Iran’s Cyber War Machine Doesn’t Need the Internet to Attack You

Anomali Threat Research

Published on

April 6, 2026

Table of Contents

What 37 Days of Conflict Intelligence Reveals About Iranian Operations — and Why Your Defenses May Already Be Bypassed Threat Assessment Level: HIGH — ESCALATING Continuity note: This assessment maintains the HIGH — ESCALATING level from the prior cycle (2026-04-05). No change in threat level; new evidence reinforces the escalatory trajectory. <h2>Introduction                            </h2> Thirty-seven days into the US-Israeli military conflict with Iran, a single intelligence finding should reshape how every CISO thinks about Iranian cyber threats: HAYWIRE KITTEN — the IRGC-affiliated group also known as Emennet Pasargad and NEPTUNIUM — conducted offensive phishing operations through Iran’s own nationwide internet blackout. Let that sink in. Iran imposed a domestic internet blackout in early March 2026, and its offensive cyber units kept operating without interruption. If your incident response plans assume that kinetic strikes on Iranian infrastructure, sanctions on Iranian ISPs, or any form of network disruption will slow down Iranian cyber operations — those plans are wrong. Meanwhile, the ransomware ecosystem that Iranian intelligence services use as operational cover just gained the ability to kill over 300 endpoint detection and response (EDR) products. Three new ICS/OT vulnerabilities dropped for systems deployed across energy grids and petrochemical plants. And a critical gap in defense industrial base monitoring has gone 28 days without a single detection — during the most active phase of the conflict. This is not a theoretical threat landscape. This is the operational reality as of today. <h2>What Changed                       </h2> The past 48 hours produced five developments that shift the defensive calculus: <ol> <li>HAYWIRE KITTEN confirmed operating through Iran’s internet blackout — launching phishing campaigns via WhatsApp, Telegram, and X (formerly Twitter) targeting the Iranian diaspora and individuals involved in Iran-related activities abroad. This invalidates any assumption that domestic infrastructure disruption degrades Iranian offensive capability.</li> <li>Qilin ransomware operators deployed a Bring Your Own Vulnerable Driver (BYOVD) technique capable of disabling 300+ EDR products. Qilin is part of the documented MOIS-to-ransomware handoff ecosystem, meaning this EDR-killing capability is now potentially available to Iranian state actors operating under criminal cover.</li> <li>Three ICS/OT advisories published simultaneously — affecting Siemens SICAM A8000 (energy grid substations), Yokogawa CENTUM VP (oil/gas and petrochemical distributed control systems), and Hitachi Energy Ellipse (utility asset management). All three platforms are deployed in sectors directly targeted by Iranian proxy cyber operations.</li> <li>Defense industrial base monitoring has been silent for 28 consecutive days — the longest gap during the active conflict. This is either reassuring or deeply alarming, and the asymmetry of consequences demands proactive investigation.</li> <li>Critical unauthenticated RCE vulnerabilities published for Ivanti EPMM (CVE-2026-1281 and CVE-2026-1340, CVSS 9.8) — edge devices matching the preferred initial-access profile of Iranian APTs including MuddyWater and APT34. Emergency patching is required.</li> <li>DPRK supply chain actors expanding npm campaign to Axios (45M+ weekly downloads) — the same npm ecosystem used by Iranian actors for supply chain attacks, creating a compounding multi-nation-state risk for CI/CD pipelines.</li> </ol> <h2>Conflict & Threat Timeline               </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> 28 Feb 2026 </td> <td> US-Israeli military conflict with Iran begins </td> <td> Day 0 — kinetic and cyber operations commence </td> </tr> <tr> <td> Early Mar 2026 </td> <td> Iran imposes nationwide internet blackout </td> <td> Domestic internet severed; offensive cyber ops continue unaffected </td> </tr> <tr> <td> Early Mar 2026 </td> <td> HAYWIRE KITTEN launches WhatsApp/Telegram/X phishing campaign </td> <td> Confirmed operations through blackout — targets Iranian diaspora </td> </tr> <tr> <td> 01 Apr 2026 </td> <td> IRGC declares five US tech companies “legitimate targets” </td> <td> Nvidia, Apple, Google, Microsoft, Tesla explicitly named </td> </tr> <tr> <td> 02 Apr 2026 </td> <td> CISA publishes three ICS advisories (Siemens, Yokogawa, Hitachi) </td> <td> Expands OT attack surface for Iranian proxy operations </td> </tr> <tr> <td> 03 Apr 2026 </td> <td> F-15E shot down over southern Iran </td> <td> First US aircraft combat loss since 2003; 48-hour rescue operation </td> </tr> <tr> <td> 04 Apr 2026 </td> <td> UNC1549/Imperial Kitten profile updated — no new campaign data </td> <td> Anomalous silence from aerospace/energy-targeting actor </td> </tr> <tr> <td> 05 Apr 2026 </td> <td> 36 malicious npm packages targeting Redis/PostgreSQL discovered </td> <td> Supply chain attack surface expanding across nation-state actors </td> </tr> <tr> <td> 05 Apr 2026 </td> <td> Trump ultimatum pressure on Iran over Strait of Hormuz blockade </td> <td> Escalatory diplomatic pressure increases cyber retaliation risk </td> </tr> <tr> <td> 06 Apr 2026 </td> <td> Qilin ransomware BYOVD EDR-kill capability reported </td> <td> 300+ EDR products vulnerable; capability available to MOIS-RaaS ecosystem </td> </tr> </tbody> </table> <h2>Key Threat Analysis                          </h2> <h3>1. Iranian Offensive Cyber Operations Are Infrastructure-Independent</h3> Actor: HAYWIRE KITTEN (aliases: Emennet Pasargad, NEPTUNIUM, Holy Souls, Black Magic, Sangkancil, Generous Thief, Atlas Group, Deus, Al-Toufan, Hackers of Savior) Affiliation: IRGC — linked to Emennet Pasargad front company; EU-sanctioned The confirmation that HAYWIRE KITTEN operated through Iran’s nationwide internet blackout is the single most strategically significant finding of this cycle. The group used WhatsApp, Telegram, and X to deliver phishing lures to individuals involved in Iran-related activities living abroad — a classic intelligence collection operation using social media platforms as both delivery mechanism and command-and-control channel. This has three implications for defenders: <ul> <li>Scenario planning must assume continuous Iranian cyber capability. Any playbook that models reduced threat tempo during infrastructure disruption, ceasefire negotiations, or sanctions enforcement is now empirically invalidated.</li> <li>Social media platforms are the C2 channel. HAYWIRE KITTEN’s use of Telegram for bidirectional communication (ATT&CK T1102.002) means that blocking traditional C2 infrastructure at the network perimeter is insufficient. Detection must extend to anomalous social media API activity on corporate devices.</li> <li>The diaspora targeting will expand. Organizations employing individuals with connections to Iran, the broader Middle East conflict, or defense/intelligence communities should expect targeted social engineering via personal messaging platforms.</li> </ul> The group’s known tooling includes Deus ransomware, Rpivot, WezAgent, and LoreamIpsumBackdoor, with historical exploitation of CVE-2021-36260 (Hikvision) and CVE-2021-33044 (Dahua) for IoT camera compromise. <h3>2. The MOIS-Ransomware Pipeline Now Kills Your EDR</h3> Actors: MOIS-affiliated groups (MuddyWater/TEMP.Zagros, OilRig/APT34, UNC1860) leveraging Qilin and Warlock ransomware-as-a-service Technique: BYOVD (Bring Your Own Vulnerable Driver) — ATT&CK T1068, T1562.001, T1574.001 Qilin and Warlock ransomware operators are now deploying a BYOVD technique that disables over 300 EDR products by loading a malicious DLL (msimg32.dll) via DLL sideloading. This was independently confirmed by both Cisco Talos and Trend Micro. Why this matters for the Iran conflict: Iranian intelligence services — specifically MOIS — have a documented pattern of handing off access to criminal ransomware operators. This provides plausible deniability while achieving destructive objectives. With Qilin now capable of neutralizing endpoint detection before deploying ransomware, the combined state-criminal threat becomes significantly harder to detect and contain. The defensive implication is stark: Organizations that rely solely on EDR as their primary detection layer are now vulnerable to a technique that is confirmed in the wild and available to state-sponsored operators through the ransomware-as-a-service ecosystem. <h3>3. ICS/OT Attack Surface Expanding at the Worst Possible Time</h3> Advisories: - ICSA-26-092-01: Siemens SICAM A8000 — denial of service vulnerabilities in energy grid substation equipment - ICSA-26-092-02: Yokogawa CENTUM VP — authentication bypass allowing attacker