
I. Executive Summary
The current geopolitical landscape in the Middle East is marked by a significant escalation in tensions between Israel and Iran, with direct involvement from the United States. This heightened kinetic conflict has created a volatile environment ripe for increased cyber warfare. The recent intensification began with Israeli airstrikes targeting Iranian nuclear and military sites, including critical infrastructure and high-value military commanders.1 In response, Iran has launched retaliatory missile attacks, notably a “limited missile attack” on U.S. forces in Qatar, signaling a clear intent for further “punishment operations”.1 The direct U.S. military intervention, specifically “Operation Midnight Hammer” aimed at dismantling Iran’s nuclear enrichment capacity, further amplifies the cyber threat landscape.4 In light of these developments, the Department of Homeland Security (DHS) has issued advisories warning of likely “low-level cyberattacks” from pro-Iranian hacktivists and potential “targeted intrusions” by government-affiliated actors against U.S. networks, underscoring the immediate nature of the threat.6
Iran operates a highly structured and multi-layered cyber strategy, leveraging both official government entities like the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), alongside a network of private contractors.11 Iran’s cyber capabilities span a range of activities, from sophisticated espionage and data exfiltration to disruptive and destructive attacks. A crucial aspect of Iran’s cyber operations is their strong emphasis on psychological manipulation, aiming to sow fear, disrupt public trust, and control the narrative surrounding purported breaches.5 This approach is evident in instances where Iranian actors fabricate or exaggerate the effects of their cyber activities, as seen with the CyberAv3ngers’ false claims regarding Israel’s Dorad power station, where only a temporary Distributed Denial of Service (DDoS) attack was confirmed, while the primary effort was to create a misleading narrative.13 This deliberate focus on psychological impact means that U.S. and Israeli defense strategies must extend beyond purely technical cybersecurity measures to include robust public communication and counter-disinformation campaigns. Avoiding the inadvertent amplification of Iranian claims is critical, as this directly plays into their strategic objectives.10
Likely targets for Iranian cyber campaigns include critical infrastructure sectors such as water, energy, and healthcare, as well as financial institutions, government networks, and defense-related entities in both Israel and the U.S.5 The U.S. defense posture relies on a collaborative effort involving key government agencies like the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), DHS, the Federal Bureau of Investigation (FBI), and U.S. Cyber Command (USCYBERCOM).19 This defense is guided by national strategies that prioritize risk reduction, bolstering critical infrastructure resilience, and enhancing interagency and public-private information sharing.19
II. Geopolitical Drivers and Iran’s Motivation for Cyber Warfare
The current geopolitical climate in the Middle East is characterized by a rapid escalation of direct military confrontations between Israel and Iran, drawing in the United States. The conflict intensified with Israel’s “surprise barrage of attacks” on June 13, 2025, targeting Iran’s nuclear and military sites, including critical infrastructure and high-ranking military officials.2 These strikes aimed to systematically dismantle Iran’s air defenses and offensive missile capabilities, while also damaging its nuclear enrichment facilities.4 The United States further escalated its involvement on June 21st with “Operation Midnight Hammer,” launching coordinated strikes against three Iranian nuclear facilities at Fordow, Isfahan, and Natanz. This operation, as stated by President Trump, was intended to “destroy Iran’s nuclear enrichment capacity” and eliminate the nuclear threat.4
In direct retaliation, Iran has explicitly vowed “further attacks” and a “punishment operation”.1 This has included a “limited missile attack” on U.S. forces at Qatar’s Al Udeid Air Base, an action described as “more symbolic than harmful” due to advance notice given to Qatar.2 The U.S. has responded to these threats by strategically repositioning military aircraft and warships in the Middle East to protect Israel and prepare for potential Iranian threats against U.S. military installations.1
Iran has a well-established history of deploying “retaliatory cyber operations” in response to military interventions, economic sanctions, and broader geopolitical pressures.5 The Department of Homeland Security (DHS) anticipates a “heightened threat environment” in the U.S., with cyberattacks identified as a highly probable form of Iranian retaliation following recent kinetic actions.4 This strategic choice of cyber warfare is particularly significant given that Iran’s conventional military capabilities are considered “completely outmatched” by Israel.8 Furthermore, the Russian and Chinese-assisted air defense systems in Iran have proven “useless” against Israeli F-35s, highlighting a critical limitation in Iran’s conventional defense.24 This context suggests that cyber warfare serves as Iran’s most viable and preferred asymmetric tool, allowing it to inflict costs, project power, and achieve strategic objectives without risking a disproportionate conventional conflict that it cannot sustain.
Beyond intelligence gathering, Iranian cyberattacks are explicitly used to “intimidate and destabilize political opponents”.11 Iranian actors often prioritize “high-impact, very visible and very inconvenient” targets designed to disrupt daily life and induce societal panic, even if the actual technical damage is contained.9 This aligns directly with their broader psychological warfare objectives.13 The pattern of Iran’s kinetic and cyber responses reveals a deliberate strategy where the perception of impact and capability is prioritized over achieving extensive, deep technical damage. For instance, Iran’s missile attack on the U.S. air base in Qatar was described as “more symbolic than harmful” due to advance notice.5 Similarly, Iranian cyber operations are known to “fabricate and exaggerate their effects” 5 and aim to “get on the nerves of people who aren’t that educated on cyber”.5 The CyberAv3ngers’ false claims about the Dorad power station hack and their defacement of U.S. water systems exemplify this approach.13 This means that for U.S. and Israeli cyber defenders, differentiating between genuine technical compromises and Iranian influence operations or exaggerated claims is crucial. Overreacting to purely symbolic or propagandistic cyber actions could inadvertently serve Iran’s psychological warfare goals, necessitating a calm, factual, and resilient response to deny Iran its desired psychological impact.
III. Iran’s Cyber Capabilities: Structure, Key Groups, and Attack Modus Operandi
A. Command and Control
Iran’s cyber strategy is built upon a “highly structured and multi-layered approach,” which integrates both government-controlled organizations and private contractors to conduct offensive cyber operations.11 This organizational model provides Iran with flexibility and efficiency while ensuring governmental control and ideological alignment.11 The two primary state actors orchestrating Iran’s cyber activities are the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS).11 These entities frequently operate with overlapping objectives, creating a dynamic of both collaboration and internal competition within the Iranian intelligence apparatus.12
The IRGC’s Cyber-Electronic Command, established in 2015, holds specific responsibility for cyber warfare and cybersecurity operations.25 Within the IRGC, the Intelligence Organization focuses on collecting and analyzing information.12 The MOIS plays an expansive role, deeply involved in foreign intelligence operations, gathering information on Iranian opposition groups, and neutralizing perceived threats to the regime. It comprises 15 directorates covering various aspects of security, counterintelligence, foreign operations, and economic activities.12 The IRGC commander, the IRGC Quds Force (IRGC-QF) commander, and the intelligence minister all report directly to Iran’s Supreme Leader, Ali Khamenei, indicating a centralized ultimate authority over strategic cyber objectives.12 The Quds Force, functioning as Iran’s external intelligence and covert operations arm, collaborates closely with the MOIS on managing proxy militias, conducting assassinations, and running disinformation campaigns abroad.12
The Basij militias, a paramilitary organization under IRGC control, reportedly command over 1,000 cyber battalions across the country, suggesting a broad base of potential cyber operatives and a capacity for large-scale, lower-sophistication attacks.11 Furthermore, Iranian foreign officers and diplomats frequently maintain ties to either the MOIS or IRGC, often utilizing embassies, cultural centers, and charities as hubs for espionage, logistical coordination, and intelligence gathering abroad.12 This operational model, characterized by centralized strategic control and decentralized operational execution, allows Iran to be agile and provides plausible deniability for its cyber actions. By using ostensibly independent hacktivist groups or private contractors, often with clear state ties, Iran complicates attribution efforts, making it harder to hold the Iranian state directly accountable under international law. For defenders, this means that any significant “hacktivist” activity aligning with Iranian interests should be considered potentially state-directed or at least state-supported, requiring a more robust and comprehensive response than typical criminal hacktivism.
B. Prominent Advanced Persistent Threat (APT) Groups
Iran fields a diverse array of active APT groups, many with direct links to the IRGC or MOIS, engaged in a spectrum of cyber operations from espionage to disruption and influence campaigns.11
- MuddyWater (Seedworm, Static Kitten, TEMP.Zagros): This state-sponsored APT group has been publicly attributed by U.S. Cyber Command and CISA to the MOIS. Its primary focus is espionage and disruption, targeting government agencies, critical infrastructure, telecommunications, energy, airlines, and media, particularly in the Middle East, including Israel.11 MuddyWater employs sophisticated phishing campaigns, malware-laden documents, custom backdoors, and abuses legitimate tools like Atera for remote monitoring and management.26 It has also deployed the PowGoop loader and Thanos ransomware variants.27
- APT33 (Elfin, Magnallium): A sophisticated cyber espionage group with deep roots in Iran, active since at least 2013.11 APT33 targets sectors vital to global infrastructure, including aerospace, defense, energy, and petrochemicals, with a specific emphasis on infiltrating critical systems in the Middle East, Europe, and North America.11 Known for spear-phishing, password spraying, and credential theft, it utilizes destructive tools like StoneDrill (paralleling Shamoon malware) in high-impact attacks.26 Recent campaigns have seen the deployment of a new custom multi-stage backdoor named Tickler, leveraging Microsoft Azure infrastructure for command-and-control.26
- CyberAv3ngers: CISA assesses this persona to be used by IRGC-affiliated cyber actors, active since at least 2020.7 They gained notoriety for defacing numerous water system displays in the U.S. in late 2023 and have increasingly shifted operations from technical intrusions to psychological manipulation.13 The group has been tied to at least 29 confirmed intrusions into industrial control systems (ICS) and operational technology (OT) environments in the U.S. between November 2023 and April 2024, affecting municipal water utilities, energy networks, and camera systems.13 They compromised internet-exposed, Israeli-made Unitronics PLCs that still carried default credentials.7 CyberAv3ngers utilizes custom Linux-based malware for persistent access 13 and the IOCONTROL modular malware.26 Notably, they have employed AI tools like ChatGPT for reconnaissance, coding, and vulnerability research.26
- APT34 (OilRig, Helix Kitten, Chrysene, Earth Simnavaz): A long-standing Iranian cyberespionage group with confirmed links to the Ministry of Intelligence and Security (MOIS), active since 2014.11 OilRig primarily targets organizations in the Middle East, focusing on the financial, energy, telecom, and government sectors.11 The group is known for its modular malware, PowerShell-based tools, DNS tunneling, and custom backdoors such as Helminth, QUADAGENT, STEALHOOK, MINIBIKE, and MINIBUS.26 They frequently exploit on-premises Microsoft Exchange servers and publicly known vulnerabilities for initial access.26
- Magic Hound (APT 35, Charming Kitten, Cobalt Illusion): Directly tied to the IRGC.11 This group is infamous for its extensive use of social engineering, particularly spear-phishing campaigns designed to harvest credentials or gain access to personal accounts.11 Their targets typically include journalists, researchers, human rights activists, and government officials, especially those critical of the Iranian regime.27 Magic Hound often employs fake personas (e.g., academics, journalists) to build trust and has exploited software vulnerabilities.27 Recently, it has been observed leveraging tactics similar to North Korea’s ‘Dream Job’ campaign.28
- APT 42: Reportedly affiliated with the IRGC Intelligence Organization, this group focuses on the surveillance of individuals and institutions perceived as adversarial to the Iranian regime.27 They utilize cloud-based platforms, mobile spyware, and credential phishing to collect information and monitor dissident activity.27
- Fox Kitten (Pioneer Kitten, Parisite): An Iranian state-sponsored threat group active since at least 2017.26 Fox Kitten specializes in exploiting edge infrastructure vulnerabilities, specifically targeting VPN gateways, Citrix appliances, and remote desktop solutions for initial access.7 Their operations focus on establishing long-term persistence and privilege escalation, often using open-source tools. They have reportedly sold or shared access with other Iranian APTs and have assisted ransomware affiliates by providing initial network access.26
- Agrius (TA455, Smoke Sandstorm): This Iranian threat actor is known for conducting wiper attacks disguised as ransomware, deploying malware families such as Apostle and Deadwood.27 Their primary targets are Israeli organizations.27
- Moses Staff: An Iranian-linked group that employs custom ransomware, defacement, and data leaks to embarrass or undermine targets, primarily focusing on Israeli public and private sector entities.27
- Other notable groups include Tracer Kitten (spearphishing and credential harvesting against Western think tanks, academic institutions, and dissidents), Tortoiseshell (targets IT service providers and supply chain entities), HomeLand Justice (combines ransomware with hacktivist branding), and GreenCharlie (a newer group focusing on cyber espionage).27
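APT34’s DNS tunneling is the kind of activity a resolver log can surface without any endpoint agent. The detector below is an added example written for this page, not tooling from any group or agency discussed in it. It runs over a small constructed resolver log (the line format, the client addresses, and the zone updates-cdn.net are all assumptions made for the example) and flags a client/zone pair when that client sends many distinct, long, high-entropy subdomain labels under one zone. The zone split is deliberately naive (last two labels, no Public Suffix List), which is the first thing to replace before pointing it at real logs.

```python
"""Heuristic DNS-tunneling detector over resolver query logs (standard library only)."""
import math
from collections import defaultdict

# Constructed sample log for this example (not real traffic).
# One line per query: "<epoch> <client_ip> <qname> <qtype>"
HEX = "0123456789abcdef"
# Ten distinct 32-character labels in which every hex digit occurs exactly twice,
# mimicking the high character entropy of encoded tunnel payloads.
TUNNEL_LABELS = [HEX[i:] + HEX[:i] + HEX[::-1] for i in range(10)]

SAMPLE_LOG = [
    "1718800000 10.0.5.21 www.example.com A",
    "1718800001 10.0.5.21 mail.example.com A",
    "1718800002 10.0.5.21 www.example.com A",
    "1718800003 10.0.5.21 api.example.com A",
    "1718800004 10.0.5.21 cdn.example.com AAAA",
] + [
    f"{1718800010 + i} 10.0.5.40 {label}.updates-cdn.net TXT"
    for i, label in enumerate(TUNNEL_LABELS)
]


def shannon_entropy(text):
    """Bits of entropy per character of `text`; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Split a query name into (zone, prefix) using the last two labels as the zone.
    Assumption: no Public Suffix List, so names under e.g. co.uk are mis-split."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_line(line):
    ts, client, qname, qtype = line.split()
    return int(ts), client, qname, qtype.upper()


def profile_queries(lines):
    """Aggregate per (client, zone): distinct prefixes, prefix lengths/entropies, TXT count."""
    stats = defaultdict(lambda: {"prefixes": set(), "lens": [], "ents": [], "txt": 0, "total": 0})
    for line in lines:
        _, client, qname, qtype = parse_line(line)
        zone, prefix = split_qname(qname)
        st = stats[(client, zone)]
        st["prefixes"].add(prefix)
        st["lens"].append(len(prefix))
        st["ents"].append(shannon_entropy(prefix.replace(".", "")))
        st["total"] += 1
        if qtype == "TXT":
            st["txt"] += 1
    return stats


def flag_tunnels(lines, min_unique=8, min_mean_len=20.0, min_mean_entropy=3.0):
    """Return {(client, zone): summary} for pairs whose queries look like a tunnel:
    many distinct, long, high-entropy prefixes under one zone."""
    flagged = {}
    for key, st in profile_queries(lines).items():
        mean_len = sum(st["lens"]) / len(st["lens"])
        mean_ent = sum(st["ents"]) / len(st["ents"])
        if (len(st["prefixes"]) >= min_unique
                and mean_len >= min_mean_len
                and mean_ent >= min_mean_entropy):
            flagged[key] = {
                "unique_prefixes": len(st["prefixes"]),
                "mean_len": mean_len,
                "mean_entropy": mean_ent,
                "txt_ratio": st["txt"] / st["total"],
            }
    return flagged


if __name__ == "__main__":
    for (client, zone), summary in flag_tunnels(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {summary}")
```

On the sample, only the 10.0.5.40 / updates-cdn.net pair is flagged: ten distinct 32-character prefixes, mean entropy 4.0 bits per character, all TXT. The benign client’s www/mail/api/cdn prefixes never reach the uniqueness or length thresholds. Content-delivery and anti-spam zones legitimately generate long, hashed labels, so in production the thresholds need tuning against a baseline and an allowlist of known zones.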
Table 1: Key Iranian APT Groups, Affiliations, and Primary Tactics/Targets
| Group Name (Aliases) | Primary Affiliation | Primary Focus | Key Tactics/Tools | Typical Targets |
|---|---|---|---|---|
| MuddyWater (Seedworm, Static Kitten, TEMP.Zagros) | MOIS-linked | Espionage, Disruption | Sophisticated phishing, Malware-laden documents, Custom backdoors, Abuse of Atera RMM, PowGoop, Thanos ransomware | Government agencies, Critical infrastructure (Telecommunications, Energy), Airlines, Media, Israel, Turkey, Saudi Arabia, Azerbaijan |
| APT33 (Elfin, Magnallium) | State-sponsored | Cyber espionage, Destructive operations | Spear-phishing, Password spraying, Credential theft, StoneDrill wiper, Tickler backdoor, Microsoft Azure C2 | Aerospace, Defense, Energy, Petrochemicals, Critical infrastructure in Middle East, Europe, North America, Saudi Arabia, US, South Korea, UAE |
| CyberAv3ngers | Suspected IRGC-affiliated, Hacktivist front | Psychological operations, Disruptive attacks, ICS/OT targeting | Defacement, DDoS, Exploiting default credentials, Custom Linux malware, IOCONTROL malware, AI tools (ChatGPT) for recon/coding | U.S. water utilities, Energy networks, Camera systems, Israeli-made PLCs, Israeli infrastructure, Western institutions |
| APT34 (OilRig, Helix Kitten, Chrysene, Earth Simnavaz) | MOIS-linked | Cyber espionage | Modular malware, PowerShell tools, DNS tunneling, Custom backdoors (Helminth, QUADAGENT, Stealthhook, MINIBIKE, MINIBUS), Exploiting Microsoft Exchange & public vulnerabilities | Financial, Energy, Telecom, Government sectors across Middle East |
| Magic Hound (APT 35, Charming Kitten, Cobalt Illusion) | IRGC-tied | Cyber espionage, Credential harvesting | Social engineering, Spear-phishing, Fake personas, Exploiting software vulnerabilities, Leveraging ‘Dream Job’ campaign tactics | Journalists, Researchers, Human rights activists, Government officials critical of Iran, Aerospace industry |
| APT 42 | IRGC Intelligence Organization | Surveillance, Human intelligence collection | Cloud-based platforms, Mobile spyware, Credential phishing | Journalists, Researchers, NGOs, Iranian diaspora |
| Fox Kitten (Pioneer Kitten, Parisite) | State-sponsored | Initial access broker, Espionage | Exploiting VPN/edge infrastructure vulnerabilities (Fortinet, Citrix, F5), SSH tunneling, Mimikatz | Corporate networks, Oil & gas, Technology, Government, Defense, Healthcare, Manufacturing, Engineering (Middle East, North Africa, Europe, Australia, North America) |
| Agrius (TA455, Smoke Sandstorm) | State-sponsored | Destructive wiper attacks (disguised as ransomware) | Apostle, Deadwood malware, Legitimate remote access tools, Custom loaders | Primarily Israeli organizations |
| Moses Staff | Iranian-linked | Ransomware, Defacement, Data leaks | Custom ransomware, Telegram for public victim information | Primarily Israeli entities (public and private sector) |
C. Cyberattack Techniques and Tools
Iranian cyber actors employ a diverse toolkit and a range of techniques, often prioritizing effectiveness and psychological impact over sheer technical sophistication.
- Destructive Malware (Wipers): Iran has a history of deploying highly destructive wiper malware, such as Shamoon, which caused “considerable damage” to IT systems in 2012, 2016, and 2018.5 Other groups like APT33 employ StoneDrill 26, and Agrius utilizes Apostle and Deadwood.27 The potential for similar destructive attacks remains a significant concern, particularly as a form of retaliation.5
- Distributed Denial of Service (DDoS) Attacks: These are a frequently used tactic aimed at overwhelming target websites and services with traffic, rendering them inaccessible.7 Historical targets include Israeli radio stations, government websites, telecommunications services 30, major U.S. financial institutions (e.g., Bank of America, JPMorgan Chase, Wells Fargo, in a 2011–2013 campaign for which seven IRGC-linked individuals were indicted in 2016) 17, and even political platforms like President Trump’s Truth Social network.5
- Phishing and Spear Phishing: These remain highly effective techniques for stealing user credentials and gaining initial access to target networks.11 Groups like Charming Kitten 11, MuddyWater 26, APT33 26, and APT 42 27 extensively use these methods, often employing deceptive tactics such as fake login pages, password reset lures, and impersonation.27
- Exploitation of Known Vulnerabilities: Iranian actors consistently exploit publicly known vulnerabilities for initial access, particularly targeting VPN gateways and firewalls from various vendors (e.g., Pulse Secure, Fortinet, Palo Alto Networks, F5, Citrix).7 Specific Common Vulnerabilities and Exposures (CVEs) previously exploited include CVE-2024-30088 (Windows Kernel), CVE-2022-47966 (Zoho ManageEngine), CVE-2022-42475 (Fortinet FortiOS), CVE-2021-34473 (Microsoft Exchange), CVE-2020-5902 (F5 BIG-IP TMUI), CVE-2020-1472 (Microsoft Windows Netlogon), and CVE-2019-19781 (Citrix ADC).7 All of these have vendor patches available, which makes still-unpatched, internet-facing edge devices the practical exposure to check first; a device that sat exposed and unpatched during the exploitation window should be treated as potentially compromised rather than merely patched.
- Targeted Intrusions into Industrial Control Systems (ICS) / Operational Technology (OT): This is a significant and growing area of focus, notably by CyberAv3ngers, who have targeted water, energy, and manufacturing sectors.7 These intrusions often leverage basic security weaknesses such as default credentials and internet-exposed systems.7 Malware like IOCONTROL is specifically designed for Linux-based IoT/OT devices to establish persistent backdoors.26 This continued focus on ICS/OT systems underscores Iran’s intent to cause physical disruption, or the perception of it, leveraging the high societal and economic impact of such attacks.
- Credential Harvesting and Brute Force Attacks: These are common methods employed to compromise networks and obtain credentials, including multi-factor authentication “push bombing” or “fatigue attacks”.15
- Abuse of Legitimate Tools: Iranian threat actors frequently abuse legitimate Remote Monitoring and Management (RMM) tools (e.g., Atera, AnyDesk, SimpleHelp, ScreenConnect, RemoteUtilities) and communication platforms like Telegram for data exfiltration and to evade detection.7
- Emerging Use of AI: CyberAv3ngers has notably leveraged AI tools, including ChatGPT, for tasks such as reconnaissance, coding, and vulnerability research, indicating a trend towards accelerating attack preparation.26 Google’s findings corroborate this, reporting that actors from China, Iran, and North Korea are using its Gemini model to “supercharge cyberattacks,” making them more efficient.31 The adoption of AI by Iranian threat actors, even if not yet a “game changer” in terms of fundamentally new attack types, signifies a critical evolution. It implies that future attacks will be executed with greater speed and scale, and potentially with more precise target identification and initial access. U.S. and Israeli defense strategies therefore need to integrate AI into their own detection, analysis, and prevention mechanisms to maintain parity, and proactive research into AI’s defensive applications is needed to counter the increased efficiency of adversarial AI-assisted campaigns.
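Password spraying and MFA push fatigue, both listed above, leave a distinctive shape in identity-provider logs: one source failing once or twice against many accounts, and a run of rejected or timed-out pushes that ends in an approval. The script below is an added example written for this page (not code from any vendor, agency, or group cited in it); the log line format and every user, address, and timestamp in AUTH_LOG are constructed for the example, and the thresholds are starting points, not tuned values.

```python
"""Detect password spraying and MFA push fatigue in identity-provider logs (standard library only)."""
import re
from collections import defaultdict

# Constructed sample log for this example (format, users, addresses and timestamps are invented).
# One line per event:
#   "<epoch> <LOGIN|MFA_PUSH> user=<name> src=<ip> result=<FAIL|SUCCESS|DENIED|TIMEOUT|APPROVED>"
AUTH_LOG = [
    # Spray: one source, one failed attempt per account, eight accounts in 35 seconds.
    "1718900000 LOGIN user=alice src=203.0.113.7 result=FAIL",
    "1718900005 LOGIN user=bob src=203.0.113.7 result=FAIL",
    "1718900010 LOGIN user=chen src=203.0.113.7 result=FAIL",
    "1718900015 LOGIN user=dana src=203.0.113.7 result=FAIL",
    "1718900020 LOGIN user=erin src=203.0.113.7 result=FAIL",
    "1718900025 LOGIN user=frank src=203.0.113.7 result=FAIL",
    "1718900030 LOGIN user=gita src=203.0.113.7 result=FAIL",
    "1718900035 LOGIN user=hugo src=203.0.113.7 result=FAIL",
    "1718900040 LOGIN user=ivan src=203.0.113.7 result=SUCCESS",
    # Push fatigue: the sprayed password works, the user rejects four pushes, then approves.
    "1718900120 MFA_PUSH user=ivan src=203.0.113.7 result=DENIED",
    "1718900135 MFA_PUSH user=ivan src=203.0.113.7 result=DENIED",
    "1718900150 MFA_PUSH user=ivan src=203.0.113.7 result=TIMEOUT",
    "1718900165 MFA_PUSH user=ivan src=203.0.113.7 result=DENIED",
    "1718900180 MFA_PUSH user=ivan src=203.0.113.7 result=APPROVED",
    # Benign: a typo, a retry, a single approved push.
    "1718900300 LOGIN user=carol src=10.0.8.15 result=FAIL",
    "1718900310 LOGIN user=carol src=10.0.8.15 result=SUCCESS",
    "1718900312 MFA_PUSH user=carol src=10.0.8.15 result=APPROVED",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse(lines):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = int(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda ev: ev["ts"])


def detect_password_spray(lines, window=300, min_users=5):
    """Return {src_ip: distinct_accounts} for sources that fail logins against at least
    `min_users` distinct accounts inside any `window`-second span. The per-account attempt
    count is deliberately ignored: a spray is one or two tries per account, so per-account
    lockout thresholds never trip; the signal is breadth across accounts from one source."""
    fails = defaultdict(list)  # src -> [(ts, user), ...] in time order
    for ev in parse(lines):
        if ev["event"] == "LOGIN" and ev["result"] == "FAIL":
            fails[ev["src"]].append((ev["ts"], ev["user"]))
    hits = {}
    for src, attempts in fails.items():
        best = 0
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            best = max(best, len(users))
        if best >= min_users:
            hits[src] = best
    return hits


def detect_mfa_fatigue(lines, window=600, min_prompts=3):
    """Return [(user, rejected_prompts_before, approve_ts)] for every APPROVED push that
    follows at least `min_prompts` DENIED/TIMEOUT pushes for the same user within `window`."""
    pushes = defaultdict(list)  # user -> [(ts, result), ...] in time order
    for ev in parse(lines):
        if ev["event"] == "MFA_PUSH":
            pushes[ev["user"]].append((ev["ts"], ev["result"]))
    hits = []
    for user, seq in pushes.items():
        for i, (t_ok, result) in enumerate(seq):
            if result != "APPROVED":
                continue
            rejected = sum(
                1 for t, r in seq[:i] if t_ok - t <= window and r in ("DENIED", "TIMEOUT")
            )
            if rejected >= min_prompts:
                hits.append((user, rejected, t_ok))
    return hits


if __name__ == "__main__":
    print("password spray:", detect_password_spray(AUTH_LOG))
    print("mfa fatigue:   ", detect_mfa_fatigue(AUTH_LOG))
```

On the sample, the spray detector reports 203.0.113.7 with eight distinct failed accounts, and the fatigue detector reports ivan’s approval at 1718900180 preceded by four rejected pushes; carol’s single typo and single approved push trigger neither. Real identity-provider exports carry different field names and often a separate correlation ID per sign-in, so the parser is the part to adapt; the two detection loops are unchanged. Number matching in the push prompt removes the fatigue pattern at the source and is the control to prefer over detection alone.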
IV. Probable Targets: Critical Infrastructure and Strategic Assets in Israel and the U.S.
A. Targets in Israel
Iranian-linked groups have explicitly claimed to compromise the Israeli early warning system, Tzofar, which is crucial for alerting civilians to incoming missile attacks.30 While some claims may be exaggerated, the intent to target such critical systems is clear. Israeli radio stations, government websites, and telecommunications services have been subjected to coordinated Distributed Denial of Service (DDoS) attacks, aiming to disrupt public communication and services.30 The purported hack of Israel’s Dorad power station by CyberAv3ngers, although later debunked as psychological manipulation, demonstrated a clear intent to target energy infrastructure.13 The fact that they claimed this attack highlights the sector’s perceived strategic value. The healthcare sector in Israel is also at risk, as evidenced by a kinetic missile strike on Soroka Medical Center 3, and general warnings about the vulnerability of healthcare and public health organizations to Iranian cyber threats.15 The pro-Israeli group Predatory Sparrow’s claims of draining $90 million from Iran’s largest crypto exchange, Nobitex, and attacking the Iranian state bank Bank Sepah 6 indicate that financial institutions are a mutual and highly contested target in the cyber domain.
B. Targets in the United States
DHS warnings consistently highlight various critical infrastructure sectors as historical and likely future targets for Iranian cyber operations. These include water systems, financial institutions, energy pipelines, and government networks.5
- Water and Wastewater: The Iranian-affiliated group CyberAv3ngers notably infiltrated U.S. water utilities in late 2023, exploiting Israeli-made programmable logic controllers (PLCs) and causing “limited but symbolic disruptions”.7
- Energy and Utilities: Oil, gas, electric grids, and pipelines have been previously targeted by Iranian threat actors.7 Historical attacks include destructive wiper malware campaigns and targeted intrusions.7 Custom malware has also been developed to target fuel management systems.5
- Healthcare: U.S. federal authorities have issued warnings about an increased risk of Iranian cyber threats against healthcare and public health sector organizations, including ransomware and DDoS attacks.15 A specific incident includes a thwarted cyberattack on Boston Children’s Hospital in 2021.17
- Transportation and Supply Chains: Ports, rail, and logistics networks have been identified as past targets, indicating their vulnerability in heightened geopolitical tensions.16
The pervasive interconnectedness and often insufficient segmentation within critical infrastructure mean that even a successful, limited breach in one part of the system can have cascading and amplified effects across multiple dependent systems and supply chains.15 This significantly increases the potential impact of an attack, making the entire ecosystem more vulnerable. This highlights that U.S. and Israeli defense strategies must adopt a holistic, ecosystem-wide approach to critical infrastructure protection, meticulously mapping and securing supply chain dependencies, and ensuring robust segmentation between IT and OT networks to contain potential breaches and prevent widespread disruption.
- Financial Institutions: A 2016 indictment revealed that seven individuals linked to the IRGC conducted DDoS attacks against major U.S. banks (e.g., Bank of America, JPMorgan Chase, Wells Fargo), resulting in tens of millions of dollars in losses.17 The financial sector is explicitly anticipated to be a target for destructive wiper and malware attacks.14
- Government Networks: DHS alerts indicate that “low-level cyber-attacks” against U.S. networks by pro-Iranian hacktivists are likely, and that government-affiliated cyber actors may conduct more direct attacks.6 Iranian hackers previously pilfered and distributed sensitive documents from President Donald Trump’s 2024 campaign.6 Cyberespionage against federal government departments is also a noted activity.14
- Psychological Targets: Beyond technical disruption, Iranian hackers may post fabricated screenshots of operational technology (OT) systems to create a “show of force” and generate psychological impact, even if full system control is not achieved.5 Influence operations, involving the use of fake accounts on social media platforms (like Telegram and X) to disseminate demoralizing messages, are also actively underway.14 Iranian cyber campaigns are fundamentally multi-faceted, aiming not just for technical compromise but equally for shaping public perception, undermining trust in institutions, and creating a sense of vulnerability. The technical attacks often serve as a pretext or a component of a larger psychological operation. This necessitates a defense strategy that seamlessly integrates traditional cybersecurity measures with robust public information campaigns and counter-disinformation efforts. Governments and critical infrastructure operators must be prepared to rapidly and transparently communicate accurate information to the public to neutralize Iranian attempts at narrative control and prevent panic.
Table 2: Historical and Likely Future Iranian Cyberattack Targets and Methods against the U.S. and Israel
| Target Sector/Entity | Year(s) of Incident(s) | Key Iranian Group(s) Involved | Primary Attack Method(s) | Impact/Objective | Likely Future Threat Level |
|---|---|---|---|---|---|
| U.S. Water Utilities | Late 2023, Nov 2023-Apr 2024 | CyberAv3ngers, IRGC-linked actors | Exploiting default credentials, Custom Linux malware, Defacement, Symbolic disruption | Limited but symbolic disruption, Psychological impact | High, Persistent |
| Israeli Early Warning System (Tzofar) | Recent days (June 2025) | Iranian-linked groups | Claimed compromise, DDoS | Disrupt public alerts, Psychological impact | High, Persistent |
| U.S. Financial Sector | 2011–2013 (indicted 2016), Recent warnings | IRGC-linked actors, APTs | DDoS attacks, Destructive wiper/malware | Financial loss, Operational disruption, Psychological impact | High, Persistent |
| Israeli Energy and Financial Sectors | Recent days (June 2025) | APT34 (OilRig), CyberAv3ngers | Claimed compromise (Dorad power station), DDoS, IOCONTROL malware | Operational disruption, Data destruction, Psychological impact | High, Persistent |
| U.S. Energy & Utilities (Oil, Gas, Electric Grids, Pipelines) | Historical, Late 2023, Recent warnings | CyberAv3ngers, APTs | Destructive wiper malware, DDoS, Targeted intrusions, Custom malware (fuel management systems) | Operational disruption, Psychological impact | High, Persistent |
| U.S. Healthcare Sector | 2021 (thwarted), Recent warnings | Iranian-linked actors, MuddyWater | Ransomware, DDoS, Brute force, MFA push bombing, Spear-phishing | Operational disruption, Data breaches, Psychological impact | High |
| U.S. Government Networks | 2024 (Trump campaign), Recent warnings | Pro-Iranian hacktivists, Government-affiliated actors, IRGC-CEC | Low-level cyberattacks, Targeted intrusions, Data pilfering, Cyberespionage, DDoS | Data theft, Disruption, Psychological impact | High, Persistent |
| U.S. Political Campaigns | 2024 | Iranian state-backed threat actors | Spear-phishing, Accessing sensitive data | Sow discord, Espionage | Persistent |
| Israeli Radio/Telecom | Recent days (June 2025) | Iranian-linked groups | Coordinated DDoS attacks | Disrupt public communication, Psychological impact | Moderate to High |
| Psychological Targets (Social Media) | Recent days (June 2025) | Iranian accounts, 313 Team | Fabricated screenshots, Demoralizing messages, DDoS (Truth Social) | Narrative control, Erosion of public trust, Psychological impact | Very High, Persistent |
V. Iran’s Cyber Collaboration and Proxy Networks
A. State-Level Cooperation
Iran’s cyber strategy is noted to be in “possible cooperation with Russia”.9 The Office of the Director of National Intelligence (ODNI) 2025 Threat Assessment explicitly states that Iran has become a “key military supplier to Russia,” particularly of Unmanned Aerial Vehicles (UAVs), and in return, Moscow has offered Tehran “military and technical support to advance Iranian weapons, intelligence, and cyber capabilities”.34 Russia is recognized for its advanced cyber capabilities and its unique experience in integrating cyberattacks with wartime military actions, which could potentially amplify its combined impact on U.S. targets in times of conflict.34 However, recent events suggest potential limitations in the practical effectiveness of this military cooperation, as Russian-supplied S-300 air defense systems proved “useless” against Israeli F-35s over Iran.24 This observed limitation in kinetic defense might influence Iran’s reliance on cyber as a primary retaliatory tool, potentially pushing it to seek more direct assistance or inspiration from its cyber allies.
With China, the 2021 China-Iran 25-Year Cooperation Agreement includes provisions for significant investments in key sectors, including energy, banking, transportation, and cybersecurity, indicating a strategic alignment and potential for deeper collaboration in the cyber domain.35 Chinese government-backed breaches of U.S. telecommunications and critical infrastructure have been documented.36 Google’s recent report indicates that Chinese actors are also using its Gemini model to “supercharge cyberattacks,” suggesting a shared interest in leveraging advanced technologies for offensive cyber operations.31
For North Korea, the current geopolitical climate presents an opportunity for Pyongyang to “flex its military muscle and potentially deepen ties with Iran”.37 Experts have warned of potential North Korean assistance to Iran in missile technology and even in providing nuclear materials for “dirty bombs”.37 The ODNI 2025 Threat Assessment identifies North Korea as a state actor challenging U.S. interests through cyber operations.34 Furthermore, Iranian state-sponsored actors, specifically Charming Kitten, have been observed leveraging North Korea’s ‘Dream Job’ spear-phishing campaign tactics, although direct North Korean assistance in these specific attacks remains unclear.28 North Korean state-backed APTs are also noted for their use of AI tools like Gemini.31 While a formal, unified “axis” might be an oversimplification, there is clear evidence of technology sharing, tactical inspiration, and strategic alignment among these states in the cyber domain. This creates a more complex and interconnected adversarial ecosystem for the U.S. and its allies, and Iranian cyber threats cannot be viewed in isolation; they must be understood and countered within that broader ecosystem. Enhanced intelligence sharing among allies regarding the capabilities, tactics, and intentions of all these state actors is critical.
B. State-Backed Hacktivism and Proxies
Iran frequently “may support sympathetic hacktivist groups or create fake ones as fronts for state operations” to obscure attribution and broaden its reach.8 The CyberAv3ngers group is a prime example of this strategy, blurring the lines between independent activism and state-sponsored operations, with strongly suspected ties to Iran’s IRGC.7 The “313 Team,” a Shia hacking group operating in Iraq, claimed responsibility for a DDoS attack on President Trump’s Truth Social network shortly after U.S. strikes, illustrating the role of aligned non-state actors in immediate retaliation.5
Hezbollah, a well-known Iranian proxy, is believed to have a significant presence in Latin America, including Bolivia, Chile, and the tri-border area of Argentina, Brazil, and Paraguay.39 This group has been linked to thwarted terrorism plots against Jewish and Israeli interests in the region.39 This presence suggests a potential for Iran to leverage these proxies for both physical and cyberattacks outside the immediate Middle East conflict zone. A 2023 accord between Bolivia and Iran on cybersecurity and military training further indicates Iran’s interest in expanding its influence and potentially capabilities in the region.39 Iran has a history of “attacking in an asymmetrical manner” and “reacting outside of the country”.39 The established presence of its proxies and growing state-level ties in Latin America provide a plausible avenue for Iran to conduct cyber or even kinetic attacks against U.S. or Israeli interests in a geographically distant and potentially less fortified theater. This means the theater of potential conflict extends beyond the immediate Middle East, requiring U.S. and Israeli intelligence and defense agencies to expand their vigilance and intelligence sharing with Latin American partners to monitor and preempt potential Iranian proxy activities in this region.
VI. U.S. Defense and Protection Strategies Against Iranian Cyber Threats
A. Key Government Agencies
The United States employs a multi-agency, collaborative approach to cyber defense against threats like those posed by Iran.
- Cybersecurity and Infrastructure Security Agency (CISA): CISA is the designated national leader for understanding, managing, and reducing risk to U.S. cyber and physical infrastructure.19 It serves as the operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience.19 CISA actively provides timely alerts, advisories, and comprehensive resources, including the crucial Known Exploited Vulnerabilities (KEV) Catalog, to both government and private sector entities.40 Its strategic plan (2023-2025) emphasizes spearheading national cyber defense and mitigating significant cyber risks to National Critical Functions.23 CISA also plays a pivotal role in coordinating incident response across public and private sectors.41
- National Security Agency (NSA): The NSA leads the U.S. government in cryptology, signals intelligence (SIGINT), and cybersecurity.21 Its core cybersecurity mission is to prevent and eradicate threats to U.S. national security systems, with a particular focus on the Defense Industrial Base (DIB) and enhancing weapons systems security.21 The NSA develops advisories and mitigations for evolving cybersecurity threats and engages in combined defense and offense operations with key government partners.42 It also collaborates with CISA on developing cybersecurity guidance.43
- Department of Homeland Security (DHS): DHS issues National Terrorism Advisory System (NTAS) bulletins to warn the public and private sectors about potential cyber threats, including those from Iran.4 DHS administers the Cyber Safety Review Board (CSRB) through CISA, fostering public-private collaboration in incident review.19
- Federal Bureau of Investigation (FBI): The FBI actively collaborates with CISA and NSA, issuing joint advisories regarding Iranian cyber threats.15 It is involved in investigating and disrupting Iranian plots on U.S. soil, including both kinetic and cyber threats.44
- U.S. Cyber Command (USCYBERCOM): USCYBERCOM is a unified combatant command of the Department of Defense (DoD) responsible for unifying cyberspace operations, strengthening DoD cyber capabilities, and bolstering cyber expertise.20 It operates in both defensive and offensive cyber operations, with missions including U.S. election defense, counter-ransomware operations, global hunt operations to combat foreign malicious cyber actors, and providing support to national security operations.20 USCYBERCOM’s Cyber National Mission Force (CNMF) conducts global hunt operations to identify malicious cyber activity and vulnerabilities on significant networks, having been requested in 18 countries and over 50 foreign networks since 2018.20
B. National Cybersecurity Strategy and Frameworks
U.S. cyber defense is guided by comprehensive national strategies and frameworks designed to enhance resilience and response capabilities. President Biden’s National Cybersecurity Strategy aims to rebalance the responsibility for cyber defense onto more capable actors and realign incentives for long-term cybersecurity investments.22 The National Cybersecurity Strategy Implementation Plan (NCSIP) serves as a roadmap, outlining 100 high-impact initiatives across five pillars, including setting cybersecurity requirements for critical infrastructure sectors, integrating federal cybersecurity centers, and disrupting and dismantling threat actors.22
CISA’s 2023-2025 Strategic Plan further details the agency’s commitment to spearhead national cyber defense, reduce risks to critical infrastructure, and strengthen “whole-of-nation operational collaboration and information sharing”.23 This emphasis on collaboration extends to state, local, tribal, and territorial (SLTT) governments, the private sector, and international partners.19
The National Institute of Standards and Technology (NIST) provides foundational guidelines for cybersecurity, including the NIST framework for incident response. This framework outlines a structured process for organizations to prepare for, detect, contain, and recover from security incidents, emphasizing continuous improvement.46 Federal agencies are mandated to adhere to NIST guidelines for demonstrating incident response capabilities under the Federal Information Security Modernization Act (FISMA).47
C. Defensive Measures and Best Practices
Effective defense against Iranian cyber threats requires a multi-layered approach incorporating both technical and procedural measures.
- Vulnerability Management and Patching: Prioritizing the patching of known vulnerabilities, especially those previously exploited by Iranian threat actors, is critical.7 This includes vulnerabilities in Windows Kernel (CVE-2024-30088), Zoho ManageEngine (CVE-2022-47966), Fortinet FortiOS (CVE-2022-42475), Microsoft Exchange (CVE-2021-34473), F5 BIG-IP TMUI (CVE-2020-5902), Microsoft Windows Netlogon (CVE-2020-1472), and Citrix ADC (CVE-2019-19781).7 CISA and NSA also issue guidance on reducing memory-related vulnerabilities in software development.43
- Access Control and Authentication: Enforcing strong, unique passwords across all systems and enabling multi-factor authentication (MFA) for all accounts are fundamental.7 Monitoring for credential reuse, especially for administrative accounts, is also advised.16 Iranian government-affiliated actors are known to utilize brute force methods, such as password spraying and MFA “push bombing,” to compromise networks and obtain credentials.15
- Network Segmentation and Hardening: Robust network segmentation is crucial to limit the impact of potential compromises and prevent lateral movement to sensitive operational networks, particularly between IT and OT layers.7 Disabling unused services or ports and minimizing internet exposure of ICS/SCADA devices are essential hardening measures.7 The continued targeting of legacy and poorly secured ICS/OT systems, often through default credentials and publicly exposed systems, highlights that fundamental cyber hygiene remains a paramount defensive measure.7
- Incident Response Planning: Organizations must have a well-defined and regularly tested Incident Response Plan (IRP) that includes clear escalation paths, communication protocols, and backup procedures.16 This aligns with the NIST incident response framework, which emphasizes preparation, detection/analysis, containment/eradication, and post-incident activity.46
- Threat Intelligence Sharing: Leveraging threat intelligence is critical for strengthening cybersecurity defenses, allowing organizations to anticipate and mitigate risks proactively.48 Government agencies encourage this sharing, especially in regulated industries like finance and critical infrastructure.48 Platforms like the Cyber Threat Alliance (CTA) facilitate secure, timely exchange of threat intelligence among cybersecurity companies.48
- Supply Chain Security: Given the increasing reliance on third-party vendors and the potential for supply chain compromise, securing the supply chain is vital.32 The FDA emphasizes embedding cybersecurity into advanced technologies used in medical product manufacturing, and federal programs like FedRAMP ensure security requirements for cloud systems.33
- Cyber Hygiene and Awareness Training: Embedding cyber hygiene in society from an early age is crucial, as the human factor remains the weakest link in the cybercrime chain, responsible for almost 70% of incidents.36 Ongoing cybersecurity awareness training for employees empowers them to recognize and mitigate cyber risks effectively.7
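The vulnerability-management bullet above asks operators to prioritize the CVEs Iranian actors have exploited before, using the CISA KEV Catalog as the reference list. The script below is an added example of that triage, not code from this report or from CISA: it cross-references a small asset inventory against a catalogue fragment that uses the KEV JSON feed’s field names. Only the seven CVE identifiers are taken from the text; the product names, the due dates, the ransomware flags and the inventory are constructed placeholders, and a real run would load the live feed and match assets by CPE rather than by product name.

```python
"""Cross-reference an asset inventory against a KEV-style catalogue.

Added example for the report's patching recommendation, not code from the
report or from CISA. Only the seven CVE identifiers come from the report; the
catalogue entries, product names, due dates, ransomware flags and the asset
inventory are constructed sample data that follow the field names of CISA's
KEV JSON feed (the real feed carries more fields and the real dates).
"""
import json
from dataclasses import dataclass, field
from datetime import date

# Constructed, KEV-shaped catalogue. dueDate and knownRansomwareCampaignUse
# values are placeholders, NOT the catalogue's real data.
KEV_JSON = """
{
  "title": "constructed sample using KEV field names",
  "vulnerabilities": [
    {"cveID": "CVE-2024-30088", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2025-07-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2022-47966", "vendorProject": "Zoho", "product": "ManageEngine",
     "dueDate": "2025-07-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2022-42475", "vendorProject": "Fortinet", "product": "FortiOS",
     "dueDate": "2025-07-15", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2021-34473", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dueDate": "2025-07-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2020-5902", "vendorProject": "F5", "product": "BIG-IP",
     "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2020-1472", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2019-19781", "vendorProject": "Citrix", "product": "ADC",
     "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""


@dataclass
class Asset:
    name: str
    product: str                  # matched against the KEV "product" field
    internet_exposed: bool
    remediated: set = field(default_factory=set)   # CVE IDs already fixed or mitigated


# Constructed inventory (hostnames and state are illustrative).
SAMPLE_ASSETS = [
    Asset("vpn-gw-01", "FortiOS", True),
    Asset("mail-01", "Exchange Server", True, {"CVE-2021-34473"}),
    Asset("dc-01", "Windows", False, {"CVE-2020-1472"}),
    Asset("lb-01", "BIG-IP", True),
]


def load_kev(raw: str) -> dict:
    """Map cveID -> catalogue entry from a KEV-shaped JSON document."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def find_exposures(assets, kev, today):
    """Return (asset, cveID, dueDate, overdue) for catalogue entries that apply to
    an asset's product and are not recorded as remediated, most urgent first:
    internet-exposed assets, then entries already past their due date, then the
    earliest due date, then entries linked to ransomware campaigns."""
    hits = []
    for a in assets:
        for e in kev.values():
            if e["product"].lower() != a.product.lower() or e["cveID"] in a.remediated:
                continue
            hits.append((a, e, date.fromisoformat(e["dueDate"])))
    hits.sort(key=lambda h: (not h[0].internet_exposed,
                             not (h[2] < today),
                             h[2],
                             h[1]["knownRansomwareCampaignUse"] != "Known"))
    return [(a.name, e["cveID"], due.isoformat(), due < today) for a, e, due in hits]


if __name__ == "__main__":
    for name, cve, due, overdue in find_exposures(SAMPLE_ASSETS, load_kev(KEV_JSON), date(2025, 6, 24)):
        print(f"{name:10} {cve:16} due {due} {'OVERDUE' if overdue else ''}")
```

The sort key encodes the triage order the bullet implies: an internet-facing appliance with an unpatched catalogued CVE outranks an internal host, and an entry whose federal remediation date has already passed outranks one that has not. Swap the constructed `KEV_JSON` for the live feed and the placeholder inventory for a CMDB export and the function is unchanged.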
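The access-control bullet above names two brute-force techniques attributed to Iranian government-affiliated actors, password spraying and MFA “push bombing,” and recommends monitoring for them. The following detector is an added example written for this section, not code from the report or from any vendor: it runs two sliding-window checks over a few constructed, vendor-neutral key=value log lines (source addresses from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges). A real deployment would map its identity provider’s own event schema onto the same four fields.

```python
"""Spot password spraying and MFA push bombing in authentication logs.

Added example for the report's access-control bullet, not code from the report.
The log lines below are constructed in a simple vendor-neutral key=value form;
event names, users and addresses are illustrative.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one spray source, one single-account brute force, one
# benign MFA prompt and one push-bombing burst that ends in an approval.
SAMPLE_LOG = """\
2025-06-24T02:00:01Z event=login_failed user=alice src=203.0.113.7
2025-06-24T02:00:03Z event=login_failed user=bob src=203.0.113.7
2025-06-24T02:00:05Z event=login_failed user=carol src=203.0.113.7
2025-06-24T02:00:07Z event=login_failed user=dave src=203.0.113.7
2025-06-24T02:00:09Z event=login_failed user=erin src=203.0.113.7
2025-06-24T02:00:11Z event=login_failed user=frank src=203.0.113.7
2025-06-24T02:01:00Z event=login_failed user=svc-backup src=198.51.100.9
2025-06-24T02:01:02Z event=login_failed user=svc-backup src=198.51.100.9
2025-06-24T02:01:04Z event=login_failed user=svc-backup src=198.51.100.9
2025-06-24T02:01:06Z event=login_failed user=svc-backup src=198.51.100.9
2025-06-24T02:01:08Z event=login_failed user=svc-backup src=198.51.100.9
2025-06-24T02:05:00Z event=mfa_push_sent user=alice
2025-06-24T02:05:09Z event=mfa_push_approved user=alice
2025-06-24T02:10:00Z event=mfa_push_sent user=carol
2025-06-24T02:10:20Z event=mfa_push_denied user=carol
2025-06-24T02:10:40Z event=mfa_push_sent user=carol
2025-06-24T02:11:00Z event=mfa_push_denied user=carol
2025-06-24T02:11:20Z event=mfa_push_sent user=carol
2025-06-24T02:11:40Z event=mfa_push_denied user=carol
2025-06-24T02:12:00Z event=mfa_push_sent user=carol
2025-06-24T02:12:30Z event=mfa_push_approved user=carol
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) event=(?P<event>\S+) user=(?P<user>\S+)(?: src=(?P<src>\S+))?$")


def parse(log: str) -> list:
    """Parse key=value lines into time-sorted dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()            # src is None for MFA events without a source
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def _windows(evs, window):
    """For each event, yield the run of preceding events (inclusive) that fits in `window`."""
    start = 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        yield evs[start:end + 1]


def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """One source, many accounts, few tries each: the spraying pattern.
    A single account hammered from one source (classic brute force) has only
    one distinct user and is deliberately not reported by this check."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed" and e["src"]:
            by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        best = None
        for run in _windows(evs, window):
            users = Counter(e["user"] for e in run)
            if len(users) >= min_users and max(users.values()) <= max_per_user:
                if best is None or len(users) > len(best):
                    best = users
        if best:
            findings.append({"type": "password_spray", "src": src, "users": sorted(best)})
    return findings


def detect_push_bombing(events, window=timedelta(minutes=5), min_pushes=4):
    """Repeated push prompts to one user in a short window; an approval after
    the burst began is the high-severity case (prompt fatigue led to acceptance)."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push_sent":
            by_user[e["user"]].append(e)
    findings = []
    for user, pushes in by_user.items():
        for run in _windows(pushes, window):
            if len(run) >= min_pushes:
                approved = any(e["event"] == "mfa_push_approved" and e["user"] == user
                               and e["ts"] >= run[0]["ts"] for e in events)
                findings.append({"type": "mfa_push_bombing", "user": user,
                                 "pushes": len(run), "approved_after": approved})
                break
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for finding in detect_spraying(evs) + detect_push_bombing(evs):
        print(finding)
```

The spraying check keys on the source rather than the account precisely because each account sees only one or two failures and never trips a per-account lockout, which is what makes the technique attractive. The push-bombing check treats a later approval as the escalation trigger: that is the event at which a fatigued user has handed over the second factor and the account should be treated as compromised rather than merely harassed.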
D. International Cooperation and Information Sharing
In an era where cyber threats seamlessly bypass national boundaries, focusing solely on internal cyber defense is inadequate.36 The globalized technology market means devices and software are built from components sourced worldwide, including from potential adversaries, making it impossible for a country to be resilient against cybercrimes by protecting only its borders.36
Over the past few years, all NATO member states have made significant efforts to enhance cross-border collaboration and counter emerging cyber threats.36 Rapid intelligence sharing, multinational cyber drills (like TRYZUB, which leverages Ukrainian experience with Russian APTs), and public-private partnerships are crucial for strengthening cyber resilience and staying ahead of adversaries.36 These partnerships, such as those between Ukrainian state cyber forces and U.S.-based companies, demonstrate effective models for sharing war-tested experience in withstanding advanced persistent threats.36
VII. Conclusions and Recommendations
The escalating geopolitical tensions between Iran, Israel, and the United States have significantly heightened the risk of a widespread and impactful cyberattack campaign. Iran, facing limitations in conventional military capabilities, views cyber warfare as a primary asymmetric tool for retaliation, deterrence, and, crucially, psychological manipulation. Its cyber strategy is characterized by centralized control but decentralized execution, often leveraging state-backed hacktivist groups to obscure attribution and amplify perceived impact. The increasing adoption of AI tools by Iranian actors signals a future where attacks will be more efficient and scalable. Furthermore, the persistent targeting of legacy and poorly secured Industrial Control Systems (ICS) and Operational Technology (OT) highlights a pragmatic focus on high-impact targets with easily exploitable vulnerabilities.
The interconnectedness of critical infrastructure means that even limited breaches can have cascading effects, posing a dual threat of technical disruption and information warfare aimed at eroding public trust. While Iran’s state-level cyber collaborations with Russia, China, and North Korea create a complex adversarial ecosystem, the practical effectiveness of these partnerships in all domains may vary, potentially driving Iran to lean more heavily on its indigenous cyber capabilities and less sophisticated, high-volume attacks. The potential for Iranian proxies, such as Hezbollah, to conduct cyber or kinetic operations in regions like Latin America also expands the theater of concern beyond the immediate Middle East.
To effectively protect itself against this evolving threat, the United States should implement the following recommendations:
- Prioritize Fundamental Cyber Hygiene and Resilience: Aggressively enforce patching of known vulnerabilities, particularly those in the CISA KEV Catalog, and ensure robust multi-factor authentication across all systems. Critical infrastructure operators must prioritize network segmentation, minimize internet exposure of ICS/SCADA devices, and change all default passwords. These basic measures remain the most effective defense against many common Iranian tactics.
- Enhance AI-Driven Defense Capabilities: Rapidly integrate AI into U.S. cyber defense mechanisms for detection, analysis, and prevention. Proactive research into AI’s defensive applications is crucial to counter the increased efficiency of adversarial AI-assisted campaigns.
- Strengthen Public Communication and Counter-Disinformation: Develop and execute robust public communication strategies to counter Iranian psychological operations. This includes rapidly and transparently communicating accurate information during and after cyber incidents to neutralize Iranian attempts at narrative control and prevent public panic. Avoid inadvertently amplifying exaggerated claims by Iranian actors.
- Deepen Intelligence Sharing and International Collaboration: Intensify intelligence sharing with allies, particularly Israel and NATO partners, regarding the evolving tactics, techniques, and procedures (TTPs) of Iranian APTs and their state-level collaborators (Russia, China, North Korea). Engage in more multinational cyber drills and public-private partnerships to enhance collective defense capabilities and share lessons learned from real-world incidents.
- Expand Vigilance to Non-Traditional Theaters: Extend intelligence gathering and defensive measures to regions like Latin America, where Iranian proxies may seek to exploit “soft targets” to conduct cyber or kinetic attacks against U.S. or Israeli interests. This requires a broader geopolitical and cybersecurity lens to anticipate and mitigate threats.
- Reinforce Supply Chain Security: Implement stringent cybersecurity requirements for all third-party vendors and supply chain entities, especially those involved in critical infrastructure, to mitigate the risk of compromise through trusted suppliers.
Works cited
- Intense Israeli strikes hit Tehran after Trump demands ‘unconditional surrender’, accessed June 24, 2025, https://apnews.com/article/israel-iran-missile-attacks-nuclear-news-tehran-trump-06-17-2025-3f08988b5e8fd375645967b6e22916f3
- Travel disruptions still hit Middle East in wake of US-Israel-Iran conflict, accessed June 24, 2025, https://www.aljazeera.com/news/2025/6/24/travel-disruptions-still-hit-middle-east-in-wake-of-us-israel-iran-conflict
- Trump says he’ll decide whether US will directly attack Iran within 2 weeks, accessed June 24, 2025, https://apnews.com/article/israel-iran-attacks-nuclear-news-06-19-2025-b508817b78ed8d2f6067c1516215cf94
- The Latest: US claims strikes on Iran’s nuclear sites caused severe damage but full impact unclear, accessed June 24, 2025, https://apnews.com/article/israel-palestinians-iran-war-latest-06-22-2025-7ab46578cb56feecc16f4e4940a46e0a
- Warnings Ratchet Over Iranian Cyberattack – BankInfoSecurity, accessed June 24, 2025, https://www.bankinfosecurity.com/warnings-ratchet-over-iranian-cyberattack-a-28793
- DHS expects Iran’s cyber forces will target US networks after strikes on nuclear sites, accessed June 24, 2025, https://www.nextgov.com/cybersecurity/2025/06/dhs-expects-irans-cyber-forces-will-target-us-networks-after-strikes-nuclear-sites/406214/
- Cybersecurity Risks Amid Rising Iran–U.S. Tensions – Arctic Wolf, accessed June 24, 2025, https://arcticwolf.com/resources/blog/cybersecurity-risks-amid-rising-iran-u-s-tensions/
- Bay Area technology experts comment on possibility of cyberattacks following U.S. strikes on Iran – CBS News, accessed June 24, 2025, https://www.cbsnews.com/sanfrancisco/news/us-iran-strikes-potential-cyberattacks-bay-area-tech-experts-comment/
- NTAS bulletin highlights rising cyber, terror threats to US critical infrastructure from Iran-linked hackers, accessed June 24, 2025, https://industrialcyber.co/threat-landscape/ntas-bulletin-highlights-rising-cyber-terror-threats-to-us-critical-infrastructure-from-iran-linked-hackers/
- US Warns of Heightened Risk of Iranian Cyber-Attacks After Military Strikes, accessed June 24, 2025, https://www.infosecurity-magazine.com/news/us-risk-iranian-cyber-attacks/
- Iran’s cyber capabilities and hackers – German Lawyer Ferner, accessed June 24, 2025, https://www.ferner-alsdorf.com/irans-cyber-capabilities-and-hackers/
- Analysis: Unpacking Iran’s counterintelligence apparatus – FDD’s Long War Journal, accessed June 24, 2025, https://www.longwarjournal.org/archives/2025/02/analysis-unpacking-irans-counterintelligence-apparatus.php
- Report: Iranian hackers are trying to create a psychological war in cyberspace – Nextgov, accessed June 24, 2025, https://www.nextgov.com/cybersecurity/2025/06/report-iranian-hackers-are-trying-create-psychological-war-cyberspace/406267/
- Iran cyberattacks against US biz more likely following air strikes – The Register, accessed June 24, 2025, https://www.theregister.com/2025/06/23/iran_cyberattacks_against_us/
- Feds Warn Healthcare Sector of Rising Iranian Cyberthreats – BankInfoSecurity, accessed June 24, 2025, https://www.bankinfosecurity.com/feds-warn-healthcare-sector-rising-iranian-cyberthreats-a-28804
- Cyber Threats to U.S. Critical Infrastructure: What’s Going On and How to Stay Prepared, accessed June 24, 2025, https://www.bitlyft.com/resources/cyber-threats-to-u.s.-critical-infrastructure-whats-going-on-and-how-to-stay-prepared
- Iran may hit US with ‘high-impact’ cyberattack as Israel tensions rise, expert warns, accessed June 24, 2025, https://www.fox5dc.com/news/iran-may-hit-us-high-impact-cyberattack-israel-tensions-rise-expert-warns
- Cyber Threats Linked to Iran-Israel Conflict – ReliaQuest, accessed June 24, 2025, https://reliaquest.com/blog/cyber-threats-linked-to-iran-israel-conflict/
- Cybersecurity | Homeland Security, accessed June 24, 2025, https://www.dhs.gov/topics/cybersecurity
- United States Cyber Command – Wikipedia, accessed June 24, 2025, https://en.wikipedia.org/wiki/United_States_Cyber_Command
- About the National Security Agency – Intelligence Careers, accessed June 24, 2025, https://www.intelligencecareers.gov/nsa/about-nsa
- NATIONAL CYBERSECURITY STRATEGY IMPLEMENTATION PLAN – Biden White House Archives, accessed June 24, 2025, https://bidenwhitehouse.archives.gov/wp-content/uploads/2024/05/National-Cybersecurity-Strategy-Implementation-Plan-Version-2.pdf
- Strategic Plan – CISA, accessed June 24, 2025, https://www.cisa.gov/strategic-plan
- Russiaworld, Iran and a Cascade of Collapse – CEPA, accessed June 24, 2025, https://cepa.org/article/russiaworld-iran-and-a-cascade-of-collapse/
- Islamic Revolutionary Guard Corps Cyber Command – Wikipedia, accessed June 24, 2025, https://en.wikipedia.org/wiki/Islamic_Revolutionary_Guard_Corps_Cyber_Command
- Middle East Geopolitical Tensions Driving the Evolution of AI-Driven …, accessed June 24, 2025, https://www.cyberproof.com/blog/middle-east-geopolitical-tensions-driving-the-evolution-of-ai-driven-cyber-warfare/
- Inside the Shadows: Understanding Active Iranian APT Groups, accessed June 24, 2025, https://www.picussecurity.com/resource/blog/understanding-active-iranian-apt-groups
- Iranian hackers now leveraging NK’s ‘Dream Job’ campaign – Field Effect, accessed June 24, 2025, https://fieldeffect.com/blog/iranian-hackers-now-leveraging-nks-dream-job-campaign
- Feds Warn Healthcare Sector of Rising Iranian Cyberthreats, accessed June 24, 2025, https://www.govinfosecurity.com/feds-warn-healthcare-sector-rising-iranian-cyberthreats-a-28804
- Cyber war: Iranian & Israeli hackers in a systems war | IT Security – BearingPoint Store, accessed June 24, 2025, https://bearingpoint.services/it-security/en/know-how/cybersecurity-insights-cyberattacks-iran-israel-critical-infrastructure/
- Generative AI makes Chinese, Iranian hackers more efficient, report says – VOA, accessed June 24, 2025, https://www.voanews.com/a/generative-ai-makes-chinese-iranian-hackers-more-efficient-report-says/7956403.html
- Top 10 Cybersecurity Risks Threatening Critical Infrastructure Today …, accessed June 24, 2025, https://www.certrec.com/blog/top-10-cybersecurity-risks-threatening-critical-infrastructure-today/
- FDA warns of public health risks from lax cybersecurity in medical …, accessed June 24, 2025, https://industrialcyber.co/medical/fda-warns-of-public-health-risks-from-lax-cybersecurity-in-medical-product-manufacturing-calls-for-stronger-standards/
- ODNI 2025 Threat Assessment notes threats from Russia, China, Iran, North Korea targeting critical infrastructure, telecom – Industrial Cyber, accessed June 24, 2025, https://industrialcyber.co/reports/odni-2025-threat-assessment-notes-threats-from-russia-china-iran-north-korea-targeting-critical-infrastructure-telecom/
- War in Iran: China’s Short- and Long-term Strategic Calculations – The Diplomat, accessed June 24, 2025, https://thediplomat.com/2025/06/war-in-iran-chinas-short-and-long-term-strategic-calculations/
- Bridging the Gap in Cross-Border Cyber Defense Strategies …, accessed June 24, 2025, https://www.afcea.org/signal-media/cyber-edge/bridging-gap-cross-border-cyber-defense-strategies
- Experts Assess Iran Strikes, Response and What Comes Next – The Cipher Brief, accessed June 24, 2025, https://www.thecipherbrief.com/experts-assess-strikes-response-and-what-comes-next
- Cyber Crossroads in the Indo-Pacific | CNAS, accessed June 24, 2025, https://www.cnas.org/publications/reports/cyber-crossroads-in-the-indo-pacific
- Explainer: Iran’s Relationship with Latin America – AS/COA, accessed June 24, 2025, https://www.as-coa.org/articles/explainer-irans-relationship-latin-america
- Cyber Threats and Advisories | Cybersecurity and Infrastructure …, accessed June 24, 2025, https://www.cisa.gov/topics/cyber-threats-and-advisories
- National Cybersecurity Incident Response Plan – FDD, accessed June 24, 2025, https://www.fdd.org/analysis/2025/02/12/national-cybersecurity-incident-response-plan/
- NSA Cybersecurity – National Security Agency, accessed June 24, 2025, https://www.nsa.gov/Cybersecurity/Overview/
- New Guidance Released for Reducing Memory-Related … – CISA, accessed June 24, 2025, https://www.cisa.gov/news-events/alerts/2025/06/24/new-guidance-released-reducing-memory-related-vulnerabilities
- As US cities heighten security, Iran’s history of reprisal points to murder-for-hire plots, accessed June 24, 2025, https://apnews.com/article/iran-fbi-justice-department-46d6b7dec78dca861a32c901f8e3b307
- United States Cyber Command (Cyber National Mission Force section) – Wikipedia, accessed June 24, 2025, https://en.wikipedia.org/wiki/United_States_Cyber_Command#:~:text=The%20Cyber%20National%20Mission%20Force%20operates%20in%20both%20defensive%20and,support%20to%20national%20security%20operations.
- NIST Incident Response: 4-Step Life Cycle, Templates and Tips – Cynet, accessed June 24, 2025, https://www.cynet.com/incident-response/nist-incident-response/
- NIST Incident Response: Framework and Key Recommendations – BlueVoyant, accessed June 24, 2025, https://www.bluevoyant.com/knowledge-center/nist-incident-response-framework-and-key-recommendations
- Threat Intelligence Sharing: Can Competitors Collaborate To Strengthen Cyber Defense?, accessed June 24, 2025, https://brandefense.io/blog/drps/threat-intelligence-sharing-cyber-defense/