Iran's Cyber War Enters a New Phase: State-directed Destruction, Synchronized Strikes, and the 24-Hour Reconstitution Problem

Anomali Threat Research

Published on

March 23, 2026

Table of Contents

<table> <tbody> <tr> <td> Threat Assessment Level: CRITICAL(Maintained from prior assessment. Justification: Three converging developments - USG formal attribution of Handala to the Iranian government, Iran's first confirmed synchronized kinetic-cyber-IO triad strike, and an explicit IRGC conditional threat against global technology centers - sustain the highest threat level. No evidence supports a downgrade.) </td> </tr> </tbody> </table> Twenty-two days into the US-Israel-Iran kinetic conflict that began with Operation Epic Fury on 28 February 2026, the cyber dimension of this war has crossed a threshold that every security leader needs to understand. Iran's cyber operations are no longer deniable, no longer improvised, and no longer limited to the immediate theater of conflict. They are state-directed, pre-planned, globally scoped, and accelerating. This week delivered three developments that, taken together, represent the most significant shift in the Iranian cyber threat since hostilities began: the US government officially attributed the Handala hacktivist group to Iran's Ministry of Intelligence and Security (MOIS), confirming what analysts long suspected - these are not independent activists but state-directed operators. Iran executed its first publicly confirmed synchronized missile, cyber, and information operation strike against Israel. And the Islamic Revolutionary Guard Corps (IRGC) issued an explicit conditional threat to strike "global tech centers" if Iranian power plants are targeted. If your organization touches US critical infrastructure, defense, healthcare, energy, financial services, or cloud technology - or if you operate in Israel, the EU, or the Gulf states - this is your threat environment now. <h2>What Changed This Week</h2> The period of 18-22 March 2026 produced a rapid sequence of escalatory events that fundamentally altered the operational picture. Handala: From "Hacktivist" to Confirmed State Weapon. On 19 March, the FBI seized two domains used by Handala (also tracked as UNC5203, Void Manticore, and Red Sandstorm) for its data leak operations following the devastating wiper attack on US medical device manufacturer Stryker - an attack that destroyed approximately 80,000 endpoints and exfiltrated 50 terabytes of data. On 20 March, the Department of Justice formally attributed Handala to the Iranian government - specifically to MOIS - for the first time, collapsing the "faketavist" model that had provided Iran plausible deniability. By 21 March - less than 24 hours after the FBI takedown - Handala had reconstituted its online presence on pre-staged infrastructure. The message was unmistakable: state resources mean state resilience. The Triad Strike. On 19 March, Iran launched a simultaneous missile strike, cyberattack, and disinformation campaign targeting Israel. This is the first publicly confirmed instance of Iran executing a synchronized kinetic-cyber-information operations triad in this conflict. The doctrine that analysts have been tracking since Day 1 is now operational reality, not theoretical planning. The IRGC Conditional Threat. On 22 March, the IRGC issued an explicit warning: "Global tech centers will be hit if Iran's power plants are attacked." This follows US and Israeli strikes that have already destroyed critical water supply networks and struck the South Pars gas field - the world's largest natural gas reserve. The trajectory of kinetic escalation (water → energy → potentially power) makes this conditional trigger increasingly plausible. "Global tech centers" could mean cloud data centers, semiconductor fabrication facilities, or internet exchange points. Ireland Spillover. Ireland's National Cyber Security Centre warned on 22 March that Iran-linked cyber activity poses a direct threat to Irish organizations, citing Stryker's Cork-based manufacturing and R&D operations as proof of concept. The Handala wiper attack on Stryker's US headquarters propagated to its Irish facilities - demonstrating that Iranian actors will follow US companies' global footprint. This is no longer a US-Israel problem. It is a transatlantic problem. Pre-Positioned Infrastructure Confirmed. SecurityWeek published analysis on 19 March confirming