to login as PROG user and modify permissions in oil/gas distributed control systems - ICSA-26-092-03: Hitachi Energy Ellipse — Jasper Report vulnerability in utility enterprise asset management Threat actor of concern: Cyber Av3ngers (aliases: HYDRO KITTEN, IRGC Cyber Electronic Command) Cyber Av3ngers have demonstrated both willingness and capability to target ICS/OT environments, including Unitronics PLCs and water treatment systems. The simultaneous publication of three advisories affecting platforms deployed across energy, oil/gas, and utility sectors creates a predictable exploitation window. Historical patterns show 7–21 days from ICS advisory publication to weaponized exploitation by Iranian-affiliated actors. The Yokogawa CENTUM VP vulnerability is particularly concerning — a PROG user login bypass in a distributed control system used in petrochemical and power generation facilities could enable an attacker to manipulate process controls (ATT&CK T0890, T0826). <h3>4. Critical Vulnerabilities Requiring Immediate Attention</h3> CVE-2026-1281 and CVE-2026-1340 — Ivanti Endpoint Manager Mobile (EPMM) - CVSS: 9.8 (Critical) - Impact: Unauthenticated remote code execution - Status: Patches available; no confirmed exploitation yet, but Ivanti edge devices are a historically preferred target for Iranian APTs (per documented APT34 and MuddyWater tradecraft) CVE-2026-20127 — Cisco SD-WAN - Enriched this cycle; affects edge networking infrastructure commonly deployed in enterprise and government environments Iranian threat actors — particularly MuddyWater and APT34 — have a well-documented preference for exploiting internet-facing edge devices and VPN appliances as initial access vectors. Any unpatched Ivanti EPMM instance exposed to the internet should be treated as a critical risk. <h3>5. Supply Chain Convergence: When North Korea and Iran Target the Same Ecosystem</h3> A parallel but intersecting threat: DPRK actors are expanding their Node.js supply chain campaign to target maintainers of widely-used npm packages, including Axios (45M+ weekly downloads). While this is a North Korean operation, it directly threatens the same npm ecosystem that Iranian actors have used for supply chain attacks. The convergence creates a compounding risk: a single compromised npm package could serve multiple nation-state threat actor ecosystems simultaneously. Organizations with CI/CD pipelines pulling from npm should treat this as a shared attack surface across threat actors. <h2>The 28-Day Silence That Should Keep You Up at Night</h2> One finding in this cycle isn’t a detection — it’s an absence. Monitoring for Iranian pre-positioning in defense industrial base (DIB) contractor networks has produced zero findings for 28 consecutive days, the longest gap since the conflict began. During the most active phase of a military conflict where Iran has every incentive to pre-position destructive capabilities in adversary supply chains, complete silence is not reassuring — it’s ambiguous. The possibilities are: <ul> <li>Best case: No activity is occurring.</li> <li>Worst case: Pre-positioned access has been established and is dormant, evading passive detection.</li> <li>Middle case: Collection gaps in DIB-specific threat feeds are creating a blind spot.</li> </ul> The asymmetry of consequences — a missed detection in DIB networks could compromise weapons systems, logistics, or classified programs — demands proactive hunting rather than continued passive monitoring. <h2>Predictive Analysis: What Comes Next</h2> Based on the current intelligence picture, actor behavior patterns, and conflict dynamics at Day 37: <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> HAYWIRE KITTEN phishing yields follow-on intrusions against diaspora-connected organizations </td> <td> 70% </td> <td> 7–14 days </td> <td> Confirmed active phishing campaign; intelligence collection typically precedes operational intrusion </td> </tr> <tr> <td> Cyber Av3ngers or affiliates attempt exploitation of Yokogawa CENTUM VP or Siemens SICAM </td> <td> 60% </td> <td> 14 days </td> <td> Historical 7–21 day advisory-to-exploitation pattern; platforms match actor targeting profile </td> </tr> <tr> <td> Qilin BYOVD EDR-kill technique appears in an Iran-attributed intrusion </td> <td> 50% </td> <td> 30 days </td> <td> MOIS-RaaS convergence documented; capability now confirmed in the wild </td> </tr> <tr> <td> UNC1549/Imperial