惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
aimingoo的专栏
aimingoo的专栏
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Tailwind CSS Blog
J
Java Code Geeks
博客园_首页
Google Online Security Blog
Google Online Security Blog
Hugging Face - Blog
Hugging Face - Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
I
Intezer
P
Palo Alto Networks Blog
V
Vulnerabilities – Threatpost
雷峰网
雷峰网
O
OpenAI News
SecWiki News
SecWiki News
小众软件
小众软件
酷 壳 – CoolShell
酷 壳 – CoolShell
美团技术团队
N
News | PayPal Newsroom
Project Zero
Project Zero
Forbes - Security
Forbes - Security
IT之家
IT之家
A
Arctic Wolf
WordPress大学
WordPress大学
Jina AI
Jina AI
T
Tor Project blog
博客园 - 三生石上(FineUI控件)
S
Secure Thoughts
Google DeepMind News
Google DeepMind News
Attack and Defense Labs
Attack and Defense Labs
博客园 - 聂微东
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
P
Privacy International News Feed
Cloudbric
Cloudbric
G
GRAHAM CLULEY
博客园 - 叶小钗
H
Hacker News: Front Page
腾讯CDC
量子位
Help Net Security
Help Net Security
人人都是产品经理
人人都是产品经理
C
Cyber Attacks, Cyber Crime and Cyber Security
月光博客
月光博客
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
宝玉的分享
宝玉的分享
爱范儿
爱范儿
L
Lohrmann on Cybersecurity
Hacker News - Newest:
Hacker News - Newest: "LLM"
Recorded Future
Recorded Future
C
CERT Recently Published Vulnerability Notes