that Iranian hackers built strike-ready cyber infrastructure - command-and-control servers, credential harvesting platforms, and wiper deployment mechanisms - months before Operation Epic Fury began. Current operations are executing pre-planned playbooks, not improvised responses. MuddyWater Deploys AI-Assisted Malware. Unit 42 reported on 18 March that MOIS-affiliated MuddyWater has deployed four new AI-assisted malware families - BlackBeard, LampoRAT, Nuso, and UDPGangster - targeting Gulf diplomatic and energy organizations. AI-assisted development accelerates iteration cycles and produces more evasive payloads, raising the bar for detection. Cyber Av3ngers Go Silent. The IRGC-CEC-affiliated Cyber Av3ngers - known for ICS/OT attacks including the 2023 Pennsylvania water authority incident - have been operationally silent for 22+ consecutive days during the most intense period of the conflict. This anomalous absence, coinciding with seven new Schneider Electric ICS advisories from CISA, is assessed as the highest-priority absence signal in the current threat landscape. MOIS-Cybercrime Convergence Confirmed. Reporting from Dark Reading (12 March) confirmed that MOIS-affiliated actors are actively colluding with ransomware and malware-as-a-service operators, blurring the line between state espionage and criminal extortion and complicating attribution for defenders. Critical Vulnerabilities Under Active Exploitation. CVE-2026-1340 (Ivanti EPMM RCE, CVSS 9.8) and CVE-2026-20963 (SharePoint RCE, CVSS 8.8) are confirmed actively exploited. The Storm-2561 SEO poisoning campaign is distributing fake VPN installers via GitHub to harvest enterprise credentials. Immediate patching is required. <h2>Conflict & Threat Timeline</h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> 28 Feb 2026 </td> <td> Operation Epic Fury / Roaring Lion begins </td> <td> US-Israel kinetic operations against Iran commence; cyber conflict activates </td> </tr> <tr> <td> ~1 Mar 2026 </td> <td> Cyber Av3ngers (IRGC-CEC-affiliated) last confirmed activity </td> <td> ICS/OT-focused group goes silent - now 22+ consecutive days </td> </tr> <tr> <td> 5 Mar 2026 </td> <td> GMI reports 2,000-3,000 cyber attacks per minute </td> <td> Establishes scale of cyber conflict </td> </tr> <tr> <td> ~8 Mar 2026 </td> <td> Reported IDF strike on IRGC cyber headquarters </td> <td> Possible cause of Cyber Av3ngers operational disruption </td> </tr> <tr> <td> 10 Mar 2026 </td> <td> Nextgov reports Russian-linked groups joining Iran's cyber front </td> <td> Cross-state cyber alliance forming; impact assessed as "murky" </td> </tr> <tr> <td> 12 Mar 2026 </td> <td> Microsoft publishes Storm-2561 SEO poisoning campaign </td> <td> Fake VPN installers (Fortinet, Ivanti, Cisco) distributing Hyrax credential stealer </td> </tr> <tr> <td> 12 Mar 2026 </td> <td> Dark Reading reports MOIS-cybercrime convergence </td> <td> Iranian state actors colluding with ransomware and malware-as-a-service operators </td> </tr> <tr> <td> 16 Mar 2026 </td> <td> Akamai reports 245% increase in cybercrime since conflict began </td> <td> Quantifies the operational noise environment </td> </tr> <tr> <td> 18 Mar 2026 </td> <td> Unit 42 publishes MuddyWater AI-assisted malware findings </td> <td> Four new families: BlackBeard, LampoRAT, Nuso, UDPGangster targeting Gulf diplomatic/energy </td> </tr> <tr> <td> 18 Mar 2026 </td> <td> US/Israeli strikes hit South Pars gas field </td> <td> Escalation of kinetic targeting to energy infrastructure </td> </tr> <tr> <td> 19 Mar 2026 </td> <td> Iran executes synchronized missile + cyber + IO triad strike </td> <td> First confirmed kinetic-cyber-IO synchronization in this conflict </td> </tr> <tr> <td> 19 Mar 2026 </td> <td> FBI seizes two Handala domains </td> <td> Disruption attempt against MOIS-directed leak operations </td> </tr> <tr> <td> 19 Mar 2026 </td> <td> SecurityWeek confirms pre-positioned Iranian cyber infrastructure </td> <td> Current ops are pre-planned, not improvised </td> </tr> <tr> <td> 19 Mar 2026 </td> <td> CISA adds CVE-2026-20963 (SharePoint RCE) to KEV </td> <td> Active exploitation confirmed </td> </tr> <tr> <td> 19 Mar 2026 </td> <td> CISA releases 7 ICS advisories (Schneider, Mitsubishi, others) </td> <td> Schneider Modicon/EcoStruxure advisories relevant to Iranian ICS targeting history </td> </tr> <tr> <td> 20 Mar 2026 </td> <td> DOJ formally attributes Handala to Iranian