
Iranian Cyber Actors Target U.S. Interests: A Heightened Alert for Critical Infrastructure


September 15, 2025

Anatomy of an Attack


On June 30, 2025, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Department of Defense Cyber Crime Center (DC3) issued a joint advisory regarding potential cyber activity by Iranian state-sponsored or affiliated threat actors.

Recent Attacks Reveal Escalating Tactics

The advisory urges increased vigilance, particularly for critical infrastructure, following a new wave of Iranian cyber activity.

A report by threat intelligence firm SecurityScorecard, which analyzed thousands of messages from Iranian-aligned groups, found a clear and coordinated "expansive cyber offensive." This is not just a theoretical threat; it is a multi-pronged attack that includes:

Psychological warfare: Iranian operatives use AI to create and disseminate disinformation, generating fake news and synthetic media to sow panic and undermine public morale.

Targeted phishing: A group known as Imperial Kitten created conflict-themed phishing websites to steal data from pro-Israel visitors, demonstrating how threat actors leverage real-world events to target specific individuals and organizations.

Disruptive attacks: Iranian-affiliated hackers launched multiple distributed denial-of-service (DDoS) attacks against U.S. digital platforms, including the temporary takedown of a prominent social media network. The joint advisory specifically notes that Iranian state-sponsored or affiliated threat actors will likely increase their DDoS campaigns significantly and may also conduct ransomware attacks.

Intelligence gathering: Iranian operatives have reportedly hijacked Israeli internet-connected closed-circuit television (CCTV) systems, a tactic used for real-time situational awareness and intelligence gathering without having to deploy physical assets.

The Elevated Threat Landscape

The advisory, dated June 30, 2025, emphasizes that Iranian cyber actors, including state-sponsored groups and aligned hacktivists, have a documented history of targeting poorly secured U.S. networks. They frequently exploit known vulnerabilities in unpatched or outdated software and compromise accounts with default or weak passwords, often leveraging publicly accessible systems as entry points.

The primary targets for these Iranian cyber actors include:

  • Defense industrial base (DIB) companies: Especially those with holdings or relationships with Israeli research and defense firms.
  • Critical infrastructure: This broadly includes sectors such as water and wastewater systems, energy, healthcare, and telecommunications. A notable precedent illustrating this real-world risk is the November 2023 incident in which hackers believed to be affiliated with the Islamic Revolutionary Guard Corps (IRGC) breached Israeli-made equipment in water and wastewater systems across multiple U.S. states.

Their tactics often involve:

  • Exploiting known vulnerabilities: Exploiting common vulnerabilities and exposures (CVEs) in unpatched software.
  • Weak credential exploitation: Leveraging automated password guessing, cracking password hashes, and using default manufacturer passwords (a tactic favored by Iranian threat actors).
  • Operational technology (OT) compromise: Using system engineering and diagnostic tools to breach OT networks, as seen in previous campaigns targeting Israeli-made programmable logic controllers (PLCs) and human machine interfaces (HMIs). Attackers often start with reconnaissance tools like Shodan to find vulnerable internet-facing devices, especially in industrial control system (ICS) environments.

Implications for U.S. Organizations

The ease with which Iranian actors exploit common weaknesses means that even seemingly low-level attacks can have significant disruptive potential. Iranian actors have reportedly collaborated with ransomware operators to encrypt business-critical data, leak sensitive intellectual property, and launch multi-stage cyberattacks that have ripple effects.

While there is currently no evidence of a coordinated Iranian cyber campaign against the U.S., the advisory does note that reconnaissance and probing activity may already be underway, and that hackers may lie dormant inside vulnerable systems before activating.

Indicators of Compromise (IOCs) Linked to Iranian Threat Actor Activity

The following classes of observable indicators, if detected, should be treated as suspicious and potentially indicative of Iranian actor activity.

Evidence of exploitation of known vulnerabilities: Detection of exploitation attempts or successful exploitation of unpatched software, particularly those with recently disclosed CVEs.

Unauthorized access through weak/default credentials: Log entries showing successful logins to internet-exposed devices or accounts using default or commonly guessed passwords.

Suspicious activity on OT/ICS networks: Unauthorized or unusual access, configuration changes, or use of system engineering and diagnostic tools within Operational Technology (OT) or Industrial Control System (ICS) environments. This includes observed activity against Israeli-made PLCs and HMIs.

High volume of DDoS traffic: Significant and sustained distributed denial-of-service (DDoS) attacks targeting U.S. and Israeli websites.

Indicators of ransomware/data leakage: Evidence of data encryption, data theft, or threats of public data leakage, potentially in collaboration with other criminal groups.

Unusual Network Behavior: Unusual access patterns to OT/ICS devices, unexpected remote access sessions, suspicious data transfers (especially exfiltration attempts), or anomalous behavioral patterns within encrypted traffic.

Tactics, Techniques, and Procedures (TTPs) Used by Iranian Threat Actors

Iranian actors often exploit known vulnerabilities quickly after public disclosure and target common weaknesses like weak credentials. Their operations can range from financially motivated (ransomware, data leaks) to disruptive/destructive (DDoS, wipers) and information operations/hacktivism, frequently aligned with geopolitical events. Their approach often involves opportunistic targeting of poorly secured internet-facing systems.

The joint advisory is replete with common TTPs used by Iranian cyber actors. The sections below map them to MITRE ATT&CK, note the weaknesses each technique exploits, and highlight some of our NDR detections that apply to these attack vectors.

Initial Access (TA0001)

  • T1190 - Exploit Public-Facing Application: Organizations should be worried about unpatched or outdated software on internet-facing systems. This includes web servers, VPNs, firewalls, email gateways, and any other services exposed to the internet. The vulnerabilities of most concern are recently disclosed CVEs, which Iranian actors are known to exploit quickly after publication.
  • T1110.003 - Brute Force: Password Spraying / T1110.001 - Brute Force: Password Guessing: Attempting to gain access using automated password guessing, cracking password hashes, and utilizing default manufacturer passwords. Vulnerabilities here include weak or default passwords on user accounts, service accounts, and device credentials. Organizations should also be concerned about the absence of multi-factor authentication (MFA) and of account lockout policies, both of which would otherwise blunt brute-force attacks (note that spraying, which tries one password across many accounts, is designed specifically to stay under per-account lockout thresholds).
  • T1078 - Valid Accounts: Compromising accounts (often via weak credentials or brute force) to gain initial access. The primary vulnerability is the presence of compromised accounts due to weak credentials, successful phishing, or prior data breaches. Lack of monitoring for unusual login patterns or privilege escalation after initial access via a valid account is also a concern.
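The indicators above (successful logins with default credentials, brute-force and spraying against exposed devices) can be checked directly in authentication logs. The following is an added example, not code from the original post or from ExtraHop: it parses a constructed, syslog-style login log (the line format, host names, addresses and the `DEFAULT_ACCOUNTS` list are all assumptions for the example) and keys password-spray detection on the source address rather than the account, because a spray keeps per-account failures below lockout thresholds while touching many distinct usernames.

```python
"""Detect password spraying (T1110.003) and successful logins to default
accounts (T1078) in authentication logs from internet-exposed devices."""
import re
from collections import defaultdict

# Constructed sample log lines for this example (not real telemetry).
SAMPLE_LOG = """\
2025-07-01T02:14:03Z vpn-gw1 auth: user=alice src=203.0.113.7 result=FAIL
2025-07-01T02:14:05Z vpn-gw1 auth: user=bob src=203.0.113.7 result=FAIL
2025-07-01T02:14:07Z vpn-gw1 auth: user=carol src=203.0.113.7 result=FAIL
2025-07-01T02:14:09Z vpn-gw1 auth: user=dave src=203.0.113.7 result=FAIL
2025-07-01T02:14:11Z vpn-gw1 auth: user=erin src=203.0.113.7 result=FAIL
2025-07-01T02:14:13Z vpn-gw1 auth: user=frank src=203.0.113.7 result=SUCCESS
2025-07-01T02:20:00Z vpn-gw1 auth: user=alice src=198.51.100.22 result=FAIL
2025-07-01T02:20:30Z vpn-gw1 auth: user=alice src=198.51.100.22 result=SUCCESS
2025-07-01T03:01:00Z hmi-plc3 auth: user=admin src=192.0.2.55 result=SUCCESS
"""

# Assumed set of vendor/default account names worth alerting on when they
# log in successfully on an exposed device; tune to the devices deployed.
DEFAULT_ACCOUNTS = {"admin", "root", "operator", "service", "guest"}

# Assumed log line format for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse(log_text):
    """Parse matching lines into dicts; lines in other formats are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_password_spray(events, min_users=5):
    """One source trying many distinct usernames is the spray signature:
    per-account failures stay low, so aggregate by source, not by user."""
    by_src = defaultdict(lambda: {"users": set(), "fails": 0, "success": set()})
    for e in events:
        entry = by_src[e["src"]]
        entry["users"].add(e["user"])
        if e["result"] == "FAIL":
            entry["fails"] += 1
        else:
            entry["success"].add(e["user"])
    return {
        src: {"users": len(v["users"]), "fails": v["fails"],
              "success": sorted(v["success"])}   # accounts the spray landed on
        for src, v in by_src.items() if len(v["users"]) >= min_users
    }


def detect_default_account_logins(events, default_accounts=DEFAULT_ACCOUNTS):
    """Successful logins using a default account name on an exposed device."""
    return [e for e in events
            if e["result"] == "SUCCESS" and e["user"].lower() in default_accounts]


def analyze(log_text, min_users=5):
    events = parse(log_text)
    return {
        "spray": detect_password_spray(events, min_users),
        "default_logins": detect_default_account_logins(events),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, s in report["spray"].items():
        print(f"password spray from {src}: {s['users']} users, "
              f"{s['fails']} failures, landed on {s['success'] or 'none'}")
    for e in report["default_logins"]:
        print(f"default account '{e['user']}' logged in to {e['host']} from {e['src']}")
```

On the constructed input this flags 203.0.113.7 as a spray that succeeded against one account (which should be reset and have MFA enforced), while the single user retrying from 198.51.100.22 is not flagged. The `min_users` threshold is a tuning knob: set it below the number of accounts an attacker can try before your lockout policy would otherwise notice.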

Lateral Movement (TA0008)

  • T1210 - Exploitation of Remote Services / T1570 - Lateral Tool Transfer: Moving within breached networks, especially from IT to OT/ICS segments, often by leveraging system engineering and diagnostic tools for OT. Organizations are exposed by poor network segmentation that allows easy movement between IT and OT/ICS networks. Unsecured remote access protocols (e.g., RDP, SSH) and the presence of system engineering and diagnostic tools on reachable systems, which can be leveraged for OT compromise, are also significant weaknesses.
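The segmentation failure described above, and the "unusual access patterns to OT/ICS devices" listed among the indicators, can be surfaced from network flow records without any agent on the PLCs. The following is an added example, not code from the original post or from ExtraHop: it classifies constructed flow records against an assumed OT segment, an assumed allowlist of engineering workstations and a small table of well-known ICS protocol ports (all of these values are assumptions for the example), and flags three things: IT hosts reaching ICS ports in the OT segment, a single IT host sweeping several controllers (reconnaissance), and OT devices talking to non-internal addresses (possible C2 or exfiltration).

```python
"""Flag IT-to-OT crossings, ICS port sweeps and OT egress in flow records."""
import ipaddress
from collections import defaultdict

# Assumptions for this example; replace with the real segments and allowlist.
OT_NETWORK = ipaddress.ip_network("10.50.0.0/16")           # assumed OT/ICS segment
ENGINEERING_HOSTS = {ipaddress.ip_address("10.10.5.20")}     # assumed approved engineering workstation
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Well-known ICS protocol ports; extend for the vendors actually deployed.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP", 20000: "DNP3"}

# Constructed flow records for this example: (src, dst, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.10.5.20", "10.50.1.10", 502, 1200),          # engineering workstation -> PLC: expected
    ("10.50.1.11", "10.50.1.10", 502, 800),           # HMI -> PLC inside OT: expected
    ("10.10.7.45", "10.50.1.10", 502, 300),           # corporate host -> PLC: IT->OT crossing
    ("10.10.7.45", "10.50.1.12", 102, 300),           # same host -> S7 PLC
    ("10.10.7.45", "10.50.1.13", 44818, 300),         # same host -> EtherNet/IP device
    ("10.50.1.10", "198.51.100.9", 443, 52_000_000),  # PLC -> outside address
]


def is_internal(ip):
    """True for addresses inside the organisation's assumed internal ranges.
    Deliberately not ipaddress.is_private, which also treats the
    documentation ranges used in SAMPLE_FLOWS as private."""
    return any(ip in net for net in INTERNAL_NETWORKS)


def classify(flow):
    """Label one flow: 'it_to_ot', 'ot_egress' or None."""
    src_s, dst_s, dport, nbytes = flow
    src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
    rec = {"src": src_s, "dst": dst_s, "dport": dport, "bytes": nbytes,
           "proto": ICS_PORTS.get(dport), "finding": None}
    if (dst in OT_NETWORK and dport in ICS_PORTS
            and src not in OT_NETWORK and src not in ENGINEERING_HOSTS):
        rec["finding"] = "it_to_ot"       # IT host speaking an ICS protocol into OT
    elif src in OT_NETWORK and not is_internal(dst):
        rec["finding"] = "ot_egress"      # OT device reaching outside the organisation
    return rec


def analyze_flows(flows, min_targets=3):
    """Group findings and call out IT sources touching many controllers."""
    records = [classify(f) for f in flows]
    it_to_ot = [r for r in records if r["finding"] == "it_to_ot"]
    ot_egress = [r for r in records if r["finding"] == "ot_egress"]
    targets = defaultdict(set)
    for r in it_to_ot:
        targets[r["src"]].add(r["dst"])
    scanners = {s: len(t) for s, t in targets.items() if len(t) >= min_targets}
    return {"it_to_ot": it_to_ot, "ot_egress": ot_egress, "scanners": scanners}


if __name__ == "__main__":
    report = analyze_flows(SAMPLE_FLOWS)
    for r in report["it_to_ot"]:
        print(f"IT->OT: {r['src']} -> {r['dst']}:{r['dport']} ({r['proto']})")
    for src, n in report["scanners"].items():
        print(f"ICS sweep: {src} touched {n} controllers")
    for r in report["ot_egress"]:
        print(f"OT egress: {r['src']} -> {r['dst']}:{r['dport']}, {r['bytes']} bytes")
```

The allowlist is the important design choice: a flat rule "no IT host may talk Modbus to OT" generates noise from legitimate engineering access, whereas an explicit set of approved workstations turns every other IT-side source into a high-confidence finding. The egress check is intentionally crude (any non-internal destination from the OT segment); in a real deployment it would be narrowed to the vendor and patching endpoints the controllers are permitted to reach.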

Impact (TA0040)

  • T1491 - Defacement / T1498 - Network Denial of Service / T1499 - Endpoint Denial of Service: Engaging in distributed denial-of-service (DDoS) attacks and website defacement. Weaknesses include insufficient DDoS protection mechanisms (e.g., lack of scrubbing services or CDN protection) and weak web application security that could allow for defacement. Unsecured network devices or endpoints that can be compromised and recruited into a botnet are also a concern, since they supply the capacity for these attacks.
  • T1486 - Data Encrypted for Impact (Ransomware): Deploying ransomware to encrypt data. Key vulnerabilities are a lack of robust backup and recovery strategies, unpatched systems that are susceptible to ransomware propagation, and poor network segmentation that allows ransomware to spread rapidly. Weak endpoint detection and response (EDR) capabilities are also a concern.

Exfiltration (TA0041)

  • T1041 - Exfiltration Over C2 Channel / T1567 - Exfiltration Over Web Service: Stealing sensitive information for public leakage (often combined with ransomware/extortion). Vulnerabilities include a lack of data loss prevention (DLP) solutions, insufficient monitoring of outbound network traffic for suspicious activity (especially encrypted traffic), and unsecured cloud storage or web services that could be used as exfiltration points.

Resource Development (for Information Operations) (TA0042)

  • T1585 - Establish Accounts / T1586 - Compromise Accounts: Leveraging compromised accounts or creating new ones to amplify information operations. Weaknesses relate to poor identity and access management (IAM) controls, including poor account provisioning/de-provisioning processes, and a lack of monitoring for new or unusual account creations within internal systems or on external platforms.

Reconnaissance (for Information Operations) (TA0043)

  • T1589 - Gather Victim Identity Information / T1591 - Gather Victim Org Information: Combining hacking and data theft with online amplification through social media or direct messaging for harassment and reputational damage. Weaknesses include over-sharing of information on public platforms (e.g., social media, corporate websites), poorly secured public-facing databases, and a lack of awareness of open-source intelligence (OSINT) gathering by adversaries.

How ExtraHop Helps: Proactive Detection in a High-Stakes Environment

In an environment where Iranian cyber actors are actively probing for weaknesses, a powerful network detection and response (NDR) solution like the ExtraHop RevealX platform is crucial to detect malicious and anomalous activity quickly and accurately.

ExtraHop provides the real-time visibility and behavioral analytics necessary to identify and respond to the TTPs commonly employed by these threat groups, even when they bypass traditional security controls. ExtraHop RevealX detects exploitation of vulnerabilities in most common enterprise software such as Zoho ManageEngine, Ivanti, Pulse Connect Secure, Microsoft SharePoint, and more.

ExtraHop RevealX provides:

  • Comprehensive network visibility: It offers agentless visibility across hybrid and multi-cloud environments, including encrypted traffic, leaving no blind spots for attackers exploiting vulnerabilities or using compromised credentials. This is vital for detecting Initial Access (TA0001) through exploitation of vulnerabilities and use of compromised credentials, as well as reconnaissance, Lateral Movement (TA0008), and Exfiltration (TA0041) attempts.
  • Behavioral anomaly detection: RevealX uses machine learning to detect anomalous network behaviors that indicate compromise, such as unusual access patterns to OT/ICS devices, unexpected remote access sessions, or suspicious data transfers, even if the initial access method was a simple password brute-force. This supports detection of Initial Access (TA0001) methods like password brute-force (T1110.001, T1110.003), Lateral Movement (TA0008) into OT/ICS segments, and Exfiltration (TA0041) via suspicious data transfers. RevealX has hundreds of detections, many of which may apply to potential Iranian threat actor activity.
  • Real-time threat intelligence: By correlating network activity with threat intelligence, RevealX can flag known Iranian TTPs and indicators of compromise, providing immediate context for security teams across various TTP categories.
  • Accelerated incident response: High-fidelity alerts with rich network context enable security teams to quickly understand the scope of an intrusion, identify affected assets, and accelerate containment and remediation efforts, minimizing the attacker's dwell time across all TTPs.

Conclusion

Iranian cyber operatives, encompassing both state-sponsored entities and sympathetic hacktivist collectives, have a well-established track record of launching attacks against American networks. Their common approach involves exploiting readily identifiable weaknesses within outdated or unpatched software, alongside compromising user accounts secured by weak or default credentials, often by initiating their incursions through publicly exposed systems.

Organizations must further improve their defenses by deploying advanced Network Detection and Response (NDR) solutions like ExtraHop RevealX. NDR provides the real-time visibility and analytics necessary to detect and respond to these adversaries before they achieve their objectives, effectively complementing existing EDR and other security stack solutions.

Endnotes:

  1. "Joint Statement from CISA, FBI, DC3 and NSA on Potential Targeted Cyber Activity Against U.S. Critical Infrastructure by Iran." CISA News, June 30, 2025. https://www.cisa.gov/news-events/news/joint-statement-cisa-fbi-dc3-and-nsa-potential-targeted-cyber-activity-against-us-critical
  2. "U.S. Agencies Warn of Rising Iranian Cyber Attacks on Defense, OT Networks, and Critical Infrastructure." The Hacker News, June 30, 2025. https://thehackernews.com/2025/06/us-agencies-warn-of-rising-iranian.html
  3. "Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest." CISA Resources, June 30, 2025. https://www.cisa.gov/resources-tools/resources/iranian-cyber-actors-may-target-vulnerable-us-networks-and-entities-interest
  4. "Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest." IC3 Cybersecurity Advisory, June 30, 2025. https://www.ic3.gov/CSA/2025/250630.pdf
  5. "NTAS bulletin highlights rising cyber, terror threats to US critical infrastructure from Iran-linked hackers." Industrial Cyber, June 23, 2025. https://industrialcyber.co/threat-landscape/ntas-bulletin-highlights-rising-cyber-terror-threats-to-us-critical-infrastructure-from-iran-linked-hackers/
  6. "Iran-Linked Hackers May Target U.S. Firms & Infrastructure in 2025 | Government Warning." Web Asha Technologies Blog, July 2, 2025. https://www.webasha.com/blog/iran-linked-hackers-may-target-us-firms-infrastructure-government-warning
  7. "Joint Release Warns of Iranian-Backed Cyber-Attacks." JD Supra, July 3, 2025. https://www.jdsupra.com/legalnews/joint-release-warns-of-iranian-backed-8848309/
  8. "Critical infrastructure warned of rising Iranian cyber threats; urged to detect, disconnect vulnerable OT, ICS devices." Industrial Cyber, July 2, 2025. https://industrialcyber.co/critical-infrastructure/critical-infrastructure-warned-of-rising-iranian-cyber-threats-urged-to-detect-disconnect-vulnerable-ot-ics-devices/

Patrick Bedwell

Head of Product Marketing & Technical Marketing

Patrick Bedwell is an accomplished product marketing leader with deep expertise in the cybersecurity sector. He has a proven track record of leading high-performing teams at companies like Fortinet and Lastline. He holds an MBA from Santa Clara University.
