Iran’s Cyber War Didn’t Stop With the Ceasefire — It Just Went Underground

Anomali Threat Research

Published on

April 8, 2026

Table of Contents

Threat Assessment Level: CRITICAL 39 days into the US-Israeli military campaign against Iran, a Pakistan-brokered ceasefire has paused the bombs. But if you run a SOC, protect critical infrastructure, or sit in a CISO chair — the ceasefire changes nothing for you. It makes things worse. On April 7, a joint advisory from the FBI, CISA, NSA, EPA, DOE, and Cyber National Mission Force confirmed what many feared: Iranian state-affiliated cyber actors are actively exploiting programmable logic controllers (PLCs) across U.S. critical infrastructure, causing confirmed operational disruption and financial loss. The advisory names the IRGC’s CyberAv3ngers as the responsible actor. Victims span government services, water and wastewater systems, and the energy sector. Meanwhile, Reuters reports that Russia is now providing Iran with satellite imagery and direct cyber support — a qualitative escalation that transforms Iran’s targeting from opportunistic to precision-guided. And a supply chain campaign exploiting the accidental leak of Anthropic’s Claude Code source is actively delivering infostealers to developer environments via GitHub. The ceasefire is not a stand-down signal. It is a phase transition — from disruption to espionage, from visible attacks to silent pre-positioning. The next two weeks are the most dangerous window since the conflict began on February 28. <h2>What Changed                       </h2> Threat level maintained at CRITICAL, consistent with the prior cycle (April 7). The ceasefire announcement does not reduce the cyber threat — historical precedent from the 2023 Israel-Hamas ceasefire and 2015 JCPOA negotiations shows Iranian cyber operations intensify during diplomatic pauses, shifting from disruptive attacks to espionage and pre-positioning for potential resumption of hostilities. Five developments drive today’s assessment: <ol> <li>CISA Advisory AA26-097a (April 7): Six U.S. agencies confirmed active Iranian exploitation of Rockwell Automation PLCs with real-world operational impact. New evidence shows targeting of Siemens S7 protocol (port 102) — a dramatic expansion of the threat surface to European and Middle Eastern energy infrastructure.</li> <li>Pakistan-Brokered Ceasefire (April 8): A two-week truce with negotiations in Islamabad creates exactly the conditions where dormant access activation and espionage collection peak. Cyber operations are not covered by kinetic ceasefire terms.</li> <li>Russia-Iran Cyber & ISR Cooperation (April 7): Reuters confirmed Russia is providing satellite imagery surveys of military facilities and cyber support to Iran — enabling precision targeting that was previously beyond Iran’s unilateral capability.</li> <li>Supply Chain Campaign via Claude Code Impersonation (active since at least February 2026): Threat actors exploited the accidental leak of Anthropic’s Claude Code source to seed GitHub with trojanized repositories delivering Vidar infostealer and GhostSocks proxy malware to developer environments — a direct supply chain risk to organizations whose developers use AI coding tools.</li> <li>Hacktivist Silence — 28 Days and Counting (since March 11): Handala’s last confirmed wiper operation was March 11. Twenty-eight consecutive days of silence during an active conflict is anomalous and assessed as a warning indicator, not reassurance — dormant access may be consolidating ahead of potential reactivation.</li> </ol> <h2>Conflict & Threat Timeline            </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Cyber Significance </th> </tr> </thead> <tbody> <tr> <td> Feb 28, 2026 </td> <td> US-Israeli military campaign against Iran begins </td> <td> Iranian cyber operations shift to wartime tempo </td> </tr> <tr> <td> Mar 3–23, 2026 </td> <td> Three-wave M365 password-spraying campaign against 300+ Israeli organizations </td> <td> Cyber-kinetic integration confirmed: municipal targets correlated with missile strike zones </td> </tr> <tr> <td> Mar 11, 2026 </td> <td> Handala hacktivist group conducts Stryker attack </td> <td> Last confirmed pro-Iran wiper operation (now 28 days silent) </td> </tr> <tr> <td> Mar 2026 – present </td> <td> CyberAv3ngers begin exploiting internet-connected Rockwell PLCs </td> <td> Confirmed operational disruption in government, water, and energy sectors </td> </tr> <tr> <td> Late Mar 2026 </td> <td> Claude Code source map accidentally published to npm </td> <td> Threat actors seed GitHub with trojanized repositories within 24 hours </td> </tr> <tr> <td> Apr 2, 2026 </td> <td> CISA publishes 4 ICS advisories (Siemens SICAM, Yokogawa CENTUM VP, Mitsubishi GENESIS64, Hitachi Ellipse) </td> <td> Expanded ICS attack surface across energy and manufacturing </td> </tr> <tr> <td> Apr 6, 2026 </td> <td> Iran rejects ceasefire proposal; Trump’s Strait of Hormuz ultimatum set for Apr 8 </td> <td> Qilin ransomware BYOVD technique (disabling 300+ EDR products) assessed as transferable to MOIS actors </td> </tr> <tr> <td> Apr 7, 2026 </td> <td> CISA AA26-097a joint advisory published; Reuters confirms Russia-Iran cyber/ISR cooperation </td> <td> Highest-confidence confirmation of active Iranian PLC exploitation; Russian support enables precision targeting </td> </tr> <tr> <td> Apr 8, 2026 </td> <td> Pakistan-brokered 2-week ceasefire announced; Strait of Hormuz reopened </td> <td> Pre-positioning window opens — cyber operations shift below threshold </td> </tr> </tbody> </table> <h2>The PLC Campaign: Iran Is Inside Operational Technology Networks</h2> Advisory AA26-097a is not a theoretical warning. It documents confirmed compromises with operational impact. Actor: CyberAv3ngers (Shahid Kaveh Group), IRGC Cyber Electronic Command What they’re doing: Using overseas IP addresses with Rockwell Automation’s Studio 5000 Logix Designer software to establish accepted connections to internet-exposed PLCs. Once connected, they extract project files, manipulate HMI/SCADA displays, and deploy Dropbear SSH for persistent remote access. Targeted devices: Rockwell Automation CompactLogix and Micro850 PLCs — and critically, the advisory notes targeting of port 102 (Siemens S7 communication protocol), indicating capability expansion beyond Rockwell to the much larger global installed base of Siemens PLCs. Confirmed victim sectors: Government services, water and wastewater systems, energy Key infrastructure indicators: - IP addresses 46.245.77[.]154, 46.245.77[.]155, 46.245.77[.]156, 46.245.77[.]157 — ASN 43754, Asiatech Data Transmission, Tehran - Targeted ports: 44818 (EtherNet/IP), 2222 (alternate SSH), 102 (Siemens S7), 22 (SSH/Dropbear), 502 (Modbus) Why the Siemens S7 expansion matters: Until now, Iranian PLC exploitation was documented primarily against Unitronics and Rockwell devices. Siemens S7 PLCs are the backbone of European energy grids, Middle Eastern oil and gas operations, and global manufacturing. Iranian capability against S7 dramatically expands the threat surface — and echoes the Stuxnet-era targeting that was previously the domain of U.S. and Israeli operations. Four additional ICS advisories published in the same week compound the risk: <table> <thead> <tr> <th> Advisory </th> <th> Product </th> <th> Vulnerability </th> <th> Impact </th> </tr> </thead> <tbody> <tr> <td> ICSA-26-097-01 </td> <td> Mitsubishi GENESIS64 / ICONICS Suite </td> <td> SQL Server credential disclosure </td> <td> Credential theft from ICS management platforms </td> </tr> <tr> <td> ICSA-26-092-01 </td> <td> Siemens SICAM 8 / A8000 </td> <td> Multiple denial-of-service </td> <td> Grid protection device disruption </td> </tr> <tr> <td> ICSA-26-092-02 </td> <td> Yokogawa CENTUM VP </td> <td> Authentication bypass (PROG user) </td> <td> Attacker gains engineering-level access to DCS </td> </tr> <tr> <td> ICSA-26-092-03 </td> <td> Hitachi Energy Ellipse </td> <td> Jasper Report vulnerability </td> <td> Enterprise asset management compromise </td> </tr> </tbody> </table> The Yokogawa CENTUM VP authentication bypass is particularly concerning. CENTUM VP is widely deployed in oil, gas, and chemical facilities. If CyberAv3ngers expand their targeting to Yokogawa — and the authentication bypass provides a trivially low-complexity path to engineering-level access — the consequences for process safety could be severe. <h2>The Ceasefire Paradox: Why the Next Two Weeks Are the Most Dangerous</h2> The ceasefire reduces the kinetic threat. It increases the cyber threat. Iranian