Iran's Cyber War Machine Doesn't Do Ceasefires: What CISOs Need to Know Now

Anomali Threat Research

Published on

May 28, 2026

Table of Contents

Threat Assessment Level: HIGH <h2> Executive Summary </h2> Three months into the US-Israel military campaign against Iran (Operation Epic Fury, initiated 28 February 2026), the cyber domain has become Tehran's primary retaliation vector — and the nominal ceasefire has done nothing to slow it down. This week, we confirmed that IRGC-affiliated operators have moved from capability development to active exploitation of industrial control systems , Russian state infrastructure is co-located on Iranian networks alongside ransomware operators, and a 69-day intelligence gap on pre-positioned access in defense networks represents the single most dangerous blind spot in the current threat landscape. If your organization operates industrial control systems, edge VPN appliances, cloud identity infrastructure, or supports the defense industrial base — this report demands immediate action. <h2> What Changed </h2> <table> <thead> <tr> <th> Development </th> <th> Why It Matters </th> </tr> </thead> <tbody> <tr> <td> HYDRO KITTEN confirmed exploiting CVE-2021-22681 (Rockwell RSLogix 5000 PLC authentication bypass) </td> <td> IRGC-CEC has validated its ability to access industrial controllers without authentication — the same unit that destroyed compressors at a food production facility on 25 May 2026 </td> </tr> <tr> <td> ASN 213790 (Tehran) now hosts APT28 + Cactus ransomware + Iranian proxy relays simultaneously </td> <td> A single Iranian network block serves Russian state actors, ransomware criminals, and IRGC proxies — creating deliberate attribution confusion </td> </tr> <tr> <td> UNC5858 (Black Shadow) Rafael impersonation campaign confirmed active (last IOC: 27 May 2026) </td> <td> Iranian intelligence collection against Israeli defense sector is ongoing and current </td> </tr> <tr> <td> Six ABB ICS advisories published in a single day (AC500 PLCs, Zenon SCADA, Terra AC EV chargers) </td> <td> Expands the OT attack surface for actors already proven capable of ICS destruction </td> </tr> <tr> <td> OAuth device-code phishing technique documentation refreshed </td> <td> Iranian actors (APT42, MuddyWater) have demonstrated this MFA-bypass technique against Microsoft 365 environments </td> </tr> <tr> <td> Nimbus Manticore (UNC1549) conducted three MiniFast backdoor waves against US aviation (Feb–Apr 2026) </td> <td> IRGC-affiliated operators are actively targeting aviation and aerospace via SEO poisoning with AI-assisted malware development, broadening the threat beyond traditional defense targets </td> </tr> <tr> <td> Fox Kitten/Pioneer Kitten silent for 69 consecutive days </td> <td> Pre-positioned access in defense contractor networks is invisible until activation — and ceasefire collapse is the trigger condition </td> </tr> </tbody> </table> <h2> Conflict & Threat Timeline </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> </tr> </thead> <tbody> <tr> <td> 28 Feb 2026 </td> <td> Operation Epic Fury initiated — US-Israel coordinated airstrikes on Iran </td> </tr> <tr> <td> Feb–Apr 2026 </td> <td> Nimbus Manticore (UNC1549) conducts three MiniFast backdoor waves against US aviation via SEO poisoning </td> </tr> <tr> <td> Late Feb 2026 </td> <td> HYDRO KITTEN exploits CVE-2021-22681 against Rockwell PLCs </td> </tr> <tr> <td> 18 Apr 2026 </td> <td> Forbes reports ceasefire brokered but explicitly excludes cyber operations </td> </tr> <tr> <td> 22 Apr 2026 </td> <td> UK MI6 chief names Iran as top-3 cyber threat to the UK </td> </tr> <tr> <td> 6 May 2026 </td> <td> Dark Reading reports UAE facing 90,000–200,000 breach attempts per day </td> </tr> <tr> <td> 16 May 2026 </td> <td> MSN reports Iranian hackers targeting US fuel station monitoring systems </td> </tr> <tr> <td> 25 May 2026 </td> <td> IRGC operators destroy three compressors at food production facility via PLC manipulation — no malware used </td> </tr> <tr> <td> 26 May 2026 </td> <td> CISA publishes six ABB ICS advisories simultaneously </td> </tr> <tr> <td> 27 May 2026 </td> <td> ECB warns of Iran-war financial contagion; UNC5858 IOC activity confirmed; HYDRO KITTEN profile updated </td> </tr> <tr> <td> 