Iran Strikes Likely to Raise Cyber Risk, CISA Warns
The Cybersecurity and Infrastructure Security Agency warned that the recent conflict with Iran could lead to cyberattacks against U.S. critical infrastructure.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) joined the FBI, National Security Agency and the Department of Defense Cyber Crime Center to “strongly urge” that U.S. critical infrastructure organizations keep watch for attacks on their electronic networks from Iran-affiliated groups.

The agency’s June 30 warning came after several weeks of conflict between Iran and the U.S. and Israel, starting with missile attacks that, Iran’s government said, killed more than 900 people and damaged the country’s nuclear program. (The extent of harm to the nuclear program is in dispute.) Subsequent retaliatory strikes by Iran killed 28 people in Israel, according to the Times of Israel.

Iran also fired more than a dozen missiles at a U.S. military base in Qatar. All but one of the missiles were destroyed before reaching Qatar; the last hit an uninhabited area and caused minimal damage.

CISA and the other agencies said in their press release that they had “not seen indications of a coordinated campaign of malicious cyber activity in the U.S. that can be attributed to Iran.” However, an accompanying fact sheet cited “the current geopolitical environment” as cause for concern “despite a declared ceasefire and ongoing negotiations towards a permanent solution.”

“Over the past several months, Iranian-aligned hacktivists have increasingly conducted website defacements and leaks of sensitive information exfiltrated from victims,” the agencies said. “These hacktivists are likely to significantly increase distributed denial of service (DDoS) campaigns against U.S. and Israeli websites due to recent events.”

Cybersecurity firm CloudSek determined that in the week after Israel’s first strike, more than 35 pro-Iranian cybercriminal groups launched coordinated attacks against Israeli infrastructure. Most of these attacks targeted government agencies, but victims also included energy infrastructure and electric vehicle fleet management software.

Campaigns by Iran-backed actors occurred in late 2023 and early 2024 during Israel’s military campaign in Gaza, the agencies said, with actions against targets worldwide including “dozens of U.S. victims in the water and wastewater, energy, food and beverage manufacturing, and healthcare and public health sectors.” Groups sponsored by Iran also stole and published secret data, primarily from Israeli companies but with one instance involving a U.S.-based internet TV company.

Recommended mitigations to “harden … cyber defenses against malicious actors” include identifying and disconnecting ICS and operational technology assets from the public internet and implementing multi-factor authentication for accessing OT networks from other networks. Agencies also reminded entities to make sure passwords are strong and unique, and to review and update their incident response and business continuity plans.

Cybersecurity firm Dragos noted in its 2024 Year In Review report, released in February, that Iran continued to pose an active cybersecurity threat. The report included a newly identified threat group, Bauxite, that “shares substantial technical overlaps … with the pro-Iranian hacktivist persona CyberAv3ngers,” and has reached Stage 2 of SANS Institute’s ICS kill chain, meaning the capability to “meaningfully attack” a target’s industrial control systems. (See Dragos: Attacks on ICS Increased in 2024.)

Leaders from the Electricity Information Sharing and Analysis Center also listed Iran among the top cyber threats to the U.S. grid at the most recent meeting of NERC’s Board of Trustees in May. (See E-ISAC Reports on Cyber, Physical Threats.)

CISA’s warning comes as the agency lacks a permanent director following the departure of Jen Easterly before President Donald Trump’s inauguration. Trump nominated Sean Plankey, former head of cyber policy at the National Security Council, to replace her. However, the Senate Committee on Homeland Security and Governmental Affairs has not yet voted to recommend Plankey to the full Senate and his nomination faces a hold from Sen. Ron Wyden (D-Ore.). Wyden is demanding that CISA publicly release a 2022 report on U.S. telecommunications security to lift the hold.

CISA currently is led by Deputy Director Madhu Gottumukkala, who joined the agency in May from South Dakota’s Bureau of Information and Technology, where he served as chief information officer.
