Stryker: Weak authentication, exposed ICS environments heighten concerns over Iranian cyber intrusions into US critical infrastructure

Iranian Cyber Actors Exploit Weak Security in U.S. Critical Infrastructure

Iran-aligned cyber threat groups are intensifying efforts to target poorly secured U.S. critical infrastructure, leveraging gaps in basic cybersecurity practices to infiltrate operational technology (OT) systems. A recent analysis by the Foundation for Defense of Democracies (FDD) reveals that attackers have accessed exposed industrial environments, including gas station tank gauge systems across multiple states, by exploiting default or absent passwords. While these intrusions have not yet caused physical disruptions, such as altering fuel levels, they have manipulated display data, potentially obscuring critical issues like leaks or empty tanks.

The campaign reflects a broader pattern of Iranian-linked groups probing internet-facing industrial control systems (ICS), particularly where authentication and network segmentation are weak. Though many incidents have resulted in limited operational impact, U.S. officials warn that the intent is evolving toward disruption and psychological pressure, especially in sectors with outdated or minimal security controls. Targets include energy, water, and other essential services, with adversaries frequently exploiting vulnerabilities in programmable logic controllers (PLCs) and supervisory control systems.

Iranian threat actors, while less sophisticated than their Chinese or Russian counterparts, combine cyber operations with influence campaigns to maximize societal impact. Groups linked to the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security often operate through hacktivist fronts, as seen in past incidents involving high-profile targets, including an attempted breach of FBI Director Kash Patel and an attack on medical technology firm Stryker.

Recent examples highlight Iran’s persistent but often overstated claims of success. In April, the group Ababil of Minab took credit for an attack on the Los Angeles transit authority, asserting control over internal systems, though officials confirmed only partial access with no disruption to services. Similarly, the IRGC-affiliated APTIRAN previously claimed to have compromised gas station systems in Pennsylvania, though no public confirmation of the breach was provided.

The FDD report underscores that many exploited systems rely on default credentials or lack password protection entirely, emphasizing the need for stronger baseline security. The U.S. government’s Secure by Design initiative aims to address these vulnerabilities by working with vendors to enforce security-by-default measures, such as requiring password changes during installation.

Separately, Microsoft disrupted Fox Tempest, a malware-signing-as-a-service (MSaaS) operation active since May 2025. The platform, used by ransomware gangs and other threat actors, abused Microsoft’s code-signing infrastructure to distribute malicious software, including strains like Oyster, Lumma Stealer, and Akira, infecting thousands of systems globally.

Source: https://industrialcyber.co/industrial-cyber-attacks/weak-authentication-exposed-ics-environments-heighten-concerns-over-iranian-cyber-intrusions-into-us-critical-infrastructure/

Stryker cybersecurity rating report: https://www.rankiteo.com/company/stryker

"id": "STR1779452900",
"linkid": "stryker",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Energy',
                        'location': 'United States',
                        'name': 'Gas station operators (multiple states)',
                        'type': 'Critical Infrastructure'},
                       {'industry': 'Transportation',
                        'location': 'Los Angeles, United States',
                        'name': 'Los Angeles transit authority',
                        'type': 'Government/Transportation'},
                       {'industry': 'Medical Technology',
                        'location': 'United States',
                        'name': 'Stryker',
                        'type': 'Corporation'}],
 'attack_vector': ['Exploitation of default/absent passwords',
                   'Internet-facing industrial control systems (ICS)'],
 'description': 'Iran-aligned cyber threat groups are intensifying efforts to '
                'target poorly secured U.S. critical infrastructure, '
                'leveraging gaps in basic cybersecurity practices to '
                'infiltrate operational technology (OT) systems. Attackers '
                'have accessed exposed industrial environments, including gas '
                'station tank gauge systems across multiple states, by '
                'exploiting default or absent passwords. While these '
                'intrusions have not yet caused physical disruptions, they '
                'have manipulated display data, potentially obscuring critical '
                'issues like leaks or empty tanks.',
 'impact': {'operational_impact': 'Manipulation of display data (e.g., '
                                  'obscuring leaks or empty tanks)',
            'systems_affected': ['Gas station tank gauge systems',
                                 'Operational technology (OT) systems',
                                 'Industrial control systems (ICS)',
                                 'Programmable logic controllers (PLCs)',
                                 'Supervisory control systems']},
 'lessons_learned': 'Exploitation of weak authentication and lack of network '
                    'segmentation in critical infrastructure highlights the '
                    'need for stronger baseline security measures, such as '
                    'enforcing password changes during installation and '
                    'implementing security-by-default practices.',
 'motivation': ['Disruption', 'Psychological pressure', 'Societal impact'],
 'post_incident_analysis': {'corrective_actions': ['Secure by Design '
                                                   'initiative',
                                                   'Vendor collaboration for '
                                                   'security-by-default '
                                                   'measures'],
                            'root_causes': ['Weak authentication',
                                            'Lack of network segmentation',
                                            'Default credentials']},
 'recommendations': ['Enforce security-by-default measures (e.g., requiring '
                     'password changes during installation)',
                     'Implement network segmentation for industrial control '
                     'systems',
                     'Enhance monitoring of internet-facing OT systems',
                     'Collaborate with vendors to improve default security '
                     'settings'],
 'references': [{'source': 'Foundation for Defense of Democracies (FDD)'},
                {'source': 'Microsoft (Fox Tempest disruption)'}],
 'response': {'network_segmentation': 'Recommended (Secure by Design '
                                      'initiative)'},
 'threat_actor': ['Islamic Revolutionary Guard Corps (IRGC)',
                  'Ministry of Intelligence and Security',
                  'Ababil of Minab',
                  'APTIRAN'],
 'title': 'Iranian Cyber Actors Exploit Weak Security in U.S. Critical '
          'Infrastructure',
 'type': ['Cyber Espionage', 'Data Manipulation'],
 'vulnerability_exploited': ['Weak authentication',
                             'Lack of network segmentation',
                             'Default credentials']}