The US Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA), has issued a joint advisory warning of increased cyber threat activity from Iranian state-sponsored and affiliated actors, urging organizations, particularly in the defense sector, to remain vigilant.
The agencies said recent months have seen a notable uptick in activity from Iranian-linked hacktivists and government-affiliated threat groups, with expectations that the efforts may escalate amid ongoing geopolitical tensions.
“These cyber actors often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures or the use of default or common passwords on internet-connected accounts and devices,” the advisory said. “At this time, we have not seen indications of a coordinated campaign of malicious cyber activity in the US that can be attributed to Iran. However, CISA, FBI, DC3, and NSA strongly urge critical infrastructure asset owners and operators to implement the mitigations.”
The advisory also warned of possible distributed denial-of-service (DDoS) and ransomware attacks targeting both US and Israeli entities.
Attackers are known to conduct reconnaissance using tools like Shodan to locate vulnerable industrial control systems (ICS) before exploiting misconfigured firewalls and poor network segmentation. Iranian groups have historically used remote access trojans (RATs) and keyloggers alongside legitimate administrative utilities such as PsExec and credential-dumping tools such as Mimikatz to move laterally within networks while evading detection.
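As an added illustration (not part of the advisory or of any tooling it describes), the following Python script shows how a defender can flag the two lateral-movement tools named above in Windows telemetry: PsExec installs a service named PSEXESVC (Windows System log event 7045, "A service was installed"), and Mimikatz-style credential dumping opens lsass.exe with memory-read rights (Sysmon event 10, ProcessAccess). The sample events, host names and the allowlist of processes permitted to touch LSASS are constructed for the example and are not from the page.

```python
"""Flag PsExec service installs and LSASS credential access in Windows event data.

Added example. Events are plain dicts shaped like System 7045 and Sysmon 10 records
(as a SIEM or log pipeline would hand them over); the samples below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Sysmon event 10 GrantedAccess bits that credential dumpers request on lsass.exe.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Assumption: system processes that legitimately open lsass.exe; tune to your estate.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\services.exe",
}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def detect_psexec_service(ev: dict) -> Optional[Finding]:
    """System event 7045: PsExec's default service is PSEXESVC, with its binary
    copied into %SystemRoot% over the ADMIN$ share before the service starts."""
    if ev.get("event_id") != 7045:
        return None
    name = ev.get("service_name", "").lower()
    path = ev.get("image_path", "").lower()
    if name.startswith("psexesvc") or "psexesvc" in path:
        return Finding(ev["host"], "psexec_service_install", f"{name} -> {path}")
    # PsExec -r renames the service, so in practice pair this rule with
    # named-pipe and ADMIN$ file-write telemetry rather than relying on the name alone.
    return None


def detect_lsass_access(ev: dict) -> Optional[Finding]:
    """Sysmon event 10: a non-allowlisted process opening lsass.exe with read plus
    query rights (e.g. 0x1010, 0x1410) matches the sekurlsa-style dumping pattern."""
    if ev.get("event_id") != 10:
        return None
    target = ev.get("target_image", "").lower()
    if not target.endswith("\\lsass.exe"):
        return None
    source = ev.get("source_image", "").lower()
    if source in LSASS_ALLOWLIST:
        return None
    granted = int(ev.get("granted_access", "0x0"), 16)
    wants_read = bool(granted & PROCESS_VM_READ)
    wants_query = bool(granted & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION))
    if wants_read and wants_query:
        return Finding(ev["host"], "lsass_memory_access", f"{source} granted {granted:#x}")
    return None


DETECTORS = (detect_psexec_service, detect_lsass_access)


def scan(events: List[dict]) -> List[Finding]:
    """Run every detector over every event and collect the hits in input order."""
    findings = []
    for ev in events:
        for detector in DETECTORS:
            hit = detector(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample telemetry: one PsExec install and one suspicious LSASS read on hr-ws-12,
# plus benign noise (a vendor service, wininit, and an svchost query-only handle).
SAMPLE_EVENTS = [
    {"host": "hr-ws-12", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "build-01", "event_id": 7045, "service_name": "DellClientManagementService",
     "image_path": r"C:\Program Files\Dell\ClientManagement\DCMSvc.exe"},
    {"host": "hr-ws-12", "event_id": 10, "source_image": r"C:\Users\jdoe\AppData\Local\Temp\mk.exe",
     "target_image": r"C:\Windows\system32\lsass.exe", "granted_access": "0x1010"},
    {"host": "hr-ws-12", "event_id": 10, "source_image": r"C:\Windows\system32\wininit.exe",
     "target_image": r"C:\Windows\system32\lsass.exe", "granted_access": "0x1fffff"},
    {"host": "dc-01", "event_id": 10, "source_image": r"C:\Windows\system32\svchost.exe",
     "target_image": r"C:\Windows\system32\lsass.exe", "granted_access": "0x1000"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.host}: {finding.detail}")
```

Both rules fire on the same host in the sample, which is the point: a 7045 PSEXESVC install followed shortly by an unknown binary reading LSASS on that host is a far stronger signal than either event alone, so a real deployment would correlate the two by host and time window rather than alert on each separately.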
A new report by cybersecurity firm Censys found growing internet exposure of four device types frequently targeted by Iranian hackers: Unitronics Vision PLCs, Orpak SiteOmat, Red Lion industrial equipment, and the Tridium Niagara framework.
Exposure of all but the Orpak devices rose by between 4.5% and 9.2% from January to June 2025. Unitronics and Orpak devices are also known to ship with default credentials, which makes them easy targets for intrusion.