Ceasefire That Isn’t: Day 59 of Iran’s Cyber War on U.S. Critical Infrastructure

Anomali Threat Research

Published on

April 27, 2026

Table of Contents

Threat Assessment Level: ELEVATED — SUSTAINED Iranian cyber operations continue unabated 59 days into the U.S.–Iran conflict. Despite active ceasefire negotiations, DDoS campaigns are expanding into supply-chain targets, a firmware-persistent backdoor threatens every unimaged Cisco ASA in your environment, and the actors you can’t see may be the ones that matter most. <h2> Introduction                                            </h2> We are now 59 days into the U.S.–Iran conflict that began on February 28, 2026. U.S. envoys Witkoff and Kushner are traveling to Islamabad for peace talks. Headlines suggest progress. But beneath the diplomatic veneer, Iranian cyber operations have not paused for a single day. This week’s intelligence paints a picture that every CISO protecting critical infrastructure, defense industrial base (DIB) assets, or cloud-dependent enterprises needs to internalize: a ceasefire that ignores cyber is not a real ceasefire. That assessment, first articulated by Forbes on April 18, has only grown more accurate. Former NSA Director Tim Haugh and Mandiant’s Kevin Mandia confirmed at the Asness Summit on April 24 that Iran’s cyber posture is defined not by sophisticated zero-days but by something far harder to detect — stolen credentials, legitimate tooling abuse, and information operations that amplify every intrusion. Meanwhile, CISA published a formal Malware Analysis Report on a backdoor that survives Cisco firmware updates, a joint advisory from the National Council of ISACs catalogued every active Iranian threat group, and DDoS campaigns expanded from consumer nuisances to MSP infrastructure — a supply-chain escalation that should alarm every managed service provider and their downstream clients. Here’s what changed, what it means, and what you should do about it. <h2> What Changed This Week                   </h2> Seven developments define this intelligence cycle: <ol> <li> FIRESTARTER backdoor confirmed “widespread” on Cisco ASA/FTD — CISA’s Malware Analysis Report (ar26-113a, published April 23) confirms a Linux ELF backdoor that persists through firmware updates and reboots. Patching is not sufficient. Only a full reimage or hard power cycle removes it. </li> <li> Iranian DDoS expands to MSP/supply-chain targets — The campaign that hit Cinemark, Yelp, Expedia, Bluesky, and others now includes ConnectWise , an IT services platform used by thousands of managed service providers. This is no longer just consumer disruption. </li> <li> NCI Joint Advisory validates the full Iranian threat taxonomy — The National Council of ISACs published the most comprehensive institutional assessment of Iranian cyber actors during the conflict, confirming 10+ groups are active or capable, from state APTs to IRGC-aligned hacktivists. </li> <li> “Low and slow” identity attacks confirmed as Iran’s primary model — Former NSA Director Tim Haugh and Kevin Mandia publicly characterized Iranian intrusions as credential-based, identity-focused attacks amplified by information operations. The Stryker medical device wipe (March 2026) was accomplished entirely through purchased credentials and legitimate MDM tools. </li> <li> Pre-Stuxnet sabotage malware “Fast16” disclosed — SentinelOne revealed a U.S. offensive tool from before 2005 that introduced small systematic errors into precision engineering calculations. While historical, this TTP — calculation sabotage — has no defensive detection coverage and could be mirrored by adversaries. </li> <li> Russian-Iranian infrastructure sharing confirmed at HIGH confidence — APT28 (Russian GRU) has expanded to three new IPs on Iranian ASN 213790, placing direct Russian-Iranian cyber infrastructure convergence at HIGH confidence. NoName057(16) conducted DDoS against Israeli