Iran’s Cyber War Machine Isn’t Slowing Down — Six Weeks in, Critical Infrastructure Is Under Active Attack

Anomali Threat Research

Published on

April 9, 2026

Table of Contents

Threat Assessment Level: CRITICAL The Iran-U.S./Israel military conflict is now in its sixth week. Kinetic strikes have hit targets across a dozen countries, the Strait of Hormuz is effectively choked, oil is above $100 a barrel — and Iran’s cyber operations are accelerating, not retreating. A fragile Pakistan-brokered ceasefire announced on April 8 has produced zero observable reduction in cyber tempo. On April 7, a joint FBI/CISA/NSA/EPA/DOE advisory — AA26-097a — confirmed what many feared: Iran’s Revolutionary Guard Cyber Electronic Command (IRGC-CEC) is actively exploiting programmable logic controllers across U.S. critical infrastructure right now. Russia is feeding Iran satellite imagery and cyber support to sharpen its targeting. And the IRGC has publicly named Nvidia, Apple, Google, Microsoft, and Tesla as “legitimate targets.” If you run critical infrastructure, operate in the energy sector, depend on industrial control systems, or have any footprint in the Middle East — this is your threat environment today. Here’s what you need to know and what to do about it. <h2>What Changed                           </h2> The past 72 hours have produced developments that materially alter the risk calculus for every CISO with OT exposure or Middle Eastern operations: <ol> <li> CISA AA26-097a: Confirmed Active PLC Exploitation (April 7) The CyberAv3ngers — an IRGC Cyber Electronic Command unit also known as the Shahid Kaveh Group — are confirmed to be exploiting internet-facing Rockwell Automation CompactLogix and Micro850 PLCs. What started as water/wastewater targeting in late 2023 has expanded to energy, government services, and municipal systems as of March 2026. The actors are using Studio 5000 Logix Designer to modify PLC project files and HMI displays, causing real-world operational disruption. They’re persisting via Dropbear SSH on port 22. Eight FBI-attributed C2 IP addresses were published. Siemens S7 (port 102) targeting has also been identified, expanding the threat surface globally.</li> <li> Russia-Iran Cyber Axis Confirmed (April 7) Reuters, citing Ukrainian intelligence, reported that Russian satellites have conducted dozens of detailed imagery surveys of military facilities and critical sites across the Middle East to help Iran strike U.S. and allied targets. Cyber support is also being provided. This is a qualitative escalation — if Russian infrastructure is being shared with Iranian operators, detection rules based on known Iranian C2 will miss operations conducted from Russian-provided infrastructure.</li> <li> IRGC Names Western Tech Giants as Targets (April 1) Iran’s Revolutionary Guard publicly warned that Nvidia, Apple, Google, Microsoft, and Tesla — companies with Middle East operations — will be considered “legitimate targets.” This follows drone strikes on three AWS data centers in the UAE. The message is clear: cloud and technology infrastructure in the conflict zone is in the crosshairs.</li> <li> Nasir Security Energy Sector Supply Chain Operations Confirmed (April 9) The domain nasir[.]cc has been confirmed malicious at HIGH confidence. Pro-Iranian group Nasir Security is conducting active spear-phishing and supply chain compromise operations against Middle Eastern energy organizations, with Saudi Arabia specifically named as a target.</li> <li> Four ICS Advisories Expand Attack Surface (April 2–7) CISA published advisories covering Yokogawa CENTUM VP (authentication bypass), Siemens SICAM 8 (denial-of-service), Mitsubishi GENESIS64 (credential disclosure), and Hitachi Energy Ellipse — all products deployed in the energy and industrial sectors that CyberAv3ngers are actively targeting.