Iran crisis cyber risk rises as defacements and disruptive activity reported

Iran • hacktivists • IRGC • MOIS • DDoS • wipers • ransomware • critical infrastructure

Affected vendor / product: Cross-sector (internet-facing services, identity systems, OT/ICS edge devices)
Primary issue: Heightened geopolitical cyber risk (disruption, influence, opportunistic intrusion)
Exploitation status: Observed defacements and disruptive activity; no confirmed large-scale destructive campaign against US critical infrastructure publicly attributed as of 2 March 2026
Confidence level: High (risk elevation, common TTPs); Medium (near-term targeting priorities)
Severity: Elevated (disruptive and reputational impact likely; destructive scenarios plausible)
Patch / mitigation status: Mitigations available (patching, MFA, exposure reduction, OT hardening)
Sectors at risk: DIB, government, critical infrastructure, finance, defence-adjacent commercial entities
Regions at risk: United States, Israel, Middle East; spillover risk for globally exposed assets
Publication context: New report (2 March 2026)

Executive Summary

Open-source reporting and vendor intelligence assessments are converging on a near-term increase in disruptive and influence-oriented cyber activity linked to the current US-Israel-Iran escalation. A joint US government fact sheet warns that Iranian-affiliated actors and aligned hacktivists often exploit unpatched systems and default or weak credentials, and that DDoS activity may increase following major regional events. (U.S. Department of War)

Reuters reported cyber-enabled activity alongside US-Israeli strikes, including compromises of Iranian websites and a widely downloaded Iranian mobile application, with multiple firms warning of likely follow-on action by proxy groups and hacktivists against US- and Israel-affiliated targets. (Reuters)

Across reporting from Sophos X-Ops and Check Point Research, the most plausible near-term threat mix includes DDoS, defacements, hack-and-leak operations, credential phishing, opportunistic exploitation of exposed services and, in higher-impact scenarios, wiper or ransomware deployment. (SOPHOS)

Situation update

  • Cyber activity reported in parallel with kinetic events: Reuters described a wave of cyber-enabled operations affecting Iranian apps and websites, and noted industry reporting of reconnaissance and DDoS activity consistent with Iranian-aligned actors and hacktivist groups. (Reuters)
  • US government warning remains relevant: The CISA/FBI/NSA/DC3 joint fact sheet (dated 30 June 2025) states that Iranian-affiliated actors routinely target poorly secured US networks and internet-connected devices, frequently abusing known CVEs, default credentials, and automated password guessing. (U.S. Department of War)
  • Risk framing from major vendors: Sophos assesses the near-term threat level as elevated, with the most likely activity skewing toward disruptive, opportunistic, or influence-oriented operations. (SOPHOS)

Targeting priorities and at-risk environments

US DIB and Israel-linked supply chains. The US joint fact sheet specifically flags Defense Industrial Base organisations, particularly those with relationships or holdings linked to Israeli research and defence firms, as at increased risk in the near term. (U.S. Department of War)

Critical infrastructure and OT/ICS exposure. The same guidance highlights historic targeting of internet-connected industrial systems, including campaigns leveraging default passwords or absent authentication on PLCs and HMIs, and notes that Iranian actors use engineering and diagnostic tooling when targeting OT. (U.S. Department of War)

Public-facing services and identity systems. Sophos and Check Point both emphasise credential-based attacks (phishing, password spraying), exploitation of internet-exposed systems, and rapid, event-driven campaigns that blend intrusion with information operations and amplification. (SOPHOS)

Threat actor and capability context

Iran’s cyber ecosystem mixes state-aligned clusters and deniable personas. Check Point Research describes multiple clusters aligned with the IRGC and MOIS, plus “hacktivist” brands used for disruption and influence. (Check Point Blog)

Examples highlighted by Check Point include:

  • Cotton Sandstorm (also tracked as Emennet Pasargad / Aria Sepehr Ayandehsazan), associated with fast-reaction influence operations, defacements, DDoS, and hack-and-leak style amplification. (Check Point Blog)
  • MuddyWater (Mango Sandstorm / Static Kitten), widely assessed as MOIS-tied, with sustained enterprise intrusions using phishing and abuse of legitimate tools, sometimes pivoting from collection to disruption. (Check Point Blog)
  • Agrius (Pink Sandstorm / Agonizing Serpens), linked in public reporting to MOIS and associated with destructive operations including wipers and “fake ransomware” tradecraft. (Check Point Blog)

Separately, Sophos notes that Iran-linked proxy personas have a history of hack-and-leak and wiper activity, and assesses an increased likelihood of opportunistic and disruptive actions against Israeli- and US-affiliated targets. (SOPHOS)

Likely TTPs mapped to MITRE ATT&CK

Sophos published a concise set of anticipated ATT&CK techniques commonly associated with Iran-aligned activity during escalation windows (SOPHOS); the following table combines that list with the US government's emphasis on exposed services and weak authentication.

Tactic            | Technique ID | Technique name                   | Observed / expected behaviour
------------------|--------------|----------------------------------|------------------------------------------------------------------------------------------
Initial Access    | T1566        | Phishing                         | Credential theft and lure-based access, including targeted users with privileged access
Initial Access    | T1190        | Exploit Public-Facing Application | Opportunistic exploitation of exposed services and known vulnerabilities
Initial Access    | T1133        | External Remote Services         | Targeting VPN and remote access pathways, especially misconfigured or unpatched instances
Credential Access | T1110        | Brute Force                      | Password spraying and automated guessing, including default or common passwords
Credential Access | T1003        | OS Credential Dumping            | Post-compromise credential harvesting to enable lateral movement
Defence Evasion   | T1562        | Impair Defences                  | Attempts to weaken endpoint controls and logging to sustain access
Command and Control | T1071      | Application Layer Protocol       | Use of common protocols for C2 and data movement
Impact            | T1498        | Network Denial of Service        | DDoS to disrupt public services and shape narratives (commonly cited by government and vendors)
Impact            | T1491        | Defacement                       | Web defacements to signal presence and amplify political messaging
Impact            | T1485        | Data Destruction                 | Wipers or destructive tooling in higher-impact scenarios
Impact            | T1486        | Data Encrypted for Impact        | Ransomware deployment, including “leak plus encrypt” pressure

Impact assessment

Most likely near-term impact (days to weeks):

  • Short-duration service disruption (DDoS), defacements, and opportunistic intrusions against exposed assets. (SOPHOS)
  • Hack-and-leak operations where stolen data is used for coercion and amplification, potentially framed as extortion but operationally aligned to influence goals. (U.S. Department of War)

Plausible higher-impact scenarios:

  • Targeted wiper deployment against selected organisations, especially where actors seek a psychological or operational effect. (SOPHOS)
  • Ransomware incidents that may be coordinated with or enabled by Iranian-affiliated access, including collaboration with criminal partners as described in US government reporting. (U.S. Department of War)

Defensive priorities for the next 72 hours

These actions reflect the overlap across the US government fact sheet, Sophos X-Ops guidance, and Check Point’s recommended mitigations.

1) Reduce external exposure fast

  • Patch and prioritise internet-facing systems and edge devices; validate VPN and remote access configurations. (SOPHOS)
  • Audit exposed services and eliminate default credentials on internet-connected accounts and devices, including OT/ICS edge components. (U.S. Department of War)

2) Tighten identity and session controls

  • Enforce MFA on remote access and privileged accounts, prioritising phishing-resistant options where feasible. (SOPHOS)
  • Increase monitoring for password spraying, anomalous logins, and session token replay indicators. (SOPHOS)

3) Prepare for disruption and narrative operations

  • Pre-stage DDoS response runbooks with your ISP, CDN, and WAF providers; confirm scrubbing and failover paths. (nsa.gov)
  • Assume data leaks may be timed for maximum impact. Establish a comms and legal workflow for rapid validation of “new breach” claims versus recycled data. (SOPHOS)

4) Validate resilience against destructive payloads

  • Confirm offline/immutable backups and rehearse restoration of critical services, including identity and security tooling dependencies. (SOPHOS)

Incident response guidance

If you suspect Iran-aligned activity, prioritise evidence that supports rapid containment and attribution-quality triage:

  • Identity telemetry: IdP sign-in logs, MFA prompts, impossible travel, abnormal session creation, token abuse signals. (SOPHOS)
  • Edge device artefacts: VPN/web gateway logs, WAF events, webshell indicators on public web servers (especially ASPX on IIS where relevant). (Check Point Blog)
  • OT/ICS safety checks: Validate authentication on HMIs/PLCs, review remote engineering access pathways, and confirm segmentation boundaries to prevent IT-to-OT lateral movement. (U.S. Department of War)
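The password-spraying monitoring called for under "Tighten identity and session controls" and the identity telemetry item above both reduce to one detection: a single source failing sign-ins across many distinct accounts with few attempts per account, and a later success from the same source. The script below is an added illustration, not code from the report or from any of the cited vendors; the log format, field names and sample events are constructed for the example, and the thresholds (10-minute window, 5 users, 2 tries per user) are assumed starting points to tune against your own IdP baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGS = [  # constructed IdP sign-in events (not real telemetry): "timestamp source_ip user result"
    "2026-03-02T08:00:01Z 203.0.113.7 alice FAILURE",  # one source, five accounts, one try each
    "2026-03-02T08:00:32Z 203.0.113.7 bob FAILURE",
    "2026-03-02T08:01:05Z 203.0.113.7 carol FAILURE",
    "2026-03-02T08:01:40Z 203.0.113.7 dave FAILURE",
    "2026-03-02T08:02:11Z 203.0.113.7 erin FAILURE",
    "2026-03-02T08:03:20Z 203.0.113.7 erin SUCCESS",   # a guess landed: highest-priority alert
    "2026-03-02T08:05:00Z 198.51.100.9 bob FAILURE",   # one account hammered: brute force, not spray
    "2026-03-02T08:05:10Z 198.51.100.9 bob FAILURE",
    "2026-03-02T08:05:20Z 198.51.100.9 bob FAILURE",
    "2026-03-02T08:05:30Z 198.51.100.9 bob FAILURE",
    "2026-03-02T09:00:00Z 192.0.2.5 alice FAILURE",    # benign typo followed by success
    "2026-03-02T09:00:20Z 192.0.2.5 alice SUCCESS",
]

def parse_events(lines):
    """Parse whitespace-separated sign-in lines into sorted (timestamp, ip, user, result) tuples."""
    events = []
    for line in lines:
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result))
    return sorted(events)

def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag source IPs whose failures cover many distinct users, few tries each, inside one window.
    Spraying (T1110.003) is wide across accounts and low per account; one account hit many times
    is brute force (T1110.001) and is deliberately left to a separate rule."""
    failures = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAILURE":
            failures[ip].append((ts, user))
    alerts = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window forward
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # A success from the same source after the spray began means a guess worked.
                hit = any(r == "SUCCESS" and i == ip and t >= fails[start][0] for t, i, _, r in events)
                alerts[ip] = {"distinct_users": len(per_user),
                              "first_seen": fails[start][0].isoformat(), "later_success": hit}
                break  # one alert per source IP is enough for triage
    return alerts
```

Run against the sample, only 203.0.113.7 is flagged, with `later_success` set because the erin sign-in succeeded after the spray started; the single-account brute force and the benign typo produce no spray alert.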

Further reading

  • US government joint fact sheet: Iranian cyber actors may target vulnerable US networks and entities of interest (CISA/FBI/NSA/DC3) (U.S. Department of War)
  • Reuters reporting: hackers hit Iranian apps and websites after US-Israeli strikes (1 March 2026) (Reuters)
  • Sophos X-Ops advisory: increased cyber risk amid US-Israel-Iran escalation (MITRE ATT&CK mapping included) (SOPHOS)
  • Check Point Research: what defenders need to know about Iran’s cyber capabilities (1 March 2026) (Check Point Blog)