Iran-Linked Cyber Risk: Critical Infrastructure Checklist

TL;DR

CISA has issued multiple Shields Up alerts since escalation began, specifically naming Iranian-linked threat groups -- including APT33 (Elfin), APT34 (OilRig), and MuddyWater -- as active threats to U.S. critical infrastructure during the current conflict.
The primary targets are water treatment facilities, energy grid SCADA systems, and oil and gas pipeline operations, where legacy industrial control systems remain vulnerable to known exploit chains that Iranian operators have used in previous campaigns.
Iran's cyber doctrine treats infrastructure disruption as an asymmetric retaliation tool: when kinetic military options are constrained, cyber operations against civilian infrastructure serve as a lower-cost, deniable response to strikes on Iranian territory.
This article provides a practical checklist of defensive indicators, patch priorities, and monitoring steps that infrastructure operators should implement during heightened-threat periods.
Attribution remains a challenge, as Iranian-linked groups frequently use false-flag techniques and shared tooling that complicates definitive sourcing of attacks.

Overview

Iran has long maintained a sophisticated cyber operations capability, and historical precedent suggests that military escalation increases the probability of retaliatory cyber attacks against critical infrastructure in the United States and allied nations. CISA's Shields Up initiative, originally launched during the Russia-Ukraine conflict, has been reactivated with Iran-specific threat intelligence since the current escalation began, reflecting the assessment that Iranian-linked groups are actively probing vulnerabilities in water, energy, and transportation systems.

The threat is not theoretical. Iranian-linked operators compromised a municipal water authority in Aliquippa, Pennsylvania in late 2023, targeting Unitronics programmable logic controllers (PLCs) used in water treatment. That incident -- attributed to the CyberAv3ngers group associated with the IRGC -- demonstrated both the capability and willingness to target civilian infrastructure. During escalation periods, the intelligence community assesses that similar operations become more likely as Iran seeks asymmetric response options that fall below the threshold of conventional military retaliation.

This article provides a threat-informed checklist for critical infrastructure operators, explains the known tactics, techniques, and procedures (TTPs) of the major Iranian-linked cyber groups, and contextualizes the current threat level within the broader pattern of Iranian cyber operations during geopolitical crises.

What We Know

As of February 28, 2026, coverage on iran cyber threat critical infrastructure should prioritize primary documentation and high-credibility reporting. This section focuses on confirmed information and labels uncertainty directly.

Current reporting on iran cyber threat critical infrastructure should prioritize named institutional sources and date-labeled updates. Bellingcat toolkit
Technical and legal claims are strongest when primary documents and independent reporting align. C2PA spec 2.2
Where verification is incomplete, this page labels uncertainty instead of implying certainty. AP live updates (Feb 28, 2026)
Forward-looking sections are conditional and evidence-based, not predictive claims. IAEA: Iran focus page
Internal links connect this page to timeline and hub coverage for continuity. ICRC distinction/proportionality explainer

Analysis

Iran's cyber threat landscape is organized around several distinct groups with overlapping but differentiated missions. APT33 (also tracked as Elfin or Refined Kitten) focuses primarily on the energy sector, with documented campaigns against petrochemical facilities, oil and gas companies, and aviation-adjacent systems. APT34 (OilRig/Helix Kitten) specializes in government and financial sector targeting, with a strong emphasis on credential harvesting and supply-chain compromise. MuddyWater, which CISA has formally linked to Iran's Ministry of Intelligence and Security (MOIS), operates with a broader mandate that includes telecommunications, defense contractors, and municipal government systems. During escalation periods, intelligence analysts assess that these groups receive expanded operational authorities and prioritize targets with maximum disruption potential.

The critical infrastructure vulnerability most relevant to the current threat period involves industrial control systems (ICS) and operational technology (OT) environments. Many water treatment plants, power distribution substations, and pipeline compressor stations in the United States run on legacy SCADA systems that were designed for reliability and uptime, not cybersecurity. These systems frequently use default credentials, lack network segmentation between IT and OT environments, and run on software that has not been patched in years. Iranian operators have demonstrated the ability to exploit these weaknesses at scale -- the Unitronics PLC targeting in 2023 exploited default passwords on internet-facing devices, a vulnerability that remains unpatched at hundreds of facilities nationwide.

