Iran-linked cyber activity is rising, targeting U.S. critical infrastructure, water systems, healthcare, and financial services. Learn key defenses to implement now.
Modern geopolitical conflicts rarely remain confined to the physical battlefield. Escalating conflicts in the Middle East include increased cyber attacks against Western targets from Iran state-sponsored hackers and affiliates, with a heavy focus on U.S. critical infrastructure and high-profile targets of opportunity. Organizations protecting state, local, commercial, and critical infrastructure in the U.S. need to verify their basic defenses are in place and actively monitored.
It is important to separate credible risk from worst-case speculation. Despite Iran’s near-total internet blackout, its geographically dispersed proxies, including IRGC-affiliated cyber actors and hacktivist groups, continue to operate through VPNs and external infrastructure, and sometime allies in the region are increasing their attacks. A catastrophic Iranian cyber attack against U.S. infrastructure seems unlikely, but organizations should expect an increase in attacks designed to create high-visibility, disruptive, and psychological impacts.
Recent reporting indicates U.S. intelligence and cyber resources expect an increase in Distributed Denial of Service (DDoS) attacks, website defacements, and disruptive activity like ransomware and system disruptions. Financial institutions have reportedly moved to heightened alert levels based on the threat of disrupting operations and causing financial losses.
An important complicating factor is the impact to the Department of Homeland Security, specifically the Cybersecurity & Infrastructure Security Agency (CISA). CISA’s budgets and staffing have already been significantly disrupted, and the government shutdown threatens to further limit its support against these types of attacks. Organizations that have relied on CISA for threat intelligence and incident response coordination should be prepared to operate with reduced federal support.
U.S. Sectors at Highest Risk from Iran-Linked Cyber Attacks
Iran and affiliated groups have a well-established playbook. Their tactics are not always sophisticated—they typically exploit gaps in basic cyber hygiene. Previous successful operations have relied on exploiting default or weak passwords on internet-facing systems, brute-force credential attacks and MFA push-bombing, partnerships with ransomware operators, and targeted phishing and social engineering campaigns.
Based on historical patterns and current threat warnings from CISA, CrowdStrike, and Google Threat Intelligence Group, the sectors at highest risk include:
- Water and wastewater systems: A long history of targeting this sector for disruption. In 2023–2024, IRGC-affiliated threat actors compromised U.S. water utilities by exploiting default passwords on internet-facing programmable logic controllers (PLCs)—a basic vulnerability that remains unaddressed at many facilities.
- Healthcare networks: Hospitals and health systems remain attractive targets due to the urgency of restoring operations and the sensitivity of patient data. Iranian actors have used brute-force credential attacks and ransomware partnerships to compromise healthcare organizations.
- State and local government: Constrained budgets, limited personnel, legacy systems, and limited security monitoring provide a target of opportunity. An Iranian national previously pleaded guilty to ransomware attacks that crippled Baltimore and other U.S. municipalities, causing tens of millions in damages.
- Financial services: JPMorgan Chase CEO Jamie Dimon publicly stated that banks should expect a rise in cyber and terrorist attacks. Iran conducted massive denial-of-service attacks against major U.S. banks in 2012–2013, and CrowdStrike has reported a surge in claimed disruptions targeting the financial sector.
- Defense industrial base: CISA specifically flagged defense contractors with holdings or relationships tied to Israeli defense firms as at increased risk of attack.
Recommended Cybersecurity Steps to Defend Against Iran-Linked Attacks
It is neither time to panic, nor is it the time to think about a multi-year initiative. A quick check to ensure basic security blocking and tackling measures are in place is an excellent idea—you can bet attackers will take advantage of low-hanging fruit. We recommend verifying the following basics are in place:
- Multi-Factor Authentication: Validate that email, remote access, and (ideally) privileged account use requires multi-factor authentication. Be aware that Iranian actors have used MFA push-bombing—flooding users with authentication requests—to bypass this control. Consider number-matching or phishing-resistant MFA where possible.
- Privileged Account Review: This is always worth doing annually, but now is a good time for a quick review of the administrator accounts on critical systems and applications: confirm that old accounts are disabled, and double-check that the remaining accounts have been hardened and are monitored.
- Internet-Accessible Solutions: Verify that a recent vulnerability scan exists (or conduct one) and that all organizationally controlled accounts have long passphrases and multi-factor authentication. Pay particular attention to email, remote access solutions, and devices that could provide access to the interior network (e.g., IoT, OT, and control systems).
- Incident Response Plan: Run a tabletop exercise (CISA has free resources) to review and test the plan. Clever attackers will eventually compromise most environments—be prepared to respond with less stress.
- Security Awareness Training: Take a moment to do a quick refresher on phishing, social engineering, and related attacks with staff. If you have one of the training/phishing solutions in place, consider increasing the frequency in the short term.
- Monitoring: Ensure security monitoring tools are in place and are being actively monitored. The best solutions monitor for anomalous behavior, but use the tools available to actively watch for attacks, particularly across critical infrastructure and internet-exposed solutions and services.
- Backups: Review your backup solution to verify that ongoing backups are in progress, that recoverability is tested and verified, and that backups are protected against deletion or corruption. Wiper malware is a documented component of Iran’s cyber toolkit.
- Qualified Support: Identify qualified individuals on staff or from outside the organization you can quickly engage if the organization has questions, needs help, or has to respond to an incident.
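As an added example (not code from the advisory or from RubinBrown), the script below shows what "actively monitoring" for the credential tactics described above can look like in practice. It parses a constructed sign-in log and flags three patterns: MFA push-bombing (a burst of denied or timed-out push prompts to one user, escalated to critical when an approval follows in the same burst), brute force (many password failures against one account from one source), and password spraying (one source failing against many accounts). The log format, field names, and thresholds are assumptions; real identity-provider and VPN logs differ, and the thresholds should be tuned to the environment's normal volume.

```python
"""Flag MFA push-bombing, brute-force and password-spray patterns in sign-in logs.
Added example, not from the advisory; log format and thresholds are assumptions."""
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time user src event result")

# Assumed thresholds; tune to the environment's normal MFA and sign-in volume.
WINDOW = timedelta(minutes=10)
PUSH_REJECTS = 4     # denied/timed-out MFA pushes to one user inside WINDOW
BRUTE_FAILURES = 6   # password failures against one user from one source inside WINDOW
SPRAY_USERS = 5      # distinct users failing from one source inside WINDOW

# Constructed sample log (not real data). Assumed line format:
#   <ISO-8601 UTC time> <user> <source IP> <event> <result>
# event "password" -> success|failure; event "mfa_push" -> approved|denied|timeout
SAMPLE_LOG = """
2026-03-10T08:00:01Z alice 203.0.113.7 password success
2026-03-10T08:00:02Z alice 203.0.113.7 mfa_push denied
2026-03-10T08:00:30Z alice 203.0.113.7 mfa_push timeout
2026-03-10T08:01:10Z alice 203.0.113.7 mfa_push denied
2026-03-10T08:01:45Z alice 203.0.113.7 mfa_push denied
2026-03-10T08:02:20Z alice 203.0.113.7 mfa_push denied
2026-03-10T08:03:05Z alice 203.0.113.7 mfa_push approved
2026-03-10T09:15:00Z bob 198.51.100.9 password failure
2026-03-10T09:15:02Z carol 198.51.100.9 password failure
2026-03-10T09:15:04Z dave 198.51.100.9 password failure
2026-03-10T09:15:06Z erin 198.51.100.9 password failure
2026-03-10T09:15:08Z frank 198.51.100.9 password failure
2026-03-10T10:00:00Z helen 192.0.2.44 password failure
2026-03-10T10:00:03Z helen 192.0.2.44 password failure
2026-03-10T10:00:06Z helen 192.0.2.44 password failure
2026-03-10T10:00:09Z helen 192.0.2.44 password failure
2026-03-10T10:00:12Z helen 192.0.2.44 password failure
2026-03-10T10:00:15Z helen 192.0.2.44 password failure
2026-03-10T11:00:00Z ivan 192.0.2.10 password failure
"""

def parse_log(text):
    """Parse lines into time-sorted Events, skipping malformed lines instead of aborting."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        t = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(t, *parts[1:]))
    return sorted(events, key=lambda e: e.time)

def _windows(events):
    """Yield each WINDOW-length slice of a time-sorted event list (two-pointer sweep)."""
    j = 0
    for i in range(len(events)):
        while j < len(events) and events[j].time - events[i].time <= WINDOW:
            j += 1
        yield events[i:j]

def detect_push_bombing(events):
    """One finding per user hit by a burst of rejected pushes; critical if an approval follows."""
    by_user = defaultdict(list)
    for e in events:
        if e.event == "mfa_push":
            by_user[e.user].append(e)
    findings = {}
    for user, pushes in by_user.items():
        for window in _windows(pushes):
            rejected = sum(e.result in ("denied", "timeout") for e in window)
            if rejected < PUSH_REJECTS:
                continue
            # An approval inside the same burst is the MFA-fatigue success case.
            severity = "critical" if any(e.result == "approved" for e in window) else "high"
            if user not in findings or severity == "critical" and findings[user]["severity"] == "high":
                findings[user] = {"rule": "mfa_push_bombing", "user": user, "severity": severity,
                                  "prompts": len(window), "start": window[0].time.isoformat()}
    return list(findings.values())

def detect_credential_attacks(events):
    """One finding per source that brute-forces one account or sprays many accounts."""
    by_src = defaultdict(list)
    for e in events:
        if e.event == "password" and e.result == "failure":
            by_src[e.src].append(e)
    findings = {}
    for src, fails in by_src.items():
        for window in _windows(fails):
            per_user = Counter(e.user for e in window)
            if max(per_user.values()) >= BRUTE_FAILURES:
                rule = "brute_force"
            elif len(per_user) >= SPRAY_USERS:
                rule = "password_spray"
            else:
                continue
            findings.setdefault(src, {"rule": rule, "src": src, "users": len(per_user),
                                      "failures": len(window), "start": window[0].time.isoformat()})
    return list(findings.values())

def run(text):
    events = parse_log(text)
    return detect_push_bombing(events) + detect_credential_attacks(events)

if __name__ == "__main__":
    for finding in run(SAMPLE_LOG):
        print(finding)
```

On the sample log this reports one critical push-bombing finding for alice, a password-spray finding for 198.51.100.9, and a brute-force finding for 192.0.2.44; ivan's single failure is ignored. The same sliding-window sweep works on a SIEM export as long as the parser is adapted to the real field layout, and the critical case (approval after a burst of rejections) is the one that should page someone, since it means the control was bypassed rather than merely attacked.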
A Real but Manageable Cyber Threat from Iran
Iran, Iranian state-sponsored hackers, and their affiliates have the capability and motivation to create chaos, disruption, and possibly damage with cyber attacks. Historically, their tactics and attacks are sometimes clever but typically not that sophisticated: they generally exploit gaps in cyber hygiene or human elements, or recycle old passwords from dark web disclosures that were never changed.
The Bottom Line: Do Not Be an Easy Target
Calmly, but with perhaps a sense of urgency, address the basics, stay vigilant, and continue with longer-term plans to improve the organization’s security posture.
The RubinBrown Cyber Security Services team is dedicated to helping organizations identify risks, strengthen defenses, and build lasting cybersecurity resilience through proactive strategy, education, and technical expertise. If you have questions or need assistance please reach out to your RubinBrown point of contact or submit a message.
Published: 03/11/2026