cyber doctrine, observed across multiple conflicts, follows a consistent pattern during diplomatic pauses: <ol> <li>Consolidate access gained during the kinetic phase</li> <li>Shift from disruption to espionage — collect battle damage assessment data, monitor adversary communications, harvest credentials from negotiation participants</li> <li>Pre-position for resumption — if negotiations fail, dormant access in critical infrastructure can be activated within hours</li> <li>Conduct below-threshold operations — cyber operations are not kinetic strikes and do not violate ceasefire terms</li> </ol> The specific combination of active PLC exploitation, a ceasefire window, and Russian ISR support creates a convergent threat picture: Iranian actors may use the two-week pause to consolidate OT access while Russian satellite data helps prioritize targets for potential resumption. The 28-day silence on Defense Industrial Base pre-positioning is the most dangerous indicator in this assessment. For 28 consecutive days during an active military conflict, no dormant access activation has been detected in DIB contractor networks. This is either genuinely good news — or it means the access exists and we haven’t found it yet. During a ceasefire window, the latter interpretation demands action. <h2>Russia-Iran Nexus: From Hacktivists to Integrated Operations</h2> The Russia-Iran cyber relationship has matured beyond hacktivist coordination. Reuters, citing Ukrainian intelligence, reports that Russian satellites have conducted dozens of detailed imagery surveys of military facilities and critical sites across the Middle East to help Iran strike U.S. targets — accompanied by direct cyber support. This represents a qualitative escalation. The cooperation now appears to include an integrated pipeline: Russian ISR provides targeting data → Iranian cyber operators use it for precision pre-positioning → potential activation against specific high-value infrastructure. While this reporting currently rests on a single source (Ukrainian intelligence, which has motivation to highlight Russia-Iran cooperation), the claim is consistent with observed patterns of Russian-Iranian hacktivist swarm coordination earlier in the conflict. Confidence is assessed as moderate, pending independent corroboration. <h2>Supply Chain Alert: Claude Code Impersonation Delivering Infostealers</h2> A separate but operationally significant campaign is exploiting the accidental leak of Anthropic’s Claude Code source. When Anthropic shipped a full source map (512,000 lines of TypeScript) in the @anthropic-ai/claude-code npm package v2.1.88, threat actors moved within 24 hours to seed GitHub with fake “leaked Claude Code” repositories. The attack chain: - Trojanized 7z archives delivered via GitHub Releases - Rust-compiled loaders (ClaudeCode_x64.exe, TradeAI.exe variants) - Payload: Vidar infostealer (browser credential theft) + GhostSocks SOCKS5 proxy malware - Campaign active since at least February 2026 with rotating AI and trading tool lures This campaign targets developer environments — the same environments that build and deploy the software running your infrastructure. A compromised developer workstation is a supply chain entry point. <h2>Named Threat Actors: Who Is Operating</h2> The following Iranian-affiliated actors are assessed as active or recently updated in the context of this conflict: <table> <thead> <tr> <th> Actor </th> <th> Affiliation </th> <th> Primary Activity </th> <th> Status </th> </tr> </thead> <tbody> <tr> <td> CyberAv3ngers (Shahid Kaveh Group) </td> <td> IRGC-CEC </td> <td> PLC exploitation, ICS disruption </td> <td> Confirmed active — CISA AA26-097a </td> </tr> <tr> <td> Gray Sandstorm </td> <td> IRGC-affiliated </td> <td> Critical infrastructure targeting </td> <td> Active </td> </tr> <tr> <td> Peach Sandstorm </td> <td> IRGC-affiliated </td> <td> Credential harvesting, espionage </td> <td> Active </td> </tr> <tr> <td> APT42 (CALANQUE) </td> <td> IRGC-IO </td> <td> Credential harvesting, nuclear sector espionage </td> <td> Profile updated Apr 8 — no new campaign reporting (assessed collection gap) </td> </tr> <tr> <td> MuddyWater (TEMP.Zagros) </td> <td> MOIS </td> <td> Multi-sector espionage (24 countries) </td> <td> Profile updated Apr 6 — no operational