
“Flashpoint has [previously] observed notable Iranian attack types, including direct attacks on critical infrastructure such as power grids, water and transportation, often using DDoS attacks against aerospace, oil, gas and telecom sectors,” he shared. “Iranian government-affiliated actors routinely target poorly secured U.S. networks and internet-connected devices for disruptive attacks.”

Iran exploits known vulnerabilities to deploy web shells, which give its actors initial access and a foothold for further reconnaissance, Warnick stated. Because the country's attacks are persistent, defenders need diligent patching, regular security audits and strong intrusion detection to find and remove unauthorized web shells.
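One practical form of the "intrusion detection to remove unauthorized web shells" that Warnick describes is a file-integrity baseline of the web root combined with a content heuristic. The following is an added example, not code from the article or from Flashpoint: it hashes a trusted deployment, then flags files that are new or modified relative to that baseline and files whose contents match a few well-known web-shell constructs. The directory layout, the sample PHP files and the regex list are constructed for the demonstration and would need tuning for a real environment.

```python
"""Baseline-integrity plus heuristic scan for unauthorized web shells.

Added example (not the article's or Flashpoint's code). Builds a SHA-256
manifest of a trusted web root, then reports files that are new or changed
since that manifest, and files matching common web-shell patterns.
All paths and file contents below are constructed in a temporary directory.
"""
import hashlib
import os
import re
import tempfile

# Heuristic signatures (assumption: a small starter list, tune per environment).
SUSPICIOUS_PATTERNS = [
    re.compile(rb"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    re.compile(rb"\b(system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
    re.compile(rb"\bassert\s*\(\s*\$_(GET|POST|REQUEST)\b"),
]


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path (forward slashes) -> sha256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def scan_for_webshells(root, baseline):
    """Return a sorted list of (relative_path, reason) findings.

    A file can produce several findings: one for its baseline status
    (new or modified) and one if its content matches a web-shell pattern.
    Files present in the baseline and unchanged produce nothing unless
    they match a pattern.
    """
    findings = []
    for rel, digest in build_manifest(root).items():
        reasons = []
        if rel not in baseline:
            reasons.append("not in baseline")
        elif baseline[rel] != digest:
            reasons.append("modified since baseline")
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        if any(p.search(data) for p in SUSPICIOUS_PATTERNS):
            reasons.append("matches web-shell pattern")
        findings.extend((rel, r) for r in reasons)
    return sorted(findings)


def demo():
    """Constructed scenario: a clean deployment, then two files tampered with."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "inc"))
        with open(os.path.join(root, "index.php"), "wb") as f:
            f.write(b"<?php echo 'hello'; ?>")
        with open(os.path.join(root, "inc", "db.php"), "wb") as f:
            f.write(b"<?php $dsn = 'mysql:host=localhost'; ?>")
        baseline = build_manifest(root)  # taken at deploy time

        # Simulated post-compromise state: a dropped file and an appended backdoor.
        with open(os.path.join(root, "inc", "cache.php"), "wb") as f:
            f.write(b"<?php eval(base64_decode($_POST['c'])); ?>")
        with open(os.path.join(root, "index.php"), "ab") as f:
            f.write(b"\n<?php system($_GET['cmd']); ?>")
        return scan_for_webshells(root, baseline)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

In practice the manifest is generated from the release artifact at deploy time and stored off-host, so an intruder who can write to the web root cannot also rewrite the baseline; the pattern list catches only the crudest shells and is there to prioritise review, while the baseline diff is what surfaces obfuscated or novel files.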

“Many groups, including Homeland Justice and Moses Staff, engage in data exfiltration and then leak sensitive data on their online platforms (websites, Telegram channels, Twitter) to promote their attacks and propaganda,” he said. “[This] highlights the need for data loss prevention and outbound traffic monitoring.”
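The "outbound traffic monitoring" Warnick calls for can start from ordinary flow records. The following is an added example, not code from the article or from Flashpoint: it aggregates bytes sent from internal hosts to external destinations and raises an alert when a host's volume exceeds a multiple of its established baseline or when it talks to a destination it has never been seen contacting. The flow lines, the per-host baselines, the known-destination lists and the threshold factor are all constructed; the TEST-NET documentation ranges stand in for internet addresses, so "internal" is defined explicitly by address block rather than by the standard library's global/private classification.

```python
"""Outbound-volume and new-destination check over flow records.

Added example (not the article's or Flashpoint's code). Parses simple
key=value flow lines, keeps only internal -> external traffic, and flags
hosts whose outbound volume exceeds FACTOR times their baseline or that
contacted a destination absent from their known-destination set.
Sample flows and baselines below are constructed for the demonstration.
"""
import ipaddress
import re
from collections import defaultdict

FLOW_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+bytes_out=(?P<bytes>\d+)"
)

# Address blocks treated as "inside" (assumption: RFC 1918 plus loopback/link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def aggregate_outbound(lines):
    """Return {src_ip: {dst_ip: bytes}} for internal -> external flows only."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # unparseable line; a real collector would count these
        src, dst = m["src"], m["dst"]
        if not is_internal(src) or is_internal(dst):
            continue  # inbound or lateral traffic is out of scope here
        totals[src][dst] += int(m["bytes"])
    return {s: dict(d) for s, d in totals.items()}


def flag_exfil_candidates(lines, baseline_bytes, known_dsts, factor=5.0):
    """Return sorted (src, reason, detail) alerts.

    reason is "volume" (detail = total external bytes) when the host exceeds
    factor * its baseline, or "new-destination" (detail = dst ip) for each
    external address not in the host's known set. A host with no baseline
    at all is reported on volume, since nothing can be said to be normal.
    """
    alerts = []
    for src, dsts in aggregate_outbound(lines).items():
        total = sum(dsts.values())
        base = baseline_bytes.get(src)
        if base is None or total > factor * base:
            alerts.append((src, "volume", total))
        for dst in sorted(d for d in dsts if d not in known_dsts.get(src, set())):
            alerts.append((src, "new-destination", dst))
    return sorted(alerts, key=lambda a: (a[0], a[1], str(a[2])))


# Constructed sample flows: 10.0.0.5 behaves normally, 10.0.0.9 pushes ~850 MB
# to an address it has never contacted. Internal, inbound and garbage lines are mixed in.
SAMPLE_FLOWS = [
    "2025-06-23T09:00:01 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes_out=120000",
    "2025-06-23T09:00:05 src=10.0.0.5 dst=203.0.113.7 dport=443 bytes_out=95000",
    "2025-06-23T09:01:10 src=10.0.0.9 dst=198.51.100.20 dport=443 bytes_out=734003200",
    "2025-06-23T09:01:15 src=10.0.0.9 dst=198.51.100.20 dport=22 bytes_out=120000000",
    "2025-06-23T09:02:00 src=10.0.0.5 dst=10.0.0.12 dport=445 bytes_out=5000000",
    "2025-06-23T09:02:30 src=192.0.2.44 dst=10.0.0.5 dport=443 bytes_out=2000",
    "garbage line",
]
# Constructed per-host daily baselines (bytes) and previously seen destinations.
BASELINE_DAILY_BYTES = {"10.0.0.5": 300000, "10.0.0.9": 50000000}
KNOWN_DESTINATIONS = {"10.0.0.5": {"203.0.113.7"}, "10.0.0.9": {"203.0.113.7"}}


def demo():
    return flag_exfil_candidates(SAMPLE_FLOWS, BASELINE_DAILY_BYTES, KNOWN_DESTINATIONS)


if __name__ == "__main__":
    for src, reason, detail in demo():
        print(f"{src}: {reason} ({detail})")
```

The baseline and known-destination sets are the part that needs care: they should be built from a period believed clean and refreshed on a schedule, and a volume rule alone misses slow, low-bandwidth exfiltration, which is why the new-destination rule is kept alongside it.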

In addition, groups have specialized in cyber-physical attacks on industrial control systems and operational technology, such as the reported attacks by CyberAv3ngers; defending critical infrastructure against these requires network segmentation and operational technology monitoring.

“They also conduct large-scale disruptive attacks on government and critical infrastructure (e.g., Homeland Justice), requiring robust incident response and redundant systems,” Warnick noted. “DDoS attacks are a frequent tactic (used by Cyber Islamic Resistance), emphasizing the need for mitigation services. Groups like Black Shadow/Tapandegan target financial institutions with disruptive attacks and data leaks. Finally, these groups engage in information warfare via social media, and their interest in supply chain disruption suggests a need for enhanced vendor risk management.”

In Monday’s joint bulletin, the federal agencies outlined commonly used techniques and examples of Iranian cyber campaigns and advised companies to understand the destructive approaches.

“Organizations should review this information to become familiar with the tactics utilized by these malicious cyber actors,” the agencies advised. “Critical infrastructure asset owners and operators should review this guidance to assess their cybersecurity weaknesses and update incident response plans.”