CISA, FBI, NSA Warn: Iran-Linked Cyber Actors May Target US Critical Infrastructure
CISA, the FBI, and the NSA have issued a joint advisory warning of potential cyberattacks on U.S. critical infrastructure by hacker groups affiliated with Iran. The agencies note that there is currently no evidence of a coordinated large-scale campaign, but the escalating instability in the Middle East and Iran's record of prior cyber operations have raised significant concern.
The joint advisory emphasizes that companies in the defense industrial base, particularly those with ties to Israeli military and research institutions, face an elevated threat level. Other likely targets include critical infrastructure sectors such as energy, water and wastewater, and healthcare.
The agencies highlight that Iranian hacking groups, operating both openly and under the guise of hacktivist personas, rarely rely on novel techniques: they typically exploit long-unpatched vulnerabilities or break into internet-exposed devices that still use factory default passwords. A notable example occurred in November 2023, when actors linked to the Islamic Revolutionary Guard Corps (IRGC) compromised the control system of a water utility in Pennsylvania. The intrusion went through Unitronics programmable logic controllers (PLCs) that were reachable from the internet and still configured with the vendor's default password.
Beyond compromising industrial systems, these actors have increasingly used DDoS attacks and website defacements to spread politically charged messages, which they then amplify on platforms such as X and Telegram.
There are also documented cases in which Iranian cyber actors deployed ransomware themselves or worked with ransomware affiliates, including NoEscape, RansomHouse, and ALPHV/BlackCat. These campaigns, frequently aimed at Israeli organizations, followed the double-extortion pattern: sensitive data was exfiltrated, systems were encrypted, and the stolen data was then published.
In some attacks the actors used so-called "wipers", malware designed to destroy victims' data irreversibly rather than hold it for ransom, in order to inflict maximum damage.
To reduce the risk of such intrusions, the Department of Homeland Security, Department of Defense, FBI, and NSA recommend the following mitigations:
- Disconnect operational technology (OT) and industrial control systems (ICS) from the public internet, and strictly limit and monitor any remote connectivity that cannot be removed.
- Enforce strong, unique passwords for all accounts and devices, replacing default credentials wherever they exist, including on PLCs and other OT equipment.
- Enable multi-factor authentication across all mission-critical systems.
- Apply software patches promptly, especially for internet-facing applications, to eliminate known vulnerabilities.
- Conduct continuous network and server monitoring to detect suspicious or anomalous activity.
- Develop and rigorously test an incident response plan, ensuring the availability of functional backups and robust recovery protocols.
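As an added worked example (not code from the advisory or from any of the agencies), the following Python script checks the first and the monitoring recommendations above against firewall flow records: it flags every connection from an address outside the organisation's internal ranges to a well-known industrial-protocol port. The log layout, the internal address ranges, the port-to-protocol table and the sample records are all constructed assumptions for this example; the RFC 5737 documentation ranges stand in for real public addresses.

```python
"""Audit firewall flow logs for internet-facing ICS/OT services.

Added example, not part of the advisory. Given flow records in a simple
CSV layout (an assumed format), flag any connection from a non-internal
source address to a well-known industrial protocol port. An ALLOWed
match means the OT device is reachable from the internet; a DENYed match
is still worth alerting on as external probing of ICS ports.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Well-known TCP ports for industrial protocols (assumed inventory; extend
# for your environment). 20256 is the Unitronics PCOM port used by the PLC
# family involved in the November 2023 incident.
ICS_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    20256: "Unitronics PCOM",
    44818: "EtherNet/IP (CIP)",
}

# Address space considered "inside" the organisation (assumed: RFC 1918
# plus loopback and link-local). Anything else is treated as external,
# including the RFC 5737 documentation ranges used in the sample below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample log: ts,src_ip,src_port,dst_ip,dst_port,proto,action
SAMPLE_FLOWS = """\
2025-06-30T01:02:03Z,203.0.113.45,51234,10.20.0.15,20256,tcp,ALLOW
2025-06-30T01:02:10Z,10.20.0.50,40001,10.20.0.15,502,tcp,ALLOW
2025-06-30T01:03:00Z,198.51.100.7,44000,10.20.0.16,502,tcp,DENY
2025-06-30T01:04:00Z,203.0.113.45,51300,10.20.0.15,443,tcp,ALLOW
2025-06-30T01:05:00Z,192.0.2.9,60000,10.20.0.17,102,tcp,ALLOW
this line is malformed and must be skipped
2025-06-30T01:06:00Z,203.0.113.45,51301,10.20.0.15,20256,tcp,ALLOW
"""


def is_external(ip_text: str) -> bool:
    """True if the address falls outside every internal range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Yield well-formed flow records as dicts; skip anything unparsable."""
    fields = ["ts", "src", "sport", "dst", "dport", "proto", "action"]
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(fields):
            continue
        rec = dict(zip(fields, row))
        try:
            rec["dport"] = int(rec["dport"])
            ipaddress.ip_address(rec["src"])
            ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue
        yield rec


def find_ot_exposure(text: str):
    """Return flow records where an external host reached an ICS port."""
    findings = []
    for rec in parse_flows(text):
        if rec["proto"].lower() != "tcp" or rec["dport"] not in ICS_PORTS:
            continue
        if not is_external(rec["src"]):
            continue  # internal-to-internal traffic is the expected case
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "port": rec["dport"],
            "service": ICS_PORTS[rec["dport"]],
            "allowed": rec["action"].upper() == "ALLOW",
        })
    return findings


def exposed_devices(findings):
    """Map each OT host to the ICS services actually reachable from outside."""
    exposed = defaultdict(set)
    for f in findings:
        if f["allowed"]:
            exposed[f["dst"]].add(f["service"])
    return dict(exposed)


if __name__ == "__main__":
    hits = find_ot_exposure(SAMPLE_FLOWS)
    for f in hits:
        state = "EXPOSED" if f["allowed"] else "probed (blocked)"
        print(f'{f["ts"]} {f["src"]} -> {f["dst"]}:{f["port"]} '
              f'{f["service"]}: {state}')
    for host, services in exposed_devices(hits).items():
        print(f"{host} reachable from the internet via {sorted(services)}")
```

An ALLOW match means a PLC or other OT device is reachable from the internet and should be moved behind the OT boundary immediately; a DENY match shows the perimeter held but that external scanning of ICS ports is under way, which deserves an alert of its own. In production the same logic would run over exported flow logs instead of the embedded sample, and the internal ranges should be the organisation's actual allocation rather than the RFC 1918 defaults assumed here.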
Further guidance on Iranian-linked cyber threats can be found on the official pages of CISA and the FBI.