By: Jairo J. Rodriguez U. – Senior Cybersecurity Engineer
U.S. federal agencies are warning that Iranian state-sponsored hackers are ramping up operations against a broad range of American targets, including defense contractors, operational technology (OT) networks, and other critical infrastructure systems.
The joint alert—issued by CISA, the FBI, and the NSA—describes an aggressive uptick in reconnaissance, phishing, and intrusion attempts aimed at both government-linked organizations and private-sector operators essential to national security.
A Broader, More Coordinated Threat
While Iranian cyber units have long been active in espionage and disruptive campaigns, officials say the recent wave is more sustained, more targeted, and better resourced than in past years.
Instead of opportunistic hits, these groups are mapping networks, identifying high-value OT systems, and leveraging custom malware designed to pivot from IT to OT environments. The goal: disrupt operations, steal sensitive data, and undermine the reliability of key infrastructure services.
Tactics Observed in the Wild
The advisory highlights several techniques seen in recent incidents:
- Spear-phishing with operational lures — Emails crafted to mimic contractors, supply chain partners, or regulatory bodies to trick recipients into opening malware-laced attachments.
- Living off the land — Using built-in admin tools like PowerShell, WMI, and RDP to blend in with legitimate activity.
- Credential harvesting — Targeting VPNs, webmail, and cloud admin portals to gain initial access.
- Custom OT malware — Deploying payloads capable of interacting with industrial protocols such as Modbus and DNP3, potentially to manipulate process control.
Why OT Environments Are in the Crosshairs
Unlike IT systems, OT assets often can’t be patched or taken offline easily—a reality that plays to an attacker’s advantage. Even partial access can allow adversaries to disrupt operations or create safety hazards.
Sectors under the heaviest pressure include:
- Defense manufacturing and R&D
- Energy generation and transmission
- Water utilities and desalination plants
- Port and shipping operations
Immediate Actions Recommended
Agencies are urging organizations—especially those in defense and critical infrastructure—to act now:
- Harden remote access points and enforce multi-factor authentication everywhere.
- Segment OT from IT networks with strict firewall rules and monitored gateways.
- Review incident response plans to ensure they address OT-specific scenarios.
- Enable continuous logging for both IT and OT systems, and centralize monitoring.
- Conduct threat-hunting sweeps focused on lateral movement and domain privilege escalation.
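The segmentation, logging and threat-hunting recommendations above, together with the custom OT malware tactic listed earlier, can be combined into one concrete gateway check. The following is an added example, not code from the advisory or from the author: it parses Modbus/TCP requests as a monitored IT/OT gateway would see them and flags state-changing writes from hosts outside an assumed engineering-workstation allowlist, as well as any Modbus traffic originating in the assumed corporate IT range. The IP addresses and the three captured frames are constructed for illustration.

```python
import struct
from ipaddress import ip_address, ip_network

# Modbus function codes that change PLC state (coils / holding registers).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   23: "Read/Write Multiple Registers"}

# Assumed policy (hypothetical values): only the OT engineering workstation may
# write, and nothing in the corporate IT range should speak Modbus to a PLC at all.
AUTHORIZED_WRITERS = {"10.20.0.5"}
IT_NETWORK = ip_network("192.168.0.0/16")

def parse_modbus_tcp(frame: bytes):
    """Parse a Modbus/TCP frame: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id is always 0; length counts unit id + PDU (everything after byte 6).
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def inspect_flow(src_ip: str, dst_ip: str, frame: bytes):
    """Return a list of alert strings for one gateway-observed Modbus request."""
    alerts = []
    fc = parse_modbus_tcp(frame)["function"]
    if ip_address(src_ip) in IT_NETWORK:
        alerts.append(f"IT host {src_ip} talking Modbus to {dst_ip} (segmentation breach)")
    if fc in WRITE_FUNCTIONS and src_ip not in AUTHORIZED_WRITERS:
        alerts.append(f"{src_ip} -> {dst_ip}: {WRITE_FUNCTIONS[fc]} (fc {fc}) from unauthorized writer")
    return alerts

# Constructed sample: three requests as a monitored IT/OT gateway would capture them.
SAMPLE_FLOWS = [
    # Engineering workstation reads two holding registers (fc 3): benign.
    ("10.20.0.5", "10.20.1.10", bytes.fromhex("0001000000060103000a0002")),
    # Engineering workstation writes one register (fc 6): authorized writer.
    ("10.20.0.5", "10.20.1.10", bytes.fromhex("00020000000601060010ffff")),
    # Corporate workstation writes a coil (fc 5): IT-to-OT pivot with a state change.
    ("192.168.50.23", "10.20.1.10", bytes.fromhex("000300000006010500010000")),
]

def hunt(flows=SAMPLE_FLOWS):
    """Run the checks over every captured flow and collect the alerts."""
    return [a for src, dst, frame in flows for a in inspect_flow(src, dst, frame)]

if __name__ == "__main__":
    for alert in hunt():
        print("ALERT:", alert)
```

Only the third flow raises alerts (one for the segmentation breach, one for the unauthorized write); the same two checks can be fed from centralized gateway logs rather than raw frames.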
The Bigger Picture
The U.S. has previously attributed destructive OT-focused incidents in the Middle East to Iranian threat actors. Officials warn that those same capabilities—refined over years of regional conflict—are now being applied more aggressively toward U.S. assets.
One senior cybersecurity official put it bluntly:
“Iranian operators are probing for the weak seams between IT and OT. If they can get in, they will use that foothold not just to spy—but to disrupt.”
“Disclaimer: The views, opinions, and statements expressed in articles and content on this website are solely those of the author and do not reflect the official policy or position of GE Vernova, its affiliates, or its employees. This website is a personal project and is not endorsed by, affiliated with, or connected to GE Vernova in any formal or official capacity. All content is provided for informational and personal expression purposes only.”