Iranian Cyberattacks Surge 133% Amid Geopolitical Tensions, Targeting U.S. Critical Infrastructure
Nozomi Networks Labs reported a sharp escalation in cyberattacks linked to Iranian threat groups: a 133% increase in incidents during May and June 2025 compared with the previous two months. The surge, which peaked at 18 attacks in May before declining to 10 in June, coincided with heightened regional conflict involving Iran, and U.S. organizations were the primary targets.
At least 28 confirmed attacks were attributed to six Iranian state-sponsored or affiliated groups: MuddyWater, APT33, OilRig, CyberAv3ngers, FoxKitten, and Homeland Justice. The transportation and manufacturing sectors bore the brunt of the activity, though critical infrastructure, energy, and government entities were also heavily targeted.
Key Threat Actors & Their Campaigns
- MuddyWater emerged as the most active, compromising at least five U.S. companies in transportation and manufacturing. The group, active since 2017, historically focused on the Middle East but has since extended its reach to North America, Europe, and Asia, targeting government, telecommunications, and energy organizations.
- APT33 conducted attacks against three U.S. firms, with infrastructure traced to operations spanning North America, Europe, the Middle East, and Asia, including Germany, France, Saudi Arabia, and Japan. The group’s focus on strategic geopolitical and economic hubs suggests intelligence-gathering and disruption objectives.
- OilRig maintained its long-standing campaign against Gulf region targets, including energy, government, and telecommunications sectors, but also extended operations to the U.S., Spain, and Turkey. Attack paths originating from Iran indicate a broader geopolitical and intelligence-driven agenda.
- CyberAv3ngers, known for targeting operational technology (OT), reused an IP address from a prior attack and deployed the OrpaCrab (IOCONTROL) malware, an OT/IoT implant first identified in December 2024. The group's recent activity targeted the U.S., Ukraine, Iraq, and Cyprus, with a focus on critical infrastructure and industrial sectors.
- FoxKitten concentrated on Israel, Greece, and North Macedonia, aligning with its history of espionage and long-term access within government and critical infrastructure networks in the Eastern Mediterranean and Middle East.
- Homeland Justice, a hacktivist collective, demonstrated a global reach, striking targets in the U.S., Canada, Saudi Arabia, India, and Australia. The group’s politically motivated attacks spanned critical infrastructure and government entities, reflecting a broad disruption strategy.
Geopolitical Context & U.S. Response
The surge in Iranian cyber activity follows escalating regional tensions, prompting U.S. security agencies to issue warnings last week. Critical infrastructure operators were advised to monitor for threats and to disconnect OT/ICS assets from the public internet; organizations with ties to Israeli defense or research entities were singled out as being at elevated risk. The agencies emphasized the heightened near-term risk to the defense industrial base (DIB) and other high-value sectors.
Nozomi Networks confirmed that its threat intelligence feeds, including a Mandiant TI Expansion Pack, already contain signatures to detect these groups, though the broader picture underscores the expanding scope and sophistication of Iranian cyber operations.
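The two recommendations above, watching for known Iranian-linked infrastructure and keeping OT/ICS assets off the public internet, reduce to checks that can be run over ordinary firewall logs. The following is an added example written for this page, not code from Nozomi Networks, Mandiant or the U.S. agencies. The indicator list, the internal address ranges, the log format and the log lines are all constructed (RFC 5737 TEST-NET addresses, no attribution implied), and the port table is an assumption about which ICS protocols matter at a given site.

```python
"""Added example (not from the Nozomi report or the agencies' advisory).

Two checks over constructed firewall log lines:
  1. indicator matching: does the source IP fall inside any IP/CIDR indicator?
  2. OT exposure: was a connection from outside the internal ranges ALLOWed
     to an ICS/OT protocol port?
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed indicator list standing in for one entry of a threat-intel feed.
# A bare IP and a CIDR block are both accepted; neither is a real attacker address.
INDICATORS = ["203.0.113.7", "198.51.100.0/24"]

# Assumed ICS/OT protocol ports that should never be reachable from the internet.
OT_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Assumed internal address space; an operator substitutes their own ranges.
# (ipaddress.is_private also counts TEST-NET as private, so an explicit list is used.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed log lines in a made-up pipe format: ts|action|proto|src|sport|dst|dport
SAMPLE_LOG = """\
2025-06-03T01:12:09Z|ALLOW|TCP|203.0.113.7|51234|10.20.30.40|502
2025-06-03T01:12:30Z|ALLOW|TCP|10.0.0.15|43211|10.20.30.40|502
2025-06-03T02:00:01Z|DENY|TCP|198.51.100.23|40001|10.20.30.41|20000
2025-06-03T02:05:44Z|ALLOW|TCP|192.0.2.9|50000|10.20.30.42|44818
2025-06-03T03:15:00Z|ALLOW|TCP|172.16.5.5|33333|10.20.30.43|443
"""


@dataclass(frozen=True)
class Finding:
    kind: str      # "ioc_match" or "ot_exposed"
    ts: str
    src: str
    dst: str
    dport: int
    detail: str


def load_indicators(entries: list[str]) -> list:
    """Normalise bare IPs and CIDR blocks into network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def is_internal(addr) -> bool:
    """True if the address lies in one of the assumed internal ranges."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    ts, action, proto, src, sport, dst, dport = line.split("|")
    return {"ts": ts, "action": action, "proto": proto, "src": src,
            "sport": int(sport), "dst": dst, "dport": int(dport)}


def analyze(log_text: str, indicators: list) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        src = ipaddress.ip_address(rec["src"])
        # Check 1: any attempt from indicator infrastructure counts, allowed or denied.
        for net in indicators:
            if src in net:
                findings.append(Finding("ioc_match", rec["ts"], rec["src"], rec["dst"],
                                        rec["dport"], f"source in indicator {net}"))
                break
        # Check 2: a permitted OT-protocol connection from outside the internal ranges.
        if rec["action"] == "ALLOW" and rec["dport"] in OT_PORTS and not is_internal(src):
            findings.append(Finding("ot_exposed", rec["ts"], rec["src"], rec["dst"],
                                    rec["dport"],
                                    f"{OT_PORTS[rec['dport']]} reachable from outside internal ranges"))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Count findings per kind, for a quick dashboard-style view."""
    return {k: sum(1 for f in findings if f.kind == k) for k in ("ioc_match", "ot_exposed")}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, load_indicators(INDICATORS)):
        print(f"{f.ts} {f.kind:<11} {f.src} -> {f.dst}:{f.dport}  {f.detail}")
```

Denied connections from indicator addresses are still reported, because a blocked probe from infrastructure an actor has reused before is itself worth a ticket; the exposure check, by contrast, only fires on allowed traffic, since that is the condition the advisory's isolation guidance is meant to remove.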
U.S. Department of Homeland Security cybersecurity rating report: https://www.rankiteo.com/company/us-department-of-homeland-security
Nozomi Networks cybersecurity rating report: https://www.rankiteo.com/company/nozomi-networks-sa
Trellix cybersecurity rating report: https://www.rankiteo.com/company/trellixsecurity
"id": "US-NOZTRE1774333876",
"linkid": "us-department-of-homeland-security, nozomi-networks-sa, trellixsecurity",
"type": "Cyber Attack",
"date": "7/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': ['Transportation',
'Manufacturing',
'Energy',
'Government',
'Telecommunications'],
'location': ['U.S.',
'Germany',
'France',
'Saudi Arabia',
'Japan',
'Spain',
'Turkey',
'Ukraine',
'Iraq',
'Cyprus',
'Israel',
'Greece',
'North Macedonia',
'Canada',
'India',
'Australia'],
'type': ['Transportation Company',
'Manufacturing Firm',
'Energy Sector',
'Government Entity',
'Telecommunications']}],
'attack_vector': ['Malware',
'Operational Technology (OT) Exploitation',
'Long-term Access'],
'data_breach': {'data_encryption': False, 'data_exfiltration': True},
'date_detected': '2025-05-01',
'date_publicly_disclosed': '2025-06-30',
'description': 'Nozomi Networks Labs reported a sharp escalation in '
'cyberattacks linked to Iranian threat groups, with a 133% '
'increase in incidents during May and June 2025 compared to '
'the previous two months. The surge targeted U.S. '
'organizations, particularly in transportation, manufacturing, '
'critical infrastructure, energy, and government sectors. At '
'least 28 confirmed attacks were attributed to six Iranian '
'state-sponsored or affiliated groups: MuddyWater, APT33, '
'OilRig, CyberAv3ngers, FoxKitten, and Homeland Justice.',
'impact': {'data_compromised': True,
'operational_impact': 'Disruption of critical infrastructure and '
'industrial sectors',
'systems_affected': ['Transportation',
'Manufacturing',
'Critical Infrastructure',
'Energy',
'Government',
'Telecommunications']},
'initial_access_broker': {'high_value_targets': ['Defense Industrial Base '
'(DIB)',
'Critical Infrastructure']},
'investigation_status': 'Ongoing',
'lessons_learned': 'Heightened risk to critical infrastructure and defense '
'industrial base (DIB) due to geopolitical tensions. Need '
'for enhanced monitoring and isolation of OT/ICS assets.',
'motivation': ['Geopolitical Tensions',
'Intelligence Gathering',
'Disruption',
'Espionage'],
'post_incident_analysis': {'corrective_actions': ['Enhanced monitoring',
'Isolation of OT/ICS assets',
'Threat intelligence '
'integration'],
'root_causes': ['Geopolitical tensions',
'State-sponsored cyber '
'operations']},
'malware': {'family': ['OrpaCrab (IOCONTROL)'],
'type': 'OT/IoT implant; no ransomware deployment or data '
'encryption is reported'},
'recommendations': ['Monitor for threats from Iranian state-sponsored groups',
'Isolate OT/ICS assets from public internet access',
'Leverage threat intelligence feeds for detection'],
'references': [{'date_accessed': '2025-06-30',
'source': 'Nozomi Networks Labs'},
{'date_accessed': '2025-06-30',
'source': 'U.S. Security Agencies'}],
'response': {'containment_measures': ['Isolation of OT/ICS assets from public '
'internet access'],
'enhanced_monitoring': True,
'third_party_assistance': 'Nozomi Networks (Threat Intelligence '
'Feeds)'},
'stakeholder_advisories': 'U.S. security agencies advised critical '
'infrastructure operators to monitor for threats '
'and isolate OT/ICS assets.',
'threat_actor': ['MuddyWater',
'APT33',
'OilRig',
'CyberAv3ngers',
'FoxKitten',
'Homeland Justice'],
'title': 'Iranian Cyberattacks Surge 133% Amid Geopolitical Tensions, '
'Targeting U.S. Critical Infrastructure',
'type': ['Cyber Espionage', 'Disruption', 'Hacktivism']}