government (MOIS) </td> <td> "Faketavist" model collapses; state direction confirmed </td> </tr> <tr> <td> 20 Mar 2026 </td> <td> CISA adds 5 new entries to Known Exploited Vulnerabilities catalog </td> <td> Expanding active exploitation landscape </td> </tr> <tr> <td> 21 Mar 2026 </td> <td> Handala reconstitutes on new infrastructure (~24 hours post-seizure) </td> <td> Demonstrates state-backed resilience and pre-staged fallback infrastructure </td> </tr> <tr> <td> 22 Mar 2026 </td> <td> IRGC threatens "global tech centers" if power plants attacked </td> <td> New conditional escalation trigger; names cloud/tech infrastructure as targets </td> </tr> <tr> <td> 22 Mar 2026 </td> <td> US/Israeli strikes destroy critical water supply networks </td> <td> Further kinetic escalation increases retaliatory calculus </td> </tr> <tr> <td> 22 Mar 2026 </td> <td> Ireland NCSC warns of Iran spillover to EU organizations </td> <td> Geographic expansion of cyber conflict effects to Western Europe </td> </tr> </tbody> </table> <h2>Key Threat Analysis                     </h2> <h3>The Handala Problem: State-Directed Destruction with Built-In Resilience</h3> Handala - now officially attributed to Iran's MOIS and tracked under multiple designations including UNC5203 (Mandiant), Void Manticore (Check Point), and Red Sandstorm (Microsoft) - represents the most operationally active destructive threat in this conflict. The Stryker attack demonstrated capabilities across the full kill chain: initial access, lateral movement, mass data exfiltration (50TB), and wiper deployment across approximately 80,000 endpoints. The 24-hour reconstitution after FBI domain seizure is the detail that should concern CISOs most. It means Handala maintains pre-staged fallback infrastructure - domains, hosting, and communication channels ready to activate when primary infrastructure is disrupted. This is not the behavior of an independent hacktivist collective. This is state-resourced operational planning with redundancy built in. The Stryker attack also demonstrated geographic reach: effects propagated from US headquarters to Cork, Ireland, prompting Ireland's NCSC to issue a national warning. Any organization with a global footprint should assume that a compromise of one facility can cascade internationally. Key TTPs: Data Destruction (T1485), Data Encrypted for Impact (T1486), Exfiltration Over Web Service (T1567.002), Acquire Infrastructure: Domains (T1583.001), External Defacement (T1491.002) <h3>MuddyWater's AI-Assisted Evolution</h3> MuddyWater (also tracked as TEMP.Zagros, Mercury, Seedworm, and Static Kitten), an MOIS-affiliated espionage group, was the subject of a Unit 42 report on 18 March revealing deployment of four AI-assisted malware families: BlackBeard, LampoRAT, Nuso, and UDPGangster. These tools are targeting Gulf diplomatic and energy organizations. The use of AI-assisted development suggests faster iteration cycles and potentially more evasive payloads. MuddyWater's ThreatStream profile was updated as recently as 22 March, indicating ongoing operational activity. <h3>The Cyber Av3ngers Silence: The Loudest Signal in the Conflict</h3> The IRGC-CEC-affiliated group Cyber Av3ngers (also tracked as HYDRO KITTEN) - known for targeting industrial control systems, including the November 2023 attack on Unitronics PLCs at a Pennsylvania water authority - has been silent for 22+ consecutive days during the most intense period of the conflict. This is the highest-priority absence signal in the current threat landscape. Three explanations are possible, and none of them are reassuring: <ol> <li>Capability degradation from the reported ~8 March IDF strike on IRGC cyber headquarters - their operational capacity may be temporarily diminished.</li> <li>Operational security tightening before a major ICS/OT operation - silence before the storm.</li> <li>Pivot to supporting state APT operations rather than conducting independent hacktivist-style attacks - their capabilities may be folded into more sophisticated campaigns.