
Despite the ceasefire announced earlier this week, hostilities continue in the ongoing conflict with Iran. While the bombing may be paused, counterattacks from Iran-based hackers and state-sponsored groups have not subsided.
U.S. agencies, including CISA, have issued an advisory regarding the compromise of programmable logic controllers (PLCs) at U.S. critical infrastructure organizations by threat actors tied to Iran. This has led to diminished PLC functionality, data manipulation, and operational disruption in human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays.
Additionally, Kathryn Raines, Cyber Threat Intelligence Team Lead for the National Security Solutions team at Flashpoint, offered the following:
“The current environment reflects a fragmented ceasefire. Hostilities are continuing across key theaters, particularly in Lebanon and across Gulf energy infrastructure. That fragmentation introduces additional uncertainty. When activity continues despite formal agreements, it becomes more difficult to anticipate escalation pathways.
“A military ceasefire does not translate to a cyber pause. What we’re seeing is continuity in activity, with threat actors maintaining tempo while adjusting targeting and messaging. For organizations, that means risk remains elevated. Critical infrastructure, particularly in energy and water systems, continues to be actively targeted.”
Flashpoint has also reported on the following claims:
- The state-sponsored Handala group is taking credit for hacking the "Iran International" network, extracting internal information and disabling servers. Iran International is a news service that is often critical of Iranian leadership and has been branded a terrorist group by officials in the country.
- The Conquerors Electronic Army has launched distributed denial-of-service (DDoS) attacks against Israeli volunteer associations Beit Cham and All Volunteer Force, the global pharmaceutical company Teva Pharmaceutical Industries, and the freelancer platform Upwork. The group explicitly stated the attacks were powered by a commercial IP stresser panel.
- The Cyber Islamic Resistance group has expressed solidarity with the Russian hacktivist group Killnet, signaling a potential alignment of goals against Western entities.
Flashpoint is recommending a thorough review of ICS defenses, with the industrial sector reviewing the tactics, techniques, and procedures (TTPs) detailed in the joint U.S. cybersecurity advisory and applying the recommended mitigations to secure PLCs. Other industry experts and stakeholders are also weighing in on these developments.
Joe Saunders, CEO, RunSafe Security: “Cyber attacks are key components now in all war and kinetic attacks. Not only does Iran have the means, it has the motivation to undermine the U.S. Government and disrupt a well-functioning society.
"Cyber attacks are one way to break down physical barriers and can be executed at a time and place of a nation-state’s choosing to achieve counter-effects. We should all be prepared for cyberattacks, with an eye toward resilience and recovery. This proves critical infrastructure is an extension of national security.”
Bradley Smith, SVP, Deputy CISO at BeyondTrust: "The Iranian cyber proxy ecosystem is not waiting for an escalation trigger — it is already operating at a wartime tempo. BeyondTrust has been tracking this activity since the early hours of Operation Epic Fury. What we have assessed is that the operational preparation phase for multiple Iran-aligned actors was complete before the first strikes landed on February 28.
"Tools were staged, reconnaissance was reported, and targets were identified. The threat now is not that these groups will activate — it is that strikes against civilian infrastructure will remove any remaining restraint on target selection and destructive intent.
"The effectiveness of these operations has increased in both quality and scale compared to previous Iranian cyber campaigns. A significant contributing factor is the documented use of AI-enhanced social engineering by groups such as APT42, which has degraded the reliability of traditional detection indicators.
"Phishing lures and credential harvesting operations are more convincing, more scalable, and harder to distinguish from legitimate communications than in any prior campaign cycle we have tracked. This is compounding an already elevated risk to identity infrastructure, where a single compromised credential can provide an adversary the foothold needed to move laterally into critical systems.
"The elimination of Iran's senior leadership has not neutralized its cyber offensive capability — our assessment is that it has decentralized it, shifting execution authority to a pre-positioned proxy ecosystem that is now operating with both the motivation and the autonomy to escalate."
Louis Eichenbaum, Federal CTO at ColorTokens: "Based on current U.S. military actions involving Iran, there is a high likelihood of continued retaliatory cyber activity from Iranian state actors and affiliated proxy groups aimed at causing widespread disruption and executing targeted intrusions.
"These operations will likely leverage proven, opportunistic techniques, including phishing campaigns that enable credential theft and account takeover, exploitation of unpatched edge devices such as VPNs and firewalls, distributed denial-of-service attacks against public-facing services, and hack-and-leak or extortion campaigns designed to drive both operational and reputational impact.
"There is also a credible risk of opportunistic compromise of exposed operational technology and industrial control systems, particularly where those systems remain accessible from the internet. Based on prior activity, priority targets are expected to include sectors such as energy, water, transportation, and telecommunications, along with the defense industrial base, federal contractors, and government mission-support systems.
"Organizations operating exposed OT environments or maintaining weak remote access controls are especially vulnerable, and executives’ and employees’ personal accounts are likely to be targeted as initial entry points to enable broader compromise.
"These actors will continue to exploit well-known and frequently targeted weaknesses, including internet-exposed PLCs and OT management interfaces, weak or absent multi-factor authentication, particularly for privileged and remote access, unpatched known exploited vulnerabilities in edge infrastructure, and common identity risks such as credential reuse and password spraying."
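Password spraying, one of the identity risks named above, is a detectable pattern: one source tries a small number of passwords against many different accounts, so each account sees only one or two failures and per-account lockout never triggers. The following is an added example of a detector for that pattern over authentication logs; it is illustrative code written for this article, not a tool from ColorTokens or any other vendor quoted here. The log format, the field names, the sample log lines and the IP addresses (drawn from the RFC 5737 documentation ranges) are all constructed assumptions; the thresholds are adjustable parameters, not recommended values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, invented for this example (not captured from any real system).
# Assumed line format: "<ISO 8601 timestamp> <FAIL|SUCCESS> user=<name> src=<ip>"
SAMPLE_LOG = """\
2026-03-01T08:00:01 FAIL user=alice src=203.0.113.7
2026-03-01T08:00:04 FAIL user=bob src=203.0.113.7
2026-03-01T08:00:09 FAIL user=carol src=203.0.113.7
2026-03-01T08:00:12 FAIL user=dave src=203.0.113.7
2026-03-01T08:00:15 FAIL user=erin src=203.0.113.7
2026-03-01T08:00:20 FAIL user=frank src=203.0.113.7
2026-03-01T08:00:31 SUCCESS user=frank src=203.0.113.7
2026-03-01T08:01:00 FAIL user=alice src=198.51.100.23
2026-03-01T08:01:05 FAIL user=alice src=198.51.100.23
2026-03-01T08:01:09 FAIL user=alice src=198.51.100.23
2026-03-01T08:01:30 SUCCESS user=alice src=198.51.100.23
2026-03-01T09:15:00 FAIL user=grace src=192.0.2.44
2026-03-01T09:15:10 FAIL user=heidi src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|SUCCESS)\s+user=(\S+)\s+src=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "result": result, "user": user, "src": src}


def detect_password_spray(log_text, min_users=5, window=timedelta(minutes=10), max_per_user=2):
    """Flag source IPs whose failed logins within a sliding time window hit many distinct accounts
    while staying under a small per-account attempt count (the spray signature, as opposed to
    brute force against one account). Each finding also lists accounts that authenticated
    successfully from the same source at or after the start of the flagged window."""
    events = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        best = None
        start = 0
        for end in range(len(fails)):
            # Slide the window's left edge forward until all events in it fall within `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {"src": src, "distinct_users": len(per_user),
                            "first": fails[start]["ts"], "last": fails[end]["ts"]}
        if best is None:
            continue
        # A success from the spraying source after the spray began is the highest-priority signal:
        # it suggests one of the sprayed accounts accepted a guessed password.
        best["success_after"] = sorted({e["user"] for e in evs
                                        if e["result"] == "SUCCESS" and e["ts"] >= best["first"]})
        best["first"] = best["first"].isoformat()
        best["last"] = best["last"].isoformat()
        findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, only 203.0.113.7 is reported (six accounts, one failure each, followed by a success for one of them). The three failures against a single account from 198.51.100.23 are a different pattern (brute force against one user) and are deliberately not flagged by this rule, which is why per-account lockout alone does not cover spraying and a source-centric view of failures is needed alongside it.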
Shane Barney, CISO at Keeper Security: "The recent wave of cyber activity targeting critical infrastructure in Western democracies is part of a broader shift in how conflict is playing out in the modern world. Recent reports and warnings of nation state activity targeting Industrial Control Systems (ICS) highlight a structural reality that security teams have been grappling with for years: the convergence of IT and operational technology has eliminated any meaningful separation between digital access and physical impact.
"These attacks are not defined by novel exploitation techniques, but by the systematic identification and abuse of exposed systems, weak identity controls and persistent access pathways. Internet-facing management tools, particularly those tied to legacy or poorly segmented environments, create a predictable attack surface.
"When combined with automated scanning and AI-assisted reconnaissance, threat actors can continuously probe global infrastructure at scale, identifying misconfigurations in minutes rather than months. The more significant issue is what happens after gaining initial access.
"Once a foothold is established, lateral movement becomes the primary objective. Attackers harvest credentials, escalate privileges and move toward core systems where operational disruption becomes possible. In environments where privileged access is poorly governed or insufficiently monitored, this activity can remain undetected long enough to create material impact.
"This reinforces a critical shift in defensive strategy, where identity is now the primary control plane. Hardware-level protections and network segmentation remain important, but they are insufficient if identity systems allow unauthorized or persistent access. If an attacker can authenticate, they can often operate as a legitimate user, bypassing traditional security controls entirely."
Morey Haber, Chief Security Advisor at BeyondTrust: "The moment kinetic threats target civilian infrastructure, cyber retaliation becomes not just probable, but an inevitable outcome. Donald Trump signaling escalation against Iran shifts the battlefield into this asymmetric domain where Iran and their supporters have just as much experience in cyberattacks as any other group in the world.
"Groups aligned with Iran have consistently leveraged identity attack vectors, distributed denial of service, and destructive wiper campaigns to create disruption without direct attribution.
"Unfortunately, if this conflict continues to escalate, the world should expect attacks, not only against critical infrastructure, but also financial systems, supply chains, and cloud providers both electronically and physically. Cyberattacks will not mirror military precision, however. They will exploit weakest links, especially identity, where one compromised credential can cascade into a systemic shock once the adversary has an electronic beachhead into an environment.
"In this security professional's opinion, I hope we can avoid the potential risks of full blown cyber warfare."