Cybersecurity Dive - Latest News

Dozens of Red Hat npm packages targeted in supply chain attack Turning tension into collaboration: How CIOs and CISOs can lead together Trump signs EO seeking early government access to powerful AI models Anthropic shares Mythos with 150 more organizations, including critical infrastructure operators Without strong governance, companies put credit ratings at risk in AI era CISA adds critical Palo Alto Networks firewall flaw to KEV as company, researchers warn of exploitation How Canva scaled to 260+M users while elevating security and productivity Top 4 data security best practices for the AI-enabled enterprise CISA urges security teams to check for software development compromises How CISOs can manage sovereign-cloud security risks IBM’s new $5B initiative will help enterprises rapidly patch open-source vulnerabilities Enterprise data is creeping its way into shadow AI tools Coordinated operation takes down Glassworm botnet Leading AI models are more vulnerable to malicious prompts than vendors claim Iranian government, not hacktivist group, breached LA Metro system, security firm says FBI warns about PhaaS platform used to access Microsoft 365 environments Iran-linked hackers target key US, allied sectors with sophisticated spear-phishing messages New York regulator calls for additional cyber mitigation amid heightened threat environment CISA asks cybersecurity community to alert it to vulnerability exploitation Grafana Labs links GitHub environment breach to TanStack npm supply chain attack 7-Eleven hit by data breach Microsoft disrupts cybercrime operation that hid behind legitimate software Compromised coding tool helped hackers breach thousands of GitHub repositories Telecom sector launches its own private ISAC Patch bypass allows hackers to exploit prior flaw in SonicWall SSL-VPN Grafana Labs says hacker gained access to codebase through leaked token How a government contest launched a revolution in AI-based bug hunting Attackers exploit critical flaw in Cisco Catalyst SD-WAN Controller MSPs need AI to fight AI-fueled cyberthreats: Guardz More money is going to physical security, but it’s often CISOs that oversee it: EY Frontier AI models reap rapid discovery of security vulnerabilities West Pharmaceutical starts restoring operations after ransomware attack Foxconn confirms cyberattack affecting some North American facilities OpenAI launches Daybreak to combat cyber threats Canvas owner reaches ‘agreement’ with threat actors after data breach Guardrail Technologies launches Traffic Light for Code & AI™; first security technology to verify & secure AI code and the people creating it Identity takes center stage as a leading factor in enterprise cyberattacks AI and an absent government: Takeaways from RSAC 2026 Second Canvas data breach causes major disruptions for schools, colleges AI used to develop working zero-day exploit, researchers warn New cybersecurity industry alliance aims to lead US critical infrastructure protection Identity is the new perimeter as rapid NHI proliferation threatens visibility and control Instructure confirms cybersecurity incident Anthropic’s Claude used in attempted compromise of Mexican water utility Businesses hide vast majority of ransomware attacks, report finds Palo Alto Networks warns state-linked cluster behind zero-day exploitation Businesses eager but unprepared for AI to transform their security strategies Iran-sponsored threat group behind false flag social engineering campaign NIST will test three major tech firms’ frontier AI models for cybersecurity risks Trellix investigating breach of source code repository CISA urges critical infrastructure firms to ‘fortify’ before it’s too late Critical vulnerability in cPanel leads to widespread exploitation New MOVEit vulnerabilities prompt urgent patch warning How OpenClaw’s agent skills become an attack surface White House questions tech industry on defensive AI use, cybersecurity resilience As email phishing evolves, malicious attachments decline and QR codes surge US and allies urge ‘careful adoption’ of AI agents PwC partners with Google Cloud to take on the managed security market US agencies promote zero-trust practices for operational technology networks CISA adds Microsoft, ConnectWise vulnerabilities to active exploitation catalog State CISOs losing confidence in ability to manage cyber risks ‘Fundamental tension’ undermines manufacturers’ cybersecurity North Korea-linked actor targets Web3 execs in social-engineering campaign US, UK authorities warn that Firestarter backdoor malware survives patching Major critical infrastructure supplier reports cyberattack When security becomes the attack surface: Why endpoint protection must evolve Hasbro expects March cyberattack to impact second-quarter revenue AI-written software creates hassles for wary security teams China disguises cyberattacks with ‘covert network’ botnets, US and allies warn Trump’s CISA director pick withdraws after tumultuous nomination Phishing — sometimes with AI’s help — topped initial-access methods in Q1, Cisco says Microsoft SharePoint vulnerability widely exposed across multiple countries CISA urges security teams to view environments following axios compromise Big banks seek to ease security worries as AI push accelerates CISA confirms exploitation of 3 more Cisco networking device vulnerabilities Stellantis teams with Microsoft to strengthen digital capabilities Vulnerability exploitation surges often precede disclosure, offering possible early warnings Vercel systems targeted after third-party tool compromised Beyond IT: Cybersecurity is a strategic business risk TP-Link routers face exploitation attempt linked to high-severity flaw US joins nearly two dozen other countries in striking back against DDoS-for-hire platforms CIOs fret over rising security concerns amid AI adoption CISA cancels prestigious summer internships, citing government shutdown NIST limits vulnerability analysis as CVE backlog swells Medium-severity flaw in Microsoft SharePoint exploited FCC exempts Netgear from foreign router ban FCC signals continued commitment to Cyber Trust Mark program Brute-force cyberattacks originating in Middle East surge in Q1 CISOs see gaps in their incident response playbooks US, Indonesia shut down ‘sophisticated’ phishing kit Nearly 4K industrial control devices vulnerable to Iran-linked hacking campaign Stryker warns of earnings fallout from March cyberattack NERC is ‘actively monitoring the grid’ following Iran-linked cyber threat CISA adds second critical flaw in Ivanti EPMM to exploited vulnerabilities catalog US operation evicts Russia from hacked SOHO routers used to breach critical infrastructure Iran-linked hackers target water, energy in US, FBI and CISA warn React2Shell vulnerability helps hackers steal credentials, AI platform keys and other sensitive data Olympic Games, FIFA World Cup offer huge platforms, rich cyberattack surface Threat cluster launches extortion campaign using social engineering CISA’s vulnerability scans, field support on chopping block in Trump budget
Iran-nexus threat groups refine attacks against critical infrastructure
David Jones · 2026-04-23 · via Cybersecurity Dive - Latest News

Iran, long considered a steady and persistent cyber threat to the U.S., has raised its game in the months since the two nations went to war in February. 

Iranian-backed cyber threat groups, which range from state-sponsored actors to pro-Iranian hacktivists and financially motivated hackers, appear to have evolved some of their motivations and capabilities in cyber, according to analysts and security researchers. 

“What we are seeing are attacks that are aiming to have a more destructive effect,” Annie Fixler, director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies told Cybersecurity Dive. 


What we are seeing are attacks that are aiming to have a more destructive effect.