</li> </ol> <h2>Conflict & Threat Timeline                </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> Feb 28, 2026 </td> <td> Iran-U.S./Israel military conflict begins </td> <td> Kinetic and cyber operations launch simultaneously </td> </tr> <tr> <td> Mar 11, 2026 </td> <td> Handala hacktivist group’s last confirmed wiper operation </td> <td> 29 days of anomalous silence since — assessed as dormant access consolidation </td> </tr> <tr> <td> Mar 2026 </td> <td> CyberAv3ngers expand PLC targeting to energy and municipalities </td> <td> Scope expansion beyond water/wastewater confirmed by CISA </td> </tr> <tr> <td> Apr 1, 2026 </td> <td> IRGC publicly names Nvidia, Apple, Google, Microsoft, Tesla as targets </td> <td> Strategic warning indicator for tech sector targeting </td> </tr> <tr> <td> Apr 2–7, 2026 </td> <td> Four ICS advisories: Yokogawa CENTUM VP, Siemens SICAM 8, Mitsubishi GENESIS64, Hitachi Energy Ellipse </td> <td> Expanding ICS vulnerability surface during active exploitation campaign </td> </tr> <tr> <td> Apr 7, 2026 </td> <td> CISA/FBI/NSA Advisory AA26-097a published </td> <td> Confirms active IRGC exploitation of Rockwell PLCs across U.S. critical infrastructure </td> </tr> <tr> <td> Apr 7, 2026 </td> <td> Reuters: Russia providing Iran satellite imagery and cyber support </td> <td> Russia-Iran cyber axis confirmed — qualitative escalation </td> </tr> <tr> <td> Apr 8, 2026 </td> <td> Pakistan-brokered two-week ceasefire announced </td> <td> Cyber tempo shows no reduction; ceasefire assessed as non-binding on cyber operations </td> </tr> <tr> <td> Apr 9, 2026 </td> <td> Nasir Security energy supply chain operations confirmed (HIGH confidence) </td> <td> Pro-Iranian group targeting Middle East energy sector via spear-phishing and supply chain compromise </td> </tr> </tbody> </table> <h2>Key Threat Analysis                     </h2> <h3>CyberAv3ngers / Shahid Kaveh Group (IRGC-CEC) — Active PLC Exploitation</h3> This is the most operationally significant threat in the current cycle. The CyberAv3ngers are not a theoretical risk — they are inside PLCs today. CISA AA26-097a documents: <ul> <li>Targets: Rockwell Automation CompactLogix and Micro850 PLCs across energy, water/wastewater, government, and municipal sectors</li> <li>Technique: Exploitation of internet-accessible devices (T0883), modification of PLC project files via Studio 5000 Logix Designer, HMI display manipulation (T1565)</li> <li>Persistence: Dropbear SSH deployed on port 22 (T1219)</li> <li>Expansion: Siemens S7 targeting on port 102 and Modbus/TCP on port 502 now confirmed</li> <li>Ports of interest: 44818 (EtherNet/IP), 2222 (EtherNet/IP Explicit Messaging), 102 (ISO-TSAP/Siemens S7), 502 (Modbus/TCP), 22 (SSH)</li> </ul> This is not a one-off. The actor has systematically expanded from water systems to energy to municipalities over the past five months. Every organization with internet-facing PLCs is in the blast radius. <h3>The Full Iranian APT Roster — Who’s Active, Who’s Silent</h3> The broader Iranian cyber apparatus remains fully mobilized. Attribution-confirmed actors include: <table> <thead> <tr> <th> Actor </th> <th> Affiliation </th> <th> Status </th> <th> Primary Concern </th> </tr> </thead> <tbody> <tr> <td> CyberAv3ngers / Shahid Kaveh Group </td> <td> IRGC-CEC </td> <td> Active — confirmed exploitation </td> <td> PLC/ICS attacks on critical infrastructure </td> </tr> <tr> <td> APT42 / Charming Kitten </td> <td> IRGC-IO </td> <td> Silent — retooling suspected </td> <td> Credential harvesting, nuclear espionage (TAMECAT/POWERPUG) </td> </tr> <tr> <td> MuddyWater / TEMP.Zagros </td> <td> MOIS </td> <td> Active </td> <td> Edge device exploitation, initial access operations </td> </tr> <tr> <td> APT34 / OilRig </td> <td> MOIS </td> <td> Active </td> <td> Energy sector espionage, supply chain compromise </td> </tr> <tr> <td> Gray Sandstorm / Peach Sandstorm </td> <td> IRGC </td> <td> Active </td> <td> Defense industrial base targeting </td> </tr> <tr> <td> HAYWIRE KITTEN / Emennet Pasargad </td> <td> IRGC </td> <td> Active </td> <td> Information operations, hack-and-leak </td> </tr> <tr> <td> UNC5858 / Black Shadow </td> <td> MOIS </td> <td> Active </td> <td> Destructive operations, data theft </td> </tr> <tr> <td> Fox Kitten / Lemon Sandstorm </td> <td> MOIS </td> <td> Silent — 29+ days </td> <td> Ransomware-as-a-service handoffs (Pay2Key, Qilin) </td> </tr> <tr> <td> UNC1860 / Scarred Manticore </td> <td> MOIS </td> <td> Silent — anomalous </td> <td> Telecom/government espionage across 12 countries </td> </tr> <tr> <td> Handala / UNC5203 </td> <td> IRGC-affiliated hacktivist </td> <td> Silent — 29 days </td> <td> Wiper operations against Israel </td> </tr> <tr> <td> Nasir Security </td> <td> Pro-Iranian </td> <td> Active — HIGH confidence </td> <td> Energy sector supply chain, BEC, spear-phishing </td> </tr> </tbody> </table> The silence is the signal. APT42, Fox Kitten, UNC1860, and