28 May 2026 </td> <td> OAuth phishing bulletin refreshed; threat level elevated to HIGH </td> </tr> </tbody> </table> <h2> Key Threat Analysis </h2> <h3> 1. HYDRO KITTEN — IRGC's ICS Destruction Unit Goes Live </h3> Aliases: Cyber Av3ngers, BAUXITE, Soldiers of Solomon, Mr.Soul Affiliation: IRGC Cyber-Electronic Command (CEC), Shahid Kaveh sub-unit HYDRO KITTEN has confirmed exploitation of CVE-2021-22681 — a critical authentication bypass in Rockwell Automation RSLogix 5000 (versions 20–38) that grants unauthenticated access to Allen-Bradley PLCs. This is the same unit that, on 25 May 2026, destroyed physical equipment at a food production facility by manipulating PLC setpoints using only valid credentials — no malware deployed, no signatures to detect. Their exploitation portfolio now spans 20 CVEs across Fortinet, Palo Alto Networks, Ivanti, Citrix, and SonicWall — demonstrating a "spray and access" approach to edge devices that makes perimeter-only defense insufficient. Malware: IOControl (custom ICS implant), Crucio (ransomware/wiper), plus C++ and Golang wipers Key insight: The 25 May attack used no malware at all — only legitimate credentials and PLC commands. Traditional signature-based OT monitoring would have detected nothing. <h3> 2. Russian-Iranian Infrastructure Convergence on ASN 213790 </h3> Three high-confidence indicators on ASN 213790 ("Limited Network," Tehran) reveal an extraordinary convergence: <ul> <li> APT28 (Fancy Bear / Russian GRU) command-and-control infrastructure </li> <li> Cactus ransomware staging (typically targets healthcare and manufacturing) </li> <li> Iranian SOCKS4 proxy relays (previously tracked) </li> </ul> This convergence creates a deliberate attribution problem. If Iranian actors deploy Cactus ransomware against a hospital or factory, it will initially appear to be a criminal operation — not state-directed destruction. This mirrors the Fox Kitten playbook of handing off access to ransomware affiliates to obscure state involvement. <h3> 3. UNC5858 (Black Shadow) — Active Defense Sector Espionage </h3> UNC5858 continues impersonating Rafael Advanced Defense Systems (Israel's premier defense manufacturer) in spear-phishing campaigns delivering custom backdoors and data harvesters. IOC activity confirmed as recently as 27 May 2026 — this campaign is live and current. <h3> 4. OAuth Device-Code Phishing — MFA Is Not Enough </h3> Iranian actors including APT42 (Charming Kitten, IRGC-IO affiliated) and MuddyWater (MOIS affiliated) have demonstrated OAuth device-code phishing that: <ul> <li> Bypasses MFA entirely by stealing OAuth session tokens </li> <li> Requires no fake infrastructure — uses legitimate Microsoft client IDs </li> <li> Shows no consent dialogs to victims </li> <li> Provides near-indefinite access via refresh tokens </li> </ul> This eliminates traditional phishing indicators. There are no fake domains to block, no credential harvesting pages to detect. <h3> 5. MuddyWater — The Silence Before the Storm </h3> MuddyWater (MOIS-affiliated) has maintained operational silence since December 2025 — approaching six months. For a group that was previously one of Iran's most active cyber espionage operators, this duration of silence during an active military conflict is consistent with a wartime retooling cycle . When they resurface, expect TTPs specifically designed to bypass current detection signatures. <h2> Predictive Analysis </h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability (30 days) </th> <th> Key Trigger </th> </tr> </thead> <tbody> <tr> <td> HYDRO KITTEN conducts destructive OT attack against energy/manufacturing target </td> <td> ~35% </td> <td> Rockwell PLC exploitation confirmed; IOControl operational; food-plant precedent set </td> </tr> <tr> <td> Fox Kitten activates dormant DIB network access </td> <td> ~20% baseline; ~50% if ceasefire collapses </td> <td> 69-day silence consistent with pre-positioning; ceasefire fragility is the trigger </td> </tr> <tr> <td> OAuth-based cloud compromise against allied organization </td> <td> ~25% (14-day window) </td> <td> Technique mature; Iranian actors demonstrated capability; renewed bulletin attention suggests renewed attacker activity </td> </tr> <tr> <td> Cactus ransomware