Iran's Cyber Offensive Hits U.S. Fuel Infrastructure: What CISOs Must Know Now

Anomali Threat Research

Published on

May 19, 2026

Table of Contents

Threat Assessment Level: HIGH The ceasefire between the United States and Iran explicitly excludes cyber operations. Eighty days into this conflict, Iran is exploiting that gap with increasing precision — and as of May 18, 2026, confirmed breaches of U.S. civilian fuel monitoring systems prove the threat has moved from theoretical to operational. Russia continues to provide infrastructure support from Tehran-based networks, state-sponsored actors are refreshing command-and-control nodes weekly, and the boundary between Iranian "hacktivists" and intelligence services has effectively dissolved. This is not a future scenario. It is the current operating environment. <h2> What Changed </h2> The past five days brought several developments that shift the risk calculus: <ul> <li> Fuel infrastructure breached (May 18): Iranian hackers compromised Veeder-Root Automatic Tank Gauge (ATG) systems at U.S. gas stations — expanding offensive operations from military targets to civilian energy infrastructure for the first time in this conflict. </li> </ul> <ul> <li> Russian GRU refreshes Iranian-hosted infrastructure (May 14–17): APT28 (Fancy Bear / GRU Unit 26165) activated five new IP addresses on ASN 213790, a Tehran-based hosting provider. This marks 60+ continuous days of confirmed Russia-Iran cyber infrastructure cooperation. </li> </ul> <ul> <li> Defense-sector espionage campaign active (May 18): UNC5858 (Black Shadow), an MOIS-linked actor impersonating Israeli defense firm Rafael Advanced Defense Systems, refreshed its IOC infrastructure — confirming ongoing spear-phishing operations against defense-sector targets. </li> </ul> <ul> <li> Defense Industrial Base blind spot persists: No indicators of Iranian pre-positioning in DIB contractor networks have been detected in 30+ days — during active kinetic conflict. This silence is the most dangerous signal in the current intelligence picture. </li> </ul> <ul> <li> Hacktivist-state convergence confirmed (ongoing): UNC5855 (AnonymousForJustice) continues claiming breaches of Israeli government ministries while deploying ICYALARM Android malware via smishing. Infrastructure management cadence matches confirmed state APTs — the operational distinction between Iranian "hacktivists" and state intelligence services no longer exists. </li> </ul> <ul> <li> CISA publishes six ICS advisories (May 14): Advisories covering Siemens SIMATIC CN 4100, Ruggedcom ROX, and Universal Robots Polyscope 5 directly map to the ICS/OT attack surface Iranian actors are actively targeting. Patch windows are now measured in days, not weeks. </li> </ul> <ul> <li> MuddyWater OAuth phishing — 4+ weeks of silence (ongoing concern): MuddyWater (MOIS) was confirmed conducting OAuth device-code phishing against M365/Azure AD in mid-April. Four-plus weeks of silence during active conflict is assessed as retooling, not cessation — a resurgence is probable within the next two weeks. </li> </ul> <h2> Conflict & Threat Timeline </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> 28 Feb 2026 </td> <td> U.S.-Iran major combat operations begin </td> <td> Kinetic conflict triggers asymmetric cyber doctrine </td> </tr> <tr> <td> 11 Mar 2026 </td> <td> Handala/Void Manticore destroys 200,000+ Stryker Corp endpoints via weaponized Microsoft Intune </td> <td> Largest single destructive cyber operation of the conflict </td> </tr> <tr> <td> 7 Apr 2026 </td> <td> Reuters confirms Russia supplying Iran with cyber support and satellite imagery </td> <td> Moscow-Tehran axis formalized </td> </tr> <tr> <td> 13 Apr 2026 </td> <td> Fast Company: "The Iran cyberattack everyone warned about hasn't really happened yet" </td> <td> Tempo paradox — Iran was pre-positioning, not abstaining </td> </tr> <tr> <td> Mid-Apr 2026 </td> <td> MuddyWater confirmed conducting OAuth device-code