Handala have all gone quiet during an active military conflict. Historical Iranian doctrine shows that operational pauses — especially during ceasefire discussions — correlate with retooling, infrastructure rotation, and pre-positioning for the next escalation phase. Do not mistake quiet for safe. <h3>ICS Vulnerability Expansion</h3> Four ICS advisories published between April 2–7 expand the attack surface that CyberAv3ngers and similar actors can exploit: <table> <thead> <tr> <th> Advisory </th> <th> Product </th> <th> Vulnerability </th> <th> Risk </th> </tr> </thead> <tbody> <tr> <td> ICSA-26-092-02 </td> <td> Yokogawa CENTUM VP </td> <td> Authentication bypass — login as PROG user </td> <td> HIGH — directly exploitable by actors expanding ICS targeting </td> </tr> <tr> <td> ICSA-26-092-01 </td> <td> Siemens SICAM 8 / A8000 </td> <td> Multiple denial-of-service vulnerabilities </td> <td> MODERATE — DoS against power grid protection devices </td> </tr> <tr> <td> ICSA-26-097-01 </td> <td> Mitsubishi GENESIS64 / ICONICS </td> <td> SQL Server credential disclosure </td> <td> MODERATE — local attacker, credential theft </td> </tr> <tr> <td> ICSA-26-092-03 </td> <td> Hitachi Energy Ellipse </td> <td> Jasper Report vulnerability </td> <td> LOW-MODERATE </td> </tr> </tbody> </table> The Yokogawa CENTUM VP authentication bypass is particularly concerning. CENTUM VP is widely deployed in petrochemical and energy facilities — exactly the sectors CyberAv3ngers are expanding into. <h3>Malware Arsenal in Play</h3> The Iranian cyber arsenal deployed or available in this conflict includes: <ul> <li>IOCONTROL — Purpose-built ICS malware for PLC manipulation</li> <li>ROTORWIPE, SEAWRECK, COOLWIPE, CHILLWIPE, CADDYWIPER — Wiper variants for destructive operations</li> <li>Meteor — Wiper used in Iranian railway attacks</li> <li>ZeroCleare — Disk wiper targeting energy sector</li> <li>BOULDSPY — Android surveillance malware for domestic repression and field intelligence</li> <li>BELLACIAO / SHELLAFEL — APT42 web shell and backdoor families</li> <li>Trojan.WinLNK.ZDI-CAN-25373 / Trojan.Multi.Powenot — Newly observed LNK-based trojan family</li> </ul> <h2>Predictive Analysis                         </h2> Based on the current intelligence picture, actor behavior patterns, and conflict dynamics: <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Rationale </th> </tr> </thead> <tbody> <tr> <td> Additional CyberAv3ngers PLC exploitation detected in energy sector </td> <td> 75% (HIGH) </td> <td> 72 hours </td> <td> Defenders implementing AA26-097a IOCs will discover existing compromises </td> </tr> <tr> <td> APT42 resurfaces with rotated infrastructure and new campaign </td> <td> 50% (MODERATE) </td> <td> 7–14 days </td> <td> Operational silence during active conflict indicates retooling, not cessation </td> </tr> <tr> <td> Wiper deployment against Israeli or Gulf state targets </td> <td> 45% (MODERATE) </td> <td> 7 days </td> <td> Likely if ceasefire talks collapse; Handala’s 29-day silence suggests pre-positioned access </td> </tr> <tr> <td> Kinetic strike on additional cloud infrastructure (Google/Microsoft Azure Gulf regions) </td> <td> 30% (LOW-MODERATE) </td> <td> 14 days </td> <td> Follows AWS UAE precedent; IRGC has named these companies as targets </td> </tr> <tr> <td> Fox Kitten ransomware-as-a-service handoff to criminal operators </td> <td> 35% (MODERATE) </td> <td> 14–30 days </td> <td> Historical pattern of MOIS-to-RaaS handoffs; silence may indicate active handoff preparation </td> </tr> <tr> <td> Dormant DIB contractor access activation </td> <td> 40% (MODERATE) </td> <td> 30 days </td> <td> 29-day intelligence gap on defense industrial base pre-positioning is the highest-consequence blind spot </td> </tr> </tbody> </table> <h2>SOC Operational Guidance                   </h2> <h3>Immediate Detection Priorities</h3> <ol> <li> OT/ICS Network Monitoring - Hunt hypothesis: CyberAv3ngers have compromised internet-facing PLCs in your environment and deployed Dropbear SSH for persistence. - Detection: Alert on any SSH service (port 22) appearing on hosts in OT network segments that do not have authorized SSH services. Monitor ports 44818, 2222, 102, 502 for anomalous inbound traffic to OT segments. - ATT&CK: T0883 (Internet Accessible Device), T1219 (Remote Access Software), T1046 (Network Service Discovery), T0890 (Exploitation of Remote Services) - Action: If Dropbear SSH is found on any OT endpoint, treat as confirmed compromise. Isolate immediately. Preserve PLC project files for forensic comparison against known-good baselines.