Kitten breaks silence with campaign against Gulf state energy or aerospace </td> <td> 40% </td> <td> 14–21 days </td> <td> Actor profile updated but no new campaigns; anomalous silence for an actor with this targeting profile during active conflict </td> </tr> <tr> <td> Iranian actors exploit CVE-2026-1281 or CVE-2026-1340 (Ivanti EPMM) against government targets </td> <td> 55% </td> <td> 7–14 days </td> <td> CVSS 9.8, unauthenticated RCE, edge device — matches Iranian APT preferred access vector </td> </tr> </tbody> </table> <h2>SOC Operational Guidance                   </h2> <h3>What to Monitor</h3> <table> <thead> <tr> <th> Focus Area </th> <th> ATT&CK Techniques </th> <th> Detection Logic </th> </tr> </thead> <tbody> <tr> <td> Iranian C2 communications </td> <td> T1071.001 (Web Protocols), T1571 (Non-Standard Port) </td> <td> Alert on any traffic to ASN 43754 (Asiatech) and ASN 213790 (Limited Network, Tehran). Block IOCs listed below at perimeter. </td> </tr> <tr> <td> Social media C2 channels </td> <td> T1102.002 (Bidirectional Communication) </td> <td> Monitor for anomalous Telegram Bot API calls, WhatsApp Web sessions, and X/Twitter API activity from corporate endpoints — especially from users with Iran-related roles. </td> </tr> <tr> <td> DLL sideloading / BYOVD </td> <td> T1574.001 (DLL Search Order Hijacking), T1562.001 (Disable or Modify Tools), T1068 (Exploitation for Privilege Escalation) </td> <td> Alert on msimg32.dll loaded from any path outside %SystemRoot%\System32. Monitor for EDR agent crashes or service stops across multiple endpoints simultaneously. </td> </tr> <tr> <td> Spearphishing via messaging platforms </td> <td> T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link), T1585.001 (Social Media Accounts) </td> <td> Flag inbound links from unknown Telegram bots to MDM-enrolled devices. Correlate with HR data for personnel in Iran-adjacent roles. </td> </tr> <tr> <td> ICS/OT exploitation attempts </td> <td> T0890 (Exploitation for Evasion), T0816 (Device Restart/Shutdown), T0826 (Loss of Availability) </td> <td> Monitor Yokogawa CENTUM VP for unauthorized PROG user logins. Alert on Siemens SICAM A8000 unexpected restarts. Baseline Hitachi Ellipse Jasper Report access patterns. </td> </tr> <tr> <td> Edge device exploitation </td> <td> T1190 (Exploit Public-Facing Application) </td> <td> Prioritize log review for Ivanti EPMM, Cisco SD-WAN, and Fortinet appliances. Hunt for webshell artifacts and anomalous admin sessions. </td> </tr> </tbody> </table> <h3>Hunting Hypotheses</h3> <ol> <li>Hypothesis: HAYWIRE KITTEN has already compromised accounts via social media phishing. Hunt for: new OAuth app registrations in Microsoft 365/Entra ID from unfamiliar publishers; Telegram Desktop or WhatsApp Desktop installed on corporate endpoints without MDM approval; email forwarding rules created in the past 30 days pointing to external addresses.</li> <li>Hypothesis: Qilin BYOVD loader has been staged in the environment. Hunt for: msimg32.dll in user-writable directories (%TEMP%, %APPDATA%, Downloads); recently loaded kernel drivers not on your approved driver allowlist; EDR telemetry gaps — endpoints that stopped reporting within the last 7 days.</li> <li>Hypothesis: Iranian pre-positioned access exists in development infrastructure. Hunt for: dormant SSH keys or PATs in GitHub Enterprise created >30 days ago with no recent activity; Rclone or Wasabi S3 client installations on developer workstations; anomalous access to Windchill PLM repositories outside business hours.</li> <li>Hypothesis: ICS/OT reconnaissance is underway against energy sector assets. Hunt for: Shodan/Censys-style scanning patterns against Yokogawa and Siemens management interfaces; MAVLink protocol traffic on unexpected network segments (relevant to PX4 autopilot vulnerability ICSA-26-090-02); unauthorized PROG user authentication attempts on CENTUM VP systems.</li> </ol> <h3>Defensive Gaps to Close</h3> <ul> <li>EDR is no longer sufficient as a standalone detection layer. The Qilin BYOVD capability means you need defense-in-depth: network detection (NDR), kernel-level integrity monitoring, and driver allowlisting (Windows Defender Application Control / WDAC) as complementary layers.</li> <li>Social media-based C2 bypasses traditional network monitoring. If your SOC only monitors DNS and HTTP/S traffic, Telegram and WhatsApp C2 channels will evade detection. Extend monitoring to application-layer telemetry on endpoints.