reporting (possible below-threshold ops) </td> </tr> <tr> <td> APT34 (OilRig) </td> <td> MOIS </td> <td> Espionage, infrastructure pre-positioning </td> <td> Active </td> </tr> <tr> <td> HAYWIRE KITTEN (Emennet Pasargad / NEPTUNIUM) </td> <td> IRGC-linked </td> <td> IO operations, hack-and-leak </td> <td> Active </td> </tr> <tr> <td> UNC5858 (Black Shadow) </td> <td> MOIS-linked </td> <td> Defense sector impersonation (Rafael Defense lures) </td> <td> Last IOC Apr 6 </td> </tr> <tr> <td> UNC5855 </td> <td> Pro-Iran hacktivist </td> <td> DDoS, claims, IO </td> <td> Last IOC Apr 6 </td> </tr> <tr> <td> Handala </td> <td> Pro-Iran hacktivist </td> <td> Wiper operations </td> <td> Silent 28 days — last confirmed op Mar 11 </td> </tr> <tr> <td> Cyber Toufan </td> <td> Pro-Iran hacktivist </td> <td> Wiper operations, data leaks </td> <td> Silent — monitoring </td> </tr> </tbody> </table> Notable absence: APT42’s silence on nuclear sector espionage during a ceasefire that includes nuclear enrichment as a negotiation point is anomalous. This actor should be at peak collection tempo against nuclear researchers and officials involved in negotiations. The absence likely indicates a collection gap, not inactivity. <h2>Predictive Analysis: What Comes Next</h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Indicators to Watch </th> </tr> </thead> <tbody> <tr> <td> Iranian cyber operations shift from disruption to espionage/pre-positioning during ceasefire </td> <td> 70% </td> <td> Next 7–14 days </td> <td> Increased APT42 credential harvesting against negotiation participants and nuclear researchers </td> </tr> <tr> <td> CyberAv3ngers expand PLC targeting to Siemens S7 and Yokogawa CENTUM VP </td> <td> 60% </td> <td> Next 7–14 days </td> <td> Port 102 scanning from Iranian IP ranges; exploitation attempts against CENTUM VP auth bypass </td> </tr> <tr> <td> Hacktivist wiper operations resume within 48 hours if Islamabad negotiations collapse </td> <td> 50% </td> <td> Conditional on negotiation failure </td> <td> Handala/Cyber Toufan Telegram channel activity; new wiper samples; DDoS precursor attacks </td> </tr> <tr> <td> Dormant access activation in DIB contractor networks during ceasefire window </td> <td> 40% </td> <td> Next 14 days </td> <td> Valid account usage anomalies (T1078); web shell activity (T1505.003); Rclone/cloud exfiltration staging (T1567.002) </td> </tr> <tr> <td> Russia-Iran integrated cyber-ISR pipeline used for precision infrastructure targeting </td> <td> 35% </td> <td> Next 30 days </td> <td> Corroborating reports from non-Ukrainian sources; infrastructure overlap between Russian and Iranian C2 </td> </tr> <tr> <td> Qilin BYOVD EDR-killing technique adopted by MOIS-affiliated ransomware operators </td> <td> 30% </td> <td> Next 30 days </td> <td> MOIS-linked actors deploying vulnerable drivers; EDR telemetry gaps in target environments </td> </tr> </tbody> </table> <h2>SOC Operational Guidance                 </h2> <h3>Immediate Detection Priorities</h3> <ol> <li> OT/ICS Network Monitoring</li> </ol> <ul> <li>Hunt hypothesis: CyberAv3ngers are using Studio 5000 Logix Designer from overseas IPs to connect to internet-exposed Rockwell PLCs. Any inbound connection on port 44818 (EtherNet/IP) from a non-whitelisted IP — especially from Iranian ASNs — is a high-fidelity indicator.</li> <li>Detection rules: Alert on inbound traffic to ports 44818, 2222, 102, 22, and 502 from external IP addresses on OT network segments. Prioritize connections originating from ASN 43754 (Asiatech, Tehran).</li> <li>ATT&CK techniques: T1190 (Exploit Public-Facing Application), T0890 (Exploitation of Remote Services), T0816 (Device Restart/Shutdown), T0826 (Loss of Availability)</li> <li>Dropbear SSH indicator: Any instance of Dropbear SSH on an OT endpoint is anomalous. Dropbear is a lightweight SSH server not used in standard enterprise deployments — its presence on any ICS/SCADA host should be treated as a potential indicator of compromise. Hunt for Dropbear binaries and SSH connections on port 2222.</li> <li>ATT&CK techniques: T1021.004 (Remote Services: SSH), T1219 (Remote Access Software)</li> </ul> <ol start="2"> <li> Dormant Access Hunting (Ceasefire Window)</li> </ol> <ul> <li>Hunt hypothesis: Iranian actors pre-positioned persistent access in DIB contractor networks during the kinetic phase and will activate it during the ceasefire for espionage or battle damage assessment collection.