phishing against M365/Azure AD </td> <td> Cloud identity vector active </td> </tr> <tr> <td> 15–16 May 2026 </td> <td> CVE-2026-1340 (CVSS 9.8) added to CISA KEV — Iranian exploitation of Veeder-Root ATG confirmed </td> <td> ICS targeting validated by government </td> </tr> <tr> <td> 14 May 2026 </td> <td> CISA publishes six ICS advisories covering Siemens, Ruggedcom, and Universal Robots </td> <td> OT attack surface formally documented </td> </tr> <tr> <td> 14–17 May 2026 </td> <td> APT28 refreshes 5 IPs on Iranian ASN 213790 </td> <td> Russia-Iran infrastructure sharing deepens </td> </tr> <tr> <td> 18 May 2026 </td> <td> Dark Reading confirms Iranian breach of U.S. fuel ATG systems </td> <td> Civilian energy infrastructure now in scope </td> </tr> <tr> <td> 18 May 2026 </td> <td> UNC5858 (Black Shadow) IOCs refreshed — Rafael impersonation campaign active </td> <td> Defense-sector espionage ongoing </td> </tr> </tbody> </table> <h2> Key Threat Analysis </h2> <h3> 1. Iranian Fuel Infrastructure Targeting — CyberAv3ngers / Ababil of Minab </h3> Iran's IRGC-affiliated cyber units have breached Veeder-Root ATG fuel-level monitoring systems at U.S. gas stations. These are the same systems targeted in 2023 (referenced in CISA AA23-335A), but the current campaign operates under wartime conditions with demonstrated willingness to cause physical disruption. Techniques employed: <ul> <li> Exploitation of internet-exposed ATG serial-over-IP interfaces ( T1190 ) </li> <li> Fuel level data manipulation ( T1565.001 ) </li> <li> Potential for denial-of-service to fuel distribution networks ( T1498 ) </li> </ul> CVE-2026-1340 (CVSS 9.8) — confirmed actively exploited by Iranian actors against Veeder-Root ATG systems, added to CISA Known Exploited Vulnerabilities catalog. Why this matters: Fuel monitoring disruption at scale can trigger supply chain panic, complicate military logistics, and demonstrate capability against civilian infrastructure — all core Iranian asymmetric doctrine objectives. <h3> 2. Russia-Iran Infrastructure Axis — APT28 on ASN 213790 </h3> GRU Unit 26165 (APT28/Fancy Bear) continues operating scanning and C2 infrastructure from ASN 213790 ("Limited Network," Tehran). Five new IPs were activated May 14–17, bringing total tracked infrastructure on this ASN to 8+ addresses. The same ASN also hosts Cactus ransomware infrastructure — an anomaly suggesting either shared hosting or deliberate criminal-state convergence. Actors confirmed on ASN 213790: <ul> <li> APT28 (Russian GRU) </li> <li> Cactus ransomware group </li> <li> Adjacent ASN 44208 hosts Transparent Tribe (Pakistani APT) with ObliqueRAT </li> </ul> This multi-national convergence on Iranian hosting is not coincidental. It provides mutual deniability, complicates Western attribution, and demonstrates the operational depth of the Moscow-Tehran cyber partnership. <h3> 3. Defense-Sector Espionage — UNC5858 (Black Shadow) </h3> This MOIS-linked actor impersonates Rafael Advanced Defense Systems in spear-phishing campaigns targeting defense-sector personnel. The campaign uses: <ul> <li> Spear-phishing with malicious URLs ( T1566.002 ) </li> <li> Masquerading as legitimate defense company communications ( T1036.005 ) </li> <li> Data collection and exfiltration over C2 ( T1005 , T1041 ) </li> </ul> Active since September 2024, with IOC infrastructure refreshed as recently as May 18, 2026. Targets include Israeli and allied defense organizations. <h3> 4. Hacktivist-State Convergence — UNC5855 (AnonymousForJustice) </h3> UNC5855 claims breaches of Israeli Ministry of Defense, Ministry of Justice, and nuclear organizations while deploying ICYALARM Android malware via smishing campaigns. Despite the "hacktivist" label, this actor operates with state-level IOC management cadence — infrastructure refreshed on the same timeline as confirmed state APTs. The operational distinction between Iranian "hacktivists" and state intelligence services no longer exists. They