Iranian Cyber Threats: What You Need To Know Now

By Seth Feldman | Head of Cyber Threat Engineering & Response
The geopolitical landscape shifted dramatically on February 28, 2026, when the United States and Israel launched Operation Epic Fury against Iranian nuclear facilities and military infrastructure. For organizations in healthcare, finance, insurance, engineering, and banking, this isn't just international news. It's a direct threat to your network.
Iran has a well-documented history of using cyber operations as a primary tool for asymmetric retaliation. When kinetic military options are limited, Iranian state-sponsored groups turn to keyboards instead of missiles. We've seen this pattern before in 2020 after the Soleimani strike. We saw it again during Israel-Gaza tensions in 2023. Now we're seeing it again.
This bulletin explains who's targeting your organization right now, what Ostra is actively doing to protect you, and the best practices we recommend you implement.
Why This Threat Demands Immediate Attention
Iranian cyber capabilities are sophisticated, proven, and motivated. Over the past several years, Iranian threat actors have successfully compromised healthcare systems, financial institutions, defense contractors, and government networks across the United States and allied nations.
These aren't theoretical threats. In 2023-2024, IRGC-affiliated actors demonstrated the capability to compromise critical infrastructure at scale. Following the February 28 strikes, Iranian retaliation through cyber operations is not a question of "if" but "when."
The most dangerous assumption you can make is that your organization isn't a target. Iranian cyber doctrine casts a wide net. Regional hospitals were targeted alongside major healthcare systems. Community banks were probed alongside multinational financial institutions.
Who's Targeting Your Organization
Iranian cyber operations are conducted through two primary organizational structures: the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS). Both run sophisticated Advanced Persistent Threat (APT) groups with proven track records.
APT35 (Charming Kitten) specializes in spear-phishing campaigns targeting healthcare executives, financial services leadership, and professional services firms. They've successfully compromised major healthcare systems through credential harvesting attacks that bypass traditional email security.
APT33 (Elfin) focuses on destructive operations against organizations in the defense industrial base and aerospace sectors. Engineering firms supporting defense contracts face elevated risk. They're known for deploying wiper malware designed to destroy data rather than steal it.
APT34 (OilRig) targets financial services, insurance companies, and telecommunications providers. Their specialty is traditional cyber espionage: gaining persistent access, stealing sensitive data, and maintaining long-term presence in victim networks.
MuddyWater runs campaigns against professional services, financial institutions, and technology companies. They use PowerShell scripts, DLL sideloading, and living-off-the-land techniques that abuse legitimate system tools to evade detection.
Iran also maintains dozens of hacktivist personas like Moses Staff that provide plausible deniability while maintaining operational control. Don't be fooled by branding. These are state-sponsored operations with sophisticated capabilities.
What Sectors Face Highest Risk
Not all industries face equal risk. Based on historical targeting patterns and current geopolitical context:
Healthcare and Public Health organizations face direct targeting. APT35 has run extensive campaigns against US healthcare systems, targeting everything from patient data to medical research. Hospitals, insurance providers, and healthcare technology vendors should all adopt a heightened security posture immediately.
Financial Services including banks, insurance companies, and investment firms face both espionage operations and potential destructive attacks. APT34 specializes in this sector. Expect phishing campaigns, credential theft attempts, and probing attacks against online banking platforms.
Engineering and Professional Services firms, particularly those with defense or government contracts, are priority intelligence collection targets. Iranian groups seek intellectual property, contract details, and supply chain access.
How They Attack
Iranian threat actors use sophisticated but increasingly well-understood tactics.
Initial access typically comes through spear-phishing campaigns using fake academic conferences, research invitations, or business proposals. APT35 is particularly skilled at creating convincing personas and building trust before deploying malicious links. They also exploit internet-facing systems, particularly VPN gateways and web applications with unpatched vulnerabilities.
Credential theft is a primary objective. These groups use LSASS memory dumping to extract passwords from system memory, keylogging to capture credentials as they're typed, and OAuth phishing attacks to gain access to cloud services like Microsoft 365.
Persistence is established through scheduled tasks, registry modifications, and DLL sideloading techniques that make malware look like legitimate software. MuddyWater's signature technique involves hiding malicious DLLs in system directories where they blend in with normal files.
Command and control infrastructure often abuses legitimate services. We frequently see use of Ngrok tunneling, Cloudflared persistent tunnels, and DNS tunneling to maintain covert communication channels that bypass traditional network security.
Impact operations range from data theft to complete destruction. APT33 deploys wiper malware that destroys boot sectors and overwrites disk data. Others use ransomware not for financial gain but as a cover for data destruction.
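As an added, defender-side illustration (not code from the original bulletin and not Ostra's own detection content), the following Python triages constructed Sysmon-style events for four of the behaviors described above: LSASS memory reads, Ngrok/Cloudflared launches, encoded or hidden PowerShell, and scheduled-task persistence. The event shape, the LSASS reader allowlist and all sample values are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample events in a Sysmon-like shape (not real telemetry).
# id "1" = process creation, id "10" = process access (e.g. a handle to LSASS).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": "10", "image": r"C:\Users\jdoe\AppData\Local\Temp\procdump64.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1fffff"},
    {"id": "10", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1000"},
    {"id": "1", "image": r"C:\Users\jdoe\Downloads\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run --token eyJ..."},
    {"id": "1", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc onlogon /tn Updater /tr "C:\\Users\\Public\\upd.exe"'},
    {"id": "1", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe"}  # assumed allowlist, tune per site
TUNNEL_TOOLS = {"ngrok.exe", "cloudflared.exe"}
ENCODED_PS = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
HIDDEN_PS = re.compile(r"(?i)\s-w(indowstyle)?\s+hidden")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(event: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules this single event matches."""
    hits: List[str] = []
    img = basename(event["image"])
    if event["id"] == "10" and basename(event.get("target", "")) == "lsass.exe":
        # 0x10 = PROCESS_VM_READ; any non-allowlisted process reading LSASS memory is suspect
        if int(event["access"], 16) & 0x10 and img not in LSASS_READERS_ALLOWED:
            hits.append("lsass_memory_read")
    if event["id"] == "1":
        cmd = event.get("cmdline", "")
        if img in TUNNEL_TOOLS:
            hits.append("tunnel_tool_launch")
        if img.startswith("powershell") or img == "pwsh.exe":
            if ENCODED_PS.search(cmd) or HIDDEN_PS.search(cmd):
                hits.append("powershell_encoded_or_hidden")
        if img == "schtasks.exe" and "/create" in cmd.lower():
            hits.append("scheduled_task_created")
    return hits


def triage_all(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> matched rules, keeping only events that fired something."""
    return {i: triage(e) for i, e in enumerate(events) if triage(e)}
```

In a real deployment the allowlist is the part that needs the most care: too narrow and every AV or backup agent pages the SOC, too broad and a renamed dumping tool slips through.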
What Ostra is Doing for You
The Ostra Security Operations Center is actively working to protect you from these threats. Here's what we're doing on your behalf:
SIEM Monitoring: We've deployed Iranian APT-specific detection rules across our logging platform. We're actively monitoring credential theft attempts, PowerShell abuse, LSASS dumping, suspicious authentication patterns, and command-and-control traffic associated with these threat actors.
EDR Detection: Our EDR deployment is running tuned detection rules for Iranian threat groups. We've activated the full Platform Detection Library for MuddyWater DLL sideloading, credential harvesting, Ngrok/Cloudflared tunneling, BloodHound reconnaissance, and wiper malware indicators. Behavioral AI provides zero-day protection against novel techniques.
Automation: Our Automation platform runs automated triage playbooks. When potential compromise indicators appear, automated enrichment and escalation workflows kick in immediately.
Threat Hunting: Our SOC analysts are conducting proactive threat hunts across the entire customer base. We're searching for dormant backdoors, credential access attempts, and persistence mechanisms that might have been established before heightened monitoring. You don't have to wait for an alert. We're actively looking.
Intelligence Updates: As new Iranian tactics emerge, we're continuously updating detection rules, correlation logic, and hunting procedures.
What We Need from You
While Ostra maintains your security infrastructure, there are critical actions we recommend you implement ASAP:
Enforce Multi-Factor Authentication. This is not negotiable. Enable MFA on all accounts, particularly administrative access, VPN connections, and cloud services. Prioritize phishing-resistant MFA using hardware tokens or FIDO2 where possible. Credential theft is the primary Iranian tactic. MFA stops it.
Security Awareness Training. Educate your users on spear-phishing recognition. Iranian groups like APT35 are extremely sophisticated. Their emails don't look like obvious scams. They reference real conferences, use convincing personas, and build relationships over time. Train your people to verify unexpected requests and report suspicious emails immediately.
Report Suspicious Activity. If something feels off, tell us. Immediately. Don't wait to be sure. We'd rather investigate ten false alarms than miss one real compromise. Contact Ostra support via email at support@ostrasecurity.com. Speed matters.
Review Privileged Access. Audit who has administrative rights in your environment. Remove unnecessary privileges. Implement just-in-time access where possible. Iranian groups target domain administrators and privileged accounts for lateral movement. Limit the blast radius.
Validate Your Backups. Don't assume backups work. Test restoration procedures on a non-production system. Ensure you have offline backups that ransomware or wiper malware can't reach. Iranian APT33 deploys destructive malware designed to destroy data. Backups are your recovery plan.
Patch Internet-Facing Systems. Prioritize VPN gateways, web applications, email servers, and any public-facing infrastructure. Iranian groups actively scan for known vulnerabilities. Don't give them an easy entry point. Apply security updates within days of release, not weeks.
What You Do Next Matters
Iranian state-sponsored threat actors are sophisticated, well-resourced, and highly motivated following US-Israel military operations. They have demonstrated both the capability and intent to compromise healthcare, financial, insurance, engineering, and banking organizations.
The good news: you're not facing this alone. The Ostra Security Operations Center is actively monitoring, hunting, and defending your environment with tuned detection, automated response, and analyst coverage. The defensive infrastructure is in place and working.
The reality: security is a partnership. We maintain security platforms. We watch for threats and respond to incidents. But you control user access, enforce policies, and manage privileged accounts.
The actions you take in the next 48 hours may determine whether your organization successfully defends against this threat. Start with the fundamentals: enforce MFA, train users on phishing recognition, validate backups, and report anything suspicious to Ostra immediately.
For Ostra Security Customers
If you identify suspected Iranian cyber activity or anything unusual in your environment, contact our Security Operations Center immediately:
Email: support@ostrasecurity.com
Questions about implementing MFA, backup validation, or security awareness training? Ostra Security can help with technical guidance and best practice recommendations.
If you observe indicators of compromise, also report to government authorities:
- CISA: contact@cisa.dhs.gov or 1-888-282-0870
- FBI: Your local field office or IC3.gov
This threat is real. It's active right now. And we're on it, together.