</li> <li>Detection focus: Anomalous valid account usage (T1078) — especially service accounts or VPN credentials used outside normal patterns. Web shell activity on internet-facing servers (T1505.003). Cloud exfiltration staging via Rclone, Wasabi, or similar tools (T1567.002). Scheduled task or registry run key modifications (T1053, T1547.001) that may indicate activation of dormant persistence.</li> <li>Timeframe: The two-week ceasefire window is the critical hunting period.</li> </ul> <ol start="3"> <li> Credential Harvesting Detection</li> </ol> <ul> <li>Hunt hypothesis: APT42 will intensify credential harvesting against personnel involved in nuclear negotiations, defense policy, and diplomatic communications.</li> <li>Detection focus: Phishing emails with credential harvesting links (T1566.001), OAuth consent phishing (T1550.001), anomalous Entra ID sign-in patterns from atypical geolocations, MFA fatigue attacks.</li> <li>ATT&CK techniques: T1566.001 (Spearphishing Attachment), T1078 (Valid Accounts), T1550.001 (Application Access Token)</li> </ul> <ol start="4"> <li> Supply Chain / Developer Environment Monitoring</li> </ol> <ul> <li>Hunt hypothesis: Developers downloading AI tools from unofficial GitHub repositories may execute trojanized loaders delivering Vidar and GhostSocks.</li> <li>Detection focus: Execution of ClaudeCode_x64.exe or TradeAI.exe on any endpoint. PowerShell execution chains (T1059.001) following archive extraction. Windows Defender being disabled (T1562.001). Outbound SOCKS5 proxy connections (T1090.003) from developer workstations. Browser credential store access by non-browser processes (T1555).</li> <li>ATT&CK techniques: T1195.001 (Supply Chain Compromise), T1204.002 (User Execution: Malicious File), T1059.001 (PowerShell), T1562.001 (Disable or Modify Tools)</li> </ul> <h2>Sector-Specific Defensive Priorities</h2> <h3>Financial Services</h3> Primary threat: Iranian state actors have historically targeted financial institutions for both espionage and disruptive attacks (DDoS campaigns against U.S. banks, 2012–2013). During the ceasefire, expect credential harvesting campaigns against financial sector personnel involved in sanctions enforcement or Iranian asset freezes. Actions: - Audit Entra ID / M365 conditional access policies — enforce location-based restrictions and block legacy authentication protocols that bypass MFA - Review SWIFT and interbank messaging system access controls for anomalous service account usage - Monitor for DDoS precursor reconnaissance (port scanning, CDN probing) as a potential retaliatory vector if negotiations fail - Ensure fraud detection systems flag transactions involving sanctioned Iranian entities and newly designated intermediaries <h3>Energy</h3> Primary threat: This sector is under confirmed active attack. CISA AA26-097a documents CyberAv3ngers exploiting Rockwell PLCs in energy facilities. The Siemens S7 (port 102) expansion and Yokogawa CENTUM VP authentication bypass (ICSA-26-092-02) compound the risk. The CSIS analysis explicitly warns of Iranian cyber threats to U.S. energy infrastructure. Actions: - Emergency: Audit all internet-facing PLCs (Rockwell CompactLogix, Micro850, Siemens S7, Yokogawa CENTUM VP). Disconnect any that do not require external connectivity. Set Rockwell PLC mode switches to RUN to prevent remote program modification. - Implement network monitoring on ports 44818, 102, 502, 2222, and 22 at OT/IT boundary — any external-originating traffic to these ports is a critical alert - Review Yokogawa CENTUM VP deployments for the PROG user authentication bypass — restrict network access to engineering stations immediately - Audit Siemens SICAM 8/A8000 deployments for DoS vulnerabilities (ICSA-26-092-01) — these are grid protection devices whose disruption could have cascading effects - Coordinate with sector ISAC on Iranian OT targeting indicators <h3>Healthcare</h3> Primary threat: Healthcare organizations face dual risk — ransomware from criminal-state hybrid actors (MOIS-affiliated groups have historically handed off access to ransomware operators) and hacktivist disruption from pro-Iran