share infrastructure, tasking, and operational tempo. <h3> 5. Named Threat Actors — Active Attribution Summary </h3> <table> <thead> <tr> <th> Actor </th> <th> Affiliation </th> <th> Current Activity </th> <th> Primary Target </th> </tr> </thead> <tbody> <tr> <td> APT28 / Fancy Bear </td> <td> GRU Unit 26165 (Russia) </td> <td> Infrastructure refresh on Iranian ASN </td> <td> Commercial scanning </td> </tr> <tr> <td> CyberAv3ngers / Shahid Kaveh Group </td> <td> IRGC-CEC </td> <td> Fuel ATG exploitation </td> <td> U.S. energy infrastructure </td> </tr> <tr> <td> Ababil of Minab </td> <td> IRGC-affiliated </td> <td> U.S. transit/fuel OT targeting </td> <td> Civilian infrastructure </td> </tr> <tr> <td> UNC5858 / Black Shadow </td> <td> MOIS-linked </td> <td> Rafael impersonation espionage </td> <td> Defense industrial base </td> </tr> <tr> <td> UNC5855 / AnonymousForJustice </td> <td> Iranian state-hacktivist </td> <td> Israeli government data theft, Android malware </td> <td> Israeli government/military </td> </tr> <tr> <td> Handala / Void Manticore / BANISHED KITTEN </td> <td> IRGC-affiliated </td> <td> Quiet since March 11 (assessed preparing follow-on) </td> <td> Healthcare/enterprise IT </td> </tr> <tr> <td> MuddyWater / TEMP.Zagros </td> <td> MOIS </td> <td> Quiet 4+ weeks (assessed retooling) </td> <td> Cloud/identity (M365, OAuth) </td> </tr> <tr> <td> APT42 </td> <td> IRGC-IO </td> <td> Active </td> <td> Credential harvesting, surveillance </td> </tr> </tbody> </table> <h3> 6. ICS/OT Vulnerability Exposure </h3> CISA published six ICS advisories on May 14, 2026, directly relevant to organizations in this threat environment: <ul> <li> Siemens SIMATIC CN 4100 — Multiple vulnerabilities affecting availability, integrity, and confidentiality </li> <li> Ruggedcom ROX (pre-v2.17.1) — Input validation flaws in Scheduler and feature key installation </li> <li> Universal Robots Polyscope 5 — Authentication bypass with code execution </li> </ul> Additionally, CVE-2026-0966 (libssh, CVSS 8.2) — denial-of-service vulnerability affecting SSH implementations across Linux infrastructure. <h2> Predictive Analysis </h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> MuddyWater resurfaces with retooled OAuth phishing </td> <td> 60% </td> <td> 7–14 days </td> <td> 4+ weeks of silence during active conflict indicates retooling, not cessation </td> </tr> <tr> <td> CyberAv3ngers publicly claims fuel ATG breaches </td> <td> 70% </td> <td> 48 hours </td> <td> Historical pattern: state operation → delayed hacktivist claim for IO amplification </td> </tr> <tr> <td> Additional ICS/OT targeting (water or power) </td> <td> 50% </td> <td> 7 days </td> <td> Confirmed fuel-sector success + available Siemens/Ruggedcom vulnerabilities </td> </tr> <tr> <td> Dormant DIB contractor access activated </td> <td> 40% </td> <td> 7–14 days </td> <td> 30-day quiet period during active conflict matches pre-activation pattern (CISA AA22-320A precedent) </td> </tr> <tr> <td> Handala/Void Manticore follow-on destructive attack </td> <td> 35% </td> <td> 14–30 days </td> <td> 69 days since 200K endpoint destruction; no claims since = preparation phase </td> </tr> <tr> <td> Ransomware-as-cover destructive operation (Cactus or similar) </td> <td> 30% </td> <td> 30 days </td> <td> Criminal infrastructure co-located on state ASN; precedent: DEV-0842 using ransomware to mask wipers </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Immediate Detection Priorities </h3> Hunt Hypothesis 1: APT28 Scanning from Iranian ASN <ul> <li> ATT&CK: T1595.002 (Vulnerability Scanning), T1071 (Application Layer Protocol), T1571 (Non-Standard Port) </li> <li> Detection: Alert on any inbound or outbound connections to ASN 213790 (Limited Network, Tehran). Cross-reference with the IOCs below. Hunt in firewall, proxy, and DNS logs for the past 30 days. </li> <li> Query logic: dst_asn:213790 OR src_ip IN [192.253.248[.]52, 192.253.248[.]55, 172.94.9[.]170, 172.94.9[.]171, 