The US Department of Homeland Security (DHS) recently warned that cyberattacks targeting US companies and infrastructure are likely to increase in frequency as part of Iran’s response to the US strikes on Iranian nuclear sites that took place on June 22, 2025. In this article Conor Osthoff provides advice that all organizations can act on to prepare for any increase in attacks.
Threat profile and intelligence
On June 22, the National Terrorism Advisory bulletin issued by DHS stated that “low-level cyberattacks against US networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against US networks.” Following this bulletin, a shaky ceasefire between Israel and Iran, brokered by the US, came into effect on June 25. However, the risk of a re-escalation of the conflict, both in the region and through the use of proxies, remains high.
The full extent of Iran’s cyber capabilities is unclear, though there is consensus within the intelligence community that they are less advanced than those of other nation-state actors, such as Russia and China. Nevertheless, Iran is capable of impactful attacks designed to gather intelligence or cause disruption, and may also lean on proxies or affiliated criminal groups to further its objectives. In recent years, Iran has been observed using similar ‘grey-zone’ tactics to plan and undertake physical attacks on targets in Europe.
Types of cyberattacks and targets
Since the start of the conflict, US financial institutions, oil companies, and defense contractors have already been targeted by Iran-affiliated groups with Distributed Denial of Service (DDoS) attacks, which disrupt the availability of their internet-accessible services. If disruption continues to be a primary objective, other types of attack may follow, such as the deployment of wiper malware or even ransomware, which is typically deployed for financial gain but has the potential to cause operational impact.
The DHS advisory did not specify which sectors are likely to be targeted by Iran or Iran-affiliated actors. However, government-affiliated companies operating in the US energy, finance and defense sectors are likely to be at higher risk. Any networks that are poorly secured but whose compromise has the potential for significant disruption, such as local governments or public utilities, may also represent attractive targets.
Security
Organizations concerned by the heightened risk may want to consider the following mitigation measures.
- Avoid migrating to new IT solutions or implementing new self-hosted services, unless the migration is being carried out to address a security concern.
- If you are in the middle of a technology migration or implementation, accelerate your timeline so that systems are not left in a partially configured state.
- Restrict the number of accounts and technologies that have remote access to your internal network.
- Enforce multi-factor authentication (MFA) for all means of remote access, with no exceptions.
- Ensure that a physical copy of your backups is held offsite, and know your process for restoring from them.
- Retain as much host and network logging as possible (preferably stored in a cloud-based solution, so that it survives the compromise of on-premises systems).
For security teams, we recommend additional scrutiny of behavioral and identity-based security alerts, particularly:
- Authentication events from datacenter or VPN IP address ranges.
- Unique (first-seen) remote desktop connections from identities or accounts.
- Misuse of service accounts.
- Execution of network and Active Directory reconnaissance commands.
- High-volume file and folder access events.
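As an added illustration of the five alert categories above (this is example code written for this article, not S-RM tooling), the following Python script runs simple detection rules over a handful of constructed authentication, process and file-access events. The IP ranges, account names, Windows logon-type values (2 = interactive, 10 = RemoteInteractive/RDP), reconnaissance command prefixes, the known-RDP baseline and the file-access threshold are all assumptions chosen for the example; in practice each would be replaced with values from your own environment and SIEM.

```python
import ipaddress
from collections import Counter

# Assumptions (not from the article): ranges, account names and thresholds
# below are constructed for the example. Replace them with your own
# hosting-provider/VPN ranges, service-account naming and baselines.
DATACENTER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # constructed "hosting provider" range
    ipaddress.ip_network("198.51.100.0/24"),  # constructed "commercial VPN" range
]
SERVICE_ACCOUNTS = {"svc-backup", "svc-sql"}      # constructed naming convention
INTERACTIVE_LOGON_TYPES = {2, 10}                  # Windows: 2 = interactive, 10 = RDP
RECON_PREFIXES = ("nltest", "net group", "net user", "whoami /all", "dsquery", "adfind")
FILE_ACCESS_THRESHOLD = 3                          # per user in the sample window; tune locally

# Baseline of (user, destination host) RDP pairs seen before this window (constructed).
KNOWN_RDP = {("alice", "ws-finance-01")}

# Constructed sample events: simplified records standing in for SIEM-normalised logs.
EVENTS = [
    {"kind": "auth", "user": "alice", "src_ip": "10.0.5.12", "logon_type": 10, "dst_host": "ws-finance-01"},
    {"kind": "auth", "user": "bob", "src_ip": "203.0.113.44", "logon_type": 3, "dst_host": "mail-01"},
    {"kind": "auth", "user": "bob", "src_ip": "10.0.7.9", "logon_type": 10, "dst_host": "dc-01"},
    {"kind": "auth", "user": "svc-backup", "src_ip": "10.0.9.3", "logon_type": 10, "dst_host": "file-01"},
    {"kind": "process", "user": "bob", "host": "dc-01", "cmdline": "nltest /dclist:corp.example"},
    {"kind": "process", "user": "bob", "host": "dc-01", "cmdline": 'net group "Domain Admins" /domain'},
    {"kind": "process", "user": "alice", "host": "ws-finance-01", "cmdline": "notepad.exe budget.txt"},
    {"kind": "file", "user": "bob", "path": r"\\file-01\finance\q1.xlsx"},
    {"kind": "file", "user": "bob", "path": r"\\file-01\finance\q2.xlsx"},
    {"kind": "file", "user": "bob", "path": r"\\file-01\hr\salaries.xlsx"},
    {"kind": "file", "user": "bob", "path": r"\\file-01\legal\contracts.docx"},
    {"kind": "file", "user": "alice", "path": r"\\file-01\finance\budget.txt"},
]


def auth_from_datacenter(events):
    """Authentication events whose source IP falls in a datacenter or VPN range."""
    hits = []
    for e in events:
        if e["kind"] != "auth":
            continue
        ip = ipaddress.ip_address(e["src_ip"])
        if any(ip in net for net in DATACENTER_RANGES):
            hits.append((e["user"], e["src_ip"]))
    return hits


def first_seen_rdp(events, known=KNOWN_RDP):
    """RDP logons (type 10) for a (user, host) pair not present in the baseline."""
    return sorted({(e["user"], e["dst_host"]) for e in events
                   if e["kind"] == "auth" and e["logon_type"] == 10
                   and (e["user"], e["dst_host"]) not in known})


def service_account_interactive(events):
    """Service accounts logging on interactively: a common sign of misuse."""
    return sorted({(e["user"], e["dst_host"]) for e in events
                   if e["kind"] == "auth" and e["user"] in SERVICE_ACCOUNTS
                   and e["logon_type"] in INTERACTIVE_LOGON_TYPES})


def recon_commands(events):
    """Process events whose command line starts with a known AD/network recon tool."""
    return [(e["user"], e["host"], e["cmdline"]) for e in events
            if e["kind"] == "process" and e["cmdline"].lower().startswith(RECON_PREFIXES)]


def high_volume_file_access(events, threshold=FILE_ACCESS_THRESHOLD):
    """Users whose file-access count in the window exceeds the threshold."""
    counts = Counter(e["user"] for e in events if e["kind"] == "file")
    return sorted((user, n) for user, n in counts.items() if n > threshold)


def triage(events):
    """Run all five rules and return the findings keyed by alert category."""
    return {
        "datacenter_auth": auth_from_datacenter(events),
        "first_seen_rdp": first_seen_rdp(events),
        "service_account_misuse": service_account_interactive(events),
        "recon_commands": recon_commands(events),
        "high_volume_file_access": high_volume_file_access(events),
    }


if __name__ == "__main__":
    for category, findings in triage(EVENTS).items():
        print(f"{category}: {findings}")
```

Each rule is deliberately a single, explainable condition so an analyst can see why an event was flagged; in a real deployment the value comes from correlating them (here, one account trips four of the five rules within one window), which is far more significant than any single hit.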
If you are at all concerned about your organization’s cyber resilience, please do not hesitate to reach out to S-RM.