groups seeking high-visibility targets. The Qilin ransomware BYOVD technique (disabling 300+ EDR products) is assessed as potentially transferable to MOIS-affiliated operators. Actions: - Validate EDR deployment coverage and ensure anti-tamper protections are enabled — the Qilin BYOVD technique specifically targets EDR products via vulnerable driver loading - Audit backup infrastructure for exposure to the ALPHV/UNC4466 pattern of targeting weak Veeam installations for initial access - Segment medical device networks (many run embedded PLCs) from enterprise IT — the CyberAv3ngers PLC exploitation TTPs could apply to connected medical devices - Ensure incident response plans include clinical operations continuity procedures — not just IT recovery <h3>Government</h3> Primary threat: Government agencies are confirmed victims in the CISA PLC advisory. Beyond OT exploitation, government personnel involved in Iran policy, negotiations, or military operations are high-value targets for APT42 credential harvesting and APT34 espionage. The ceasefire creates a surge in diplomatic communications that Iranian intelligence will aggressively target. Actions: - Implement enhanced monitoring of VPN and remote access systems for anomalous authentication patterns — dormant access activation will likely manifest as valid credential usage from unusual locations or times - Brief all personnel involved in Iran negotiations or policy on APT42 spearphishing TTPs — credential harvesting pages impersonating legitimate services are the primary vector - Audit web-facing applications for web shells (T1505.003) — a common Iranian persistence mechanism - Review and restrict access to classified and sensitive compartmented information systems during the ceasefire window — espionage collection will intensify <h3>Aviation & Logistics</h3> Primary threat: The Strait of Hormuz reopening under Iranian armed forces coordination creates a complex threat environment for aviation and maritime logistics. Iranian actors have targeted aerospace companies with fake resume lures on GitHub (UNC5858 impersonating Rafael Defense). Supply chain compromise via developer tools (Claude Code campaign) is directly relevant to aerospace software development pipelines. Actions: - Audit GitHub-based developer workflows for unauthorized repository access, especially repositories with large archive downloads from newly created accounts - Review supply chain security for aerospace components — Iranian espionage against DIB contractors (PIR-007 has been quiet for 28 days, which is itself a warning) - Monitor for fake job posting and resume lures targeting aerospace engineers — this is a confirmed Iranian TTP for initial access - Ensure maritime and aviation operational technology systems are segmented and monitored with the same urgency as energy sector OT <h2>Prioritized Defense Recommendations</h2> <h3>Immediate (Within 24 Hours)</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> IMMEDIATE </td> <td> OT Security </td> <td> Disconnect all Rockwell Automation CompactLogix and Micro850 PLCs from public-facing networks. Set physical mode switches to RUN position to prevent remote program modification. This is per CISA AA26-097a guidance. </td> </tr> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Deploy network detection rules for inbound traffic on ports 44818 (EtherNet/IP), 2222, 102 (Siemens S7), 22 (SSH), and 502 (Modbus) from non-whitelisted external IPs. Alert on any overseas-originating connections to OT network segments. </td> </tr> <tr> <td> IMMEDIATE </td> <td> OT Security </td> <td> Audit all endpoints in OT environments for Dropbear SSH installations. Dropbear is not standard enterprise SSH — any instance on an ICS/SCADA host is a potential indicator of compromise requiring immediate investigation. </td> </tr> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Block all mirantezari[.]website and mirantezexo[.]website domains at DNS resolver and web proxy. Add to SIEM for historical DNS lookup correlation. </td> </tr> </tbody> </table> <h3>7-Day Actions</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 7-DAY </td> <td> SOC / Threat Hunt </td> <td> Conduct proactive threat hunt for dormant access indicators in DIB contractor networks. Focus on: valid account usage