</li> </ol> Given the IRGC's explicit threat against "global tech centers" and the seven new ICS advisories CISA released on 19 March (including multiple Schneider Electric Modicon and EcoStruxure vulnerabilities), the possibility of a coordinated ICS/OT attack timed to a kinetic escalation event cannot be dismissed. <h3>The MOIS-Cybercrime Convergence</h3> Reporting from Dark Reading (12 March) and The Register (10 March) confirms that MOIS-affiliated actors are actively colluding with ransomware and malware-as-a-service operators. This convergence blurs the line between state espionage and criminal extortion, creating a dual-threat model: the same intrusion may serve both intelligence collection and financial objectives. For defenders, this means that what initially appears to be a routine ransomware incident may in fact be a state-directed operation - and vice versa. <h3>Critical Vulnerabilities Under Active Exploitation</h3> Two vulnerabilities demand immediate attention: <ul> <li>CVE-2026-1340 - Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution, CVSS 9.8. A single threat actor is responsible for 83% of exploitation activity against this vulnerability. Given Iranian actors' documented preference for targeting VPN and edge devices (Fox Kitten/Lemon Sandstorm, APT34/OilRig), this vulnerability is squarely in the Iranian targeting envelope.</li> <li>CVE-2026-20963 - Microsoft SharePoint Remote Code Execution, CVSS 8.8. Added to CISA's Known Exploited Vulnerabilities catalog on 19 March with confirmed active exploitation.</li> </ul> Additionally, the Storm-2561 campaign (reported by Microsoft on 12 March) is using SEO poisoning to distribute fake VPN client installers impersonating Fortinet, Ivanti, and Cisco products via GitHub repositories. The campaign deploys Hyrax malware, which steals enterprise VPN credentials - providing initial access for follow-on operations. <h3>Russian Amplification: An Uncertain but Watched Variable</h3> Nextgov reported on 10 March that Russian-linked collectives have appeared on Iran's cyber front, though analysts offered mixed assessments of their actual impact. Twelve days later, no significant follow-up reporting has emerged. However, one data point warrants attention: a ThreatStream-tracked IP address (172.94.9[.]245) carries both APT28 (Russian) attribution tags and is associated with Iranian operational infrastructure. This could indicate infrastructure sharing between Russian and Iranian actors, misattribution, or proxy usage. It remains under investigation but underscores the potential for cross-state cyber cooperation. <h2>Predictive Analysis: What Comes Next</h2> Based on the trajectory of the conflict, confirmed capabilities, and stated intentions, the following assessments cover the next 7-14 days: <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> Handala or affiliated MOIS group conducts another destructive operation against a US or allied organization </td> <td> 70-75% </td> <td> 24-hour reconstitution demonstrates unbroken operational tempo; state backing confirmed; target-rich environment of US critical infrastructure and DIB </td> </tr> <tr> <td> CISA adds additional KEV entries related to Iranian exploitation of edge devices </td> <td> 70% </td> <td> CVE-2026-1340 exploitation is intensifying; Storm-2561 campaign actively harvesting VPN credentials; Iranian actors historically chain edge device exploits </td> </tr> <tr> <td> Cyber Av3ngers break silence with an ICS/OT-focused operation </td> <td> 45-50% </td> <td> Extended silence during peak escalation is anomalous; IRGC has explicitly threatened infrastructure retaliation; 7 new ICS advisories provide fresh attack surface </td> </tr> <tr> <td> Retaliatory cyber strikes on cloud/hosting infrastructure following kinetic escalation to Iranian power plants </td> <td> 35-40% </td> <td> IRGC has stated this as explicit doctrine; kinetic targeting trajectory is escalating (water → gas → potentially power); pre-positioned infrastructure confirmed </td> </tr> <tr> <td> Iranian actors target EU-based subsidiaries of US companies as softer entry points </td> <td> 55-60% </td> <td> Ireland spillover from Stryker demonstrates the model; EU subsidiaries may have weaker security postures than US headquarters; MOIS has demonstrated willingness to follow global footprints </td> </tr> <tr> <td> MuddyWater AI-assisted malware families appear in campaigns beyond Gulf targets </td> <td> 40-45% </td> <td> BlackBeard, LampoRAT, Nuso, and UDPGangster are newly deployed; AI-assisted development enables rapid retargeting; MuddyWater historically expands targeting during escalation periods </td> </tr> </tbody> </table> <h2>SOC Operational Guidance                </h2> <h3>What to Monitor</h3> Network Telemetry: <ul> <li>Outbound connections to Iranian ASNs (AS42337/Respina Networks, AS25184/AFRANET, AS202468/ArvanCloud, AS58224/Telecom Esfahan) - these hosted confirmed C2 infrastructure in this collection cycle</li> <li>Cobalt Strike beacon traffic on port 443, particularly to 188.121.123[.]185 (ArvanCloud, Tehran) - T1071.001 (Application Layer Protocol: Web Protocols)</li> <li>AsyncRAT C2 communications to 91.231.222[.]220 (Go Host, Tehran) - T1095 (Non-Application Layer Protocol)</li> <li>DNS queries for newly registered domains containing "handala," "banished," or known Handala-associated keywords - T1583.001 (Acquire Infrastructure: Domains)</li> <li>Anomalous VPN client downloads from GitHub repositories - Storm-2561 indicator - T1189 (Drive-by Compromise), T1608.004 (Stage Capabilities: Drive-By Target)</li> </ul> Identity & Access: <ul> <li>OAuth consent grant anomalies in Microsoft Entra ID / Azure AD - look for third-party applications requesting Mail.Read, Files.ReadWrite.All, or Directory.Read.All permissions without business justification - T1550.001 (Use Alternate Authentication Material: Application Access Token)</li> <li>Bulk credential harvesting indicators: high-volume failed authentication attempts followed by successful logins from new geolocations, particularly Middle Eastern IP ranges - T1110 (Brute Force)</li> <li>Spearphishing campaigns using war-themed lures (Iran conflict news, casualty reports, policy briefings) - T1566.002 (Phishing: Spearphishing Link)</li> </ul> Endpoint: <ul> <li>Wiper indicators: mass file deletion or encryption events, MBR/VBR modification, volume shadow copy deletion (vssadmin delete shadows) - T1485 (Data Destruction), T1490 (Inhibit System Recovery)</li> <li>Execution of unknown binaries from %TEMP% or %APPDATA% directories with network callbacks to the IOCs listed below - T1204.002 (User Execution: Malicious File)</li> <li>PowerShell or cmd.exe spawning from Office applications (MuddyWater's historical initial access pattern) - T1059.001 (Command and Scripting Interpreter: PowerShell)</li> </ul> ICS/OT (Critical for Energy, Water, Manufacturing): <ul> <li>Anomalous PLC programming or firmware updates on Schneider Electric Modicon M241/M251/M258/M262 controllers - T0839 (Module Firmware) (ICS ATT&CK)</li> <li>Unexpected connections to EcoStruxure engineering workstations from IT network segments - T0886 (Remote Services) (ICS ATT&CK)</li> <li>Unitronics PLC default credential usage (Cyber Av3ngers' known TTP from 2023 water utility attacks) - T0812 (Default Credentials) (ICS ATT&CK)</li> </ul> <h3>Hunting Hypotheses</h3> <ol> <li>Hypothesis: Pre-positioned Iranian access exists in our environment via compromised edge devices. Hunt for: Ivanti EPMM instances with indicators of CVE-2026-1340 exploitation; Fortinet/Cisco VPN appliances with unauthorized configuration changes; web shells in DMZ-facing systems. Timeframe: Look back 90 days (pre-conflict staging window).</li> <li>Hypothesis: Storm-2561 fake VPN installers have been downloaded by employees. Hunt for: Hyrax malware artifacts; VPN client binaries downloaded from GitHub rather than vendor portals; DNS queries to domains associated with SEO-poisoned search results for "Fortinet VPN download" or "Ivanti VPN client."</li> <li>Hypothesis: Handala-style wiper pre-positioning is underway. Hunt for: Lateral movement patterns consistent with domain-wide access acquisition (DCSync, NTDS.dit extraction); staging of destructive tools in administrative shares; scheduled tasks or GPO modifications that could trigger simultaneous execution across endpoints. T1003.006 (OS Credential Dumping: DCSync), T1053.005 (Scheduled Task/Job)</li> <li>Hypothesis: OAuth consent phishing has granted unauthorized application access. Hunt for: Entra ID audit logs showing consent grants to unfamiliar applications in the past 30 days; applications with delegated permissions exceeding their stated purpose; service principals created by non-admin users.