organizations on March 4, further confirming Russian-aligned actors are operating in coordination with Iranian operations. </li> <li> UNC1549/Imperial Kitten resumes aerospace and DIB targeting — The IRGC-linked actor resumed operations against aerospace and defense industrial base organizations on April 22–23 via fake GitHub resume repositories containing malicious payloads, signaling renewed pre-positioning activity against the defense supply chain. </li> </ol> <h2> Conflict & Threat Timeline                     </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> 2026-02-28 </td> <td> U.S.–Iran conflict begins (Operation Epic Fury) </td> <td> DieNet, Handala, Cyber Av3ngers activate immediately </td> </tr> <tr> <td> 2026-03-04 </td> <td> NoName057(16) DDoS attacks against Israeli organizations </td> <td> Russian hacktivist alignment with Iranian operations confirmed </td> </tr> <tr> <td> Mid-March 2026 </td> <td> Stryker medical device wipe via stolen credentials + MDM abuse </td> <td> Identity-based attack model validated — no malware required </td> </tr> <tr> <td> March 2026 </td> <td> NCI Joint Advisory drafted (published to partners April 26) </td> <td> Institutional confirmation of full Iranian actor taxonomy </td> </tr> <tr> <td> 2026-04-18 </td> <td> Forbes publishes “A ceasefire that ignores cyber is not a real ceasefire” </td> <td> Defines the analytical frame for the conflict’s cyber dimension </td> </tr> <tr> <td> 2026-04-19 </td> <td> UNC5866/Emennet Pasargad deploys destructive wiper against Israeli targets </td> <td> Wiper use elevates Western expansion risk </td> </tr> <tr> <td> 2026-04-20 </td> <td> Iranian-backed DDoS hits 9+ U.S. platforms including ConnectWise </td> <td> Supply-chain escalation from consumer to MSP infrastructure </td> </tr> <tr> <td> 2026-04-22 </td> <td> UNC1549/Imperial Kitten resumes aerospace/DIB targeting via fake GitHub repos </td> <td> DIB pre-positioning activity detected </td> </tr> <tr> <td> 2026-04-23 </td> <td> CISA publishes MAR ar26-113a on FIRESTARTER backdoor </td> <td> Confirms firmware-persistent compromise of U.S. federal Cisco ASA </td> </tr> <tr> <td> 2026-04-24 </td> <td> Haugh & Mandia characterize Iran’s “low and slow” identity attack model </td> <td> Reframes threat from malware to credential theft + IO </td> </tr> <tr> <td> 2026-04-24 </td> <td> CVE-2024-7399 (Samsung MagicINFO) added to CISA KEV </td> <td> Active exploitation of digital signage management servers </td> </tr> <tr> <td> 2026-04-24 </td> <td> APT28 (Russian GRU) expands to 3 new IPs on Iranian ASN 213790 </td> <td> Russian-Iranian infrastructure sharing at HIGH confidence </td> </tr> <tr> <td> 2026-04-26 </td> <td> SentinelOne discloses Fast16 pre-Stuxnet sabotage malware </td> <td> Reveals calculation-tampering TTP with no current detection coverage </td> </tr> <tr> <td> 2026-04-27 </td> <td> Day 59 — ceasefire talks active, cyber operations unabated </td> <td> Intelligence collection cutoff for this report </td> </tr> </tbody> </table> <h2> Key Threat Analysis                                   </h2> <h3> 1. FIRESTARTER: The Backdoor That Survives Your Patches </h3> CISA’s Malware Analysis Report on FIRESTARTER is the most operationally urgent finding this cycle. This Linux ELF backdoor targets Cisco ASA and FTD appliances — the same devices protecting the perimeters of federal agencies, energy utilities, and defense contractors. What makes FIRESTARTER exceptional: <ul> <li> Firmware persistence : It manipulates the startup mount list and hooks the LINA engine. Standard firmware updates do not remove it. Only a full reimage or hard power cycle (physically pulling the power cord) eliminates the implant. </li> <li> Post-exploitation toolkit : FIRESTARTER deploys LINE VIPER , which provides CLI execution, packet capture, VPN AAA bypass, and syslog suppression — meaning it can watch your traffic, bypass your VPN authentication, and