anomalies (T1078), web shell persistence on internet-facing servers (T1505.003), and cloud exfiltration staging via Rclone or Wasabi (T1567.002). The 2-week ceasefire window is the critical hunting period. </td> </tr> <tr> <td> 7-DAY </td> <td> DevOps </td> <td> Audit all Docker Engine deployments using AuthZ plugins (OPA, Prisma Cloud) for authorization bypass exposure. Review vendor advisories and apply available patches. Verify that container orchestration platforms enforce authentication on all management interfaces. </td> </tr> <tr> <td> 7-DAY </td> <td> OT Security </td> <td> Review all Yokogawa CENTUM VP deployments for the authentication bypass vulnerability (ICSA-26-092-02). Restrict network access to CENTUM VP engineering stations and audit PROG user account activity for unauthorized access. </td> </tr> <tr> <td> 7-DAY </td> <td> IT Security </td> <td> Restrict installation of AI developer tools (Claude Code, Cursor, Copilot) to official distribution channels only. Block GitHub Releases downloads from newly created repositories with large archive files at the web proxy. </td> </tr> <tr> <td> 7-DAY </td> <td> SOC </td> <td> Increase monitoring sensitivity for APT42 credential harvesting indicators — phishing emails targeting personnel with Iran policy or nuclear research equities, OAuth consent phishing, and anomalous Entra ID sign-ins from atypical geolocations. </td> </tr> </tbody> </table> <h3>30-Day Actions</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Commission a red team assessment of ICS/OT network segmentation. Specifically test whether an attacker with internet access can reach Rockwell, Siemens, or Yokogawa PLCs from the enterprise network. The CISA advisory confirms this is the active attack path. </td> </tr> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Establish or strengthen bilateral intelligence sharing with allied-nation CERTs on Iranian OT targeting. The Siemens S7 (port 102) expansion indicates European infrastructure is also at risk — this is a shared problem requiring coordinated defense. </td> </tr> <tr> <td> 30-DAY </td> <td> Executive / IR </td> <td> Update incident response plans to include OT-specific scenarios: PLC manipulation, HMI display falsification, and Dropbear SSH-based persistent access. Tabletop exercise the scenario of a ceasefire breakdown triggering simultaneous activation of dormant access across multiple sectors. </td> </tr> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Review and update cyber insurance coverage in light of confirmed state-sponsored attacks on critical infrastructure. Ensure war exclusion clauses are understood and that coverage explicitly addresses state-affiliated cyber operations during armed conflict. </td> </tr> <tr> <td> 30-DAY </td> <td> Executive </td> <td> Brief the board on the ceasefire paradox: the pause in kinetic operations increases cyber risk. Ensure executive leadership understands that the next two weeks require heightened — not reduced — cybersecurity posture and investment. </td> </tr> </tbody> </table> <h2>The Bottom Line                      </h2> The ceasefire stopped the missiles. It did not stop the intrusions. CISA has confirmed that Iranian state actors are inside U.S. critical infrastructure — exploiting PLCs, causing operational disruption, and expanding their capabilities to new device families. Russia is providing satellite imagery and cyber support that transforms Iran’s targeting from opportunistic to surgical. And the two-week diplomatic window that begins today is, by every historical precedent, the period when pre-positioning operations peak. The 28-day silence on Defense Industrial Base pre-positioning is not reassuring. It is the loudest quiet signal in this assessment. Dormant access that activates during a ceasefire — when defenses relax and attention shifts to diplomacy — is the highest-consequence, lowest-detection scenario on the board. Do not mistake a ceasefire for a stand-down. Disconnect your exposed PLCs. Hunt for dormant access. Harden your developer environments. Brief your executives. The next two weeks will determine whether Iranian cyber operators consolidated their positions — or whether defenders found them first. The clock is running.

FEATURED RESOURCES

April 8, 2026

Anomali Cyber Watch