Annie Fixler

Director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies


Specifically, Iran-linked actors have increased the use of data wiping malware in recent attacks against Israel and demonstrated greater capability to evade detection, according to researchers at Palo Alto Networks. 

In another alarming development, Darktrace last week published an analysis of a malware strain called ZionSiphon, to potentially tamper with chlorine levels and pressure controls in Israeli water facilities. The malware was embedded with pro-Iran and Palestinian messaging for additional psychological impact. 

Recent military strikes by Iran may have combined exploitation of flaws in video cameras and kinetic military strikes, according to Check Point Research. The activity may indicate a higher level of coordination and could be used potentially against critical infrastructure, surveillance and other targeted threat activity, CCTI’s Fixler noted.

Meanwhile, the bombing campaign by the U.S. and Israel exposed weaknesses in Iran’s traditional military capabilities, such as its limited ability to control and defend its own airspace and directly challenge allied bombing campaigns. But the Iranians have used cyberattacks as a way to send messages to neighboring Gulf states, Israel, the U.S., and to its own political dissidents, for intimidation, espionage and destructive acts.

Iran-nexus hackers target critical infrastructure

  • February 28

    U.S. and Israel launch coordinated bombing campaign against Iran.

  • March 11

    Medtech company Stryker hit by wiper attack.

  • March 19

    DOJ announces seizure of domains linked to Handala.

  • April 7

    FBI, CISA warn of Iran-nexus hackers targeting flaws at water, energy providers.

Cyber threat warnings

In March, cyber-threat-sharing groups across various critical infrastructure sectors issued a joint advisory warning about the heightened threat of cyberattacks from Iran-aligned actors. 

“Since we released the report, we have indeed seen reports from the critical infrastructure community about Iranian-aligned activity,” Scott Algeier, executive director of the Information Technology-ISAC, told Cybersecurity Dive. 

The data-wiping cyberattack on medical device maker Stryker in March represented the most high-profile example of an Iran-linked attack, Algeier noted, but there have been reports of cyberattacks targeting critical sites as well. Iran-nexus actors are continuing to focus on programmable logic controllers used in OT environments, for instance, he said. 

Nick Andersen, acting director at CISA, said at a Thursday hearing before the House Appropriations Subcommittee on Homeland Security that Iran-linked actors have stepped up activity against poorly configured critical infrastructure sites in the U.S., but have thus far been unable to make significant inroads. 

CISA and other agencies have warned for several years about hacktivist groups exploiting weak security controls at critical infrastructure sites. 

Anderson noted the U.S. has a “tremendous amount” of IT and OT being used to support critical infrastructure that is exposed to the public internet, unsecured and “not necessarily taking advantage of modern security practices” like changing default passwords.

“When we look at them [Iran] as a specific nation-state threat actor, they’ve been very opportunistically focused where we see unsecured devices that are internet accessible,” Andersen testified during the hearing. “It provides them with an opportunity to attempt to make connections to those devices.”


When we look at them [Iran] as a specific nation-state threat actor, they’ve been very opportunistically focused where we see unsecured devices that are internet accessible.

Nick Andersen

Acting Director at CISA


CISA and the FBI, meanwhile, led a joint advisory about the Iran-nexus threat activity on April 7, warning that malicious hackers were targeting Rockwell Automation/Allen-Bradley devices at water utilities, energy facilities and other industrial sites. 

The advisory, which was co-authored by the U.S. Department of Energy, the Environmental Protection Agency and other federal partners, warned that attackers tried to manipulate human machine interfaces and supervisory control and data acquisition displays.

While authorities have not provided details breaking down the specific pattern of attacks, researchers have been able to trace some of the activity to specific threat groups.

Palo Alto Networks Unit 42 linked a cluster of threat activity in late March to the same Rockwell Automation devices cited in the FBI advisory, according to an updated blog post released Friday. 

A threat group tracked as CL-STA-1128 (also tracked as Cyber Av3ngers or Storm-0784) abused Rockwell Automation’s Factory Talk software by installing it onto virtual private server infrastructure, according to Unit 42 researchers. 

Asymmetric cyber capabilities

Iran in recent years has demonstrated the ability to leverage a network of state-sponsored and hacktivist operatives to sow fear, discord and operational disruption via cyber campaigns. 