hide its own logs. </li> <li> Exploited vulnerabilities : CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5) </li> <li> Attribution : UAT4356 / Storm-1849, assessed as China-nexus and linked to the ArcaneDoor campaign. Shares overlap with the RayInitiator bootkit. </li> </ul> Why this matters for the Iran conflict : While FIRESTARTER is attributed to a China-nexus actor, it compromises the exact same Cisco infrastructure that Iranian actors target. A FIRESTARTER-compromised device could mask or enable Iranian operations on the same network segment. Multi-actor convergence on shared attack surface is the new reality. Bottom line : If you have Cisco ASA/FTD devices and you have only patched them, you may still be compromised. Reimaging is required. <h3> 2. The Full Iranian Actor Taxonomy — Confirmed and Active </h3> The NCI Joint Advisory, published in March 2026 and distributed to ISACs through April, provides the most authoritative institutional mapping of Iranian cyber actors during the conflict. Every CISO should know these names: <table> <thead> <tr> <th> Actor </th> <th> Affiliation </th> <th> Primary TTPs </th> <th> Key Targets </th> </tr> </thead> <tbody> <tr> <td> APT33 (Elfin) </td> <td> IRGC </td> <td> Password spraying, zero-day exploitation </td> <td> Energy, aviation </td> </tr> <tr> <td> APT34 (OilRig) </td> <td> MOIS </td> <td> Supply-chain compromise, LinkedIn phishing </td> <td> Government, finance, telecom </td> </tr> <tr> <td> APT35 (Charming Kitten) </td> <td> IRGC </td> <td> Spearphishing U.S. political/military targets </td> <td> Political figures, military, commercial </td> </tr> <tr> <td> APT42 </td> <td> IRGC-IO </td> <td> Credential harvesting, social engineering </td> <td> Researchers, university personnel, diaspora </td> </tr> <tr> <td> MuddyWater (TEMP.Zagros) </td> <td> MOIS </td> <td> Espionage, RMM tool abuse (SimpleHelp, Atera) </td> <td> Government, defense, energy, telecom, finance </td> </tr> <tr> <td> Fox Kitten (Pioneer Kitten/UNC757) </td> <td> IRGC-adjacent </td> <td> VPN exploitation (Pulse Secure, Citrix, F5), sells access to ransomware affiliates </td> <td> DIB contractors, IT services </td> </tr> <tr> <td> UNC1860 (Scarred Manticore) </td> <td> MOIS </td> <td> Persistent access, web shell deployment </td> <td> Government, telecom </td> </tr> <tr> <td> Cyber Av3ngers </td> <td> IRGC-CEC </td> <td> ICS/OT exploitation, Unitronics PLC default credentials </td> <td> Water, energy utilities </td> </tr> <tr> <td> Handala (Void Manticore/UNC5203) </td> <td> IRGC-aligned </td> <td> Hack-and-leak, supply-chain footholds, wiper deployment </td> <td> Israeli targets, expanding to Western </td> </tr> <tr> <td> DieNet </td> <td> Pro-Iran hacktivist </td> <td> DDoS, defacement </td> <td> U.S. consumer platforms, government </td> </tr> <tr> <td> FAD Team (Fatimion Cyber Team) </td> <td> IRGC-aligned </td> <td> Wiper malware, SQL injection, SCADA/PLC access claims </td> <td> Critical infrastructure </td> </tr> <tr> <td> Cyber Islamic Resistance (Team 313) </td> <td> Coordination umbrella </td> <td> Multi-group coordination, health sector targeting </td> <td> Attacked 9 health sector orgs in 12-day war </td> </tr> </tbody> </table> Additionally, Russian-aligned actors are providing direct support: NoName057(16) conducted DDoS against Israeli organizations on March 4, and APT28 (Russian GRU) has expanded to three new IPs on Iranian ASN 213790 — placing Russian-Iranian infrastructure sharing at HIGH confidence. <h3> 3. Identity Is the New Perimeter — And Iran Knows It </h3> Former NSA Director Tim Haugh and Kevin Mandia’s public assessment at the Asness Summit on April 24 should reshape how you think about Iranian threats. Their characterization: <ul> <li> Iran’s cyber capability is “closer to a criminal actor” — targeted opportunity attacks amplified by information operations </li> <li> The Stryker medical device attack (March 