</li> <li> LNK-Based Initial Access - Hunt hypothesis: Trojan.WinLNK.ZDI-CAN-25373 is being delivered via phishing or watering hole attacks using malicious .lnk files. - Detection: Alert on .lnk file execution that spawns PowerShell (T1059.001) or makes outbound HTTP connections to DGA-pattern domains. - ATT&CK: T1204.002 (User Execution: Malicious File), T1059.001 (PowerShell), T1071.001 (Web Protocols C2), T1568.002 (Domain Generation Algorithms)</li> <li> Energy Sector Supply Chain / BEC - Hunt hypothesis: Nasir Security is conducting impersonation and spear-phishing campaigns against energy sector organizations, potentially using compromised vendor email accounts. - Detection: Monitor for emails originating from or referencing nasir[.]cc. Alert on OAuth consent grant requests from unfamiliar applications (T1550.001). Review recent BEC attempts targeting energy sector procurement or vendor management. - ATT&CK: T1566 (Phishing), T1195 (Supply Chain Compromise), T1656 (Impersonation), T1530 (Data from Cloud Storage)</li> <li> Credential Harvesting and OAuth Abuse - Hunt hypothesis: APT42 and affiliated actors are exploiting OAuth authorization flows to gain persistent access to Microsoft 365 and Google Workspace environments. - Detection: Audit OAuth application consent grants in Entra ID / Google Workspace admin console. Alert on applications requesting Mail.Read, Files.ReadWrite.All, or User.Read scopes from unrecognized publishers. Monitor for illicit consent grant attacks. - ATT&CK: T1550.001 (Application Access Token), T1528 (Steal Application Access Token)</li> <li> Wiper Pre-Positioning Indicators - Hunt hypothesis: Handala or affiliated actors have pre-positioned wiper malware (ROTORWIPE, SEAWRECK, COOLWIPE, CHILLWIPE, CADDYWIPER variants) that will activate if ceasefire collapses. - Detection: Monitor for mass file enumeration (T1083), volume shadow copy deletion (vssadmin delete shadows), and MBR/partition table access from non-system processes. Baseline critical system integrity hashes now. - ATT&CK: T1485 (Data Destruction), T1490 (Inhibit System Recovery), T1561 (Disk Wipe)</li> </ol> <h2>Sector-Specific Defensive Priorities</h2> <h3>Financial Services</h3> The financial sector faces elevated risk from two vectors: (1) Iranian BEC and impersonation campaigns (Nasir Security’s T1656 tradecraft) targeting transaction authorization workflows, and (2) cascading disruption from energy sector attacks that could impact trading platforms and settlement systems dependent on stable power and communications. <ul> <li>Immediate: Review wire transfer and payment authorization controls for social engineering resilience. Implement out-of-band verification for any vendor payment change requests, especially from Middle Eastern counterparties.</li> <li>7-Day: Audit OAuth application consent grants across Microsoft 365 and Google Workspace. Revoke any unrecognized third-party application permissions. APT42’s credential harvesting operations historically target financial sector email for intelligence collection.</li> <li>30-Day: Stress-test business continuity plans against a scenario where Gulf-region cloud infrastructure (AWS, Azure) becomes unavailable due to kinetic strikes. Ensure trading and settlement systems have geographic failover outside the conflict zone.</li> </ul> <h3>Energy</h3> Energy is the primary target sector in this conflict. CyberAv3ngers are confirmed active against energy PLCs. Nasir Security is conducting supply chain operations against Middle Eastern energy companies. The Strait of Hormuz chokepoint means any disruption to energy infrastructure has immediate global price impact. <ul> <li>Immediate: Audit every internet-facing PLC — Rockwell CompactLogix, Micro850, Siemens S7, and Yokogawa CENTUM VP. Disconnect any with direct internet exposure. Verify physical mode switches are in “run” position. Check for unauthorized SSH services on OT endpoints.</li> <li>7-Day: Patch Yokogawa CENTUM VP authentication bypass (ICSA-26-092-02) — this vulnerability allows login as the PROG user and is directly exploitable by actors with CyberAv3ngers’ capability. Audit Siemens SICAM 8 deployments for DoS exposure.