
Iranian Cyber Actors Escalate Targeting of U.S. Networks

U.S. networks face a growing wave of Iranian-aligned cyber activity.

Since late June, U.S. government agencies and security researchers have observed a sharp uptick in Iranian-linked cyber activity targeting American networks. This includes both state-backed APTs and loosely affiliated hacktivist groups ramping up operations across a range of sectors, from defense contractors and energy providers to public infrastructure and transportation.

What We’re Seeing

A joint cybersecurity advisory published June 30, 2025, by CISA, NSA, FBI, and the Department of the Air Force’s DC3 warned that Iranian cyber actors “may target vulnerable U.S. networks and entities of interest” in the near term. That advisory, of course, wasn’t just theoretical: several reports since then show a measurable increase in targeting and successful compromises.

Security researchers at Nozomi Networks noted a 133% increase in Iranian-attributed attacks against U.S. industrial infrastructure during late spring. These included phishing campaigns, exploitation of unpatched systems, and initial access for ransomware deployment. Targets include logistics, energy, and even healthcare.

Following U.S. and Israeli strikes on Iranian nuclear facilities in late June, several Iran-aligned groups began retaliating online. We’ve seen a mix of tactics: coordinated website defacements, distributed denial-of-service (DDoS) attacks, data leaks, and active ransomware campaigns. While some of these groups appear to be ideologically motivated hacktivists, others are clearly aligned with or supported by Iranian intelligence operations.

Who’s Behind It

Several threat actors are either suspected or confirmed to be involved:

  • APT35 (Charming Kitten): This group is known for its phishing operations against journalists, academics, and U.S. government personnel. They’ve ramped up activity in recent weeks, particularly using fake login portals to harvest credentials.

  • APT33 (Elfin Team): A long-active crew focused on sectors like aerospace, energy, and transportation. Known for using wiper malware and targeting industrial control systems.

  • Pay2Key.I2P: A newer ransomware-as-a-service group linked to Iranian infrastructure, active since early 2025. They’ve started pushing Linux variants of their ransomware and are offering incentives to new affiliates.

  • Pro-Iran hacktivist groups: Loosely organized collectives coordinating DDoS campaigns and website defacements in response to geopolitical events.

Tactics and Techniques

The methods aren’t at all sophisticated, but they are effective, especially when defenses are weak:

  • Unpatched vulnerabilities: Many Iranian actors take advantage of known exploits in internet-facing systems and OT environments.

  • Credential stuffing and brute force: Weak passwords and lack of MFA are still a top vector.

  • Phishing: Especially targeting people in energy, government, or defense-adjacent roles.

  • Lateral movement: Once inside, groups like APT33 have shown they can move fast and do real damage.

More recently, ransomware activity has escalated. Pay2Key.I2P has been offering monetary rewards to affiliates who target Western infrastructure and government orgs. Their shift to Linux payloads suggests they’re adapting for broader enterprise environments.

What WRAVEN is Tracking

Our “WATCHTOWER” Threat Intelligence Dashboard has been flagging elevated Iranian-linked activity since early July. Indicators include:

  • Suspicious DNS queries matching known APT35 infrastructure

  • Payload delivery linked to recent Pay2Key campaigns

  • Multiple leaked credentials from phishing kits hosted on bulletproof VPS nodes in Eastern Europe

We’re actively mapping attack flows and techniques and pushing new STIX/TAXII indicators to our internal OSINT feed as they’re validated.
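As an added illustration of the DNS-to-indicator matching described above (this is example code, not WRAVEN's WATCHTOWER implementation): it loads a constructed STIX 2.1-style bundle of the kind a TAXII feed would serve, pulls the domain-name values out of each indicator pattern, and checks a few constructed dnsmasq query-log lines against them, treating subdomains of an indicator domain as hits too. Every domain, indicator id and log line below is a placeholder.

```python
import json
import re

# Constructed STIX 2.1-style bundle standing in for what a TAXII feed would serve.
# Every domain and id below is a placeholder, not a real indicator.
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000aa", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'login-portal.placeholder.invalid']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000bb", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'cdn.payload.placeholder.invalid'] OR [domain-name:value = 'mirror.payload.placeholder.invalid']"},
    ]})

# Pulls each quoted domain out of a STIX pattern comparison like [domain-name:value = '...'].
DOMAIN_IN_PATTERN = re.compile(r"domain-name:value\s*=\s*'([^']+)'")

def load_domain_indicators(bundle_json: str) -> dict:
    """Return {domain: indicator id} for every domain-name comparison in the bundle."""
    lookup = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            for domain in DOMAIN_IN_PATTERN.findall(obj["pattern"]):
                lookup[domain.lower().rstrip(".")] = obj["id"]
    return lookup

# Constructed DNS query log in dnsmasq "query[TYPE] name from client" form.
DNS_LOG = """\
Jul  8 09:14:02 dns1 dnsmasq[412]: query[A] www.example.com from 10.0.4.17
Jul  8 09:14:05 dns1 dnsmasq[412]: query[A] login-portal.placeholder.invalid from 10.0.4.17
Jul  8 09:16:10 dns1 dnsmasq[412]: query[A] assets.cdn.payload.placeholder.invalid. from 10.0.9.3
"""

QUERY_LINE = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")

def match_dns_log(log_text: str, lookup: dict) -> list:
    """Flag queries whose name is an indicator domain or a subdomain of one."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_LINE.search(line)
        if not m:
            continue
        name, client = m.group(1).lower().rstrip("."), m.group(2)
        labels = name.split(".")
        # Walk up the parent chain so a subdomain of an indicator still matches.
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            if parent in lookup:
                hits.append({"client": client, "query": name, "indicator": lookup[parent]})
                break
    return hits
```

In practice the bundle would come from the TAXII collection and the log lines from the resolver; each hit carries the querying client and the indicator id so it can be tied back to the feed entry that fired.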

What You Can Do

If you’re defending any org with exposed infrastructure, or just want to stay safe, here’s what you should be doing (and these are just generally good practices!):

  • Patch external-facing apps and services ASAP

  • Enforce strong, unique passwords and MFA

  • Monitor for suspicious login activity and credential reuse

  • Segment and isolate OT or critical systems from the internet

  • Back up your data and practice restore procedures
