Last updated: May 14, 2026 at 10:49 AM UTC
Tag: iran (2 articles)

Iran operating like a criminal actor, ex-NSA director says - opportunistic credentials and amplification, not novel exploits

At the Asness Summit in Nashville on April 24, former NSA director Tim Haugh and Mandiant founder Kevin Mandia argued Iran's current cyber posture more closely resembles a criminal actor than a sophisticated APT - reliant on dark-web-purchased credentials, basic security gaps, and information operations to amplify modest intrusions. They cited the March 11 Stryker attack as the template: no malware, no zero-day, just legitimate credentials used to abuse MDM and delete data the attacker had permission to delete. Mandia's CISO advice: assume valid credentials for your staff are already on sale and build detection around their misuse.

Check
Run a credential-monitoring service against your domain this week and put alerts in place for impossible-travel and unusual-MDM-action patterns on admin accounts.
Affected
Any organization with US or Israeli ties, plus their suppliers and contractors, fits the Iranian targeting profile. Acute risk: organizations where MDM, RMM, or any endpoint-management platform can issue destructive commands without out-of-band approval; environments without credential-monitoring services watching dark-web markets for staff logins.
Fix
Subscribe to a credential-monitoring service (HaveIBeenPwned Enterprise, SpyCloud, Flare) and alert on staff credentials surfacing in stealer logs. Require step-up auth on any MDM or RMM destructive action (wipe, uninstall, mass-deploy). Brief comms staff that any Iran-claimed breach should be verified before public response - operators routinely overclaim to amplify modest access.
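As an added example (not from the summit talk or the original article), here is a small Python detector for the two patterns the Check and Fix sections describe: destructive MDM actions on admin accounts that carry no approval reference, and impossible-travel logins. The event fields, the change-ticket convention and the audit records are all constructed assumptions, not a real MDM product's log format.

```python
"""Flag unapproved destructive MDM actions and impossible-travel logins.
Event schema and sample records are constructed for this example."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

DESTRUCTIVE = {"wipe", "uninstall", "mass-deploy"}   # actions that need step-up/out-of-band approval
MAX_SPEED_KMH = 900                                  # faster than a commercial flight => impossible travel

# Constructed MDM audit events (hypothetical fields): same admin logs in from
# New York, then 38 minutes later from Tehran, then issues a wipe with no ticket.
EVENTS = [
    {"ts": "2026-03-11T01:02:00", "user": "admin1", "action": "login", "ticket": None, "lat": 40.7, "lon": -74.0},
    {"ts": "2026-03-11T01:40:00", "user": "admin1", "action": "login", "ticket": None, "lat": 35.7, "lon": 51.4},
    {"ts": "2026-03-11T01:45:00", "user": "admin1", "action": "wipe", "ticket": None, "lat": 35.7, "lon": 51.4},
    {"ts": "2026-03-11T09:00:00", "user": "admin2", "action": "uninstall", "ticket": "CHG-1234", "lat": 40.7, "lon": -74.0},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 6371.0 * 2 * asin(sqrt(a))


def unapproved_destructive(events):
    """Destructive actions with no change ticket: the step-up control was bypassed or missing."""
    return [e for e in events if e["action"] in DESTRUCTIVE and not e["ticket"]]


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Consecutive logins per user whose implied speed exceeds max_speed_kmh."""
    alerts, last_login = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):      # ISO timestamps sort lexically
        if e["action"] != "login":
            continue
        prev = last_login.get(e["user"])
        if prev:
            hours = (datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > max_speed_kmh:
                alerts.append((e["user"], prev["ts"], e["ts"], round(km)))
        last_login[e["user"]] = e
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(EVENTS):
        print("impossible travel:", a)
    for e in unapproved_destructive(EVENTS):
        print("unapproved destructive action:", e["user"], e["action"], e["ts"])
```

In a real deployment the ticket check would be enforced by the MDM's approval workflow and the travel check fed by the identity provider's sign-in log; this script only shows the logic to alert on.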

FBI and CISA warn Iranian hackers are targeting internet-exposed Rockwell PLCs at US water and energy facilities

A joint FBI/CISA advisory warns that Iranian-affiliated APT actors are actively targeting internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers across US critical infrastructure - specifically Government Services, Water and Wastewater Systems, and Energy sectors. The attacks have caused financial losses and operational disruptions since March 2026, with the FBI confirming attackers extracted PLC project files and manipulated data displayed on HMI and SCADA systems. The escalation is linked to ongoing hostilities between Iran, the US, and Israel.

Check
If you operate or support organizations with industrial control systems, check whether any Rockwell/Allen-Bradley PLCs are directly exposed to the internet.
Affected
Organizations running internet-exposed Rockwell Automation and Allen-Bradley PLCs, particularly in water treatment, energy, and government facilities. Any PLC reachable from the public internet without VPN or network segmentation is at risk.
Fix
Remove all PLC management interfaces from internet exposure immediately - these should only be accessible via dedicated OT networks or VPN. Change all default credentials on PLCs and HMI systems. Monitor for unauthorized access to PLC project files and unexpected changes to HMI/SCADA displays. Follow the joint advisory's indicators of compromise and detection signatures.