The Ceasefire Is a Lie: Iranian Cyber Operations Are Running at Full Tempo While the World Looks Away

Anomali Threat Research

Published on

April 23, 2026

Table of Contents

Threat Assessment Level: ELEVATED — Trending Stable The U.S.-Iran kinetic ceasefire, brokered in early April, explicitly excludes cyber operations. Three independent sources confirm Iranian state-sponsored cyber campaigns continue unabated. U.S. intelligence agencies are urgently warning the private sector of active exploitation across critical infrastructure. If your organization operates in energy, defense, healthcare, government, or aviation — the ceasefire does not protect you. <h2>What Changed                              </h2> Nearly eight weeks into the U.S.-Israel-Iran conflict that began on 28 February 2026, the kinetic ceasefire has created a dangerous illusion of de-escalation. Here is what shifted in the past 72 hours: <ul> <li>Lufthansa confirmed it is cutting 20,000 short-haul flights through October as the Strait of Hormuz standoff doubles jet fuel prices. The EU has approximately six weeks of jet fuel reserves remaining, and is losing an estimated €500 million per day. This deepening economic damage increases Iran’s strategic leverage and decreases its incentive to de-escalate — including in cyberspace.</li> <li>Validated Cobalt Strike and SmartLoader command-and-control infrastructure was confirmed active on Iranian hosting providers, with confidence scores ranging from 75 to 99 across multiple independent sources. Iranian-hosted C2 infrastructure is not theoretical — it is communicating now.</li> <li>Vercel disclosed a supply chain breach traced to Context.ai, a third-party AI productivity tool. The attack chain — Lumma Stealer infection → OAuth token theft → cloud account pivot — is a textbook demonstration of the living-off-trusted-services technique that Iranian APTs have used against Microsoft 365 environments. While attributed to the ShinyHunters persona, the TTP is directly adoptable by state actors.</li> <li>CISA published 11 ICS advisories, including authentication bypass in Siemens SINEC NMS (the central management plane for Siemens OT networks), privilege escalation in Siemens RUGGEDCOM, and multiple vulnerabilities in SCALANCE industrial wireless. These expand the attack surface for groups like CyberAv3ngers that have historically targeted Siemens and Unitronics PLCs.</li> <li>UNC1549 (Imperial Kitten/TA455) resumed aerospace and Defense Industrial Base targeting on 22 April via fake GitHub resume lures, ending a period of relative quiet and directly elevating the DIB pre-positioning threat.</li> <li>UNC5866 (Emennet Pasargad) confirmed wiper deployment against Israeli targets on 19 April, demonstrating that destructive capability remains active and operational despite the kinetic ceasefire.</li> <li>Defense Industrial Base (DIB) pre-positioning has been silent for 30 consecutive days — the longest gap since tracking began. In the context of a ceasefire that excludes cyber, this silence is the single most alarming indicator in the current threat landscape. Dormant access is designed to be invisible until activation.</li> </ul> <h2>Conflict & Threat Timeline                    </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Cyber Significance </th> </tr> </thead> <tbody> <tr> <td> 28 Feb 2026 </td> <td> U.S.-Israel-Iran kinetic conflict begins </td> <td> Iranian cyber operations surge across all tracked actor groups </td> </tr> <tr> <td> Jan–Mar 2026 </td> <td> Monthly wiper deployments against Israeli targets </td> <td> Destructive capability demonstrated; UNC5866 (Emennet Pasargad) confirmed </td> </tr> <tr> <td> Mar 2026 </td> <td> CyberAv3ngers confirmed using vendor tools to manipulate SCADA displays </td> <td> ICS/OT operational disruption and financial losses begin </td> </tr> <tr> <td> 3 Apr 2026 </td> <td> Forbes: “Cyber and Kinetic Warfare Are Now One Battlefield” </td> <td> Public acknowledgment of converged threat </td> </tr> <tr> <td> 8 Apr 2026 </td> <td> GovTech: U.S. agencies “urgently warning” of Iranian exploitation </td> <td> Federal government confirms active critical infrastructure compromise </td> </tr> <tr> <td> 13 Apr 2026 </td> <td> CPO Magazine: Joint federal advisory on Iranian CI attacks </td> <td> Energy, water, and government sectors