2026) required no malware: attackers purchased valid credentials from the dark web, logged into a legitimate mobile device management (MDM) platform, and wiped devices at scale </li> <li> “It’s gonna be logging in. It’s gonna be an identity security issue.” </li> <li> Iranian actors manipulate timing — claiming targets they’ve already compromised to create the perception of rapid capability </li> </ul> This means your EDR and network IDS may see nothing. The attacker logs in with valid credentials, uses legitimate administrative tools, and achieves their objective. Detection requires identity analytics, not signature matching. <h3> 4. DDoS Escalation: From Consumer Nuisance to Supply-Chain Threat </h3> Iranian-backed groups conducted denial-of-service attacks against Cinemark, Yelp, Expedia, Vrbo, Hotels.com, Travelocity, Orbitz, Bluesky, and ConnectWise between April 20–25. The addition of ConnectWise is the escalation signal. ConnectWise ScreenConnect is used by thousands of managed service providers to remotely manage client endpoints. ConnectWise ScreenConnect was previously exploited in mass campaigns (CVE-2024-1709). If Iranian actors move from DDoS to exploitation of ConnectWise infrastructure, they gain downstream access to thousands of MSP-managed endpoints — a supply-chain multiplier. <h3> 5. Fast16: A Ghost From the Past With Future Implications </h3> SentinelOne’s disclosure of Fast16 — a pre-2005 U.S. offensive sabotage tool found in the ShadowBrokers’ 2016 NSA leak — reveals a TTP that has no current defensive coverage: calculation sabotage . The malware introduced small systematic errors into precision engineering calculations in software like LS-DYNA 970 (documented use in Iran’s nuclear weapons program), degrading scientific research over time without obvious failure. While this is a historical disclosure, the TTP is live intelligence. Any adversary with access to engineering or simulation environments — including Iranian actors pre-positioned in DIB contractor networks — could deploy similar calculation-tampering techniques against Western defense engineering programs. There is currently no detection framework for this attack class. <h2> Predictive Analysis: What Comes Next </h2> Based on the convergence of intelligence from this cycle, we assess the following probabilities for the next 72 hours and beyond: <table> <thead> <tr> <th> Probability </th> <th> Scenario </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> 70% </td> <td> DDoS campaigns continue against U.S. consumer and commercial platforms through the weekend, potentially expanding to additional MSP/SaaS targets </td> <td> Consistent tempo since April 20; ConnectWise targeting indicates escalation appetite </td> </tr> <tr> <td> 55% </td> <td> MuddyWater resurfaces with a retooled campaign within 14 days </td> <td> 30+ days of silence during active conflict is historically anomalous for this group; likely indicates retooling, not retirement </td> </tr> <tr> <td> 40% </td> <td> CISA issues new advisory on Iranian exploitation of specific ICS/OT devices (Rockwell/Allen-Bradley PLCs) </td> <td> NCI advisory language and CISA acting director testimony suggest forthcoming guidance </td> </tr> <tr> <td> 35% </td> <td> Credential-based intrusion at a U.S. healthcare or energy organization is publicly disclosed within 30 days </td> <td> Haugh/Mandia confirm identity-based attacks as primary vector; health sector previously targeted by Team 313 </td> </tr> <tr> <td> 25% </td> <td> Fox Kitten/Pioneer Kitten detected in a DIB contractor network </td> <td> 30 days of silence on PIR-007 does not mean 30 days of inactivity — Fox Kitten is known to sell network access to ransomware affiliates. Low probability of detection , not low probability of activity </td> </tr> <tr> <td> 15% </td> <td> Destructive wiper deployed against a Western (non-Israeli) target </td> <td> UNC5866 deployed a wiper against