</li> </ol> <h3>IOC Blocking Table</h3> The following indicators were collected from validated intelligence feeds during this cycle. Block at perimeter firewalls, add to SIEM correlation rules, and use for retroactive log searches. <table> <thead> <tr> <th> IOC </th> <th> Type </th> <th> Context </th> <th> Confidence </th> </tr> </thead> <tbody> <tr> <td> 188.121.123[.]185 </td> <td> IPv4 </td> <td> Cobalt Strike beacon C2, ArvanCloud Tehran (ASN 202468) </td> <td> 85 </td> </tr> <tr> <td> 91.231.222[.]220 </td> <td> IPv4 </td> <td> AsyncRAT C2, Go Host Tehran (ASN 208191) - corroborated by Recorded Future, ThreatFox, DHS AIS </td> <td> 98 </td> </tr> <tr> <td> 172.94.9[.]245 </td> <td> IPv4 </td> <td> APT infrastructure (ASN 213790), tagged T1190/T1005/T1071/T1571 </td> <td> 98 </td> </tr> <tr> <td> 5.160.228[.]186 </td> <td> IPv4 </td> <td> Rampant Kitten / TeleSpy malware, Respina Networks Tehran (ASN 42337) </td> <td> 77 </td> </tr> <tr> <td> 62.60.130[.]247 </td> <td> IPv4 </td> <td> APT proxy infrastructure, Cipher Operations Belgrade (ASN 215930), targeting manufacturing </td> <td> 80 </td> </tr> <tr> <td> 78.109.194[.]114 </td> <td> IPv4 </td> <td> Operation Cleaver legacy infrastructure, AFRANET Tehran (ASN 25184) </td> <td> 90 </td> </tr> <tr> <td> 185.165.29[.]25 </td> <td> IPv4 </td> <td> LokiBot distribution, Bushehr ISP </td> <td> 85 </td> </tr> <tr> <td> 37.255.75[.]204 </td> <td> IPv4 </td> <td> C2/Malware tagged, Telecom Esfahan (ASN 58224) </td> <td> 70 </td> </tr> <tr> <td> 185.161.208[.]123 </td> <td> IPv4 </td> <td> Iranian threat infrastructure </td> <td> - </td> </tr> <tr> <td> 2.176.206[.]42 </td> <td> IPv4 </td> <td> Iranian threat infrastructure </td> <td> - </td> </tr> </tbody> </table> Additional IOCs (file hashes, domains, URLs) associated with the campaigns discussed in this report are available through Anomali ThreatStream and partner feeds. <h2>Sector-Specific Defensive Priorities</h2> <h3>Financial Services</h3> US banks are explicitly on the target list. American Banker reported that the Iran war has brought the "cyber frontline to US banks," and Virginia Business documented targeted Iranian cyber activity against the US financial sector. Iranian actors - particularly Fox Kitten (Lemon Sandstorm) and APT34 (OilRig) - have historically targeted financial institutions for both espionage and destructive purposes. <ul> <li>Priority 1: Audit all SWIFT and interbank messaging system access controls. Iranian actors targeted SWIFT infrastructure during Operation Cleaver (2012-2014) and the capability has matured since.</li> <li>Priority 2: Harden customer-facing web applications against credential harvesting. APT42's TAMECAT/POWERPUG phishing kit campaign (updated 19 March in ThreatStream) is actively harvesting credentials from high-value targets.</li> <li>Priority 3: Review third-party fintech integrations for OAuth consent anomalies - the ConsentFix technique is designed to exploit trust relationships with financial SaaS platforms.</li> <li>Priority 4: Ensure DDoS mitigation is active and tested. The synchronized triad strike model (19 March) suggests DDoS may be used as a diversionary component of more destructive operations.</li> </ul> <h3>Energy</h3> The energy sector faces the most acute ICS/OT risk in this conflict. Cyber Av3ngers' historical targeting of Unitronics PLCs, the IRGC's explicit threat against power infrastructure, and seven new Schneider Electric ICS advisories create a convergent threat picture. <ul> <li>Priority 1: Immediately patch Schneider Electric Modicon M241/M251/M258/M262 and EcoStruxure Automation Expert, PME, and EPO per CISA ICS advisories ICSA-26-078-01 through ICSA-26-078-04.</li> <li>Priority 2: Verify network segmentation between IT and OT environments. Iranian actors have demonstrated the ability to pivot from IT compromise to OT access.</li> <li>Priority 3: Audit all remote access to OT environments - disable default credentials on all PLCs, particularly Unitronics devices. Implement multi-factor authentication for all engineering workstation access.</li> <li>Priority 4: Establish or increase frequency of manual process monitoring. If digital controls are compromised, operators must be able to detect anomalies through physical observation.</li> </ul> <h3>Healthcare</h3> The Stryker attack (attributed to Handala, MOIS-directed) demonstrated that healthcare and medical device manufacturers are priority targets. The attack destroyed 80,000 endpoints and exfiltrated 50TB of data from a company whose products are embedded in hospitals worldwide. <ul> <li>Priority 1: Inventory all network-connected medical devices and assess exposure to supply chain compromise from manufacturers under active Iranian targeting.</li> <li>Priority 2: Segment medical device networks from administrative IT networks. Wiper propagation from corporate systems to clinical environments is the nightmare scenario.