</li> <li>ICS/OT environments need advisory-driven patching cycles. The 7–21 day window between ICS advisory publication and weaponized exploitation is your patching window. Treat it as a countdown.</li> </ul> <h2>Sector-Specific Defensive Priorities</h2> <h3>Financial Services</h3> Iranian cyber operations increasingly use ransomware-as-a-service (Qilin, Pay2Key) as cover for destructive attacks against financial institutions. The BYOVD EDR-kill capability makes this more dangerous. <ul> <li>Priority: Implement driver allowlisting (WDAC) on critical financial transaction servers to prevent BYOVD attacks. Audit SWIFT and core banking system access for dormant service accounts. Monitor for DLL sideloading patterns (msimg32.dll) on trading floor endpoints.</li> <li>Threat actor focus: MuddyWater (MOIS/TEMP.Zagros), MOIS-RaaS operators using Qilin</li> </ul> <h3>Energy</h3> The three simultaneous ICS advisories (Siemens SICAM, Yokogawa CENTUM VP, Hitachi Energy Ellipse) directly affect energy sector control systems. Cyber Av3ngers have demonstrated ICS targeting capability and intent. <ul> <li>Priority: Immediately audit Yokogawa CENTUM VP PROG user access controls. Verify Siemens SICAM A8000 firmware versions and apply patches per ICSA-26-092-01. Segment Hitachi Ellipse Jasper Report interfaces from internet-facing networks. Conduct tabletop exercise for ICS compromise scenario within 14 days.</li> <li>Threat actor focus: Cyber Av3ngers (HYDRO KITTEN / IRGC-CEC), UNC1860</li> </ul> <h3>Healthcare</h3> Healthcare organizations are collateral targets in ransomware campaigns and may be specifically targeted for intelligence value (military medical records, personnel health data for diaspora targeting). <ul> <li>Priority: Ensure EDR agents are monitored for unexpected service stops (BYOVD indicator). Patch Ivanti EPMM instances used for mobile device management of clinical staff — CVE-2026-1281 and CVE-2026-1340 are unauthenticated RCE at CVSS 9.8. Review Telegram and WhatsApp usage policies for staff with dual-use personal/corporate devices.</li> <li>Threat actor focus: Qilin RaaS operators, HAYWIRE KITTEN (social engineering vector)</li> </ul> <h3>Government</h3> Government networks are the primary target of the CISA -flagged Asiatech infrastructure. The Iranian C2 IPs identified this cycle are assessed with high confidence to be targeting government entities. <ul> <li>Priority: Audit Entra ID / Azure AD for anomalous OAuth application consents and new service principals. Hunt for Rclone, Wasabi, or other cloud exfiltration tools. Review VPN and edge device logs (Ivanti, Cisco SD-WAN, Fortinet) for exploitation indicators.</li> <li>Threat actor focus: APT34 (OilRig), APT42 (Charming Kitten / IRGC-IO), MuddyWater (MOIS)</li> </ul> <h3>Aviation / Logistics</h3> UNC1549 (Imperial Kitten / Smoke Sandstorm / TA455) specifically targets aerospace and defense sectors in the US, Saudi Arabia, and UAE. Their anomalous silence during active conflict is concerning, not reassuring. The PX4 Autopilot MAVLink vulnerability (ICSA-26-090-02) introduces a new drone firmware attack surface. <ul> <li>Priority: Proactively hunt for UNC1549 indicators in aerospace supply chain networks — focus on Azure and DigitalOcean infrastructure. Audit drone fleet management systems for MAVLink interface exposure. Review GitHub and CI/CD pipelines for npm supply chain compromise indicators (Axios and related packages).</li> <li>Threat actor focus: UNC1549 (Imperial Kitten), DPRK supply chain actors (npm ecosystem convergence)</li> </ul> <h2>Prioritized Defense Recommendations</h2> <h3>IMMEDIATE (Within 24 Hours)</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Deploy Sigma/YARA detection for msimg32.dll loaded from non-standard paths (outside %SystemRoot%\System32). Alert on simultaneous EDR agent service stops across multiple endpoints — this is the signature of BYOVD deployment. </td> </tr> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Implement detection for Telegram Bot API and WhatsApp Web connections from corporate/MDM-enrolled devices, particularly for users in roles related to Iran, Middle East policy, defense, or intelligence. </td> </tr> <tr> <td> IMMEDIATE </td> <td> IT Ops </td> <td> Verify no Ivanti EPMM instances are internet-exposed without WAF protection. Begin emergency patching for CVE-2026-1281 