Amidst the unprecedented escalation of the current 2026 cyber and kinetic war involving Iran, Israel and the United States — marked by massive internet blackouts and highly active state-sponsored threat clusters — understanding the adversary's playbook is more critical than ever. Iran’s cyber operations are state-directed, mission-driven and geopolitically motivated, primarily supporting intelligence collection, regional influence, deterrence and retaliation.
Iranian actors tend to emphasize persistence, espionage, psychological impact and disruptive operations over highly sophisticated zero-day exploitation. The actors could be Islamic Revolutionary Guard Corps (IRGC)-sponsored APTs or proxies focused on destruction and DDoS, or lone wolves that are sympathetic to the Iranian or Palestinian cause and have access to wipers or RaaS.
Common characteristics across Iranian actors
While distinct groups exist, there are several common threads in how these threat actors operate:
- Strong alignment with state and IRGC objectives.
- Heavy reliance on phishing and credential access.
- Frequent targeting of OT and critical infrastructure.
- Use of wiper malware during periods of geopolitical escalation.
- Less emphasis on stealthy zero-days, more on persistence and scale.
Active Iranian-linked threat actors
Two examples of active Iranian-linked threat actors demonstrate these methodologies:
MuddyWater (Static Kitten/Seedworm)
- Primary focus: Middle East government, defense and critical infrastructure.
- Objectives: Espionage and regional intelligence dominance.
- Tactics: PowerShell-based backdoors, spear-phishing, commodity malware.
- Assessment: High operational tempo, moderate technical sophistication.
Cyber Av3ngers (IRGC-linked)
- Primary focus: Critical infrastructure (water, energy, ICS/OT systems).
- Objectives: Disruption, signaling and psychological impact.
- Tactics: Exploitation of exposed OT systems, hack-and-leak operations.
- Assessment: Politically motivated, increasingly visible, OT-focused.
- Notable incident: Aliquippa, Pennsylvania in 2023, and dozens of water and wastewater systems across the US.
- Methodology: Exploitation of Unitronics Vision Series PLCs, often exposed to the internet with default credentials.
Defending against the threat: The Center for Internet Security (CIS) and ISA/IEC 62443 Playbook
Here is a summary of what to do based on the CIS "How to Defend Against Iran's Cyber Retaliation Playbook" and mapped to the ISA/IEC 62443 series of standards:
- Ensure Internet-facing devices are patched: VPNs, firewalls, mail servers, etc. This aligns with ISA/IEC 62443 2-1: Security Requirement 2.6 – Patch Management, as well as Resource Availability (supporting vulnerability reduction).
- Ensure strong MFA is enforced, audit these accounts and monitor for brute-force attempts. This aligns with ISA/IEC 62443 3-3: SR 1.1 – Human User Identification and Authentication.
- Prepare for highly sophisticated spear phishing aimed at executives and engineers, and make them aware of impersonation attempts. This aligns with ISA/IEC 62443 2-1: CR 2 – Security Awareness and Training.
- Ensure anomaly detection is tuned for lateral movement that blends in with legitimate activity: PowerShell execution, registry changes, scheduled tasks and shell activity. This aligns with ISA/IEC 62443 3-3: SR 6.2 – Continuous Monitoring and ISA/IEC 62443 2-1: CR 6 – Event Detection and Response.
- Review and test your incident response and backup recovery plans using this type of attack as the scenario. This aligns with ISA/IEC 62443 2-1: CR 6 – IR Planning and Testing, 2-1: CR 7 – Business Continuity and Disaster Recovery and 3-3: SR 7.3 – Backup and Recovery.
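The anomaly-detection item above (PowerShell, registry changes, scheduled tasks and shell activity) as a worked example, added here and not part of the CIS playbook or the original article: a small rule set run over constructed process-creation records. The host names, command lines and rule names are invented for illustration; the record shape is a simplified Sysmon EID 1 / Windows 4688 view.

```python
import re

# Constructed process-creation records (parent image, image, command line).
# These are sample inputs for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ENG-WS01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEA"},
    {"host": "ENG-WS01", "parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 5 /tn "Updater" /tr "C:\\Users\\Public\\u.bat"'},
    {"host": "HMI-02", "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /d C:\Users\Public\s.exe"},
    {"host": "FIN-WS07", "parent": "winword.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"host": "ADMIN-01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\Get-Inventory.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Encoded command, hidden window or download-cradle markers on a PowerShell launch.
PS_FLAGS = re.compile(r"(?i)(\s-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|downloadstring|invoke-expression|\biex\b)")
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run(Once)?\b")

def suspicious_powershell(ev):
    # A plain scripted -File run (event 5) is deliberately not flagged.
    return ev["image"].lower() in {"powershell.exe", "pwsh.exe"} and bool(PS_FLAGS.search(ev["cmdline"]))

def scheduled_task_persistence(ev):
    return ev["image"].lower() == "schtasks.exe" and "/create" in ev["cmdline"].lower()

def run_key_persistence(ev):
    return ev["image"].lower() in {"reg.exe", "powershell.exe", "pwsh.exe"} and bool(RUN_KEY.search(ev["cmdline"]))

def office_spawned_shell(ev):
    # Typical spear-phishing follow-on: a document application launching a shell.
    return ev["parent"].lower() in OFFICE_APPS and ev["image"].lower() in SHELLS

RULES = {fn.__name__: fn for fn in (suspicious_powershell, scheduled_task_persistence,
                                    run_key_persistence, office_spawned_shell)}

def triage(events):
    """Return one finding per event that matches at least one rule, in event order."""
    findings = []
    for ev in events:
        hits = [name for name, rule in RULES.items() if rule(ev)]
        if hits:
            findings.append({"host": ev["host"], "rules": hits, "cmdline": ev["cmdline"]})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']}: {', '.join(f['rules'])} :: {f['cmdline']}")
```

In practice the same rules would be expressed in the SIEM or EDR query language and baselined against the environment's legitimate administrative scripting before alerting.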
Conclusion
As geopolitical tensions continue to spill over into cyberspace, organizations must remain highly vigilant against state-sponsored disruption and proxy threats. By adopting a proactive defense posture and mapping security practices to robust, established frameworks such as ISA/IEC 62443, critical infrastructure defenders can build the resilience required to withstand not just espionage but also the aggressive, disruptive operations characteristic of these threat actors.
Transparency Statement: AI tools were utilized to assist in drafting and structuring portions of this article. The author maintains full responsibility for the final content and its intended message. This content is provided for informational purposes only and does not constitute formal professional or legal advice.
