Overview
As US and Israeli missiles strike Iranian territory on February 28, 2026, cybersecurity experts are warning that Iran's retaliation may arrive not through the sky but through fiber-optic cables. Iran has spent over a decade building one of the most capable state-sponsored cyber warfare programs in the world, with dedicated units within the Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence and Security (MOIS) that have repeatedly demonstrated the ability and willingness to attack US critical infrastructure, financial institutions, government networks, and private companies.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency advisory within hours of the first confirmed strikes, warning all US critical infrastructure operators of an "elevated and imminent" Iranian cyber threat. The advisory — designated AA26-059A — identified water treatment facilities, electrical grid operators, natural gas pipeline systems, healthcare networks, and financial institutions as the highest-priority targets. CISA elevated its threat level to "Shield Red," the highest tier in its alerting framework, for the first time since the system was established in 2023.
This article provides a comprehensive assessment of Iran's cyber warfare capabilities: the organizational structure behind the attacks, the specific APT groups and their track records, a detailed history of past operations against US targets, and a practical guide to which infrastructure sectors face the greatest risk. Understanding this threat is critical because Iranian cyber retaliation is not a hypothetical — it is a near-certainty, based on the consistent pattern of Iranian cyber operations following kinetic escalations.
IRGC Cyber Units
Iran's cyber warfare capability is organized under two primary institutional umbrellas: the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS). Together, these organizations oversee an estimated 5,000-10,000 cyber operatives, including both uniformed military personnel and contracted civilian hackers who operate through front companies and university research programs.
Within the IRGC, the primary cyber warfare entity is the IRGC Electronic Warfare and Cyber Defense Organization (IRGC-EWCD), also known informally as the "Cyber Command." Established formally in 2010 in the aftermath of the Stuxnet attack on Iran's nuclear facilities, the IRGC-EWCD was created with an explicitly offensive mandate: to develop the capability to retaliate against the United States and Israel in cyberspace after demonstrating that Iran's physical infrastructure was vulnerable to cyber sabotage. The organization reports directly to the IRGC commander-in-chief and operates with significant autonomy from Iran's conventional military and civilian government structures.
The IRGC-EWCD oversees several subordinate units with specialized functions. The Shahid Kaveh Unit focuses on offensive operations against Western critical infrastructure, including industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. The Shahid Babaei Unit conducts intelligence collection operations against military and diplomatic targets. The Basij Cyber Council, affiliated with the IRGC's paramilitary Basij force, coordinates a network of volunteer hackers — estimated at 50,000-100,000 individuals — who can be mobilized for distributed denial-of-service (DDoS) campaigns and social media influence operations.
The MOIS operates its own cyber division, focused primarily on espionage rather than sabotage. MOIS-linked groups conduct long-term intelligence collection against foreign governments, opposition groups, and diaspora communities. While MOIS operations tend to be stealthier and more patient than IRGC operations, the distinction between espionage and attack is increasingly blurred: intelligence access to a target's network can be rapidly converted to destructive capability if the order is given.
According to Microsoft Threat Intelligence, Iranian state-sponsored cyber activity increased 300% in the six months preceding the February 28 strikes, with a particular focus on reconnaissance of US critical infrastructure networks — a pattern consistent with pre-positioning for retaliatory operations.
APT33 Elfin
APT33, also tracked as Elfin, Refined Kitten, and Magnallium, is one of Iran's most capable and active cyber threat groups. Attributed to the IRGC by multiple cybersecurity firms and the US Department of Justice, APT33 has been operational since at least 2013 and specializes in targeting aerospace, energy, and defense sectors in the United States, Saudi Arabia, and South Korea.
APT33's primary tool is spear-phishing — highly targeted emails designed to appear as legitimate communications from trusted contacts, containing malicious attachments or links that install remote access trojans (RATs) on victim systems. The group has demonstrated sophisticated understanding of its targets' organizational structures, often impersonating specific individuals within victim organizations and timing emails to coincide with legitimate business communications. APT33 maintains a portfolio of custom malware, including the Shamoon wiper (discussed in detail below), the Stonedrill backdoor, and the Turnedup RAT.
APT33's most strategically significant operations have targeted US energy infrastructure. In 2017, the group compromised networks at multiple US energy companies, gaining access to operational technology (OT) networks that control physical industrial processes. While no destructive action was taken at the time, the access established — and potentially maintained through persistent backdoors — represents a latent threat that could be activated during the current conflict. Mandiant's threat assessment (December 2025) warned that APT33 has "pre-positioned access within at least a dozen US energy sector networks" and that this access could be leveraged for destructive attacks "within hours of receiving authorization."
In 2019, APT33 shifted a significant portion of its operations toward developing destructive capability — specifically, refining its ability to deploy wiper malware that permanently destroys data and damages systems. This shift, assessed by cybersecurity researchers as a deliberate strategic decision by IRGC leadership, indicated preparation for a conflict scenario in which Iran would deploy destructive cyber attacks against US infrastructure as a form of asymmetric retaliation.
APT34 OilRig
APT34, also known as OilRig, Helix Kitten, and Crambus, is attributed to the MOIS and has been active since at least 2014. APT34 specializes in espionage operations targeting government agencies, financial institutions, energy companies, and telecommunications providers, primarily in the Middle East but with significant operations against US targets.
APT34's technical sophistication distinguishes it from other Iranian groups. The group develops custom tools — including the BONDUPDATER and POWRUNER backdoors, the VALUEVAULT credential harvester, and the LONGWATCH keylogger — that demonstrate a high level of software engineering capability. APT34 has also shown the ability to exploit zero-day vulnerabilities (previously unknown software flaws), a capability that was once considered beyond Iran's reach and that indicates either independent vulnerability research or acquisition of exploits from commercial vendors or allied intelligence services.
In 2019, a significant breach within APT34 resulted in the leak of the group's tools, operational procedures, and victim data by a dissident or rival group using the alias "Lab Dookhtegan." The leak confirmed APT34's targeting of US financial institutions, Middle Eastern government ministries, and telecommunications companies. It also revealed the group's use of DNS tunneling — a technique that hides data exfiltration within normal DNS traffic — and webshell implants that maintain persistent access to compromised web servers.
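The DNS tunneling technique mentioned above is usually caught on the defender's side by looking at query shape rather than content. The following heuristic detector is an added example (not code from the article, the leak, or any vendor named on this page) that runs over a constructed query log; the log format, the entropy and length thresholds, and the two-label approximation of a registered domain are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not real telemetry). One line per
# query: timestamp, client IP, queried name, record type. Host 10.20.5.31
# sends long high-entropy labels under a single domain, the shape of data
# being carried out inside DNS queries; host 10.20.5.14 is normal traffic.
SAMPLE_DNS_LOG = """\
2026-02-28T14:31:02Z 10.20.5.14 www.example.com A
2026-02-28T14:31:03Z 10.20.5.14 mail.example.com MX
2026-02-28T14:31:04Z 10.20.5.14 api.example.com A
2026-02-28T14:31:05Z 10.20.5.14 login.example.com A
2026-02-28T14:31:06Z 10.20.5.14 cdn.example.com A
2026-02-28T14:31:07Z 10.20.5.14 static.example.com A
2026-02-28T14:31:08Z 10.20.5.14 images.example.com A
2026-02-28T14:31:09Z 10.20.5.31 www.example.com A
2026-02-28T14:31:10Z 10.20.5.31 k3j9xqz7m4v8wn2p5ty6rb0hdagcfoe.s1.updates-cdn.test TXT
2026-02-28T14:31:11Z 10.20.5.31 qz7m4v8wn2p5ty6rb0hdagcfoek3j9x.s1.updates-cdn.test TXT
2026-02-28T14:31:12Z 10.20.5.31 v8wn2p5ty6rb0hdagcfoek3j9xqz7m4.s1.updates-cdn.test TXT
2026-02-28T14:31:13Z 10.20.5.31 p5ty6rb0hdagcfoek3j9xqz7m4v8wn2.s1.updates-cdn.test TXT
2026-02-28T14:31:14Z 10.20.5.31 rb0hdagcfoek3j9xqz7m4v8wn2p5ty6.s1.updates-cdn.test TXT
2026-02-28T14:31:15Z 10.20.5.31 agcfoek3j9xqz7m4v8wn2p5ty6rb0hd.s1.updates-cdn.test TXT
this line is malformed and must be skipped by the parser
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score far above hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, registered_domain).

    Assumption: the registered domain is the last two labels. Production
    code should use the public suffix list so that e.g. co.uk is handled.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qname, qtype); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, qtype = parts
        yield client, qname, qtype.upper()


def detect_dns_tunnelling(log_text: str, min_unique=6, min_entropy=3.5, min_avg_len=20):
    """Flag (client, domain) pairs whose subdomains look like encoded data.

    Three signals must coincide: many distinct subdomains under one domain,
    long subdomain strings, and high per-character entropy. Any one alone
    produces false positives (CDNs, long descriptive hostnames).
    """
    groups = defaultdict(lambda: {"subs": set(), "total": 0, "bulky": 0})
    for client, qname, qtype in parse_log(log_text):
        sub, dom = split_name(qname)
        g = groups[(client, dom)]
        g["total"] += 1
        g["subs"].add(sub)
        if qtype in ("TXT", "NULL"):  # record types that can carry large answers
            g["bulky"] += 1
    findings = []
    for (client, dom), g in groups.items():
        subs = [s.replace(".", "") for s in g["subs"] if s]
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_ent >= min_entropy and avg_len >= min_avg_len:
            findings.append({
                "client": client,
                "domain": dom,
                "queries": g["total"],
                "unique_subdomains": len(subs),
                "avg_subdomain_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "txt_ratio": round(g["bulky"] / g["total"], 2),
            })
    return sorted(findings, key=lambda f: -f["avg_entropy"])


if __name__ == "__main__":
    for f in detect_dns_tunnelling(SAMPLE_DNS_LOG):
        print(f)
```

On the constructed log the only pair reported is 10.20.5.31 against updates-cdn.test; the same host's ordinary query to example.com is grouped separately and not flagged.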
APT34's relevance to the current conflict lies in its intelligence collection infrastructure. The group maintains long-term access to networks in multiple countries, including diplomatic communications, military logistics systems, and energy sector control networks. This intelligence provides Iranian decision-makers with real-time visibility into adversary operations, intentions, and vulnerabilities — information that is directly relevant to both defensive planning and offensive targeting during the current conflict.
APT42 Charming Kitten
APT42, widely known as Charming Kitten, Phosphorus, and TA453, is arguably Iran's most publicly visible cyber threat group, with a track record of operations targeting US government officials, think tank researchers, journalists, academics, and political campaigns. Attributed to the IRGC Intelligence Organization (IRGC-IO), APT42 combines cyber espionage with social engineering to achieve strategic intelligence objectives.
APT42's operational methodology is distinctive: the group invests significant time in building trust-based relationships with targets before deploying technical exploits. Operatives create elaborate fake personas — fictitious journalists, academic researchers, think tank fellows — and engage targets over weeks or months through email, social media, and messaging platforms. Once trust is established, the target is lured to a malicious website or sent a weaponized document. This patience sets APT42 apart from the "spray and pray" approach of less sophisticated actors and makes its operations significantly harder to detect.
CrowdStrike's 2025 Global Threat Report identified APT42 as responsible for targeting at least 14 US policy officials, 8 congressional staffers, and 22 journalists covering Iran policy between 2023 and 2025. The group also targeted the personal email accounts of officials involved in JCPOA negotiations, seeking to obtain intelligence on US negotiating positions and internal deliberations. In 2024, APT42 conducted operations targeting the US presidential election, sending phishing emails to campaign staff of both major party candidates — a pattern consistent with intelligence collection rather than interference, though the distinction is operationally thin.
During the current conflict, APT42's greatest value to Iran is its existing access to the communications and networks of US policy officials. Information obtained through compromised email accounts — internal deliberations about strike planning, post-strike diplomatic strategy, and intelligence assessments of Iranian capabilities — could provide Iranian leaders with critical insight into US intentions and red lines.
Past Attacks on US Infrastructure
Iran's track record of cyber attacks on US targets is extensive and demonstrates a progression from crude disruption to sophisticated infrastructure targeting. The following timeline captures the most significant operations.
| Year | Operation/Target | Impact | Attribution |
|---|---|---|---|
| 2012-2013 | Operation Ababil (US banks) | DDoS attacks disrupted online banking at 46 institutions | IRGC-linked (DOJ indictment) |
| 2013 | Bowman Avenue Dam, NY | SCADA system access (flood gate control) | IRGC (DOJ indictment 2016) |
| 2014 | Sands Casino, Las Vegas | Destructive attack; data wiped, $40M+ damage | Iran (FBI attribution) |
| 2017 | US university networks (144 institutions) | 31 TB of data stolen, $3.4B IP theft | Mabna Institute / IRGC |
| 2019-2020 | US water/energy reconnaissance | SCADA system mapping, no destructive action | APT33 (Mandiant) |
| 2021 | Boston Children's Hospital | Attempted ransomware attack blocked by FBI | Iran-sponsored (FBI) |
| 2023 | Pennsylvania water authority | Programmable logic controller compromised | IRGC-affiliated CyberAv3ngers |
| 2024 | US election campaign targeting | Phishing of campaign staff | APT42 (Microsoft/Google) |
| 2025 | Multiple US water utilities | SCADA access confirmed at 6 systems | IRGC (CISA advisory) |
This progression reveals two critical trends. First, Iran has consistently escalated the sensitivity of its targets — from banking websites (disruption) to industrial control systems (potential physical damage) to election infrastructure (democratic process interference). Second, Iran has demonstrated a pattern of pre-positioning: gaining access to critical systems during peacetime and maintaining that access for potential activation during a conflict. The current military escalation represents precisely the scenario for which this pre-positioning was designed.
Water System Intrusions
Water treatment and distribution systems have emerged as Iran's preferred critical infrastructure target within the United States. The reasons are both strategic and practical. Strategically, attacks on water systems affect civilian populations directly and create public fear disproportionate to the physical damage. Practically, US water utilities represent the softest target in the critical infrastructure landscape: the sector comprises approximately 152,000 public water systems, the vast majority operated by small municipalities with minimal cybersecurity budgets, outdated SCADA systems, and limited technical staff.
In November 2023, Iranian hackers affiliated with the IRGC-linked group CyberAv3ngers compromised a programmable logic controller (PLC) at the Municipal Water Authority of Aliquippa, Pennsylvania. The attackers accessed a Unitronics Vision Series PLC that controlled water pressure monitoring equipment. While the attack did not directly affect water treatment or distribution, it demonstrated that Iranian actors had the capability and intent to access operational technology controlling physical water infrastructure. CISA subsequently identified that the same Unitronics PLCs were deployed across hundreds of US water systems, all running factory-default passwords and accessible via the internet.
The 2023 Aliquippa incident was not an isolated event. CISA advisories issued throughout 2024 and 2025 documented Iranian reconnaissance and intrusion attempts at water utilities across multiple states, including systems serving major metropolitan areas. The February 2025 CISA advisory (AA25-048A) confirmed that Iranian-affiliated actors had gained SCADA access at six US water utilities serving a combined population of over 3 million people. In at least two cases, the attackers had the technical capability to alter chemical dosing parameters — specifically, the amount of chlorine and sodium hydroxide added during treatment — though no manipulation was detected.
The water sector's vulnerability is compounded by regulatory gaps. Unlike the energy sector, where the North American Electric Reliability Corporation (NERC) enforces mandatory cybersecurity standards, the water sector has no equivalent federal cybersecurity mandate. The Environmental Protection Agency (EPA) attempted to implement cybersecurity requirements through its existing authority under the Safe Drinking Water Act, but faced legal challenges from state attorneys general who argued the EPA was exceeding its statutory mandate. As a result, water system cybersecurity remains largely voluntary, with compliance varying dramatically by system size and jurisdiction.
Bowman Dam Incident
The Bowman Avenue Dam incident remains the most frequently cited example of Iranian cyber targeting of US physical infrastructure. In 2013, Iranian hackers gained unauthorized access to the SCADA system controlling the Bowman Avenue Dam in Rye Brook, New York — a small flood-control dam on Blind Brook, approximately 30 miles north of New York City. The hackers accessed the dam's control system through an internet-connected cellular modem, gaining the ability to view the dam's water level, temperature, and status of the sluice gate (which controls water release).
The sluice gate happened to be disconnected for maintenance at the time of the intrusion, preventing the attackers from actually operating it. Had the gate been functional, the hackers could theoretically have opened it, releasing water into the downstream area. The physical consequences would have been limited — Bowman Avenue Dam is a small structure, and downstream flooding would have been modest — but the symbolic and precedential significance was enormous. It demonstrated that Iranian actors were actively probing US physical infrastructure for remote-access vulnerabilities, not merely targeting data or websites.
The US Department of Justice unsealed indictments against seven Iranian nationals in March 2016, charging them with the Bowman Dam intrusion and the Operation Ababil DDoS attacks on US banks. The indictment attributed the attacks to two IRGC-linked companies: ITSec Team and the Mersad Company. The DOJ identified the defendants as IRGC-contracted hackers operating under the direction of IRGC military officers. None of the defendants were arrested (they reside in Iran), but the indictments served as the US government's formal public attribution of Iranian state-sponsored cyber attacks on critical infrastructure.
The Bowman Dam incident established a pattern that persists today: Iranian hackers targeting small, poorly defended infrastructure assets to demonstrate capability while avoiding the kind of high-profile attack that might trigger massive US retaliation. This approach — probing and positioning rather than destroying — allows Iran to build a latent threat without crossing the threshold that would provoke a kinetic response. The current military strikes, however, have removed the deterrence calculation that previously restrained Iran from activating these capabilities.
Casino and Financial Attacks
Iran's most destructive cyber attack on US soil targeted the Las Vegas Sands Corporation in February 2014. The attack was a direct retaliation for comments by Sands CEO Sheldon Adelson, who publicly suggested the US should detonate a nuclear weapon in the Iranian desert as a negotiating tactic. Iranian hackers — attributed by the FBI to an IRGC-linked group — deployed destructive malware that wiped data from approximately 75% of the Sands Corporation's computer systems, including email servers, file servers, and endpoint workstations. The attackers also stole customer data, internal communications, and financial records, portions of which were subsequently released publicly.
The Sands attack caused an estimated $40 million or more in direct damage and recovery costs. It was among the most destructive cyber attacks ever conducted against a US company at the time and demonstrated Iran's willingness to use cyber weapons for punitive retaliation — not merely espionage or disruption, but destruction of data and systems as a form of coercive punishment.
In the financial sector, Operation Ababil (2012-2013) was a sustained DDoS campaign that targeted the websites and online banking platforms of 46 major US financial institutions, including Bank of America, JPMorgan Chase, Wells Fargo, Citigroup, PNC Financial, Capital One, and the New York Stock Exchange. The attacks generated traffic volumes exceeding 100 Gbps — among the largest DDoS attacks ever recorded at that time — and repeatedly knocked banking websites offline, preventing millions of customers from accessing online banking services. The campaign lasted approximately eight months and was executed in waves, with Iranian hackers rotating targets to maximize disruption while evading mitigation efforts.
Operation Ababil was assessed by US intelligence agencies as a direct retaliation for the Stuxnet cyber attack on Iran's Natanz nuclear enrichment facility and for the imposition of financial sanctions. The DOJ indictment described the operation as being conducted "at the behest of" the IRGC and Iranian government. While the attacks did not compromise financial data or disrupt actual transactions (they targeted customer-facing websites, not backend processing systems), they demonstrated Iran's capacity to cause significant economic disruption and public anxiety through cyber means.
Current CISA Advisories
The Cybersecurity and Infrastructure Security Agency issued emergency advisory AA26-059A on February 28, 2026, at 14:30 EST — approximately three hours after the first confirmed US strikes on Iran. The advisory, issued at Shield Red (CISA's highest alert level), warned that "Iranian state-sponsored cyber actors are expected to conduct retaliatory cyber operations against US critical infrastructure with high confidence within the next 72 hours."
The advisory identified the following sectors as highest risk, in order of assessed vulnerability:
- Water and Wastewater Systems: Highest priority due to known Iranian pre-positioning, prevalence of vulnerable Unitronics and Rockwell PLCs, and limited sector-wide cybersecurity maturity.
- Energy (Electrical Grid and Natural Gas): High priority due to APT33's documented access to operational technology networks and the cascading physical consequences of grid disruption.
- Healthcare and Public Health: High priority due to ransomware vulnerability, the psychological impact of hospital disruptions during a national security crisis, and Iranian actors' documented targeting of medical facilities.
- Financial Services: Elevated priority due to Operation Ababil precedent and Iran's demonstrated DDoS capabilities, though the sector's cybersecurity maturity provides greater resilience than other targets.
- Transportation Systems: Elevated priority due to potential for airport and rail disruption, though limited Iranian operational history in this sector.
The advisory includes specific technical mitigations, including immediate isolation of internet-exposed operational technology systems, mandatory password changes on all industrial control systems, implementation of multi-factor authentication on all remote access pathways, and activation of enhanced monitoring on all critical system logs. CISA also deployed Protective Security Advisors (PSAs) to coordinate with state and local officials in all 50 states and activated the Joint Cyber Defense Collaborative (JCDC) to share threat intelligence with private sector partners in real time.
Critical Infrastructure Targets
The US defines 16 critical infrastructure sectors whose disruption would have a debilitating effect on security, economic stability, public health, or safety. Iran's cyber targeting has historically concentrated on four of these sectors, with varying degrees of demonstrated capability.
Water and Wastewater: As detailed above, this sector is the most vulnerable. The combination of internet-exposed SCADA systems, default credentials, understaffed security operations, and documented Iranian intrusions creates conditions for a potentially impactful attack. The worst-case scenario involves manipulation of chemical treatment processes — altering chlorine or pH levels — which could contaminate drinking water supplies. While safety mechanisms (manual testing, alarms, physical checks) would likely detect manipulation before widespread harm occurred, even a brief disruption or contamination scare would cause significant public panic and erode confidence in essential services.
Energy: The US electrical grid operates through a complex system of generation, transmission, and distribution managed by hundreds of utilities, regional transmission organizations (RTOs), and independent system operators (ISOs). Iranian hackers have demonstrated access to operational technology within energy sector networks. A successful attack could theoretically disrupt power generation at individual plants or interfere with grid management systems that balance supply and demand. The FBI Private Industry Notification issued in January 2026 warned specifically of Iranian reconnaissance targeting natural gas pipeline SCADA systems in the Gulf Coast region — a sector where disruption could affect both electricity generation (many power plants run on natural gas) and home heating during winter months.
Healthcare: Hospital networks are uniquely vulnerable because they combine high-value targets (patient data, life-critical systems) with limited cybersecurity resources and a low tolerance for system downtime. Iranian-affiliated actors attempted a ransomware attack on Boston Children's Hospital in 2021, which the FBI blocked before it could execute. The healthcare sector has seen a 240% increase in ransomware attacks since 2020, and Iranian groups have adopted ransomware as both a destructive and revenue-generating tool. During the current conflict, attacks on hospitals would serve a dual purpose: causing domestic disruption and undermining public confidence in the government's ability to protect the homeland.
Financial Services: The financial sector is the most cyber-resilient of Iran's likely targets, with major institutions spending billions annually on cybersecurity. However, Iran's DDoS capabilities have grown significantly since Operation Ababil, and a sustained campaign targeting customer-facing services — online banking, ATM networks, payment processing — could cause significant economic disruption and public anxiety even without compromising actual financial systems. The psychological impact of being unable to access bank accounts during a national security crisis should not be underestimated.
Wiper Malware History
Iran has developed a sophisticated arsenal of wiper malware — malicious software designed to permanently destroy data by overwriting hard drives, corrupting master boot records, and rendering systems unrecoverable. Wipers are the cyber equivalent of a demolition charge: they are deployed not to steal information but to destroy it, making them weapons of sabotage rather than espionage.
The most notorious Iranian wiper is Shamoon (also known as Disttrack), first deployed in August 2012 against Saudi Aramco. The attack destroyed data on approximately 35,000 workstations — roughly 75% of Aramco's computer fleet — by overwriting hard drives with an image of a burning American flag. The attack forced Aramco to shut down its internal network for two weeks and replace tens of thousands of machines. Shamoon was subsequently deployed against Qatar's RasGas and against multiple Saudi government agencies in follow-on campaigns in 2016 and 2018.
Shamoon's significance lies not in its technical sophistication (it is relatively simple malware) but in Iran's demonstrated willingness to deploy it at scale against critical infrastructure. The Saudi Aramco attack was, at the time, the most destructive cyber attack ever conducted against a single organization. Variants of Shamoon have been continuously refined, with newer versions incorporating anti-analysis techniques, randomized timing, and the ability to spread laterally through networks using stolen credentials.
Other Iranian wipers include ZeroCleare (deployed against Middle Eastern energy targets in 2019), Dustman (targeting a Bahraini oil company in 2020), and Agrius-associated wipers deployed against Israeli targets in 2021-2023. Each iteration demonstrates incremental improvement in evasion and deployment capability. The Mandiant 2025 M-Trends Report assessed that Iran currently maintains at least three distinct wiper malware families in active development, with variants pre-positioned for deployment against US energy sector targets.
Election Interference
Iran's cyber operations extend beyond critical infrastructure into the domain of information operations and election interference. While less technically sophisticated than Russia's documented interference in US elections, Iran has conducted multiple operations designed to influence US political processes and public opinion.
In 2020, Iranian hackers obtained voter registration data from at least one US state and used it to send intimidating emails to voters, impersonating the far-right group Proud Boys. The emails threatened violence against voters who did not support a specific candidate. The operation was quickly attributed to Iran by the FBI and CISA, and its impact on actual voting behavior was assessed as minimal, but it demonstrated Iran's willingness to directly target the US democratic process.
In 2024, APT42 conducted extensive phishing campaigns targeting staff of both major presidential campaigns, successfully compromising email accounts associated with at least one campaign. Stolen materials were offered to media organizations and disseminated through online platforms. The operation closely mirrored Russia's 2016 hack-and-leak playbook, suggesting that Iran has adopted lessons from Russian information warfare methodology.
During the current conflict, election interference capability has a different application: shaping US public opinion about the war. Iranian information operations have historically sought to amplify anti-war sentiment, exaggerate civilian casualties, and undermine public confidence in official government narratives. Social media accounts linked to Iranian influence operations were detected across multiple platforms within hours of the February 28 strikes, pushing narratives about disproportionate civilian casualties and oil price impacts designed to erode domestic support for the military campaign.
Private Sector Risks
Beyond critical infrastructure, the US private sector faces elevated risk from Iranian cyber operations during the current conflict. Iran has historically targeted companies in sectors related to the conflict — defense contractors, energy companies, financial institutions — but retaliatory operations during active military conflict may expand to softer targets selected for maximum psychological and economic impact.
Defense contractors and suppliers: Companies in the defense industrial base that support operations in the Middle East face both espionage and destructive threats. Iranian hackers have repeatedly targeted defense contractors to steal classified information about weapons systems, surveillance capabilities, and operational planning. During active conflict, these operations may shift from intelligence collection to disruption — targeting supply chain systems, logistics networks, and communications infrastructure that support the military campaign.
Energy companies: US oil and gas companies, particularly those with operations in the Persian Gulf region, face heightened risk. Iranian hackers have documented capability against operational technology in the energy sector, and the strategic incentive to disrupt US energy production or distribution during a conflict is significant. Even unsuccessful attacks on energy infrastructure can spike oil prices further through market anxiety.
Technology companies: Cloud service providers, telecommunications companies, and IT managed service providers face increased targeting because they serve as force multipliers — compromising a single cloud provider or MSP can provide access to hundreds or thousands of downstream organizations. Iranian APT groups have demonstrated awareness of this supply chain attack vector, with documented operations targeting IT management tools and remote monitoring software.
Media organizations: Journalists covering the conflict, particularly those with sources in Iran or the US government, face targeted phishing and surveillance from APT42. Media organizations' networks may also be targeted for defacement or disruption to undermine public access to information during the conflict.
How to Protect Yourself
While the primary targets of Iranian cyber operations are organizational rather than individual, there are practical steps that both organizations and individuals should take during this period of elevated threat.
For organizations (especially critical infrastructure operators):
- Immediately audit and disconnect all internet-exposed operational technology (OT) and industrial control systems. If remote access is operationally necessary, ensure it is protected by multi-factor authentication and VPN with strong encryption.
- Change all default passwords on programmable logic controllers (PLCs), SCADA systems, and other industrial devices. CISA has documented that default Unitronics passwords remain in use at hundreds of US water systems.
- Enable enhanced logging on all critical systems and ensure logs are being actively monitored by security operations staff. Iranian intrusions may have occurred weeks or months ago; reviewing historical logs for indicators of compromise is essential.
- Implement network segmentation to ensure that compromise of IT systems (email, business applications) cannot provide access to OT systems (industrial controls, safety systems).
- Review and test incident response plans, including communication protocols with CISA, FBI, and sector-specific information sharing organizations (ISACs).
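The first four organizational steps above (exposure, default credentials, remote-access MFA, IT/OT segmentation) are the kind of audit that can be run against an asset inventory before anyone touches a device. The script below is an added example, not from the article or CISA: it scores a constructed inventory and firewall policy and produces a prioritized list. The CSV columns, zone names, and severity scheme are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed asset inventory (not real data) for a small water utility.
# Columns correspond to the checklist items: internet exposure, factory
# credentials, remote-access path, MFA on that path, and network zone.
ASSET_INVENTORY_CSV = """\
asset,zone,vendor,internet_exposed,default_credentials,remote_access,mfa
plc-pressure-01,OT,Unitronics,yes,yes,yes,no
plc-chlorine-dose,OT,Rockwell,no,no,yes,yes
hmi-operator-1,OT,Generic,no,yes,no,no
scada-historian,OT,Generic,no,no,yes,no
mail-gateway,IT,Generic,yes,no,no,yes
billing-web,IT,Generic,yes,no,yes,yes
"""

# Constructed firewall policy between zones. Any rule that lets the IT
# zone (email, business apps) reach the OT zone defeats segmentation.
FIREWALL_RULES = [
    {"src_zone": "IT", "dst_zone": "OT", "action": "allow", "comment": "legacy vendor access"},
    {"src_zone": "OT", "dst_zone": "IT", "action": "allow", "comment": "historian export"},
    {"src_zone": "DMZ", "dst_zone": "OT", "action": "deny", "comment": ""},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit_assets(csv_text: str):
    """Return (severity, asset, message) tuples for each failed checklist item."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["asset"]
        is_ot = row["zone"].strip().upper() == "OT"
        exposed = _yes(row["internet_exposed"])
        default_creds = _yes(row["default_credentials"])
        remote = _yes(row["remote_access"])
        mfa = _yes(row["mfa"])
        if is_ot and exposed:
            findings.append(("critical", name,
                             "OT device reachable from the internet; disconnect or place behind MFA-protected VPN"))
        if default_creds:
            # Default credentials on a controller are worse than on a business host.
            findings.append(("critical" if is_ot else "high", name,
                             "factory-default credentials still in use; rotate immediately"))
        if remote and not mfa:
            findings.append(("high", name,
                             "remote access path without multi-factor authentication"))
    return findings


def audit_segmentation(rules):
    """Flag any allow rule that lets the IT zone initiate into the OT zone."""
    findings = []
    for i, rule in enumerate(rules):
        if (rule["src_zone"] == "IT" and rule["dst_zone"] == "OT"
                and rule["action"] == "allow"):
            why = rule["comment"] or "no justification recorded"
            findings.append(("critical", f"fw-rule-{i}",
                             f"IT zone may reach OT zone ({why}); replace with a deny and a brokered jump path"))
    return findings


def prioritized_findings(csv_text: str, rules):
    """Combine both audits, most severe first; order within a severity is preserved."""
    combined = audit_assets(csv_text) + audit_segmentation(rules)
    return sorted(combined, key=lambda f: SEVERITY_ORDER[f[0]])


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 4, 'high': 2}."""
    return dict(Counter(f[0] for f in findings))


if __name__ == "__main__":
    results = prioritized_findings(ASSET_INVENTORY_CSV, FIREWALL_RULES)
    for severity, asset, message in results:
        print(f"[{severity.upper():8}] {asset}: {message}")
    print(summarize(results))
```

On the constructed data the exposed PLC with factory credentials and the IT-to-OT allow rule surface first, while the correctly configured dosing controller produces no finding at all.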
For individuals:
- Enable multi-factor authentication on all email, banking, and social media accounts. Iranian phishing campaigns target individuals with policy-relevant roles, but mass phishing campaigns may expand during the conflict.
- Be skeptical of unsolicited emails, particularly those related to the Iran conflict, oil prices, or other current events. Iranian hackers routinely use news-themed lures to deliver malware.
- Ensure all devices (computers, phones, routers) are running current software updates. Many Iranian exploits target known vulnerabilities that have been patched but not yet updated on victim systems.
- Monitor financial accounts for unusual activity. While mass financial fraud is not a primary Iranian objective, compromised credentials from phishing campaigns may be used for financial theft as a secondary benefit.
- Verify information from official sources before sharing. Iranian information operations will intensify during the conflict, and sharing unverified claims amplifies their effectiveness.
Sources
- Cybersecurity and Infrastructure Security Agency (CISA), Emergency Advisory AA26-059A: "Iranian State-Sponsored Cyber Threats to US Critical Infrastructure," February 28, 2026. www.cisa.gov/iran
- Federal Bureau of Investigation (FBI), Private Industry Notification: "Iranian Cyber Actors Targeting US Critical Infrastructure," January 2026. www.fbi.gov/investigate/cyber
- Microsoft Threat Intelligence Center, "Iran's Cyber Operations: 2025 Assessment and Forward Outlook," December 2025. www.microsoft.com/en-us/security/business/security-insider/
- Mandiant (Google Cloud), "APT33: Pre-Positioned Access and Destructive Capability in US Energy Sector," December 2025. www.mandiant.com
- CrowdStrike, "2025 Global Threat Report: Iran Cyber Threat Landscape," February 2025. www.crowdstrike.com/global-threat-report/
Last updated: February 28, 2026. This article is revised when new evidence materially changes what can be stated with confidence.