
Heightened Cyber Risk Following February 2026 U.S./Israel–Iran Escalation

Arctic Wolf is actively monitoring for new developments in the threat landscape around Iran-affiliated threats, and will alert Managed Detection and Response (MDR) customers if and when relevant malicious activities are observed.

On February 28, 2026, the United States, in coordination with Israel, launched a large-scale military campaign against Iran known as Operation Epic Fury, marking a significant escalation in direct hostilities. The operation involved coordinated air, missile, naval, and cyber strikes targeting Iranian military and nuclear facilities across the country. Iran retaliated with ballistic missile and drone strikes targeting Israeli territory and U.S. military installations across the region, including in Bahrain, Qatar, Kuwait, Jordan, and the United Arab Emirates.

Organizations in North America, the Middle East, the Schengen Area, and the Indo-Pacific, especially those in sectors historically targeted by Iranian threat groups such as energy, defense, transportation, healthcare, and government, should maintain heightened vigilance. Critical infrastructure providers (energy, utilities, telecommunications) and government- or defense-adjacent commercial organizations are particularly at risk, with collateral effects possible across other industries due to interconnected systems and shared third-party dependencies.

Organizations should also anticipate potential disruptions to internet services and increased risk of supply chain attacks, as past Iranian-linked cyber activity has occasionally been indiscriminate, affecting networks in countries not directly involved in the conflict, including U.S. water and wastewater systems, industrial control systems, and international corporate networks.

Historical context

Historically, Iran has launched broad cyber operations in response to military interventions, sanctions, and various geopolitical pressures. These attacks have typically included:

  • Destructive wiper malware campaigns.
  • Distributed Denial of Service (DDoS) attacks.
  • Targeted intrusions, particularly within energy and utility sector networks.
  • with ransomware affiliate actors.

In late 2023, Iranian IRGC-linked cyber actors operating under the alias “CyberAv3ngers” targeted Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) and human-machine interfaces (HMIs). These devices, widely used across critical infrastructure sectors such as water, energy, and manufacturing, were compromised through exploitation of default credentials and publicly exposed systems. The attackers defaced affected systems with political messages and altered device configurations to disrupt operations and complicate recovery efforts.

Previous threat activities tied to Iran have cast a , and have affected countries throughout Europe, Asia, and North America. Historically, this has included Canada, the UK, France, Germany, the Netherlands, India, Kuwait, Pakistan, Qatar, Saudi Arabia, Turkey, United Arab Emirates, China, and South Korea. While some of these operations began as an immediate reaction to Stuxnet in the early 2010s, they later evolved into long-term efforts focusing on intelligence collection, credential harvesting, and infiltration of supply chains, with lasting impact across multiple geographies.

How Arctic Wolf is Responding to Iran-Affiliated Cyber Threats

Arctic Wolf has implemented increased monitoring of organizations in sectors previously affected by Iran-affiliated threat activity. Additionally, Arctic Wolf is actively monitoring for new developments in the threat landscape around Iran-affiliated threats, and will alert Managed Detection and Response (MDR) customers if and when relevant malicious activities are observed.

Recommendations

Reduce Exposure of ICS/SCADA Devices

Due to the geopolitical interest that Iran-affiliated threat actors have historically shown towards ICS/SCADA devices, access to such devices should be minimized as much as possible. Following a 2023  by the IRGC-linked group CyberAv3ngers, CISA issued a  to protect PLCs.

  • Internet exposure of ICS/SCADA devices and other critical infrastructure components should be limited wherever possible.
  • Additionally, robust network segmentation should be implemented where possible to limit the impact of potential compromises and isolate threat actors from being able to move laterally to operationally sensitive networks.
  • Efforts should be made to ensure that default passwords on ICS/SCADA devices are changed to avoid unauthorized access.
  • Finally, critical vulnerabilities in SCADA devices such as  should be patched as soon as possible, as highlighted by CISA.
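The four controls above (limit internet exposure, segment OT from IT, change default credentials, patch) can be checked together against an asset inventory. The script below is an added example, not Arctic Wolf's or CISA's code: the device inventory, the zone names, the first-match firewall rule set and the port numbers (20256 is used here simply as an example PLC management port) are constructed for illustration, and the "minimum safe firmware" values are assumptions rather than vendor guidance. It derives exposure from the rule set rather than from a hand-maintained flag, which is where leftover engineering rules usually hide.

```python
"""Zone-based exposure and hygiene audit for ICS/SCADA devices.

Added example (not from the bulletin). Inventory, zones, ports, rules and
firmware thresholds below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "deny"


@dataclass
class Device:
    name: str
    zone: str
    mgmt_ports: Tuple[int, ...]
    default_creds_changed: bool
    firmware: str
    min_safe_firmware: str   # assumed threshold for "patched"


def is_reachable(rules: Sequence[Rule], src_zone: str, dst_zone: str, port: int) -> bool:
    """First matching rule wins; no matching rule means deny (default-deny)."""
    for r in rules:
        if r.src_zone == src_zone and r.dst_zone == dst_zone and (r.dst_port is None or r.dst_port == port):
            return r.action == "allow"
    return False


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def audit(devices: Sequence[Device], rules: Sequence[Rule],
          untrusted_zones: Sequence[str] = ("internet", "corp-it")) -> Dict[str, List[str]]:
    """Return, per device, the list of control violations found."""
    findings: Dict[str, List[str]] = {}
    for d in devices:
        issues: List[str] = []
        # Exposure and segmentation: any management port reachable from an untrusted zone
        for zone in untrusted_zones:
            for port in d.mgmt_ports:
                if is_reachable(rules, zone, d.zone, port):
                    issues.append(f"port {port} reachable from {zone}")
        if not d.default_creds_changed:
            issues.append("default credentials still in use")
        if version_tuple(d.firmware) < version_tuple(d.min_safe_firmware):
            issues.append(f"firmware {d.firmware} below {d.min_safe_firmware}")
        findings[d.name] = issues
    return findings


# Constructed sample data: a small OT estate and its firewall policy
RULES = [
    Rule("internet", "dmz", 443, "allow"),
    Rule("corp-it", "ot", 20256, "allow"),   # leftover engineering rule (constructed)
    Rule("internet", "ot", None, "deny"),
    Rule("ot-eng", "ot", None, "allow"),
]
DEVICES = [
    Device("plc-water-01", "ot", (20256, 80), False, "9.8.50", "9.8.90"),
    Device("plc-water-02", "ot", (20256,), True, "9.8.90", "9.8.90"),
    Device("hmi-pump-01", "dmz", (443,), True, "1.2.0", "1.2.0"),
]

if __name__ == "__main__":
    for name, issues in audit(DEVICES, RULES).items():
        print(name, "->", "; ".join(issues) if issues else "OK")
```

Because `is_reachable` walks the rule list in order, the audit reports the same answer the firewall would give, so a "deny all from internet" rule placed after a more specific allow is caught rather than assumed to be effective.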

Patch Critical Vulnerabilities Leveraged by Iran-affiliated Threat Actors

The following vulnerabilities have been previously exploited in Iran-affiliated threat campaigns. This has included targeting of VPN gateways and firewalls in various products, including appliances from Pulse Secure, Fortinet, Palo Alto Networks, F5, and Citrix.

Wherever possible, previously targeted software listed here should be prioritized for patching:

CVE             Product                     Threat Actor                  CISA KEV
CVE-2024-30088  Windows Kernel              OilRig/APT34                  Added on 2024-10-15
CVE-2022-47966  Zoho ManageEngine           Mint Sandstorm                Added on 2023-01-23
CVE-2022-42475  Fortinet FortiOS            Fox Kitten / Pioneer Kitten   Added on 2022-12-13
CVE-2021-34473  Microsoft Exchange          Multiple                      Added on 2021-11-03
CVE-2020-5902   F5 BIG-IP TMUI              Fox Kitten                    Added on 2021-11-03
CVE-2020-1472   Microsoft Windows Netlogon  Multiple                      Added on 2021-11-03
CVE-2019-19781  Citrix ADC                  Fox Kitten                    N/A


Block Telegram and Unused Remote Monitoring and Management Tools if Possible

In  Iran-affiliated threat , Telegram has been used as a means of conducting data exfiltration. Additionally, legitimate RMM tools such as Atera, Tactical, SimpleHelp, AnyDesk, ScreenConnect, and RemoteUtilities have been used by Iranian threat actors to evade detection.

If you are not using these tools in your environment, consider blocking them altogether to prevent malicious use.
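Blocking is the strongest control, but where an RMM tool is sanctioned for one team it still helps to flag it on hosts where it should not appear, and to flag Telegram resolution wherever it is not expected. The script below is an added example and not Arctic Wolf's code. The pipe-delimited log format, the hostnames and the sanctioned-tool allowlist are constructed; the tool names come from the bulletin, while the process-path substrings used to recognize each tool are assumptions for illustration rather than vendor-documented binary names.

```python
"""Flag unsanctioned RMM tool execution and Telegram DNS lookups in endpoint logs.

Added example (not from the bulletin). Log format, hosts, allowlist and the
process-path substrings are constructed assumptions.
"""
from typing import List, Optional, Set, Tuple

# Tool names from the bulletin -> lowercase substrings expected in process image paths.
# Substrings are assumptions chosen for the example, not vendor-documented names.
RMM_SIGNATURES = {
    "Atera": ("atera",),
    "Tactical RMM": ("tacticalrmm", "tacticalagent"),
    "SimpleHelp": ("simplehelp",),
    "AnyDesk": ("anydesk",),
    "ScreenConnect": ("screenconnect",),
    "RemoteUtilities": ("remoteutilities", "rutserv", "rfusclient"),
}

TELEGRAM_DOMAINS = ("telegram.org", "t.me")


def classify_process(image_path: str) -> Optional[str]:
    """Return the RMM tool name whose signature appears in the path, else None."""
    lowered = image_path.lower()
    for tool, needles in RMM_SIGNATURES.items():
        if any(n in lowered for n in needles):
            return tool
    return None


def is_telegram(domain: str) -> bool:
    """Exact or subdomain match only; 'telegram.org.example.com' must not match."""
    d = domain.lower().rstrip(".")
    return any(d == base or d.endswith("." + base) for base in TELEGRAM_DOMAINS)


def parse(line: str) -> Tuple[str, str, str, str]:
    """Constructed format: kind|timestamp|host|value (value = image path or queried domain)."""
    kind, ts, host, value = line.split("|", 3)
    return kind, ts, host, value


def detect(lines: List[str], sanctioned: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (host, finding_type, detail) for each suspicious record, in log order."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        kind, _ts, host, value = parse(line)
        if kind == "proc":
            tool = classify_process(value)
            if tool and tool not in sanctioned:
                findings.append((host, "rmm", tool))
        elif kind == "dns" and is_telegram(value):
            findings.append((host, "telegram", value))
    return findings


# Constructed sample log: one workstation running an unsanctioned tool and
# resolving Telegram, one using the sanctioned helpdesk tool, one benign server.
SAMPLE_LOG = [
    r"proc|2026-03-01T10:00:00Z|ws-014|C:\Program Files\AnyDesk\AnyDesk.exe",
    r"dns|2026-03-01T10:01:12Z|ws-014|api.telegram.org",
    r"proc|2026-03-01T10:02:30Z|srv-db-02|C:\Windows\System32\svchost.exe",
    r"proc|2026-03-01T10:03:05Z|ws-022|C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe",
    r"dns|2026-03-01T10:04:40Z|ws-022|updates.example.org",
]
SANCTIONED = {"ScreenConnect"}  # constructed: the helpdesk's approved tool

if __name__ == "__main__":
    for host, kind, detail in detect(SAMPLE_LOG, SANCTIONED):
        print(f"{host}: {kind} -> {detail}")
```

Tuning note: an empty `sanctioned` set turns this into the "block everything" posture the bulletin recommends, and the suffix-aware `is_telegram` avoids the common mistake of substring-matching domains, which would both miss `t.me` lookups and false-positive on look-alike names.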

Adopt Additional Security Best Practices

  • Enforce strong, unique passwords across all systems and enable multi-factor authentication (MFA) for all accounts.
  • Perform continuous security audits and monitoring to proactively identify and respond to suspicious activities and potential threats.
  • Deliver ongoing cybersecurity awareness training to employees, empowering them to recognize and mitigate cyber risks effectively.