deployed as false-flag destructive operation from Iranian infrastructure </td> <td> ~15% </td> <td> Infrastructure co-location confirmed; Fox Kitten ransomware handoff precedent exists </td> </tr> <tr> <td> MuddyWater resurfaces with novel TTPs </td> <td> ~30% (30-day window) </td> <td> Six-month retooling cycle approaching historical pattern for resurgence </td> </tr> <tr> <td> Pro-Iran hacktivists target European financial institutions </td> <td> ~25% </td> <td> ECB's 27 May public warning signals awareness of expanding targeting </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Detection Priorities </h3> <table> <thead> <tr> <th> ATT&CK Technique </th> <th> What to Monitor </th> <th> Detection Logic </th> </tr> </thead> <tbody> <tr> <td> T1190 (Exploit Public-Facing Application) </td> <td> VPN concentrators (Cisco ASA/FTD, Fortinet, Ivanti), PLCs exposed to network </td> <td> Alert on authentication bypass attempts against Rockwell RSLogix; monitor CVE-2021-22681 and CVE-2025-20362 exploitation patterns </td> </tr> <tr> <td> T1078 (Valid Accounts) </td> <td> PLC access logs, OT historian authentication </td> <td> Baseline legitimate PLC programming sessions; alert on off-hours access or access from non-engineering workstations </td> </tr> <tr> <td> T1528 (Steal Application Access Token) </td> <td> Azure AD/Entra ID sign-in logs </td> <td> Detect device-code authentication flows from unexpected geolocations, particularly Iran-origin IP ranges </td> </tr> <tr> <td> T1550.001 (Application Access Token reuse) </td> <td> Microsoft 365 audit logs </td> <td> Alert on OAuth token usage from IPs/locations inconsistent with the original authentication </td> </tr> <tr> <td> T1059 (Command and Scripting Interpreter) </td> <td> Network traffic to ASN 213790 </td> <td> Block and alert on any communication with 185.93.89[.]43, 192.253.248[.]52, 192.253.248[.]55 </td> </tr> <tr> <td> T1071 (Application Layer Protocol) </td> <td> Outbound traffic on non-standard ports </td> <td> Monitor for C2 beaconing patterns to Iranian ASN ranges </td> </tr> <tr> <td> T0890 (ICS: Exploitation for Evasion) </td> <td> OT network segmentation boundaries </td> <td> Alert on any IT-to-OT lateral movement; validate PLC firmware integrity </td> </tr> <tr> <td> T1566.002 (Spearphishing Link) </td> <td> Email gateway logs </td> <td> Flag emails impersonating defense contractors (Rafael, Elbit, IAI) with embedded links </td> </tr> </tbody> </table> <h3> Hunting Hypotheses </h3> <ol> <li> Fox Kitten Dormant Access Hunt: Search VPN concentrator logs (Cisco ASA, Fortinet, Ivanti) for: web shells with >30-day access gaps, scheduled tasks that execute infrequently, Rclone configurations pointing to Wasabi/S3 storage, and VPN sessions from previously unseen source IPs authenticating with valid credentials. </li> <li> PLC Manipulation Without Malware: Review OT historian logs for setpoint changes outside maintenance windows. Correlate PLC programming sessions with authorized change tickets. Any unscheduled PLC logic modification is a critical alert. </li> <li> OAuth Token Abuse: Query Entra ID for device-code authentication grants where the requesting IP geolocates to Iran, Russia, or known proxy infrastructure. Look for refresh token usage patterns that span multiple geographic locations within short timeframes. </li> <li> Ransomware-as-Cover: Monitor for Cactus ransomware indicators in environments where the initial access vector traces to Iranian infrastructure (ASN 213790 ranges). Any ransomware deployment preceded by access from these IPs should be treated as a potential state-directed destructive operation, not a criminal incident. </li> </ol> <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> The ECB's 27 May warning on Iran-war financial contagion signals expanding hacktivist targeting toward European financial institutions. Pro-Iran groups (Handala, Cyber Toufan) have previously conducted DDoS and data-leak operations against financial targets. <ul> <li> Priority: Validate DDoS mitigation capacity against volumetric attacks; review OAuth/API token security for trading platforms and payment systems </li> <li> Monitor: Telegram channels for hacktivist targeting announcements; anomalous API authentication patterns </li> <li> Key risk: Data exfiltration disguised as ransomware (Pay2Key precedent) </li> </ul> <h3> Energy </h3> HYDRO KITTEN's confirmed Rockwell PLC exploitation and the ABB ICS advisory cluster directly threaten energy sector OT environments. Iranian operators have previously targeted fuel monitoring systems (ATGs) and gas station infrastructure. <ul> <li> Priority: Audit all Rockwell RSLogix 5000 v20–38 installations; patch ABB AC500 V2 and Zenon SCADA per CISA advisories; validate OT network segmentation </li> <li> Monitor: PLC programming sessions outside maintenance windows; IT-to-OT lateral movement; fuel monitoring system (ATG) access logs </li> <li> Key risk: Physical destruction via PLC manipulation without malware — signature-based detection is blind to this technique </li> </ul> <h3> Healthcare </h3> Cactus ransomware's presence on Iranian APT infrastructure (ASN 213790) specifically targets healthcare. The Eppendorf BioFlo 320 bioreactor advisory expands pharmaceutical OT attack surface. <ul> <li> Priority: Validate ransomware resilience (offline backups, segmentation); assess bioreactor and lab equipment network exposure </li> <li> Monitor: Any network communication to ASN 213790 IP ranges; ransomware precursor activity (Rclone, credential dumping) </li> <li> Key risk: Ransomware deployed as destructive wiper disguised as criminal activity — do not assume ransomware incidents are financially motivated </li> </ul> <h3> Government & Defense </h3> UNC5858's active Rafael impersonation campaign and the 69-day Fox Kitten silence represent the highest-risk combination for defense organizations. Pre-positioned access in DIB networks awaits a trigger event. <ul> <li> Priority: Proactive threat hunt for dormant web shells and VPN backdoors; brief personnel on defense-contractor impersonation phishing; validate classified network air gaps </li> <li> Monitor: VPN authentication anomalies; email from defense contractor domains with embedded links; data exfiltration to cloud storage (Wasabi, S3, Mega) </li> <li> Key risk: Dormant access activation during ceasefire collapse — response time will be measured in hours, not days </li> </ul> <h3> Aviation & Logistics </h3> Nimbus Manticore (UNC1549) conducted three MiniFast backdoor waves against US aviation and aerospace between February and April 2026 using SEO poisoning with AI-assisted malware development. UNC3890 (Imperial Kitten) targets Israeli logistics and shipping. <ul> <li> Priority: Audit web browsing controls for SEO poisoning resilience; validate endpoint detection for MiniFast backdoor indicators; review supply chain partner access </li> <li> Monitor: Unusual browser-delivered payloads from SEO-poisoned search results; C2 beaconing from aviation-sector endpoints </li> <li> Key risk: AI-assisted malware development accelerates variant creation, reducing detection signature effectiveness </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Action </th> <th> Owner </th> </tr> </thead> <tbody> <tr> <td> Block IPs 185.93.89[.]43, 192.253.248[.]52, 192.253.248[.]55 at perimeter firewalls — confirmed multi-actor APT infrastructure </td> <td> SOC / Network Ops </td> </tr> <tr> <td> Audit all Rockwell Automation RSLogix 5000 installations (versions 20–38) and apply authentication hardening per vendor advisory for CVE-2021-22681 </td> <td> ICS/OT Security </td> </tr> <tr> <td> Verify OT network segmentation prevents any IT-network-originated access to PLCs — HYDRO KITTEN has demonstrated credential-only attacks that bypass all signature detection </td> <td> ICS/OT Security </td> </tr> <tr> <td> Brief executive leadership: threat level elevated to HIGH; ceasefire does not apply to cyber operations; authorize proactive threat hunting budget </td> <td> CISO </td> </tr> </tbody> </table> <h3> 7-DAY </h3> <table> <thead> <tr> <th> Action </th> <th> Owner </th> </tr> </thead> <tbody> <tr> <td> Implement detection for OAuth device-code phishing: monitor Entra ID for anomalous device-code authentication flows from unexpected geolocations, particularly Iran-origin IPs </td> <td> SOC / Identity Team </td> </tr> <tr> <td> Patch ABB AC500 V2 PLCs and Zenon SCADA systems per CISA advisories ICSA-26-146-02 and ICSA-26-146-03 </td> <td> ICS/OT Security </td> </tr> <tr> <td> Conduct proactive threat hunt for Fox Kitten/Pioneer Kitten indicators: dormant web shells in VPN appliances, scheduled tasks with >30-day execution gaps, Rclone configurations, Wasabi/S3 exfiltration staging </td> <td> SOC / Threat Hunting </td> </tr> <tr> <td> Review and restrict OAuth application consent permissions in Microsoft 365/Entra ID — remove unnecessary delegated permissions, require admin consent for high-privilege scopes </td> <td> Identity / Cloud Security </td> </tr> <tr> <td> Validate Cisco ASA/FTD patching status for CVE-2025-20362 (CISA KEV listed) </td> <td> IT Ops / Network Security </td> </tr> </tbody> </table> <h3> 30-DAY </h3> <table> <thead> <tr> <th> Action </th> <th> Owner </th> </tr> </thead> <tbody> <tr> <td> Commission red team exercise simulating HYDRO KITTEN attack chain: edge device exploitation → lateral movement → PLC access → IOControl deployment → physical process disruption. Validate detection at each kill chain stage </td> <td> CISO / Red Team </td> </tr> <tr> <td> Develop and exercise an incident response playbook specifically for "credential-only OT attacks" — scenarios where no malware is present but PLC logic has been modified </td> <td> IR Team / OT Security </td> </tr> <tr> <td> Assess ransomware readiness assuming state-directed destructive intent (not financial motivation) — validate that recovery procedures work when the attacker's goal is maximum damage, not payment </td> <td> IR Team / Business Continuity </td> </tr> <tr> <td> Establish continuous monitoring of ASN 213790 IP ranges (/24 blocks) as hostile infrastructure — consider blocking entire ranges rather than individual IPs </td> <td> Network Security </td> </tr> <tr> <td> Update all threat briefing templates to explicitly state: "Ceasefire does not apply to cyber domain" — ensure no organizational assumption of reduced threat during diplomatic pauses </td> <td> CTI / CISO </td> </tr> </tbody> </table> <h2> IOC Blocking Table </h2> The following indicators are confirmed associated with Iranian-nexus and Russian state APT infrastructure on ASN 213790. Block at perimeter and monitor for any historical connections. <table> <thead> <tr> <th> Type </th> <th> Value </th> <th> Attribution </th> <th> Confidence </th> </tr> </thead> <tbody> <tr> <td> IPv4 </td> <td> 185.93.89[.]43 </td> <td> Cactus ransomware / ASN 213790 </td> <td> High (96) </td> </tr> <tr> <td> IPv4 </td> <td> 192.253.248[.]52 </td> <td> APT28 (Fancy Bear) / ASN 213790 </td> <td> High (90) </td> </tr> <tr> <td> IPv4 </td> <td> 192.253.248[.]55 </td> <td> APT28 (Fancy Bear) / ASN 213790 </td> <td> High (90) </td> </tr> </tbody> </table> Additional IOCs for HYDRO KITTEN (IOControl C2), UNC5858 (Rafael impersonation infrastructure), and Fox Kitten (dormant access indicators) are available through Anomali ThreatStream Next-Gen and partner feeds under TLP:AMBER restrictions. <h2> The Bottom Line </h2> The Iranian cyber threat ecosystem is operating at full capacity despite the ceasefire. Three facts should drive your decision-making today: <ol> <li> IRGC operators have demonstrated they can destroy physical equipment using only valid credentials and PLC commands. No malware. No signatures. No traditional detection. If your OT security strategy relies on detecting malicious software, it is already defeated. </li> <li> Russian state and ransomware criminal infrastructure is co-located on Iranian networks by design. When the next "ransomware" attack hits your healthcare system or manufacturing plant from these IP ranges, assume state direction until proven otherwise. </li> <li> Sixty-nine days of silence from Fox Kitten is not good news — it's a countdown. Pre-positioned access is invisible by definition. The only way to find it is to hunt for it. The ceasefire is fragile. The trigger conditions are set. The question is not if dormant access will be activated, but when — and whether you'll have found it first. </li> </ol> The ceasefire does not apply to cyber. Act accordingly. Published 2026-05-28 by the Anomali CTI Desk. For IOC feeds, detection content, and TLP:AMBER indicators referenced in this report, contact your Anomali ThreatStream Next-Gen representative.

FEATURED RESOURCES

May 28, 2026

Anomali Cyber Watch