185.93.89[.]147] </li> </ul> Hunt Hypothesis 2: Veeder-Root ATG Exposure <ul> <li> ATT&CK: T1190 (Exploit Public-Facing Application), T1565.001 (Stored Data Manipulation) </li> <li> Detection: Identify any Veeder-Root ATG systems with internet-facing serial-over-IP interfaces. Monitor for anomalous fuel-level readings or unauthorized configuration changes. Scan for port 10001 (default ATG port) exposure. </li> <li> Query logic: Network scan for TCP/10001 on OT segments; alert on any external IP communicating with ATG controllers. </li> </ul> Hunt Hypothesis 3: Rafael Impersonation Phishing (UNC5858) <ul> <li> ATT&CK: T1566.002 (Spearphishing Link), T1036.005 (Masquerading) </li> <li> Detection: Email gateway rules for subjects/sender domains referencing "Rafael," "Rafael Advanced Defense," or variations. Monitor for malicious URLs in emails purporting to be from defense contractors. </li> <li> Query logic: email_subject:*rafael* OR email_from:*rafael* NOT sender_domain:rafael.co.il </li> </ul> Hunt Hypothesis 4: OAuth Device-Code Phishing (MuddyWater) <ul> <li> ATT&CK: T1528 (Steal Application Access Token), T1550.001 (Use Alternate Authentication Material) </li> <li> Detection: Monitor Azure AD/Entra ID sign-in logs for device code authentication flows from unexpected geographies. Alert on bulk device code requests or codes redeemed from IP ranges outside corporate geography. </li> <li> Query logic: SignInLogs | where AuthenticationProtocol == "deviceCode" | where Location !in (approved_countries) </li> </ul> Hunt Hypothesis 5: DIB Pre-Positioning (Pioneer Kitten / UNC757) <ul> <li> ATT&CK: T1133 (External Remote Services), T1567.002 (Exfiltration to Cloud Storage) </li> <li> Detection: Hunt for Rclone or Wasabi S3 bucket connections from VPN concentrators. Check for dormant web shells on internet-facing appliances. Audit Ivanti EPMM and Cisco ASA/FTD for unauthorized configuration changes. </li> <li> Query logic: process_name:rclone* OR dns_query:*wasabi* OR dns_query:*s3.wasabisys.com* </li> </ul> <h3> IOC Blocking Table </h3> <table> <thead> <tr> <th> Type </th> <th> Value </th> <th> Attribution </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> IPv4 </td> <td> 192.253.248[.]52 </td> <td> APT28 / ASN 213790 </td> <td> Block at perimeter </td> </tr> <tr> <td> IPv4 </td> <td> 192.253.248[.]55 </td> <td> APT28 / ASN 213790 </td> <td> Block at perimeter </td> </tr> <tr> <td> IPv4 </td> <td> 172.94.9[.]170 </td> <td> APT28 / ASN 213790 </td> <td> Block at perimeter </td> </tr> <tr> <td> IPv4 </td> <td> 172.94.9[.]171 </td> <td> APT28 / ASN 213790 </td> <td> Block at perimeter </td> </tr> <tr> <td> IPv4 </td> <td> 185.93.89[.]147 </td> <td> APT28 / ASN 213790 </td> <td> Block at perimeter </td> </tr> <tr> <td> IPv4 </td> <td> 185.93.89[.]43 </td> <td> Cactus ransomware / ASN 213790 </td> <td> Block at perimeter </td> </tr> <tr> <td> IPv4 </td> <td> 176.46.152[.]46 </td> <td> Transparent Tribe / ObliqueRAT / ASN 44208 </td> <td> Block at perimeter </td> </tr> <tr> <td> IPv4 </td> <td> 46.30.189[.]66 </td> <td> Iran-nexus infrastructure </td> <td> Monitor/block </td> </tr> <tr> <td> IPv4 </td> <td> 148.251.232[.]252 </td> <td> Iran-nexus infrastructure </td> <td> Monitor/block </td> </tr> <tr> <td> IPv4 </td> <td> 206.214.220[.]79 </td> <td> Iran-nexus infrastructure </td> <td> Monitor/block </td> </tr> <tr> <td> IPv4 </td> <td> 64.20.51[.]22 </td> <td> Iran-nexus infrastructure </td> <td> Monitor/block </td> </tr> </tbody> </table> Additional IOCs (file hashes, domains) available via Anomali ThreatStream. <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> Primary threat: Ransomware-as-cover destructive operations. Cactus ransomware infrastructure co-located on Iranian state ASN suggests potential for financially-motivated attacks that mask state-directed destruction. Actions: <ul> <li> Validate offline backup integrity for core banking systems — assume ransomware deployment may be a wiper in disguise </li> <li> Review SWIFT/payment system segmentation from general corporate networks </li> <li> Monitor for anomalous bulk encryption events that could indicate wiper activity masquerading as ransomware </li> <li> Ensure incident response playbooks differentiate between ransomware-for-profit and ransomware-as-cover scenarios </li> </ul> <h3> Energy </h3> Primary threat: ICS/OT targeting of fuel monitoring, power generation, and pipeline SCADA systems. This is the sector under active confirmed attack. Actions: <ul> <li> Immediately audit all Veeder-Root ATG systems for internet exposure (CVE-2026-1340, CVSS 9.8) </li> <li> Patch Siemens SIMATIC CN 4100 and upgrade Ruggedcom ROX to v2.17.1+ </li> <li> Implement network segmentation between IT and OT with unidirectional gateways where possible </li> <li> Deploy passive OT network monitoring (e.g., Claroty, Dragos, Nozomi) to detect anomalous serial-over-IP traffic </li> <li> Brief plant operators on manual override procedures in case of fuel-level data manipulation </li> </ul> <h3> Healthcare </h3> Primary threat: Destructive attacks via enterprise management tools. Handala/Void Manticore's March 11 destruction of 200,000+ Stryker Corporation endpoints via weaponized Microsoft Intune demonstrates this vector is proven and repeatable. Actions: <ul> <li> Audit Microsoft Intune/SCCM/MDM administrative access — enforce MFA and conditional access on all management plane accounts </li> <li> Implement canary policies in MDM that alert on mass device configuration changes </li> <li> Segment medical device networks from enterprise IT management infrastructure </li> <li> Ensure clinical systems can operate in degraded mode if enterprise IT is destroyed </li> <li> Review and restrict who can push scripts or configurations to endpoints via management tools </li> </ul> <h3> Government </h3> Primary threat: Espionage and pre-positioning for destructive operations. UNC5855 claims Israeli government ministry breaches; MuddyWater targets government M365 tenants via OAuth phishing; PIR-007 (dormant access in government/DIB networks) is the highest-consequence blind spot. Actions: <ul> <li> Enforce phishing-resistant MFA (FIDO2/hardware keys) for all privileged accounts — OAuth device-code phishing bypasses SMS/app-based MFA </li> <li> Audit Azure AD/Entra ID for dormant service principals and OAuth app registrations with excessive permissions </li> <li> Hunt for indicators of Pioneer Kitten (UNC757) in VPN infrastructure — focus on Ivanti, Cisco ASA/FTD </li> <li> Review data loss prevention policies for bulk data staging ( T1074 ) and exfiltration to cloud storage ( T1567.002 ) </li> <li> Brief cleared personnel on Rafael impersonation phishing campaigns (UNC5858) </li> </ul> <h3> Aviation / Logistics </h3> Primary threat: Supply chain disruption and VSAT communications compromise. NORMA Cyber VSAT attack demonstrates satellite communications targeting. Aviation logistics are critical to military sustainment during active conflict. Actions: <ul> <li> Audit VSAT terminal firmware versions and patch status — ensure management interfaces are not internet-exposed </li> <li> Review supply chain management system access controls — Iranian actors target logistics data for battle damage assessment </li> <li> Monitor for anomalous GPS/ADS-B data that could indicate spoofing or surveillance </li> <li> Ensure cargo manifest and flight planning systems are segmented from public-facing booking platforms </li> <li> Brief operations staff on social engineering attempts referencing military logistics contracts </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Block all 11 IPv4 IOCs listed above at perimeter firewalls and proxy </td> </tr> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Hunt for any historical connections to ASN 213790 (Limited Network, Tehran) in the past 30 days of firewall/proxy logs </td> </tr> <tr> <td> IMMEDIATE </td> <td> ICS/OT </td> <td> Verify all Veeder-Root ATG