U.S. authorities, including CISA, have tracked a group of advanced persistent threat actors since at least 2018 under the name MuddyWater, also known as Seedworm or Static Kitten. The group, operating under Iran’s Ministry of Intelligence and Security (MOIS), has targeted rival governments, defense industries, telecommunications and energy providers through spear phishing, exploitation of known vulnerabilities and abuse of open source tools for conducting cyber espionage, stealing sensitive data and deploying ransomware.  

In 2022, the U.S. Treasury sanctioned MOIS in connection with threat activity against the U.S. and other allies dating back to 2007. Treasury cited a July 2022 cyberattack against the Albanian government, where an Iran-linked group called HomeLand Justice gained access to a targeted computer network for 14 months before unleashing ransomware and disk-wiping malware. 

Iran also has long used cyber to target critical infrastructure against Israel, its leading geopolitical rival. During the Gaza War starting in 2023, these attackers also targeted water utilities and other critical infrastructure in the U.S. 

Drinking water and wastewater treatment facilities in the U.S. also have been victims of Iran-linked cyberattacks, specifically in a campaign that exploited weaknesses in Unitronics PLCs. The U.S. has about 150,000 public water facilities and 16,000 wastewater treatment sites, most of which lack the manpower, funding or training to thwart such attacks. 

The water sector has traditionally been a relatively easy target. A federal probe in 2024 found hundreds of U.S. water sites were either exposed to the internet or contained other configuration weaknesses. The report also found the Environmental Protection Agency lacked an incident reporting plan or documented procedures to coordinate with CISA. 

Security industry leaders say the current cyber threat to water and other utilities represents a clear escalation of capabilities by Iran-linked threat groups. 

Jennifer Lyn Walker, director of infrastructure cyber defense at the Water Information Sharing & Analysis Center, said the prior activity linked to CyberAv3ngers was more of a “nuisance threat” that lacked sophistication. But the current threat activity represents an “escalation to include intent to cause disruption with malicious actions,” Walker told Cybersecurity Dive. 

Despite the recent threat activity, the EPA said drinking water remains secure.“The ability of water systems to deliver safe drinking water to communities has not been impacted,” a spokesperson said.

The feds have taken some action against Iranian threat actors: following the attacks on water systems and other critical sectors, the Treasury Department in 2024 issued sanctions against members of the Islamic Revolutionary Guard Corp., citing malicious activity against various critical sectors in the U.S. Among those attacks was an 2021 ransomware attack targeting Boston Children’s Hospital that was disrupted by the FBI.

Hackers gain persistence

The cyberattack against Stryker demonstrated a capability that exceeds what was previously known about Iran-linked actors: the deployment of a destructive wiper that abused the company’s Microsoft Intune environment and deleted data from thousands of mobile devices. 

CCTI’s Fixler and other analysts say the attackers likely obtained credentials and established a foothold in Stryker long before the attack. However, the attack remains under investigation, so an official breakdown has not yet been released. 

Handala, the cyber threat group linked to the Stryker attack, now claims to have gained persistent access to Microsoft Entra, VMware vSphere and IBM FlashSystem environments across multiple targeted organizations, according to researchers at Flashpoint. 

“The screenshots that they shared in their channel indicate that these are part of several attack campaigns, though it is difficult to verify until we have confirmation from the victims,” Ian Gray, VP of intelligence at Flashpoint, told Cybersecurity Dive. 

Those screenshots show the attackers’ ability to generate Temporary Access Passes within Microsoft Entra, which allows the hackers to bypass multifactor authentication, according to Flashpoint. 

Microsoft officials declined to comment. IBM and Broadcom officials were not immediately available for comment.

In March, CISA urged security teams across the country to harden their endpoint security following the Stryker attack.

Defending against Iran cyber threats

There are several steps that security teams should take to mitigate against potential attacks from Iran-nexus threat actors. For one, internet-facing devices should be removed from open access, and multifactor authentication should be enabled, according researchers. 

Security teams should also create strong backup copies of PLCs, which include the logic and configurations for industrial equipment and systems.

If controllers include a physical mode switch, it should be placed in the run position to prevent remote modification, according to the CISA and FBI advisory. 

To protect against wiper attacks, security teams should eliminate standing privileges and also harden Entra ID administrator accounts, according to Palo Alto Networks researchers.