Executive Summary
Recent U.S. military action against Iranian nuclear facilities has intensified the global cyber threat landscape and prompted immediate warnings from U.S. government agencies of a heightened risk of cyber retaliation from both state-sponsored Iranian Advanced Persistent Threat (APT) groups and pro-Iranian hacktivists. These potential retaliatory actions encompass disruptive attacks, data theft, and influence operations. Deepwatch’s security operations, supported by advanced use case detections, are specifically engineered to protect customer environments from these sophisticated and opportunistic tactics, techniques, and procedures (TTPs). This bulletin provides an overview of the elevated threat, details how Deepwatch services contribute to protection, and outlines critical proactive mitigation strategies for organizations to implement.
Current Threat Landscape
News Analysis of Geopolitical Context and Elevated Risk Assessment
On June 21, 2025, the U.S. military conducted precision strikes on three Iranian nuclear facilities located at Fordo, Natanz, and Isfahan. This operation followed a week of sustained Israeli attacks targeting Iranian military sites. The direct involvement of the United States has been met with condemnation from Iran, which has publicly stated its right to retaliate.
In the immediate aftermath of these strikes, the U.S. Department of Homeland Security (DHS) issued a national terrorism bulletin, warning of a “heightened threat environment” and the likely occurrence of cyberattacks against U.S. networks. The Cybersecurity and Infrastructure Security Agency (CISA) has reinforced these warnings, confirming its active monitoring of cyberattacks and its coordination with partners to strengthen collective defenses.
The direct military action by the United States represents an escalation in the ongoing geopolitical tensions. Historically, Iranian cyber responses have often been observed in reaction to Israeli operations or broader regional dynamics. The explicit warnings from DHS and CISA, which specifically mention both “low-level cyber attacks by pro-Iranian hacktivists” and potential actions by “cyber actors affiliated with the Iranian government,” indicate a dual-pronged and potentially less predictable threat. This implies that while sophisticated APTs will likely continue their stealthy, targeted operations, the increased involvement of hacktivists suggests a higher probability of disruptive, noisy, and less precise attacks. These could include distributed denial-of-service (DDoS) attacks, website defacements, and data leaks aimed at achieving public visibility and psychological impact, rather than solely focusing on espionage or financial gain. Consequently, this broadens the potential attack surface, necessitating vigilance against both highly sophisticated and opportunistic cyber threats.
Iranian Cyber Capabilities and Objectives
Iranian cyber actors comprise a diverse spectrum of groups, ranging from highly sophisticated state-sponsored entities, such as APT34 (OilRig), MuddyWater, APT35/42 (Charming Kitten), and APT33 (Refined Kitten), to cybercriminal affiliates and various pro-Iranian hacktivist collectives. These actors pursue a variety of objectives:
- Espionage and Data Theft: A primary objective involves the theft of sensitive intellectual property, technical data, and private communications, often serving long-term intelligence collection goals for the Iranian government.
- Disruption and Destruction: Iranian groups, including IRGC-affiliated entities such as CyberAv3ngers and APT33, are known for focusing on disruptive attacks against critical infrastructure sectors, including healthcare, government, energy, and information technology, frequently employing wiper malware.
- Ransomware Collaboration: A notable development involves groups like Pioneer Kitten (also known as Fox Kitten or Lemon Sandstorm) acting as initial access brokers. These groups gain persistent network access and then collaborate with prominent ransomware gangs, including NoEscape and ALPHV (also known as BlackCat), to deploy ransomware and share in the illicit profits.
- Influence Operations: Iranian actors engage in “hack-and-leak” campaigns, where stolen data is publicized to sow fear, undermine confidence in targeted organizations, and disseminate disinformation.
Common attack vectors employed by these actors include the exploitation of unpatched internet-facing systems (known as N-days), brute-force password attacks, multi-factor authentication (MFA) “push bombing” (also referred to as MFA fatigue), and sophisticated phishing schemes.
The explicit documentation of groups like Pioneer Kitten functioning as “access brokers for ransomware operations” and their collaboration with well-known ransomware affiliates, such as NoEscape and ALPHV/BlackCat, represents a critical evolution in their operational model. This observed behavior significantly blurs the traditional demarcation between state-sponsored threats, which typically focus on espionage or sabotage, and financially motivated cybercrime. The implication is that organizations that may not be directly involved in geopolitical conflicts but possess valuable data or are perceived as likely to pay a ransom could become targets for initial access brokering, ultimately leading to the deployment of ransomware. This development substantially expands the potential victim pool beyond conventional government or critical infrastructure targets.
How Deepwatch Protects Customers
Deepwatch employs a comprehensive suite of advanced detection use cases specifically engineered to identify the Tactics, Techniques, and Procedures (TTPs) utilized by Iranian cyber threat actors. The Security Operations Center (SOC) continuously monitors client environments, ensuring these detections remain active, tuned, and effective against evolving threats.
Leveraging Advanced Detection Use Cases
The detection capabilities are meticulously aligned with the observed TTPs of Iranian groups across the entire attack lifecycle:
- Initial Access & Credential Harvesting: Systems are designed to detect spearphishing campaigns, attempts to exploit public-facing applications, password spraying activities, and various credential theft methodologies.
- Execution & Defense Evasion: The security infrastructure identifies the malicious abuse of “Living off the Land” binaries (LOLBins) such as PowerShell and VBScript, the deployment of obfuscation techniques, and the illicit use of legitimate remote access tools to blend with normal network activity.
- Command and Control (C2) & Exfiltration: Monitoring encompasses sophisticated C2 methods, including DNS tunneling, Domain Generation Algorithm (DGA) activity, LOLBins initiating web traffic, and data exfiltration attempts over various protocols or via abused legitimate cloud services.
- Impact (Disruption & Destruction) & Ransomware Collaboration: Detections cover destructive capabilities such as disk wiping commands, the deployment of ransomware, and attempts to disable critical backup services, which often precede disruptive attacks.
- Broader Account and System Activity: Comprehensive tracking is in place for privilege escalation attempts, account manipulation activities, lateral movement within networks, and the creation of new credentials to maintain persistence.
Proactive Mitigation Strategies for Your Organization
While Deepwatch provides continuous monitoring and detection, the implementation of proactive measures by customers is paramount to strengthening defenses against these elevated threats.
Immediate Priorities
Organizations must prioritize the following actions:
- Patch Critical Vulnerabilities: Iranian state-sponsored actors are known for aggressively scanning for and exploiting known vulnerabilities in public-facing applications and appliances, including Citrix ADC, F5 BIG-IP, Ivanti Pulse Secure, Palo Alto PAN-OS, and Check Point firewalls. It is imperative to implement a robust patch management strategy that prioritizes critical updates based on Common Vulnerability Scoring System (CVSS) scores and CISA Known Exploited Vulnerabilities (KEV) alerts. This strategy should include the timely deployment of patches, following thorough testing, to minimize operational disruptions.
- Enforce Phishing-Resistant Multi-Factor Authentication (MFA): Iranian groups extensively utilize password spraying and MFA “push bombing” to gain initial access to cloud services and VPNs. Organizations should implement phishing-resistant MFA mechanisms, such as FIDO2 security keys, wherever technically feasible. Furthermore, comprehensive user education is essential for training employees to recognize and report MFA fatigue attempts, where attackers repeatedly send MFA prompts in the hope that a user will inadvertently approve access. Simply having MFA enabled is insufficient; it must be resilient against these specific attack vectors. Iranian actors are actively targeting and bypassing standard MFA implementations through tactics like MFA fatigue. This highlights a critical vulnerability where organizations might perceive themselves as secure due to MFA, yet the specific methods employed by these actors can render it ineffective. The emphasis must therefore shift from merely “having MFA” to implementing phishing-resistant MFA and establishing a robust user education program to counteract the social engineering aspects of MFA attacks.
- Distributed Denial-of-Service (DDoS) Protection: Given the potential for disruptive attacks, including Distributed Denial-of-Service (DDoS) attacks, organizations should implement robust DDoS protection measures. Effective DDoS mitigation requires a multi-layered approach that combines network capacity, processing power, and intelligent traffic filtering.
- Leverage Cloud-Based DDoS Protection Services: Consider utilizing specialized cloud-based DDoS protection services from providers. These services offer unmetered mitigation, global network resiliency, and rapid response times, often mitigating attacks within seconds. They can protect critical infrastructure components, including DNS servers, email systems, FTP servers, backend applications, and management platforms.
- Protect DNS and API Infrastructure: Ensure your Domain Name System (DNS) infrastructure is protected with robust solutions, as DNS attacks are a common method of disruption. Extend that protection to the application and API layers, potentially using a Web Application Firewall (WAF) to block malicious HTTP requests.
Enhanced Vigilance and Monitoring
Continuous and thorough monitoring is vital:
- Monitor Authentication Activity: All authentication logs, from both on-premise Active Directory (AD) and cloud identity services, should be reviewed for anomalies. This includes identifying patterns such as multiple failed logins originating from a single source, “impossible travel” logins (where a user appears to log in from geographically distant locations in a short timeframe), or logins from unusual geographic locations not typically associated with the user.
- Audit MFA and Account Changes: Security teams should actively hunt for unexpected MFA enrollment or reset events, particularly if they originate from unusual IP addresses or occur outside normal business hours. Any instance of MFA being disabled or security controls being removed from an account must be treated as highly suspicious and investigated immediately.
- Track Privileged Account Usage: Rigorous monitoring of administrative accounts and sensitive groups is crucial. Alerts should be configured for privileged account logons on systems where they do not typically operate, as well as for any privilege escalation events. Special attention should be paid to the creation of new accounts, especially those with names resembling administrative or service accounts.
- Inspect Endpoint Processes and Files: Monitoring should include the detection of Sysinternals tools (e.g., contig.exe), suspicious DLLs (e.g., version.dll), or the presence of remote access tools (e.g., AnyDesk, Ngrok, Ligolo/Ligolo-NG) on servers, as these are frequently abused by Iranian actors for malicious purposes.
- Network and Cloud Monitoring: Implement detection rules for known Command and Control (C2) patterns, including outbound connections to dynamic DNS domains, cloud relay services (e.g., *.ngrok.io subdomains), and specific file hosting sites (e.g., files.catbox.moe). Additionally, monitor for large data flows from cloud storage services to external destinations, which could indicate data exfiltration.
- Email and Productivity Services: Enable comprehensive logging and alerting for key changes within email accounts. This includes mail forwarding rules to external addresses or hidden folders, which are common indicators of email account compromise, and suspicious logins to mail accounts from unusual IP addresses.
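Two of the authentication checks above (failed-login bursts from a single source and “impossible travel”) as runnable Python over constructed sign-in events. This is an added illustration, not Deepwatch detection content; the event layout, the thresholds and the pre-geolocated latitude/longitude fields are assumptions.

```python
"""Detectors for two authentication anomalies listed above, run over constructed
sign-in events. Added example; not Deepwatch detection content."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed events: (timestamp, user, source_ip, result, lat, lon); lat/lon
# assume an upstream enrichment step already geolocated the source IP.
EVENTS = [(f"2025-06-24T01:0{i}:00", u, "203.0.113.5", "fail", 40.7, -74.0)
          for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])] + [
    ("2025-06-24T02:00:00", "alice", "198.51.100.7", "success", 40.7, -74.0),
    ("2025-06-24T02:45:00", "alice", "192.0.2.9", "success", 51.5, -0.1),
    ("2025-06-24T03:00:00", "bob", "198.51.100.8", "success", 40.7, -74.0),
]

def failed_login_bursts(events, threshold=5, window_s=300):
    """Map source IP -> users targeted when >= threshold failures fall in window_s."""
    by_src = defaultdict(list)
    for ts, user, ip, result, _, _ in events:
        if result == "fail":
            by_src[ip].append((datetime.fromisoformat(ts), user))
    hits = {}
    for ip, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide the window over each start
            users = [u for t, u in fails[i:] if (t - start).total_seconds() <= window_s]
            if len(users) >= threshold:
                hits[ip] = sorted(set(users))  # many distinct users = spraying shape
                break
    return hits

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (Earth radius 6371 km)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900):
    """List (user, previous_ip, new_ip, implied_kmh) for consecutive successful
    logins whose implied travel speed exceeds max_kmh (roughly airliner speed)."""
    last, hits = {}, []
    for ts, user, ip, _, lat, lon in sorted(e for e in events if e[3] == "success"):
        t = datetime.fromisoformat(ts)
        if user in last:
            pt, plat, plon, pip = last[user]
            hours = max((t - pt).total_seconds() / 3600, 1 / 3600)  # floor at 1 s
            kmh = haversine_km(plat, plon, lat, lon) / hours
            if kmh > max_kmh:
                hits.append((user, pip, ip, round(kmh)))
        last[user] = (t, lat, lon, ip)
    return hits
```

In the constructed data, one source fails against five accounts in four minutes and alice appears in New York and then London 45 minutes later; the 1-second floor keeps two simultaneous logins from the same place from dividing by zero.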
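The outbound C2 and exfiltration patterns from the network monitoring item above, as an added Python example run over constructed proxy log lines (not Deepwatch detection content). The ngrok and catbox indicators come from the bulletin; the dynamic DNS suffix list, the log line layout and the byte threshold are assumptions for illustration.

```python
"""Matchers for the outbound C2 and exfiltration patterns listed above, run
over constructed proxy log lines. Added example; not Deepwatch detection content."""
import re
from collections import defaultdict

# Indicators named in the bulletin plus an assumed, illustrative list of
# dynamic DNS suffixes; a production rule would draw on a maintained feed.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")
RULES = {
    "ngrok_relay": re.compile(r"(^|\.)ngrok\.io$"),          # any *.ngrok.io host
    "catbox_file_hosting": re.compile(r"^files\.catbox\.moe$"),
    "dynamic_dns": re.compile(
        r"(^|\.)(" + "|".join(map(re.escape, DYNAMIC_DNS_SUFFIXES)) + r")$"),
}
EXFIL_BYTES = 500 * 1024 * 1024  # assumed per source/destination threshold

# Constructed log lines: timestamp src_ip dst_host bytes_out
LOGS = """\
2025-06-24T10:01:00 10.0.0.12 sso.example.com 2048
2025-06-24T10:02:00 10.0.0.12 abc123.ngrok.io 512
2025-06-24T10:03:00 10.0.0.20 files.catbox.moe 4096
2025-06-24T10:04:00 10.0.0.20 backup.duckdns.org 1024
2025-06-24T10:05:00 10.0.0.31 share.example-storage.net 300000000
2025-06-24T10:06:00 10.0.0.31 share.example-storage.net 300000000
"""

def parse(log_text):
    """Yield (src_ip, dst_host, bytes_out) from whitespace-separated lines."""
    for line in log_text.splitlines():
        _, src, dst, nbytes = line.split()
        yield src, dst.lower().rstrip("."), int(nbytes)  # normalise the host

def match_indicators(log_text):
    """Return (src_ip, dst_host, rule_name) for each line hitting a C2 rule."""
    return [(src, dst, name) for src, dst, _ in parse(log_text)
            for name, pat in RULES.items() if pat.search(dst)]

def large_outbound_flows(log_text, threshold=EXFIL_BYTES):
    """Sum bytes_out per (src_ip, dst_host) and return pairs at or over threshold,
    the aggregate view that exposes chunked transfers no single line would flag."""
    totals = defaultdict(int)
    for src, dst, nbytes in parse(log_text):
        totals[(src, dst)] += nbytes
    return sorted(pair for pair, total in totals.items() if total >= threshold)
```

The anchored suffix patterns deliberately ignore look-alikes such as ngrok.io.example.com, which would otherwise produce noisy false positives.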
Strengthening Cyber Hygiene
Fundamental cybersecurity practices must be reinforced:
- Employee Security Awareness Training: Continuous education should build employees’ ability to recognize sophisticated phishing attempts and social engineering tactics, and reinforce the importance of promptly reporting suspicious activity. Iranian actors consistently exploit the human element through social engineering, phishing, and MFA fatigue. This highlights that despite the implementation of robust technical controls, a strong human firewall, cultivated through continuous and specifically tailored security awareness training, remains an indispensable component of defense. Organizations must move beyond basic training to address complex social engineering tactics and empower employees to serve as a critical first line of defense.
Conclusion and Next Steps
The current geopolitical climate necessitates an unwavering commitment to heightened vigilance against Iranian cyber threats. Deepwatch remains dedicated to safeguarding customer environments through the continuous integration of the latest threat intelligence and proactive monitoring. The existing suite of use case detections is specifically designed and continuously updated to counter the TTPs observed from these persistent and evolving actors.
All Deepwatch customers are encouraged to thoroughly review and implement the proactive mitigation strategies detailed in this bulletin. Should any suspicious activity be observed or if further guidance is required, customers are encouraged to contact the 24/7 Security Operations Center without delay. Through collaborative efforts, the collective resilience of organizations against these evolving cyber threats can be significantly enhanced.
Resources
- DHS warns of heightened cyber threat as US enters Iran conflict | Cybersecurity Dive, accessed June 24, 2025, https://www.cybersecuritydive.com/news/dhs-warns-of-heightened-cyber-threat-as-us-enters-iran-conflict/751314/
- Cybersecurity Best Practices | Cybersecurity and Infrastructure Security Agency CISA, accessed June 24, 2025, https://www.cisa.gov/topics/cybersecurity-best-practices
- Washington Post | Iranian Cyber Attacks US Possible, accessed June 24, 2025, https://www.washingtonpost.com/technology/2025/06/24/iran-cyber-attacks-us-possible/