systems are isolated from internet; disable serial-over-IP if not operationally required (CVE-2026-1340) </td> </tr> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Deploy email detection rules for Rafael Advanced Defense Systems impersonation in subjects, sender names, and attachment filenames </td> </tr> <tr> <td> IMMEDIATE </td> <td> Identity </td> <td> Audit Azure AD sign-in logs for device-code authentication flows from non-corporate geographies (MuddyWater OAuth phishing) </td> </tr> </tbody> </table> <h3> 7-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 7-DAY </td> <td> IT Ops </td> <td> Patch Siemens SIMATIC CN 4100 per ICSA-26-134-10; upgrade Ruggedcom ROX to v2.17.1+ per ICSA-26-134-16 </td> </tr> <tr> <td> 7-DAY </td> <td> IT Ops </td> <td> Patch CVE-2026-0966 (libssh, CVSS 8.2) across all Linux SSH infrastructure per RHSA-2026:18160 </td> </tr> <tr> <td> 7-DAY </td> <td> Threat Hunt </td> <td> Conduct proactive hunt for Pioneer Kitten (UNC757) in DIB contractor VPN logs — Rclone, Wasabi S3 exfil, dormant web shells on Ivanti/Cisco appliances </td> </tr> <tr> <td> 7-DAY </td> <td> SOC </td> <td> Implement detection for bulk MDM/Intune policy pushes outside change windows (Handala/Void Manticore TTP) </td> </tr> <tr> <td> 7-DAY </td> <td> Identity </td> <td> Revoke and re-audit all OAuth app registrations in Azure AD with Mail.Read, Files.ReadWrite.All, or Directory.ReadWrite.All permissions </td> </tr> </tbody> </table> <h3> 30-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Commission external red team assessment simulating Iranian APT initial access vectors: OAuth device-code phishing, VPN exploitation, ATG serial-over-IP </td> </tr> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Establish or validate out-of-band communication plan for executive team in case of destructive attack on M365/enterprise IT (Handala precedent) </td> </tr> <tr> <td> 30-DAY </td> <td> IR </td> <td> Tabletop exercise: "Ransomware-as-cover wiper" scenario — practice differentiating Cactus-style ransomware from state-directed destructive operation </td> </tr> <tr> <td> 30-DAY </td> <td> IT Ops </td> <td> Implement network-level blocking of entire ASN 213790 and ASN 44208 if no legitimate business traffic exists to these ranges </td> </tr> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Assess organizational exposure to Pakistan-Iran cyber cooperation expansion (Transparent Tribe on Iranian infrastructure) and brief allied intelligence-sharing partners </td> </tr> </tbody> </table> <h2> The Bottom Line </h2> Eighty days into the U.S.-Iran conflict, the cyber dimension is no longer a sideshow — it is an active front. Iran has confirmed its willingness and capability to strike U.S. civilian energy infrastructure. Russia is providing the hosting. The hacktivists are the state. And the longest silence in the intelligence picture — 30+ days without visibility into defense industrial base pre-positioning — is not reassurance. It is the gap that should keep you awake. The ceasefire does not cover cyber. Act accordingly. Three questions every CISO should answer today: <ul> <li> Can Iranian actors reach your fuel monitoring, water treatment, or power systems from the internet right now? If you don't know, assume yes. </li> </ul> <ul> <li> Would you detect a dormant web shell on your VPN concentrator that was placed 6 months ago and activated tomorrow? If your threat hunt program hasn't looked, the answer is no. </li> </ul> <ul> <li> If your MDM platform was weaponized tonight to wipe every managed endpoint, could your organization continue operating? Handala proved this is not hypothetical. </li> </ul> The time between pre-positioning and destruction is measured in hours. The time to prepare is now. Published 2026-05-19 | Anomali CTI Desk | TLP:GREEN IOCs for the campaigns discussed in this report are available through Anomali ThreatStream and partner feeds.

FEATURED RESOURCES

May 19, 2026

Anomali Cyber Watch