, there has been increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events," the agencies said. "These cyber actors often
Analysis Summary
# Threat Actor: Iranian State-Sponsored or Affiliated Actors / Pro-Iranian Hacktivists / APT35
## Attribution & Identity
The advisory names **Iranian state-sponsored or affiliated actors** and **pro-Iranian hacktivists** as the source of increasing cyber risk. The Iranian nation-state hacking group **APT35** is specifically mentioned in relation to a recent campaign.
## Activity Summary
U.S. agencies warn of increasing cyber activity from these actors, expected to escalate due to recent geopolitical events. Activities observed or anticipated include:
* Exploiting targets of opportunity via unpatched software (known CVEs) or default/common passwords.
* Potential targeting of Defense Industrial Base (DIB) companies with ties to Israeli research and defense firms.
* Threat of Distributed Denial-of-Service (DDoS) attacks and ransomware campaigns against U.S. and Israeli entities.
* APT35 was recently observed targeting journalists, high-profile cybersecurity experts, and computer science professors in Israel via spear-phishing designed to capture Google account credentials.
* Low-level cyber attacks attributed to pro-Iranian hacktivists have prompted prior warnings.
## Tactics, Techniques & Procedures
- Exploitation of unpatched/outdated software (known CVEs).
- Use of default or common passwords on internet-connected accounts and devices.
- Initial access via reconnaissance tools like Shodan to find vulnerable internet-facing devices, especially in Operational Technology (OT) environments.
- Lateral movement achieved by exploiting weak segmentation or misconfigured firewalls.
- Escalation often involves:
  - Remote Access Tools (RATs)
  - Keyloggers
  - Legitimate admin utilities (e.g., PsExec) and credential-dumping tools (e.g., Mimikatz); Mimikatz is not an admin utility, but both are used because they blend in with normal administrative activity
- Evasion of basic endpoint defenses.
- Gaining access to OT networks using system engineering and diagnostic tools.
- Credential access: automated password guessing (brute force and password spraying), credential dumping from compromised hosts, and offline cracking of the recovered password hashes.
- Spear-phishing campaigns (e.g., APT35 using bogus Gmail login pages or Google Meet invitations to capture credentials).
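The "automated password guessing" item above covers two patterns that look different in logs: password spraying (one source, a few common passwords, many accounts, so each account sees only one or two failures) and brute force (one source, one account, many failures). The following detector is an added example for this summary, not code from the advisory or any agency tool; the log format (`<ISO timestamp> auth: <OK|FAIL> user=<name> src=<ip>`), the thresholds, and the sample events are all constructed assumptions. A success from a source that was already guessing is flagged separately, because that is the event that needs immediate response.

```python
"""Detect automated password guessing (spraying and brute force) in auth logs.

Added example: the log format, thresholds and sample data are assumptions.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: '<ISO timestamp> auth: <OK|FAIL> user=<name> src=<ip>'.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def build_sample_log():
    """Constructed sample events (not real data, not from the advisory)."""
    t0 = datetime(2024, 1, 10, 8, 0, 0)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).isoformat()

    lines = []
    # Spray: one source, six accounts, two attempts each.
    users = ["admin", "operator", "hmi", "engineer", "svc_backup", "guest"]
    for i, user in enumerate(users):
        for j in range(2):
            lines.append(f"{stamp(i * 5 + j)} auth: FAIL user={user} src=203.0.113.7")
    # The spray eventually hits an account still using a default password.
    lines.append(f"{stamp(40)} auth: OK user=svc_backup src=203.0.113.7")
    # Brute force: a second source hammering a single account.
    for k in range(12):
        lines.append(f"{stamp(100 + k)} auth: FAIL user=admin src=198.51.100.22")
    # Benign: a user mistypes once, then logs in.
    lines.append(f"{stamp(200)} auth: FAIL user=alice src=192.0.2.5")
    lines.append(f"{stamp(205)} auth: OK user=alice src=192.0.2.5")
    return lines


def parse(lines):
    """Turn matching log lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect(events, window=timedelta(minutes=10), spray_min_users=5,
           spray_max_per_user=3, brute_min_attempts=10):
    """Return findings for sources whose failures in a sliding window fit a guessing pattern."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        recent = deque()          # failures from this source inside the window
        reported = set()          # (pattern, user) pairs already emitted for this source
        for e in fails:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            per_user = Counter(x["user"] for x in recent)
            # Spray: many distinct accounts, each with only a few failures.
            if ("spray", None) not in reported and len(per_user) >= spray_min_users \
                    and max(per_user.values()) <= spray_max_per_user:
                reported.add(("spray", None))
                findings.append({"type": "password_spray", "src": src, "users": sorted(per_user)})
            # Brute force: one account with many failures.
            for user, n in per_user.items():
                if n >= brute_min_attempts and ("brute", user) not in reported:
                    reported.add(("brute", user))
                    findings.append({"type": "brute_force", "src": src, "user": user, "attempts": n})
        # A successful login from a source that was guessing is the signal to act on first.
        if reported:
            for e in evs:
                if e["result"] == "OK" and any(f["ts"] <= e["ts"] for f in fails):
                    findings.append({"type": "success_after_guessing", "src": src, "user": e["user"]})
    return findings


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse(build_sample_log()))


if __name__ == "__main__":
    for f in analyze_sample():
        print(f)
```

Run against the constructed log, the spraying source is flagged after its fifth distinct account, the brute-forcing source after its tenth failure against `admin`, and the later `OK` for `svc_backup` from the spraying source is reported as `success_after_guessing`; the benign single mistype from 192.0.2.5 produces nothing. The per-user cap (`spray_max_per_user`) is what separates spraying from brute force, so tune it to the lockout threshold the environment actually enforces.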
## Targeting
- Sectors: Defense Industrial Base (DIB), Operational Technology (OT) environments, Critical Infrastructure.
- Geography: U.S. and Israeli entities.
- Victims: DIB companies with ties to Israeli research/defense firms; Journalists, high-profile cybersecurity experts, and computer science professors (specifically targeted by APT35).
## Tools & Infrastructure
- Malware categories used: Remote Access Tools (RATs), keyloggers (the advisory names categories, not specific families).
- Legitimate and dual-use tools: PsExec (admin utility), Mimikatz (credential dumping).
- Reconnaissance: Shodan.
- Infrastructure/Techniques: Bogus Gmail login pages, Google Meet invitation spear-phishing lures.
## Implications
There is currently no evidence of a coordinated, large-scale malicious cyber campaign attributed to Iran in the U.S.; however, the threat from multiple Iranian-aligned groups (state-sponsored, affiliated, and hacktivist) is **increasing** and is aimed at sensitive sectors such as defense and critical infrastructure. The confluence of rising geopolitical tensions and the targeting of sensitive DIB entities suggests a high potential for disruptive or espionage-focused activity.
## Mitigations
- Organizations must increase vigilance, especially Defense Industrial Base (DIB) companies.
- Identify and disconnect OT and ICS assets from the public internet.
- Ensure devices and accounts are protected; the advisory implies patching known vulnerabilities, enforcing strong unique passwords, and requiring MFA.
- Patch or update software promptly to remediate known Common Vulnerabilities and Exposures (CVEs).
- Review and secure configurations for internet-facing devices, especially in ICS/OT environments, and replace default or common passwords so they cannot be used for initial access.
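The first concrete step behind "identify and disconnect OT and ICS assets from the public internet" and "review configurations for internet-facing devices" is to find which firewall rules actually let untrusted networks reach the OT zone, and which IT-to-OT rules are broad enough to give an intruder the lateral movement path described under TTPs. The audit below is an added example written for this summary, not code from the advisory; the rule-export format (a CSV with `name,action,src,dst,proto,dport`), the OT address range `10.50.0.0/16`, the port-to-protocol table, and the sample rules are all constructed assumptions.

```python
"""Audit firewall rules for internet-exposed OT assets and weak IT/OT segmentation.

Added example: the rule format, OT network range and sample rules are assumptions.
"""
import csv
import io
import ipaddress

# Common ICS protocol ports (assumed table; extend for the vendors in use).
ICS_PORTS = {502: "Modbus/TCP", 102: "Siemens S7comm", 20000: "DNP3",
             44818: "EtherNet/IP", 47808: "BACnet/IP", 4840: "OPC UA"}
# Remote-access and management ports that should never face untrusted networks from OT.
MGMT_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS", 3389: "RDP", 5900: "VNC"}
# Assumed OT zone and RFC 1918 internal ranges.
OT_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]
INTERNAL = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed rule export (not a real rule set). Columns: name,action,src,dst,proto,dport
SAMPLE_RULES = """\
name,action,src,dst,proto,dport
allow-vpn,allow,0.0.0.0/0,10.10.0.5/32,udp,1194
hmi-web-public,allow,0.0.0.0/0,10.50.1.20/32,tcp,443
plc-modbus-public,allow,0.0.0.0/0,10.50.2.10/32,tcp,502
vendor-vnc,allow,198.51.100.0/24,10.50.1.20/32,tcp,5900
it-to-ot-any,allow,10.10.0.0/16,10.50.0.0/16,any,any
hist-to-plc,allow,10.50.1.0/24,10.50.2.0/24,tcp,502
default-deny,deny,0.0.0.0/0,0.0.0.0/0,any,any
"""


def is_internal(net):
    """True only when the whole source range lies inside RFC 1918 space."""
    return any(net.subnet_of(i) for i in INTERNAL)


def audit(rules_csv, ot_networks=OT_NETWORKS):
    """Return findings for allow rules whose destination touches the OT zone."""
    findings = []
    for r in csv.DictReader(io.StringIO(rules_csv)):
        if r["action"].lower() != "allow":
            continue
        src = ipaddress.ip_network(r["src"], strict=False)
        dst = ipaddress.ip_network(r["dst"], strict=False)
        if not any(dst.overlaps(n) for n in ot_networks):
            continue  # rule does not reach OT; out of scope here
        port = None if r["dport"] == "any" else int(r["dport"])

        if not is_internal(src):
            # Anything from a non-internal source into OT is the exposure the advisory warns about.
            if port in ICS_PORTS:
                sev, why = "critical", f"{ICS_PORTS[port]} reachable from untrusted networks"
            elif port is None or port in MGMT_PORTS:
                sev, why = "high", "remote access into OT from untrusted networks"
            else:
                sev, why = "high", "OT asset reachable from untrusted networks"
        elif any(src.subnet_of(n) for n in ot_networks):
            continue  # intra-OT traffic; a separate review
        elif port is None:
            sev, why = "medium", "any-port IT-to-OT rule (weak segmentation, lateral movement path)"
        else:
            sev, why = "low", "IT-to-OT rule; confirm it is required and source-restricted"
        findings.append({"rule": r["name"], "severity": sev, "reason": why})

    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"{f['severity']:<8} {f['rule']:<20} {f['reason']}")
```

On the sample export the Modbus forward from `0.0.0.0/0` is critical, the public HTTPS HMI and the vendor VNC path are high, and the IT-to-OT any/any rule is medium; the intra-OT historian-to-PLC rule and the IT-only VPN rule are not reported. Note that `is_internal` deliberately tests RFC 1918 membership rather than `ipaddress`'s `is_global`, which classifies documentation ranges such as 198.51.100.0/24 as non-global and would hide a third-party remote-access rule.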