</li> <li>Priority 3: Ensure offline backup and recovery procedures are tested for clinical systems. Handala's wiper attacks are designed to maximize operational disruption - recovery time is the critical metric.</li> <li>Priority 4: Brief clinical staff on phishing campaigns using war-themed lures. Healthcare workers are high-value targets for credential harvesting.</li> </ul> <h3>Government (Federal, State, Local)</h3> Government agencies are targets for both espionage (APT42/CALANQUE, MuddyWater) and destructive operations (Handala). The FBI's Handala domain seizure and DOJ attribution demonstrate that USG is actively engaged, but government networks remain in the crosshairs. <ul> <li>Priority 1: Enforce CISA's KEV patching mandates - CVE-2026-1340 (Ivanti EPMM, CVSS 9.8) and CVE-2026-20963 (SharePoint RCE, CVSS 8.8) are confirmed actively exploited.</li> <li>Priority 2: Audit all .gov and .mil domains for indicators of Iranian reconnaissance (T1594 - Search Victim-Owned Websites). Iranian actors conducted pre-conflict reconnaissance months in advance.</li> <li>Priority 3: Review and restrict OAuth application consent policies in Microsoft 365 / Entra ID environments. Government tenants are high-value targets for ConsentFix-style attacks.</li> <li>Priority 4: Coordinate with CISA and sector-specific ISACs for real-time threat sharing. The 24-hour Handala reconstitution demonstrates that threat intelligence sharing speed is a critical defensive advantage.</li> </ul> <h3>Aviation & Logistics</h3> Iranian actors have historically targeted aviation and transportation (Operation Cleaver included airline targeting). The conflict's disruption of global shipping routes and airspace creates both physical and cyber risk to this sector. <ul> <li>Priority 1: Audit all internet-facing booking, cargo management, and flight operations systems for indicators of compromise. Focus on edge devices (VPN, remote access) as initial access vectors.</li> <li>Priority 2: Review supply chain dependencies on manufacturers or service providers operating in conflict-affected regions. The Stryker/Ireland model demonstrates cascading effects through global supply chains.</li> <li>Priority 3: Harden operational technology in air traffic management and ground handling systems. Ensure these systems are segmented from corporate IT networks.</li> <li>Priority 4: Monitor for fake resume and job application lures - ThreatStream tracks an active Iranian campaign using fake resume lures on GitHub to distribute malware targeting aerospace organizations.</li> </ul> <h2>Prioritized Defense Recommendations</h2> <h3>Immediate (Within 24 Hours)</h3> <table> <thead> <tr> <th> Action </th> <th> Owner </th> </tr> </thead> <tbody> <tr> <td> Block all 10 Iranian C2/APT IP addresses listed in the IOC table above at perimeter firewalls, proxy, and EDR. Add to SIEM correlation rules for retroactive and real-time alerting. </td> <td> SOC </td> </tr> <tr> <td> Patch CVE-2026-1340 (Ivanti EPMM RCE, CVSS 9.8) on all Ivanti Endpoint Manager Mobile instances. A single actor is responsible for 83% of exploitation. </td> <td> IT Ops / Vulnerability Management </td> </tr> <tr> <td> Patch CVE-2026-20963 (SharePoint RCE, CVSS 8.8) - added to CISA KEV on 19 March with confirmed active exploitation. </td> <td> IT Ops / Vulnerability Management </td> </tr> <tr> <td> Monitor for Handala's reconstituted leak site domains. FBI seizure was 19 March; new domains were operational by 21 March. Watch for new .onion and clearnet domains claiming Handala affiliation. </td> <td> SOC / Threat Intelligence </td> </tr> <tr> <td> Validate that wiper incident response playbooks are current and accessible. Ensure offline backups are verified and air-gapped. The next Handala-style attack could come within days. </td> <td> IR Team / IT Ops </td> </tr> <tr> <td> Brief executive leadership on the IRGC conditional threat against "global tech centers" and the confirmed synchronized kinetic-cyber-IO strike doctrine. Decision-makers need to understand that cyber incidents may coincide with kinetic events. </td> <td> CISO </td> </tr> </tbody> </table> <h3>7-Day Actions</h3> <table> <thead> <tr> <th> Action </th> <th> Owner </th> </tr> </thead> <tbody> <tr> <td> Apply Schneider Electric patches for Modicon M241/M251/M258/M262, EcoStruxure Automation Expert, EcoStruxure PME, and EcoStruxure EPO per CISA ICS advisories ICSA-26-078-01 through ICSA-26-078-08. </td> <td> OT