Network Security, Critical Infrastructure Security, Threat Intelligence

DHS: Attacks on US critical infrastructure likely following Iran strikes


In the wake of the Trump administration’s strikes on Iran’s nuclear facilities over the weekend, the National Terrorism Advisory System (NTAS) warned American businesses that the ongoing conflict caused a heightened threat environment for critical infrastructure in the U.S.

The June 22 advisory by the Homeland Security Department’s NTAS said low-level cyberattacks against U.S. networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against U.S. networks.

Jen Easterly, former director of the Cybersecurity and Infrastructure Security Agency (CISA), said security teams should be “Shields Up,” warning that U.S. critical infrastructure owners and operators should be vigilant for malicious cyber activity in the wake of the U.S. military action against Iranian nuclear targets.

“While it’s unclear whether its cyber capabilities were at all impacted by recent Israeli strikes, Iran has a track record of retaliatory cyber operations targeting civilian infrastructure, including water systems, financial institutions, energy pipelines, and government networks,” said Easterly in a Sunday LinkedIn post.

The NTAS added that Iran has a long-standing commitment to target U.S. government officials it views as responsible for the death of an Iranian military commander killed in January 2020. The agency said the likelihood of violent extremists in the U.S. independently mobilizing to violence in response to the conflict would likely increase if Iranian leadership issued a religious ruling calling for retaliatory violence against targets.

“Multiple recent Homeland terrorist attacks have been motivated by anti-Semitic or anti-Israel sentiment, and the ongoing Israel-Iran conflict could contribute to U.S.-based individuals plotting additional attacks,” said the NTAS. “Since the start of the conflict, we have seen media releases by foreign terrorist organizations, including Hamas, Lebanese Hizballah, the Houthis, and the Popular Front for the Liberation of Palestine, among others — some of which have called for violence against U.S. assets and personnel in the Middle East because of Israel’s attack.”

John Hultquist, chief analyst, Google Threat Intelligence Group, added that in light of recent developments in the Middle East, the likelihood of disruptive cyberattacks against U.S. targets by Iranian actors has increased. Hultquist said in recent years Iran has primarily focused this activity on Israel, especially following the Oct. 7, 2023, attacks. Those incidents offer useful insight into the capability and limitations of Iranian actors.

“Iran has had mixed results with disruptive cyberattacks and they frequently fabricate and exaggerate their effects in an effort to boost their psychological impact,” said Hultquist. “We should be careful not to overestimate these incidents and inadvertently assist the actors. The impacts may still be very serious for individual enterprises, which can prepare by taking many of the same steps they would to prevent ransomware.”

Hultquist said Iran already targets the U.S. with cyberespionage, which it uses to directly and indirectly gather geopolitical insight and surveil persons of interest. Individuals associated with Iran policy are frequently targeted through organizational and personal accounts and should be on the lookout for social engineering schemes, he said.

“Individuals are also targeted indirectly by Iranian cyberespionage against telecoms, airlines, hospitality, and other organizations who have data that can be used to identify and track persons of interest,” added Hultquist in a Sunday LinkedIn post.

Kevin Surace, chair at Token, said that given the recent Scattered Spider social-engineering hacks, which leverage auth apps and legacy MFA to gain access, everyone should begin to replace those techniques with next generation biometric MFA.

Surace said the low-level DDoS attacks DHS warned about are noisy, short-term disruptions — easy to launch, but also easy to detect and mitigate if the team is monitoring the network load and reacting fast.

“The real threat now comes from higher-level intrusions by Iranian APTs and others using basic social engineering: phishing emails, fake login pages, and tricking users into approving access through their own authentication apps,” said Surace. “These tactics don’t require sophisticated skills anymore, and they bypass legacy MFA daily.” 

Surace added that coordination with CISA, FBI, and DHS helps raise awareness through alerts, but most CISOs are already operating at full tilt within their budget constraints. He said the real shift now is the total failure of legacy MFA and auth apps — tools once trusted, now routinely bypassed by social engineering.

“Scattered Spider proves it daily,” said Surace. “This is a defining moment for cybersecurity, and the hard truth is most companies remain exposed.”

Easterly warned that U.S. critical infrastructure owners and operators — both at home and abroad — should be prepared for malicious cyber activity, including:

  • Credential theft and phishing campaigns.
  • Wipers disguised as ransomware.
  • Hacktivist fronts and false-flag ops.
  • Targeting of ICS/OT systems.

Easterly added that it’s a familiar playbook, so the response should also be known by security teams:

  • Enforce MFA across all cloud, IT, and OT systems.
  • Patch every Internet-facing asset.
  • Segment networks and elevate detection on OT traffic.
  • Conduct tabletop cybersecurity drills, in particular with ICS scenarios.
  • Subscribe to ISAC alerts for real-time intelligence (Easterly also pointed to a recent statement from IT-ISAC and Ag-ISAC).
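Surace’s point about users being tricked into approving access through their own authentication apps, and Easterly’s call to enforce MFA and raise detection, meet in the authentication log: a push-fatigue attack leaves a distinctive trail of repeated prompts, explicit denials, and then one approval. The following is an added example for this article, not code from DHS, CISA, Google, Token or any vendor quoted here. It assumes a simplified, space-separated log format (timestamp, user, event, source IP) and uses constructed sample lines; real IdP exports differ, so only the parser would need adapting.

```python
"""Flag MFA push-fatigue ("prompt bombing") patterns in authentication logs.

Added example for illustration only. The log format is an assumed, simplified
one: ISO-8601 timestamp, user, event name, source IP. Real identity-provider
exports differ; parse_log() is the only function that would need changing.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data for this example; not from a real incident.
# alice: three denied prompts in two minutes, then an approval (compromise).
# bob:   one prompt, one approval (normal login).
# carol: one timed-out prompt, one retry, approval (benign, under threshold).
SAMPLE_LOG = """\
2025-06-22T03:01:05Z alice mfa.push.sent 198.51.100.7
2025-06-22T03:01:09Z alice mfa.push.denied 198.51.100.7
2025-06-22T03:01:21Z alice mfa.push.sent 198.51.100.7
2025-06-22T03:01:25Z alice mfa.push.denied 198.51.100.7
2025-06-22T03:01:40Z alice mfa.push.sent 198.51.100.7
2025-06-22T03:01:44Z alice mfa.push.denied 198.51.100.7
2025-06-22T03:02:02Z alice mfa.push.sent 198.51.100.7
2025-06-22T03:02:15Z alice mfa.push.approved 198.51.100.7
2025-06-22T08:30:00Z bob mfa.push.sent 203.0.113.44
2025-06-22T08:30:06Z bob mfa.push.approved 203.0.113.44
2025-06-22T09:00:00Z carol mfa.push.sent 203.0.113.9
2025-06-22T09:00:30Z carol mfa.push.timeout 203.0.113.9
2025-06-22T09:01:00Z carol mfa.push.sent 203.0.113.9
2025-06-22T09:01:07Z carol mfa.push.approved 203.0.113.9
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    event: str
    ip: str


@dataclass(frozen=True)
class Alert:
    user: str
    rule: str
    pushes: int    # push prompts sent to the user inside the window
    denials: int   # prompts the user explicitly rejected inside the window
    ip: str
    ts: datetime


def parse_log(text: str) -> list:
    """Parse the assumed log format into time-ordered Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return sorted(events, key=lambda e: e.ts)


def detect_push_fatigue(events, window=timedelta(minutes=5), burst_threshold=3) -> list:
    """Evaluate two rules per user over a trailing time window.

    push_burst: the user has received `burst_threshold` prompts within `window`
        (fires once, as the threshold is crossed). Someone holds the password
        and is hammering the second factor, whether or not it has worked yet.
    approve_after_denials: an approval preceded by at least one explicit denial
        inside a burst. That is the success signature of prompt bombing and
        should drive session revocation and a credential reset.
    A single timeout followed by a retry stays under the threshold and is not
    flagged, which keeps ordinary "didn't see the first prompt" logins quiet.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            recent = [x for x in evs[:i] if e.ts - x.ts <= window]
            pushes = sum(x.event == "mfa.push.sent" for x in recent)
            denials = sum(x.event == "mfa.push.denied" for x in recent)
            if e.event == "mfa.push.sent" and pushes + 1 == burst_threshold:
                alerts.append(Alert(user, "push_burst", pushes + 1, denials, e.ip, e.ts))
            elif e.event == "mfa.push.approved" and pushes >= burst_threshold and denials >= 1:
                alerts.append(Alert(user, "approve_after_denials", pushes, denials, e.ip, e.ts))
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"{a.ts.isoformat()} {a.user} {a.rule} pushes={a.pushes} denials={a.denials} ip={a.ip}")
```

On the sample, only alice produces alerts: a push_burst on her third prompt and an approve_after_denials on the final approval; bob and carol produce none. Detection like this is a compensating control while an organization moves to number matching or phishing-resistant authenticators, not a substitute for them.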