Iranian APT Activity During Geopolitical Escalation: Recommendations for Nozomi Customers and Critical Infrastructure Owners

A dramatic and perilous chapter in Middle Eastern geopolitics is unfolding with the outbreak of open conflict involving the Islamic Republic of Iran, Israel, and the United States. Last week, U.S. and Israeli forces launched Operation Lion's Roar, coordinated military strikes on Iranian military and nuclear sites. The attack has triggered retaliation from Iran. This escalation has rapidly expanded beyond kinetic battlefields, encompassing missile and drone strikes across the Gulf region, engagements with Iranian-backed militias and serious impacts on civilian infrastructure throughout the Middle East. Regional capitals have witnessed direct attacks, from Gulf Arab states to Israel and beyond, disrupting energy networks, air travel and diplomatic stability.

Amid this kinetic conflict, the cyber domain has emerged as a critical front. Iranian state-affiliated cyber actors, long recognized for their advanced persistent threat (APT) capabilities, routinely target foreign networks and industrial control systems as part of broader strategic objectives. These operations aim to disrupt, degrade or influence adversary infrastructure and decision-making processes, especially in times of heightened geopolitical tension.  

Critical infrastructure operators now face increased risk from Iranian threat actors known for destructive malware campaigns, espionage and infrastructure attacks. Historical patterns indicate that Iran leverages digital operations as a force multiplier, seeking strategic effects without further inflaming kinetic hostilities. In the context of this conflict, defenders must anticipate both opportunistic and state-directed cyber activity as part of a broader hybrid campaign.  

In this blog post, we’ll explore how the evolving conflict may drive Iranian cyber activity, the types of threats organizations should prepare for, and actionable steps for resilience in an era where geopolitical warfare increasingly blurs the line between physical and digital battlefields.

Recent Activity of Iran-affiliated Threat Actors

Nozomi Networks has been monitoring the situation in this region for a while, carefully tracking the activity of threat actors associated with Iran and making sure our customers remain constantly protected against them. In our July blog post, we observed a spike in their activity during the previous stage of the conflict known as the Twelve-Day War. At that time, based on our anonymized telemetry sent by participating customers:

  • Attackers prioritized the Transportation and Manufacturing sectors
  • MuddyWater and APT33 were the most active Iran-linked APTs during that period

Here’s what we’ve observed over the last two weeks.

Figure 1 - Number of recently raised alerts associated with Iran-affiliated threat actors

As we are still in the early days of the conflict and the situation remains fluid, not enough data has been collected yet to draw any definitive conclusions. However, we already observe a systematic increase in the activity associated with Iran-linked APTs. For now, the Manufacturing and Transportation sectors are most targeted. Note that many of our customers in the Middle East are still not participating in the telemetry submission program. In those cases we’re communicating with them directly to address a significant number of escalations and give them the support they need.

Here are the threat actors we’re detecting.

MuddyWater

MuddyWater (also tracked as APT34, OilRig or Seedworm) is an Iranian state-aligned threat actor believed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS). Active for nearly a decade, MuddyWater is known for cyber espionage campaigns targeting government agencies, telecommunications providers, energy companies and critical infrastructure organizations across the Middle East, Europe, Asia and North America. The group frequently leverages spear-phishing, compromised credentials and exploitation of public-facing applications for initial access, followed by the use of living-off-the-land techniques and legitimate administrative tools to evade detection. MuddyWater has also deployed custom malware families and remote access tools to maintain persistence, conduct intelligence collection and position itself for potential disruptive operations during periods of geopolitical tension.

Figure 2 - Nozomi Threat Intelligence is tracking MuddyWater targeting organizations across the globe

OilRig

OilRig (also known as APT34 and Helix Kitten) is another Iranian state-sponsored threat group. Active for many years, OilRig primarily conducts cyber espionage operations targeting government entities, financial services, telecommunications, defense contractors and energy organizations, particularly in the Middle East. The group commonly relies on spear-phishing campaigns, credential harvesting and exploitation of internet-facing applications for initial access, followed by the use of custom backdoors and web shells to maintain persistence. OilRig is known for blending bespoke malware with living-off-the-land techniques. The group leverages tools such as PowerShell and legitimate system utilities to evade detection while conducting long-term intelligence collection and network reconnaissance.

Figure 3 - Nozomi Threat Intelligence is tracking OilRig targeting organizations across the globe

APT33

APT33 (also known as Elfin or Refined Kitten) is an Iranian state-aligned threat group commonly associated with operations supporting Iran’s strategic and military objectives. The group has historically targeted aerospace, aviation, energy, manufacturing and government sectors across the Middle East, the U.S. and Europe. APT33 is known for conducting both cyber espionage and potentially disruptive operations, leveraging spear-phishing, supply chain compromises and password spraying for initial access.

Figure 4 - Nozomi Threat Intelligence is tracking APT33 targeting organizations across the globe

In addition to these threat groups, we have been closely watching the UNC1549 threat actor (overlapping with CURIUM/Tortoise Shell/Crimson Sandstorm); according to our telemetry it was the fourth most active actor in 2H 2025. The group has focused on defense, aerospace, telecommunications and regional government entities, often aligning its operations with Iran’s geopolitical priorities.

Attack Surface in the Middle East

There are many ways attackers may penetrate the perimeter of the targeted organization. One of them is to exploit vulnerabilities present in the victim’s environment. Here is what the situation looks like for Middle Eastern organizations that we currently monitor based on the anonymized telemetry we receive from this region.

Figure 5 – March 2026 distribution of recent vulnerabilities by CVSS score in the ME region

In general, the cybersecurity posture of the Middle Eastern organizations we can observe has room for improvement. For the second half of 2025, the proportion of detected vulnerabilities discovered in 2025 with a CVSS score of HIGH or CRITICAL combined is 61%, well above the global average of 48%.  

A similar picture emerges when we look at EPSS scores: the proportion of vulnerabilities with a relatively high EPSS score (>1%) is approximately 8%, double the global average of 4% that we observed at the end of 2H 2025.

Figure 6 – March 2026 distribution of recent vulnerabilities by EPSS score in the ME region

Companies in this region should heed the fact that being air-gapped (even if implemented properly, which is not always the case) is not enough protection on its own. Efficient vulnerability management is also required to minimize the attack surface.

MITRE ATT&CK® TTPs Suggest Early-Stage Intrusions

Here are the top MITRE ATT&CK techniques we observed in the attacks we detected in the Middle East during the past two weeks.  

Top 5 MITRE ATT&CK Techniques  

The current detection pattern strongly suggests that adversaries are still in the exploratory and positioning phase of their operations. The dominance of default credential abuse and valid account usage, combined with brute force and scanning, indicates that attackers are leveraging trusted access to quietly map environments, identify high-value assets and establish persistence. This is characteristic of early-stage intrusion activity, where the objective is to understand network architecture, privilege relationships and operational dependencies before escalating to disruptive or destructive tactics.

This stage presents a critical window of opportunity. Once attackers complete internal reconnaissance and solidify access, they often pivot to more advanced actions like privilege escalation, data exfiltration and operational disruption. Acting now to eliminate default credentials, tighten identity controls, validate segmentation and monitor authenticated activity can significantly disrupt adversary momentum. Organizations that respond decisively during this reconnaissance phase are far more likely to prevent future escalation.

Mitigation and Recommendations

1. Activate continuous monitoring and increase alert sensitivity to reflect escalated threat activity.

Cybersecurity alerts are only useful if they are constantly reviewed and addressed. Increase active monitoring, if not already in place, and prioritize threat intelligence related to Iranian-linked APT groups and the associated TTPs.  

If you have deployed Nozomi Arc for OT endpoint monitoring, note that it can not only alert on but also block detected attacks, reducing response time.

2. Update threat intel signatures and advisories.

Under current conditions, continuously updated threat intelligence feeds are essential. They aggregate real-world observations from a broad community of victims and researchers, allowing organizations to benefit from collective visibility into adversary behavior and emerging tactics before those patterns are encountered locally. For anyone being targeted or in danger of being targeted:

  • Ensure real-time threat feeds are enabled
  • Immediately review newly published IOCs and threat advisories
  • Validate detection coverage for ICS/OT-specific TTPs linked to regional threat groups
  • Increase alert triage cadence for high-severity anomalies
  • Run focused hunts across recent network traffic and asset telemetry to catch low-and-slow activity before it escalates into service disruption or safety risk
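The early-stage TTPs described above (default credential abuse, valid account use, brute force and scanning) and the focused-hunt recommendation in the last bullet can be turned into a simple batch hunt over exported telemetry. The following is an added example, not Nozomi Networks code: it runs over constructed flow and authentication records, matches the IOC addresses published at the end of this post, and flags failure bursts, successes that follow them, logins on assumed default account names and fan-out typical of scanning. The thresholds and the default account list are assumptions to tune per site.

```python
"""Hunt for early-stage intrusion patterns in constructed flow/auth telemetry.
Added example; the IOC set is the one published in the post, thresholds are assumed."""
from collections import defaultdict
from dataclasses import dataclass

IOC_IPS = {"37.1.213.152", "184.75.210.206", "162.0.230.185"}  # from the post
BRUTE_FORCE_FAILS = 5        # assumed: failed logins from one source to one host
SCAN_FANOUT = 10             # assumed: distinct (dst, port) pairs touched by one source
DEFAULT_ACCOUNTS = {"admin", "root", "operator"}  # assumed vendor default names

@dataclass
class Event:
    src: str
    dst: str
    port: int
    user: str = ""           # empty for plain flow records
    result: str = ""         # "ok" / "fail" for authentication records

def hunt(events):
    """Return (rule, src, detail) findings for one batch of events."""
    findings = []
    fails = defaultdict(int)         # (src, dst) -> failed login count
    fanout = defaultdict(set)        # src -> {(dst, port)} touched
    for e in events:
        fanout[e.src].add((e.dst, e.port))
        if e.src in IOC_IPS or e.dst in IOC_IPS:
            findings.append(("ioc_match", e.src, e.dst))
        if e.result == "fail":
            fails[(e.src, e.dst)] += 1
            if fails[(e.src, e.dst)] == BRUTE_FORCE_FAILS:   # T1110, fire once
                findings.append(("brute_force", e.src, e.dst))
        elif e.result == "ok":
            # T1078: a success on a default account name, or right after a
            # failure burst, is the "valid account" pattern worth a ticket
            if e.user in DEFAULT_ACCOUNTS:
                findings.append(("default_account_login", e.src, f"{e.user}@{e.dst}"))
            if fails[(e.src, e.dst)] >= BRUTE_FORCE_FAILS:
                findings.append(("success_after_bruteforce", e.src, f"{e.user}@{e.dst}"))
    for src, targets in fanout.items():     # T1046-style discovery fan-out
        if len(targets) >= SCAN_FANOUT:
            findings.append(("scan", src, f"{len(targets)} dst/port pairs"))
    return findings

# Constructed sample: a scanner, a brute-forcer that finally gets in on "admin",
# and the compromised PLC-network host beaconing to a published IOC address.
SAMPLE = ([Event("10.0.5.9", "10.0.7.1", p) for p in range(1, 13)]
          + [Event("10.0.5.20", "10.0.7.50", 502, "admin", "fail") for _ in range(5)]
          + [Event("10.0.5.20", "10.0.7.50", 502, "admin", "ok")]
          + [Event("10.0.7.50", "37.1.213.152", 443)])

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(*finding)
```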

For Nozomi Networks customers specifically, make sure that your Nozomi Networks platform is updated to the current version and that all Threat Intelligence signatures are up to date. The Nozomi Networks Labs team is actively monitoring the current situation and regularly updating detection rules in response to activity in the region.

3. Reduce your external attack surface.

Unpatched vulnerabilities and weaknesses such as unchanged default credentials pose a real risk to the environments where they are detected, because they give attackers a direct path to compromise. Remediate them wherever possible to minimize the associated risk. OT and IoT devices especially often lack basic cybersecurity measures: they may be installed with default or easy-to-guess credentials and are infrequently updated to resolve new vulnerabilities. The best time to close these gaps is before a period of increased targeted activity, but it is critical now to make sure the most urgent ones are addressed. For systems that cannot be immediately patched, or where credentials cannot yet be changed, implement enhanced monitoring to detect abnormal behavior and potential signs of compromise.

4. Reassess risk to OT and industrial environments.

Everything starts with comprehensive visibility. Conduct comprehensive exposure reviews of connected assets, especially internet-facing ones, validating proper segmentation between IT and OT networks and proper isolation of IoT devices.  

5. Fine-tune cybersecurity solutions.

OT monitoring solutions should be properly baselined with normal industrial protocol behavior so that deviations above established thresholds trigger alerts. During heightened geopolitical tensions, revisit muted alerts to ensure all actionable information is displayed. Finally, ensure that all threat intelligence detections are constantly updated.
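What "baselined with normal industrial protocol behavior" means in practice is shown by the following added example (not Nozomi Networks code): it learns which Modbus/TCP function codes each source normally sends to each device, then alerts on conversations or function codes never seen in the learning window and on volumes that exceed a multiple of the learned rate. Write function codes are prioritized because a new writer can change process state. The record format, the rate factor and the sample traffic are all constructed assumptions.

```python
"""Baseline-and-deviate check for constructed Modbus/TCP traffic summaries.
Added example; records are (src, dst, function code) tuples, thresholds assumed."""
from collections import Counter

WRITE_FUNCS = {5, 6, 15, 16}   # Modbus write coil/register(s): change process state

def learn_baseline(records):
    """Build (src, dst) -> Counter{function code: count} from a learning window."""
    baseline = {}
    for src, dst, fc in records:
        baseline.setdefault((src, dst), Counter())[fc] += 1
    return baseline

def check(baseline, records, rate_factor=3):
    """Alert on conversations/function codes absent from the baseline and on
    function codes seen more than rate_factor times their learned count."""
    observed = {}
    for src, dst, fc in records:
        observed.setdefault((src, dst), Counter())[fc] += 1
    alerts = []
    for pair, funcs in observed.items():
        known = baseline.get(pair)
        if known is None:                       # never seen these two hosts talk
            sev = "high" if funcs.keys() & WRITE_FUNCS else "medium"
            alerts.append((sev, "new_conversation", pair, sorted(funcs)))
            continue
        for fc, n in funcs.items():
            if fc not in known:                 # known peers, new operation
                sev = "high" if fc in WRITE_FUNCS else "low"
                alerts.append((sev, "new_function_code", pair, fc))
            elif n > rate_factor * known[fc]:   # known operation, abnormal volume
                alerts.append(("low", "rate_spike", pair, fc))
    return alerts

# Constructed learning window: the HMI polls the PLC with Read Holding
# Registers (3) and occasionally writes a single register (6).
BASELINE = learn_baseline([("10.0.7.10", "10.0.7.50", 3)] * 100
                          + [("10.0.7.10", "10.0.7.50", 6)] * 4)
# Constructed live window: normal polling, a tenfold jump in HMI writes, and a
# workstation never seen before issuing Write Multiple Coils (15) to the PLC.
LIVE = ([("10.0.7.10", "10.0.7.50", 3)] * 110
        + [("10.0.7.10", "10.0.7.50", 6)] * 40
        + [("10.0.5.20", "10.0.7.50", 15)] * 2)

if __name__ == "__main__":
    for alert in check(BASELINE, LIVE):
        print(*alert)
```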

Conclusion

As geopolitical tensions escalate into open conflict, the cyber domain is no longer a parallel battleground; it is an integrated component of modern warfare. Iranian threat actors have historically demonstrated a willingness to blend espionage, disruption and psychological impact operations to advance strategic objectives. In periods of instability, these operations often intensify, targeting critical infrastructure, energy networks, government entities and private industry far beyond the immediate conflict zone.

For defenders, the imperative is clear: assume heightened risk, reduce exposure and strengthen operational resilience. Organizations that combine deep network visibility, strong segmentation between IT and OT, disciplined identity controls and well-tested incident response plans will be best positioned to withstand both opportunistic and coordinated campaigns. Preparedness in cyberspace isn't optional; it is foundational to operational continuity and national resilience.

Recently observed IOCs related to Iranian threat actor activity

  • 37.1.213.152
  • 184.75.210.206
  • 162.0.230.185