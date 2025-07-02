The United States Cybersecurity and Infrastructure Security Agency (CISA) has reiterated and extended previous warnings over the activities of Iranian threat actors targeting Western interests, following attacks on the Middle Eastern state’s alleged nuclear weapons programme conducted by Israel and the US.

The US strikes on 22 June prompted a swift alert from the Department of Homeland Security’s (DHS’) National Terrorism Advisory System (NTAS) warning of an uptick in “low-level” attacks from hacktivists and more damaging intrusions from threat actors backed by Tehran.

In a new update, CISA said that defence industrial base companies – especially those possessing holdings or relationships with counterparts in Israel – were at especially increased risk.

“At this time, we have not seen indications of a coordinated campaign of malicious cyber activity in the US that can be attributed to Iran,” the agency said in a statement.

“However, CISA urges owners and operators of critical infrastructure organisations and other potentially targeted entities to review this fact sheet to learn more about the Iranian state-backed cyber threat and actionable mitigations to harden cyber defences.”

In the alert, CISA advised that both Iranian and allied hackers are known to exploit opportunistic targets based on their use of unpatched or outdated software, or failure to change default passwords on internet-connected accounts or devices.

For critical national infrastructure (CNI) operators in particular, these threat actors have been observed using system engineering and diagnostic tools to target operational technology (OT) such as engineering devices, performance and security systems, and maintenance and monitoring systems.

CISA’s fact sheet also includes a number of mitigating steps that CNI operators can take at this time, much of it focused on identifying and disconnecting OT and industrial control system (ICS) assets from the internet, keeping such assets up to date, and maintaining appropriate monitoring and control policies – including enforcing password hygiene, role-based access controls, and phishing-resistant multifactor authentication (MFA).

CISA also said that for several months, Iran-aligned hacktivists have also been conducting website defacements and leaking sensitive information stolen from victims. The agency warned of the likelihood of more distributed-denial-of-service (DDoS) attacks, and even ransomware attacks run in collaboration with other groups.