Israeli targets on April 19; Western expansion is the next logical step but represents a significant escalation threshold </td> </tr> </tbody> </table> <h2> SOC Operational Guidance                 </h2> <h3> What to Hunt For Now </h3> Hypothesis 1: FIRESTARTER persistence on Cisco ASA/FTD - ATT&CK : T1542.004 (Pre-OS Boot: ROMMONkit), T1562.001 (Impair Defenses: Disable or Modify Tools), T1040 (Network Sniffing) - Hunt : Audit all Cisco ASA/FTD devices for unexpected modifications to the startup mount list. Check for syslog gaps or suppression — FIRESTARTER’s LINE VIPER toolkit actively suppresses logging. Verify VPN AAA configurations have not been modified to bypass authentication. Any device that has only been patched (not reimaged) since CVE-2025-20333 disclosure should be treated as potentially compromised. - Detection : Monitor for anomalous CLI commands on ASA devices, unexpected packet capture processes, and VPN authentication events that bypass MFA. Hypothesis 2: Identity-based intrusion via purchased credentials - ATT&CK : T1078 (Valid Accounts), T1078.004 (Cloud Accounts), T1528 (Steal Application Access Token), T1531 (Account Access Removal) - Hunt : Review authentication logs for impossible travel, credential stuffing patterns, and logins from residential proxy networks. Focus on M365/Entra ID, VPN portals, and MDM platforms. The Stryker attack used legitimate MDM to wipe devices — audit MDM administrative actions for anomalous bulk operations. - Detection : Implement conditional access policies that flag logins from new device + new location combinations. Alert on MDM mass-action commands (device wipe, lock, retire) outside of change windows. Hypothesis 3: Fox Kitten pre-positioning in VPN infrastructure - ATT&CK : T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1199 (Trusted Relationship) - Hunt : Query Pulse Secure/Ivanti Connect Secure, Citrix NetScaler, and F5 BIG-IP authentication logs for anomalous service account activity, especially dormant accounts with recent authentication. Look for Rclone or Wasabi-based exfiltration signatures. Fox Kitten is known to exploit CVE-2024-21887 (Ivanti) and CVE-2023-3519 (Citrix). - Detection : Alert on VPN authentication from previously unseen source IPs for service accounts. Monitor for large outbound data transfers to cloud storage services. Hypothesis 4: ConnectWise exploitation (beyond DDoS) - ATT&CK : T1190 (Exploit Public-Facing Application), T1219 (Remote Access Software) - Hunt : If your organization uses ConnectWise ScreenConnect, audit for exploitation attempts against CVE-2024-1709 and monitor for unauthorized remote access sessions. Check for new ScreenConnect extensions or agents deployed outside of change management. - Detection : Alert on ScreenConnect authentication from non-corporate IP ranges and new agent installations on endpoints. Hypothesis 5: MuddyWater retooling deployment - ATT&CK : T1219 (Remote Access Software — SimpleHelp, Atera), T1059.001 (PowerShell), T1566.001 (Spearphishing Attachment) - Hunt : MuddyWater (MOIS) historically abuses legitimate RMM tools (SimpleHelp, Atera, ScreenConnect) for C2. Hunt for unauthorized RMM agent installations, especially in government, defense, energy, and telecom environments. Query for PowerShell execution with encoded commands following email delivery. <h3> Key CVEs to Prioritize                                     </h3> <table> <thead> <tr> <th> CVE </th> <th> CVSS </th> <th> Product </th> <th> Status </th> </tr> </thead> <tbody> <tr> <td> CVE-2025-20333 </td> <td> 9.9 </td> <td> Cisco ASA/FTD </td> <td> Exploited by FIRESTARTER — patching insufficient, reimage required </td> </tr> <tr> <td> CVE-2025-20362 </td> <td> 6.5 </td> <td> Cisco ASA/FTD </td> <td> Exploited by FIRESTARTER </td> </tr> <tr> <td> CVE-2024-7399 </td> <td> 8.8 </td> <td> Samsung MagicINFO 9 Server </td> <td> Added to CISA KEV 2026-04-24, active exploitation </td> </tr> <tr> <td> CVE-2026-41242 </td> <td> 9.8 </td> <td> protobuf.js </td> <td> Critical deserialization vulnerability </td> </tr> <tr> <td> CVE-2026-39987 </td> <td> 9.8 </td> <td> Marimo (Python notebook) </td> <td> RCE — exploited within 10 hours of disclosure </td> </tr> <tr> <td> CVE-2026-5194 </td> <td> 9.1 </td> <td> wolfSSL </td> <td> Critical TLS library vulnerability </td> </tr> <tr> <td> CVE-2026-34621 </td> <td> 8.6 </td> <td> Adobe Acrobat </td> <td> Arbitrary code execution </td> </tr> </tbody> </table> <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> Iranian actors — particularly OilRig (APT34) and MuddyWater — have historically targeted financial institutions for espionage and supply-chain compromise. OilRig’s preferred vector is compromising a trusted vendor and pivoting into the financial target via the trusted relationship (T1199). MuddyWater, operating under MOIS direction, brings persistent espionage tradecraft to financial sector targeting. <ul> <li> Priority : Audit third-party vendor access, especially IT service providers and consultants with VPN or API access to banking infrastructure. Enforce just-in-time access provisioning. </li> <li> Identity focus : Implement real-time monitoring of privileged account authentication across SWIFT terminals, core banking systems, and treasury management platforms. Iranian actors are buying credentials — your perimeter is your identity plane. </li> <li> DDoS preparedness : Financial institutions are high-value symbolic targets. Ensure DDoS mitigation contracts are active and tested, with runbooks for sustained multi-day campaigns. </li> </ul> <h3> Energy </h3> APT33 (Elfin) targets energy and aviation with password spraying and zero-day exploitation. Cyber Av3ngers (IRGC-CEC) has exploited Unitronics PLCs across dozens of devices in prior operations. FAD Team claims SCADA/PLC access. <ul> <li> Priority : Audit all Unitronics Vision PLCs and Rockwell/Allen-Bradley controllers for default credentials. Segment OT networks from IT with unidirectional gateways where possible. </li> <li> Cisco ASA urgency : Energy utilities are explicitly named in CISA’s FIRESTARTER advisory. Any Cisco ASA/FTD device protecting OT network boundaries must be reimaged, not just patched. </li> <li> ICS monitoring : Deploy passive OT network monitoring to detect anomalous Modbus/TCP, EtherNet/IP, or CIP commands. Alert on PLC firmware changes and logic modifications outside maintenance windows. </li> </ul> <h3> Healthcare </h3> Cyber Islamic Resistance (Team 313) attacked 9 health sector organizations during a 12-day war. The Stryker medical device wipe demonstrated that healthcare MDM platforms are a viable attack vector requiring no malware. <ul> <li> Priority : Audit MDM platform administrative access — who can issue bulk device wipe commands? Implement approval workflows for mass device actions. </li> <li> Medical device inventory : Ensure all network-connected medical devices are inventoried and segmented. Devices running legacy OS (Windows XP/7) should be isolated behind application-layer firewalls. </li> <li> Credential hygiene : Healthcare environments frequently have shared credentials and service accounts with excessive privileges. Conduct an emergency audit of accounts with MDM, EHR, and PACS administrative access. </li> </ul> <h3> Government </h3> FIRESTARTER has confirmed compromise of a U.S. federal civilian agency’s Cisco ASA device. APT35 (Charming Kitten) targets U.S. political and military figures. APT42 (IRGC-IO) harvests credentials from government-adjacent researchers and policy advisors. <ul> <li> Priority : All federal and state/local government Cisco ASA/FTD devices must be reimaged per CISA MAR ar26-113a. This is not optional — patching does not remove FIRESTARTER. </li> <li> Spearphishing defense : Government employees and political appointees are high-value targets for APT35 and APT42. Enforce