and CVE-2026-1340 (CVSS 9.8, unauthenticated RCE). </td> </tr> </tbody> </table> <h3>7-DAY</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 7-DAY </td> <td> IT Ops </td> <td> Complete Ivanti EPMM patching across all instances. Validate Cisco SD-WAN configurations against CVE-2026-20127. </td> </tr> <tr> <td> 7-DAY </td> <td> OT Security </td> <td> Audit Yokogawa CENTUM VP for unauthorized PROG user access per ICSA-26-092-02. Verify Siemens SICAM A8000 firmware versions against ICSA-26-092-01. Restrict Hitachi Energy Ellipse Jasper Report to internal-only access per ICSA-26-092-03. </td> </tr> <tr> <td> 7-DAY </td> <td> SOC </td> <td> Implement WhatsApp/Telegram/X phishing detection for personnel in Iran-adjacent roles. Create correlation rules for new OAuth app registrations + email forwarding rule creation within 24-hour windows. </td> </tr> <tr> <td> 7-DAY </td> <td> IT Security </td> <td> Deploy Windows Defender Application Control (WDAC) driver allowlisting on critical servers to mitigate BYOVD attacks. Prioritize domain controllers, financial transaction servers, and backup infrastructure. </td> </tr> <tr> <td> 7-DAY </td> <td> Executive / IR </td> <td> Conduct tabletop exercise: “Iranian wiper deployment via ransomware cover” scenario. Test IR playbook for simultaneous EDR failure + ransomware detonation. Validate offline backup restoration procedures. </td> </tr> </tbody> </table> <h3>30-DAY</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Commission proactive threat hunt for dormant Iranian pre-positioned access in DIB contractor networks. Focus areas: GitHub Enterprise repos, Windchill PLM instances, CI/CD pipelines, and Rclone/Wasabi exfiltration patterns. The 28-day detection gap during active conflict is the highest-consequence blind spot. </td> </tr> <tr> <td> 30-DAY </td> <td> DevOps </td> <td> Audit all npm dependencies for packages targeted by DPRK supply chain campaign (Axios and related). Pin critical packages to commit SHAs. Implement npm provenance verification across all CI/CD pipelines. </td> </tr> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Evaluate network detection and response (NDR) deployment to complement EDR — the BYOVD EDR-kill capability means endpoint detection alone is no longer sufficient as a primary detection strategy. </td> </tr> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Review and update Iran conflict cyber incident response plan. Ensure it accounts for: (a) operations continuing through infrastructure disruption, (b) ransomware used as cover for state-directed destruction, (c) social media platforms as C2 channels, and (d) ICS/OT targeting with compressed advisory-to-exploitation timelines. </td> </tr> <tr> <td> 30-DAY </td> <td> Legal / Executive </td> <td> Review cyber insurance coverage for state-sponsored attacks conducted through criminal ransomware infrastructure. The MOIS-RaaS convergence blurs the line between “act of war” exclusions and criminal cybercrime coverage. </td> </tr> </tbody> </table> <h2>Bottom Line                                </h2> Five weeks into this conflict, the intelligence picture is clear on what assumptions no longer hold: ❌ “Iranian cyber operations will slow down if their internet is disrupted.” Disproven. HAYWIRE KITTEN operated through a nationwide blackout. ❌ “EDR will catch the ransomware.” Challenged. Qilin’s BYOVD technique kills 300+ EDR products before the payload ever executes. ❌ “We’d see pre-positioning activity in our logs.” Unverified. 28 days of silence in DIB networks during active conflict is not evidence of absence — it may be absence of evidence. ❌ “ICS/OT attacks require sophisticated, custom tooling.” Outdated. Three new advisories in a single day provide off-the-shelf exploitation paths for systems deployed across energy, oil/gas, and utilities. ❌ “Nation-state threats and criminal ransomware are separate problems.” Obsolete. The MOIS-to-Qilin pipeline means you face state targeting precision with criminal evasion capability. The organizations that will weather this conflict are the ones acting on intelligence today — not waiting for the breach notification tomorrow. Block the IOCs. Hunt for the pre-positioning. Patch the edge devices. And above all, stop assuming that any single layer of defense is enough when your adversary has already figured out how to bypass it.

FEATURED RESOURCES

April 6, 2026

Anomali Cyber Watch