Security / Engineering </td> </tr> <tr> <td> Deploy detection rules for Storm-2561 SEO poisoning campaign: fake VPN installers impersonating Fortinet, Ivanti, and Cisco distributed via GitHub repositories; Hyrax malware steals enterprise VPN credentials. </td> <td> SOC / Detection Engineering </td> </tr> <tr> <td> Audit all OAuth consent grants in Microsoft Entra ID / Azure AD. Revoke suspicious third-party application permissions, particularly those requesting Mail.Read, Files.ReadWrite.All, or Directory.Read.All. </td> <td> Identity & Access Management </td> </tr> <tr> <td> Conduct a 90-day retrospective threat hunt for indicators of pre-positioned Iranian access: web shells on DMZ systems, unauthorized VPN appliance configuration changes, anomalous service principal creation in cloud tenants. </td> <td> Threat Hunting / SOC </td> </tr> <tr> <td> Test DDoS mitigation capabilities under load. The synchronized triad strike model means DDoS may be used as a diversion during destructive operations. </td> <td> Network Operations / SOC </td> </tr> </tbody> </table> <h3>30-Day Actions</h3> <table> <thead> <tr> <th> Action </th> <th> Owner </th> </tr> </thead> <tbody> <tr> <td> Commission a threat assessment of EU subsidiary exposure. The Ireland spillover from the Stryker attack demonstrates that Iranian actors follow US companies' global footprint. Map all EU-based operations and assess their security posture relative to headquarters. </td> <td> CISO / Risk Management </td> </tr> <tr> <td> Develop a contingency plan for IRGC-threatened "global tech center" attacks. If kinetic escalation reaches Iranian power infrastructure, retaliatory cyber strikes on cloud and hosting providers are explicitly threatened. Ensure business continuity plans account for multi-region cloud outages. </td> <td> CISO / Business Continuity </td> </tr> <tr> <td> Review and update incident response playbooks to account for combined kinetic-cyber events. The 19 March triad strike means that cyber incidents may occur simultaneously with physical security events, requiring coordinated response across security domains. </td> <td> CISO / IR Team / Physical Security </td> </tr> <tr> <td> Evaluate network segmentation between IT and OT environments. Commission a penetration test specifically targeting the IT-to-OT pivot path that Iranian actors have demonstrated in previous campaigns. </td> <td> OT Security / Red Team </td> </tr> <tr> <td> Assess intelligence collection coverage for Iranian threat actors. Ensure feeds cover MuddyWater's new AI-assisted malware families (BlackBeard, LampoRAT, Nuso, UDPGangster) and Handala's reconstituted infrastructure. </td> <td> Threat Intelligence </td> </tr> </tbody> </table> <h2>The Bottom Line                               </h2> Twenty-two days into this conflict, three realities define the cyber threat environment: First, the masks are off. The US government's formal attribution of Handala to Iran's MOIS ends the era of plausible deniability for Iranian "hacktivist" operations. These are state-directed destructive cyber attacks, resourced with pre-staged infrastructure that can reconstitute faster than law enforcement can disrupt it. Plan accordingly. Second, the doctrine is proven. Iran's synchronized kinetic-cyber-IO triad strike on 19 March validated the operational concept that analysts have tracked since the conflict began. Cyber attacks will accompany kinetic operations. Your incident response plans must account for this - a cyber incident during a period of kinetic escalation is not coincidence, it is doctrine. Third, the targeting is expanding. From US critical infrastructure to Irish manufacturing facilities, from Gulf diplomatic missions to the explicitly threatened "global tech centers" - the aperture of Iranian cyber targeting is widening with each week of conflict. The 245% increase in cybercrime since hostilities began is not background noise. It is the operating environment. The Cyber Av3ngers' 22-day silence remains the single most concerning signal in this conflict. When an IRGC-CEC-affiliated ICS/OT group goes quiet during the most intense period of kinetic escalation, the responsible assumption is preparation - not retirement. Hunt as if Iranian actors are already in your environment. The pre-positioned infrastructure confirmed this week suggests that for some organizations, they are.

FEATURED RESOURCES

March 23, 2026

Anomali Cyber Watch