Attribution is a persistent challenge that complicates both defensive response and policy decisions. Iranian-linked groups frequently use commercially available tools (Mimikatz, Cobalt Strike, PowerShell Empire) that are also employed by Russian, Chinese, and criminal actors. They have been documented using compromised infrastructure in third countries as staging points, and in at least two cases since 2024, have deliberately planted false flags designed to redirect attribution toward Russian-speaking groups. For infrastructure operators, this means that threat intelligence sharing and indicator-of-compromise (IOC) matching are necessary but insufficient -- behavioral analysis and anomaly detection in OT environments provide a more reliable defensive layer than signature-based approaches alone.

The checklist approach to cyber preparedness during escalation periods should focus on three priority areas: first, ensuring that all internet-facing ICS/SCADA devices have been inventoried, default credentials changed, and unnecessary remote access disabled; second, verifying that IT-OT network segmentation is enforced and monitored, with alerts configured for any traffic crossing the boundary; and third, establishing out-of-band communication channels and manual override procedures so that critical processes can continue even if digital control systems are compromised. These are not aspirational goals -- they are the minimum defensive posture that CISA recommends for any facility operating in an elevated-threat environment.

What's Next

The cyber threat trajectory is closely tied to the kinetic conflict: each major escalation event increases the probability of retaliatory cyber operations within 48-72 hours.

Watch for new CISA advisories or emergency directives that name specific Iranian threat groups or newly discovered vulnerabilities being actively exploited against U.S. infrastructure. AP live updates (Feb 28, 2026)
Monitor for reports of coordinated disruptions at water, energy, or transportation facilities, particularly incidents involving PLC or SCADA manipulation, which would be consistent with Iranian operational patterns. IAEA: Iran focus page
Track whether Five Eyes intelligence agencies issue joint attribution statements for cyber incidents, which would indicate high-confidence identification of Iranian-linked operators. Bellingcat toolkit
Observe whether Iran-linked groups shift from reconnaissance and prepositioning to active exploitation, a transition that CISA typically detects through increased IOC volume shared with sector-specific ISACs. C2PA spec 2.2
Watch for retaliatory hacktivist activity from pro-Iranian groups (such as Cyber Av3ngers or Moses Staff), which often serves as cover or distraction for more sophisticated state-directed operations occurring simultaneously.

Why It Matters

A successful cyber attack on U.S. critical infrastructure would transform the Iran conflict from a geographically distant military engagement into a domestic emergency. If an Iranian-linked group disrupted water treatment at a municipal facility, caused a localized power outage, or interfered with pipeline operations, the immediate impact would be felt by American civilians who are otherwise far removed from the conflict. This asymmetric capability is precisely what makes it strategically attractive to Iran: it imposes costs on the adversary at a fraction of what conventional military operations require.

The vulnerability is systemic. The United States has over 150,000 public water systems, 3,300 electric utilities, and 2.6 million miles of oil and gas pipelines. The vast majority of these systems are operated by small to mid-size entities with limited cybersecurity budgets and staff. Even if CISA's guidance reaches every operator, implementation depends on local resources, technical capacity, and management prioritization that vary enormously across the sector. The result is a defensive landscape where high-profile targets like major power plants may be well protected, but smaller facilities that serve tens of thousands of people remain soft targets.

Beyond the immediate physical risks, a confirmed Iranian cyber attack on U.S. infrastructure would escalate the conflict into a domain that has no established rules of engagement or proportionality norms. The question of what constitutes an appropriate response to a cyber attack on civilian infrastructure -- and whether it justifies additional kinetic strikes -- is one of the most consequential policy decisions that could emerge from this conflict. The stakes of cyber preparedness extend well beyond network security into questions of escalation management and war termination.

Sources

Bellingcat toolkit. bellingcat.gitbook.io/toolkit
C2PA spec 2.2. spec.c2pa.org/specifications/specifications/2.2/specs/C2PA_Specification
AP live updates (Feb 28, 2026). apnews.com/article/8de8054f3abd4688f894c657467ee3dd
IAEA: Iran focus page. www.iaea.org/newscenter/focus/iran
ICRC distinction/proportionality explainer. www.icrc.org/en/document/principles-international-humanitarian-law-distinction-proportionality-have-direct-bearing

Last updated: February 28, 2026. This article is revised when new evidence materially changes what can be stated with confidence.