hardware security keys (FIDO2) for all email and cloud authentication — SMS and app-based MFA are insufficient against these actors. </li> <li> Insider threat awareness : Two fatwas calling for revenge after the Khamenei killing create a homegrown violent extremist (HVE) threat. Brief security teams on physical security indicators alongside cyber. </li> </ul> <h3> Aviation & Logistics </h3> APT33 (Elfin) has a documented history of targeting aviation. UNC1549/Imperial Kitten resumed aerospace and defense industrial base targeting via fake GitHub resume repositories on April 22–23. <ul> <li> Priority : Alert recruiting and HR teams to the fake GitHub resume/coding challenge TTP. UNC1549 uses repositories that appear to be legitimate coding assessments but contain malicious payloads. Verify all candidate-submitted code repositories before execution in any environment. </li> <li> DIB contractor access : If your organization provides components or services to the defense industrial base, you are a Fox Kitten target. Audit all VPN and remote access infrastructure for Pulse Secure (CVE-2024-21887), Citrix (CVE-2023-3519), and F5 exploitation. </li> <li> Supply-chain integrity : The Fast16 disclosure reveals that calculation sabotage — introducing small errors into engineering simulations — is a proven TTP. Aviation and aerospace organizations using precision simulation software (LS-DYNA, ANSYS, MATLAB/Simulink) should implement output integrity verification for critical calculations. </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Action </th> <th> Owner </th> </tr> </thead> <tbody> <tr> <td> Reimage all Cisco ASA/FTD devices — patching does not remove FIRESTARTER. If reimage is not immediately possible, perform a hard power cycle (physically pull the power cord) as an interim measure. Verify VPN AAA configurations post-reimage. </td> <td> IT Ops / Network Engineering </td> </tr> <tr> <td> Verify MFA enforcement on all externally-facing authentication portals — VPN, M365, MDM platforms, ConnectWise ScreenConnect. Disable SMS-based MFA where possible; enforce FIDO2 hardware keys for privileged accounts. </td> <td> Identity & Access Management </td> </tr> </tbody> </table> <h3> 7-DAY </h3> <table> <thead> <tr> <th> Action </th> <th> Owner </th> </tr> </thead> <tbody> <tr> <td> Conduct proactive threat hunt for Fox Kitten TTPs in VPN authentication logs — specifically Pulse Secure/Ivanti, Citrix NetScaler, and F5 BIG-IP. Look for dormant service accounts with recent authentication, impossible travel, and Rclone/Wasabi exfiltration patterns. </td> <td> SOC / Threat Hunting </td> </tr> <tr> <td> Patch Samsung MagicINFO 9 Server to version ≥ 21.1050 for CVE-2024-7399 (CVSS 8.8, added to CISA KEV April 24). Audit all digital signage management infrastructure. </td> <td> IT Ops </td> </tr> <tr> <td> Audit ConnectWise ScreenConnect deployments for unauthorized agents, exploitation attempts against CVE-2024-1709, and remote access sessions from non-corporate IPs. </td> <td> IT Ops / SOC </td> </tr> <tr> <td> Brief recruiting and HR teams on the UNC1549/Imperial Kitten fake GitHub resume TTP. Establish a policy: no candidate-submitted code repositories are executed outside of isolated sandbox environments. </td> <td> HR / Security Awareness </td> </tr> <tr> <td> Review and test DDoS mitigation for all public-facing web properties. Iranian-backed DDoS campaigns are sustained (multi-day) and expanding in scope. Ensure runbooks are current and mitigation provider SLAs are validated. </td> <td> IT Ops / CISO </td> </tr> </tbody> </table> <h3> 30-DAY </h3> <table> <thead> <tr> <th> Action </th> <th> Owner </th> </tr> </thead> <tbody> <tr> <td> Commission integrity verification program for high-precision engineering simulation software (LS-DYNA, ANSYS, MATLAB/Simulink) in any DIB-adjacent environment. The Fast16 disclosure reveals a calculation-sabotage TTP with zero current