Iranian Cyber Threats Persist Despite Ceasefire, US Intelligence Warns

Despite a declared ceasefire between Iran and Israel and ongoing negotiations towards a permanent resolution of the conflict, Iranian-backed cyber actors and hacktivist groups continue to pose a significant cyber threat. This alarming situation has been highlighted in a security advisory issued by four U.S. federal agencies on June 30, 2025.

The advisory indicates that these Iranian-affiliated threat actors may leverage poorly secured U.S. networks and internet-connected devices to orchestrate disruptive attacks. Their methods typically involve exploiting weak passwords or known vulnerabilities in outdated or unpatched software.

When targeting operational technology (OT), these malicious actors utilize system engineering and diagnostic tools to infiltrate critical components such as engineering and operator devices, performance and security systems, as well as vendor and third-party maintenance systems.

Furthermore, such Iranian-aligned hacktivists might engage in website defacements or leak sensitive information obtained from their victims. There is also a potential for collaboration with financially motivated groups to implement ransomware attacks and cyber extortion campaigns against U.S. organizations.

The advisory explicitly states that entities engaged in the U.S. Defense Industrial Base (DIB), especially those with ties to Israeli research and defense firms, face increased risks. The DIB consists of various domestic and foreign companies supplying essential goods and services to the U.S. Department of Defense (DoD), covering areas such as defense research and development, manufacturing, logistics, and maintenance of military equipment.

Recommendations to Mitigate Cyber Threats from Iranian-Aligned Hacking Groups

The advisory outlines several proactive measures that U.S.-based organizations should consider to reduce the risk posed by Iranian cyber threats:

  • Disconnect OT and industrial control system (ICS) components from the public internet, especially those reliant on remote access technologies (e.g., VNC, RDP, SSH) and web management interfaces. For necessary remote access, it is advisable to enforce a deny-by-default allowlist policy to prevent unauthorized access.
  • Implement stringent authentication protocols by enforcing strong, unique passwords—replacing any default or weak passwords—and apply phishing-resistant multifactor authentication (MFA) for accessing OT networks. Additionally, utilize role-based access controls (RBAC) and conditional access policies for cloud or managed services.
  • Ensure that the latest software patches are applied to all internet-facing systems to guard against known vulnerabilities, and actively monitor user access logs for remote OT network usage and unauthorized configuration alterations.
  • Institute operational safeguards to protect against unauthorized changes, loss of control, or visibility within OT environments. This might include keeping programmable logic controllers (PLCs) in run mode, employing hardware/software interlocks, and maintaining redundant safety systems.
  • Develop robust business continuity and incident response plans, which encompass comprehensive system and data backups for recovery purposes. Regular reviews, updates, and rehearsals of incident response procedures are vital to bolster organizational readiness.
  • Prepare for potential credential leaks by assessing how exfiltrated data could be weaponized and instituting security mechanisms to alleviate the impact of possible breaches.
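As an added illustration of the deny-by-default allowlist and log-monitoring recommendations above (example code written for this page, not part of the advisory), the following Python checks constructed OT remote-access log lines against an allowlist and reports sessions or configuration changes that fall outside it, or that reach OT from an address outside the organization's internal ranges. The log format, addresses, internal ranges and port-to-protocol mapping are all assumptions.

```python
import ipaddress
import re

# Remote-access services the advisory names; ports are conventional defaults (assumed).
REMOTE_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc", 443: "web-mgmt"}

# Assumed internal address ranges; anything else reaching OT is treated as internet-sourced.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed deny-by-default allowlist of (source, destination, protocol).
# Anything not listed here is reported, however routine it looks.
ALLOWLIST = {
    ("10.10.1.5", "10.20.0.7", "ssh"),       # engineering workstation -> PLC
    ("10.10.1.9", "10.20.0.7", "web-mgmt"),  # vendor jump host -> PLC web interface
}

# Constructed log format: "<ts> <event> src=<ip> dst=<ip> dport=<port> user=<name>"
LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<event>session|config_change) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) user=(?P<user>\S+)$"
)

def check_ot_access(lines):
    """Return (ts, reason, src, dst, proto, user) tuples for lines that breach
    the allowlist or show OT being reached from a non-internal address."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped here; a real pipeline should count them
        proto = REMOTE_PORTS.get(int(m["dport"]), f"port{m['dport']}")
        key = (m["src"], m["dst"], proto)
        src_ip = ipaddress.ip_address(m["src"])
        if not any(src_ip in net for net in INTERNAL_NETS):
            findings.append((m["ts"], "OT reached from non-internal address", *key, m["user"]))
        elif key not in ALLOWLIST:
            what = "config change" if m["event"] == "config_change" else "session"
            findings.append((m["ts"], f"{what} outside allowlist", *key, m["user"]))
    return findings

# Constructed sample lines: one permitted SSH session, one RDP session from an
# unlisted host, and one PLC configuration change from a non-internal address.
SAMPLE_LOG = [
    "2025-06-30T08:01:12Z session src=10.10.1.5 dst=10.20.0.7 dport=22 user=eng01",
    "2025-06-30T08:04:40Z session src=10.10.3.44 dst=10.20.0.7 dport=3389 user=helpdesk",
    "2025-06-30T08:09:03Z config_change src=203.0.113.8 dst=10.20.0.7 dport=443 user=admin",
]

if __name__ == "__main__":
    for finding in check_ot_access(SAMPLE_LOG):
        print(*finding)
```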

This advisory, endorsed by the FBI, NSA, U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the DoD’s Cyber Crime Center (DC3), comes shortly after the Department of Homeland Security (DHS) warned U.S. citizens about an elevated risk of cyber-attacks from Iranian state-sponsored threat actors and hacktivists following American military actions against Iranian targets.