</li> <li>30-Day: Implement network segmentation between IT and OT with unidirectional gateways where feasible. Deploy OT-specific network monitoring (e.g., Claroty, Dragos, Nozomi) if not already in place. Establish PLC project file baselines for forensic comparison.</li> </ul> <h3>Healthcare</h3> Healthcare faces collateral risk from ICS/OT attacks on building management systems (HVAC, power) and direct risk from Iranian espionage operations targeting pharmaceutical and biomedical research. Hospital systems running Rockwell or Siemens controllers for facility management are in the CyberAv3ngers’ expanding target scope. <ul> <li>Immediate: Inventory all building automation and medical device controllers. Identify any Rockwell, Siemens, or Yokogawa systems with network connectivity. Ensure medical device networks are segmented from enterprise IT.</li> <li>7-Day: Review backup and recovery procedures for electronic health records and clinical systems against wiper scenarios. Iranian wiper malware (ROTORWIPE, CADDYWIPER) does not discriminate by sector once deployed.</li> <li>30-Day: Conduct tabletop exercise simulating simultaneous ransomware/wiper attack and power grid disruption. Healthcare’s dependency on stable power makes it a secondary casualty of energy sector attacks.</li> </ul> <h3>Government</h3> Government agencies — particularly those involved in defense, diplomacy, intelligence, and critical infrastructure regulation — are primary targets for Iranian state APTs. APT42 targets government officials for credential harvesting. MuddyWater and APT34 conduct long-term espionage operations. The 29-day silence on defense industrial base pre-positioning is a critical blind spot. <ul> <li>Immediate: Enforce phishing-resistant MFA (FIDO2/hardware keys) on all accounts with access to classified or sensitive systems. APT42’s primary initial access vector is credential theft via phishing.</li> <li>7-Day: Conduct proactive hunt for dormant service accounts reactivating, especially accounts associated with defense contractors or cleared personnel. Look for Rclone/Wasabi exfiltration patterns and GitHub-based staging.</li> <li>30-Day: Review all contractor and vendor access for personnel with connections to Iran, Iraq, Lebanon, Yemen, or other conflict-zone countries. Implement trigger-based re-vetting for high-access roles. The human risk vector is accelerating during this conflict.</li> </ul> <h3>Aviation / Logistics</h3> Aviation and logistics organizations face risk from both cyber disruption and kinetic-cyber convergence. The Strait of Hormuz chokepoint has already disrupted global shipping. Iranian targeting of logistics and transportation infrastructure supports military objectives by degrading adversary supply chains. <ul> <li>Immediate: Review all operational technology in air traffic management, baggage handling, and cargo tracking systems for Rockwell/Siemens PLC exposure. Ensure flight operations networks are air-gapped from corporate IT.</li> <li>7-Day: Audit supply chain management platforms for unauthorized access. Iranian supply chain compromise (T1195) operations could target logistics software to map military supply movements.</li> <li>30-Day: Assess geographic concentration risk. If logistics operations depend on Gulf-region cloud infrastructure or communications links that transit the conflict zone, develop contingency routing. The AWS UAE drone strikes demonstrate that cloud infrastructure is a kinetic target.</li> </ul> <h2>Prioritized Defense Recommendations</h2> <h3>Immediate (Within 24 Hours)</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Block nasir[.]cc and all *.mirantezari[.]website subdomains at DNS sinkhole, proxy, and endpoint detection layers. Alert on any historical DNS resolution to these domains in the past 90 days. </td> </tr> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Ingest the full CISA AA26-097a indicator set. Monitor ports 44818, 2222, 102, 502, and 22 for anomalous inbound traffic to any OT network segment. </td> </tr> <tr> <td> IMMEDIATE </td> <td> IT Ops / OT </td> <td> Audit all internet-facing Rockwell Automation PLCs (CompactLogix, Micro850). Verify physical mode switches are in “run” position. Disconnect any PLC with direct internet exposure and mediate access through a secure gateway with MFA. </td> </tr> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Deploy detection rule for unauthorized