detection coverage. </td> <td> CISO / Engineering </td> </tr> <tr> <td> Implement conditional access policies that enforce device compliance, location restrictions, and risk-based step-up authentication for all cloud platforms. Iranian actors are purchasing valid credentials — your identity plane is the primary attack surface. </td> <td> Identity & Access Management </td> </tr> <tr> <td> Request APT42 IOC feed access from Google Threat Intelligence or equivalent trusted sharing circle to close the collection gap on credential harvesting campaigns targeting researchers and government officials. </td> <td> CTI Team </td> </tr> <tr> <td> Conduct tabletop exercise simulating an Iranian identity-based intrusion: attacker logs in with valid credentials, uses legitimate MDM to wipe medical devices or deploy ransomware via RMM tools. Test detection, response, and recovery procedures. </td> <td> CISO / IR Team </td> </tr> <tr> <td> Evaluate OT network segmentation for all ICS/SCADA environments. Ensure Unitronics Vision PLCs, Rockwell/Allen-Bradley controllers, and IP camera systems (Xiongmai, Milesight, Hikvision/Dahua) are isolated from corporate IT networks with monitored chokepoints. </td> <td> OT Security / Engineering </td> </tr> </tbody> </table> <h2> The Silence That Should Worry You Most </h2> There is one finding in this cycle that contains no IOCs, no CVEs, and no malware samples — and it may be the most important signal of all. Fox Kitten (Pioneer Kitten/UNC757) has been silent for 30 consecutive days. This is the Iranian actor known to exploit VPN vulnerabilities in Pulse Secure, Citrix, and F5 — and then sell that network access to ransomware affiliates . The NCI Joint Advisory explicitly names this actor and this TTP. Thirty days of silence during an active military conflict, from an actor whose business model is selling access, does not mean thirty days of inactivity. It means thirty days without detection. Similarly, MuddyWater — one of Iran’s most prolific MOIS espionage operators, with 19+ known aliases — has produced no new campaign or IOC reporting in over 30 days. For a group that historically operates on a weekly tempo, this silence during active conflict is anomalous. It likely indicates retooling, not retirement. And Cyber Av3ngers — the IRGC-CEC-aligned group that has demonstrated both the intent and capability to attack water and energy infrastructure through exploitation of Unitronics PLCs in prior operations — have been quiet for 30 days. Their silence, combined with the expanding OT attack surface documented in CISA’s ICS advisories this week (Xiongmai XM530, Milesight, Intrado 911 Emergency Gateway), represents a pre-positioning indicator that demands proactive hunting, not passive monitoring. Absence is signal, not the absence of signal. <h2> Bottom Line                                         </h2> Day 59 of this conflict has produced a clear intelligence picture: Iranian cyber operations are structurally decoupled from ceasefire negotiations. The actors are active. The TTPs are evolving — from malware-dependent intrusions toward credential-based, identity-focused attacks that bypass traditional detection. The infrastructure is shared — with Russian GRU expanding onto Iranian ASNs and China-nexus backdoors compromising the same Cisco devices that Iranian actors target. The three actions that matter most right now: <ol> <li> Reimage your Cisco ASA/FTD devices. Patching is not enough. </li> <li> Treat identity as your primary attack surface. MFA enforcement, conditional access, and credential monitoring are not nice-to-haves — they are the frontline. </li> <li> Hunt for what you can’t see. Fox Kitten, MuddyWater, and Cyber Av3ngers are quiet. That is not reassurance. That is a collection gap. </li> </ol> The ceasefire may come. The cyber operations will not stop. Prepare accordingly.

FEATURED RESOURCES

April 27, 2026

Anomali Cyber Watch