SSH services on OT endpoints — alert on any SSH service (port 22) appearing on hosts in OT segments without authorized SSH. Dropbear SSH deployment is a confirmed CyberAv3ngers persistence mechanism. </td> </tr> </tbody> </table> <h3>7-Day Actions</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 7-DAY </td> <td> OT Security </td> <td> Patch Yokogawa CENTUM VP (ICSA-26-092-02) authentication bypass. Audit Siemens SICAM 8 deployments for DoS vulnerability exposure. These products are in the expanding CyberAv3ngers target scope. </td> </tr> <tr> <td> 7-DAY </td> <td> Identity / Cloud Security </td> <td> Audit all OAuth application consent grants in Microsoft 365 Entra ID and Google Workspace. Revoke permissions for unrecognized applications. Deploy alerting on new consent grants requesting mail, file, or user scopes. </td> </tr> <tr> <td> 7-DAY </td> <td> HR / Security </td> <td> Brief personnel security on accelerated human risk vectors during the Iran conflict. Review contractor and vendor vetting for personnel with connections to conflict-zone countries. Implement trigger-based re-vetting for high-access roles. </td> </tr> <tr> <td> 7-DAY </td> <td> SOC </td> <td> Create detection for LNK files spawning PowerShell with outbound HTTP connections to DGA-pattern domains. Monitor for Trojan.WinLNK.ZDI-CAN-25373 and Trojan.Multi.Powenot signatures. </td> </tr> </tbody> </table> <h3>30-Day Actions</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Commission proactive threat hunt for dormant defense industrial base access. Hunt for: dormant service accounts reactivating, Rclone/Wasabi exfiltration patterns, GitHub-based staging, web shells on engineering/PLM systems. This is the highest-consequence blind spot — 29 days of silence during active conflict. </td> </tr> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Evaluate Russian-Iranian cyber cooperation implications for your threat model. If your infrastructure uses Russian-origin software or is exposed to Russian satellite imagery collection, assess whether your defensive posture accounts for combined Russian-Iranian targeting. Add Russian APT infrastructure watchlists (APT44/Sandworm, APT28) to cross-reference against Iranian campaign IOCs. </td> </tr> <tr> <td> 30-DAY </td> <td> CISO / Legal </td> <td> Review cyber insurance coverage against state-sponsored attack exclusions. The confirmed IRGC attribution in AA26-097a may trigger war exclusion clauses. Engage legal counsel proactively. </td> </tr> <tr> <td> 30-DAY </td> <td> IR / Executive </td> <td> Conduct tabletop exercise simulating simultaneous wiper deployment and cloud infrastructure loss in the Gulf region. Test executive decision-making under a scenario where ceasefire collapses and Iranian cyber operations escalate to destructive attacks within 24 hours. </td> </tr> </tbody> </table> <h2>Bottom Line                                </h2> The Pakistan-brokered ceasefire announced on April 8 should provide no comfort to defenders. The intelligence is unambiguous: cyber operations tempo has not decreased. CISA AA26-097a documents Iranian PLC exploitation activity through March 2026 — well into the period of ceasefire discussions. Iranian doctrine historically treats diplomatic pauses as opportunities for espionage intensification, infrastructure rotation, and pre-positioning for the next escalation phase. The actors who have gone silent — APT42, Fox Kitten, UNC1860, Handala — are not standing down. They are retooling. The 29-day silence on defense industrial base pre-positioning is not an absence of threat; it is likely an indicator of successfully concealed access. Six weeks into this conflict, the Iranian cyber apparatus has demonstrated it can exploit critical infrastructure PLCs, conduct energy sector supply chain operations, deploy wiper malware at scale, and leverage Russian satellite and cyber support for targeting. The IRGC has publicly named the world’s largest technology companies as legitimate targets and backed that rhetoric with drone strikes on cloud data centers. The question is not whether the next escalation will come. It is whether your organization will detect it when it does. Act now. Audit your OT. Hunt for dormant access. Block the indicators. Brief your executives. The ceasefire clock is ticking — and cyber doesn’t observe ceasefires.

FEATURED RESOURCES

April 9, 2026

Anomali Cyber Watch