specifically named </td> </tr> <tr> <td> 14 Apr 2026 </td> <td> Global oil demand projections plunge amid Hormuz disruption </td> <td> Economic pressure intensifies Iran’s cyber leverage calculus </td> </tr> <tr> <td> 16 Apr 2026 </td> <td> Jet fuel shortage threatens European aviation </td> <td> Aviation/logistics sector enters crisis </td> </tr> <tr> <td> 18 Apr 2026 </td> <td> Forbes: “A Ceasefire That Ignores Cyber Is Not a Real Ceasefire” </td> <td> Ceasefire-cyber gap formally documented </td> </tr> <tr> <td> 19 Apr 2026 </td> <td> UNC5866 (Emennet Pasargad) last observed deploying wipers </td> <td> Destructive capability remains active </td> </tr> <tr> <td> 21 Apr 2026 </td> <td> MuddyWater registers fresh DinDoor/DinoDance C2, then goes silent </td> <td> Assessed as infrastructure rotation preceding activation </td> </tr> <tr> <td> 21 Apr 2026 </td> <td> EU eyes options as Iran conflict threatens fuel shortages </td> <td> Strategic economic pressure continues building </td> </tr> <tr> <td> 21 Apr 2026 </td> <td> CISA publishes 11 ICS advisories (Siemens SINEC NMS, RUGGEDCOM, SCALANCE) </td> <td> OT attack surface expands </td> </tr> <tr> <td> 22 Apr 2026 </td> <td> IRGC gunboat fires on Liberian-flagged container ship in Strait of Hormuz </td> <td> Ceasefire functionally collapses kinetically </td> </tr> <tr> <td> 22 Apr 2026 </td> <td> Censys confirms 5,219 exposed Rockwell Allen-Bradley PLCs (74.6% U.S.) </td> <td> ICS exposure quantified </td> </tr> <tr> <td> 22 Apr 2026 </td> <td> UNC1549 (Imperial Kitten/TA455) resumes aerospace DIB targeting via GitHub lures </td> <td> DIB pre-positioning resumes </td> </tr> <tr> <td> 22 Apr 2026 </td> <td> APT34, MuddyWater, Charming Kitten profiles updated in threat intelligence </td> <td> Actor infrastructure refreshed </td> </tr> <tr> <td> 23 Apr 2026 </td> <td> Lufthansa cuts 20,000 flights; EU has ~6 weeks of jet fuel </td> <td> Aviation crisis deepens </td> </tr> <tr> <td> 23 Apr 2026 </td> <td> Vercel OAuth supply chain breach disclosed (Context.ai → Lumma Stealer) </td> <td> OAuth weaponization TTP validated </td> </tr> <tr> <td> 23 Apr 2026 </td> <td> Validated Cobalt Strike and SmartLoader C2 confirmed on Iranian ASNs </td> <td> Active C2 infrastructure confirmed </td> </tr> </tbody> </table> <h2>Key Threat Analysis                          </h2> <h3>1. The Ceasefire-Cyber Gap: Iran’s Strategic Advantage</h3> Three independent sources — Forbes (18 April), CPO Magazine (13 April), and GovTech (8 April) — confirm with high confidence that the U.S.-Iran ceasefire explicitly excludes cyber operations. U.S. intelligence agencies are “urgently warning” the private sector of Iranian exploitation causing “disruptions across several U.S. critical infrastructure sectors.” This is not a reduction in threat. It is a shift in threat modality — from visible, destructive attacks to covert pre-positioning, intelligence collection, and below-threshold operations that maintain plausible deniability under ceasefire cover. Iran has maximum incentive to use cyber as strategic leverage while the kinetic ceasefire holds. <h3>2. Active Iranian C2 Infrastructure on Domestic ASNs</h3> Intelligence collection confirmed two Iran-geolocated command-and-control servers actively communicating: <table> <thead> <tr> <th> Indicator </th> <th> Hosting </th> <th> Malware </th> <th> Confidence </th> </tr> </thead> <tbody> <tr> <td> 188.121.123[.]185 </td> <td> Noyan Abr Arvan (ASN 202468), Tehran </td> <td> Cobalt Strike BEACON </td> <td> 75 (corroborated) </td> </tr> <tr> <td> 213.176.73[.]163 </td> <td> Serv.host (ASN 207957), Tehran </td> <td> SmartLoader </td> <td> 93 (2-of-3 validated) </td> </tr> </tbody> </table> Cobalt Strike on Iranian hosting is consistent with the documented state-criminal nexus where MOIS and IRGC contractors leverage commodity offensive tools alongside custom malware. <h3>3. The Tracked Actor Landscape</h3> The following Iranian state-sponsored groups remain active or are assessed to be pre-positioning: <table> <thead> <tr> <th> Actor </th> <th> Affiliation </th> <th> Last Observed </th> <th> Current Assessment </th> </tr> </thead> <tbody> <tr> <td> MuddyWater (MOIS) </td> <td> Ministry of Intelligence and Security </td> <td> 21 Apr — fresh DinDoor/DinoDance C2 registered, then operational silence </td> <td> Infrastructure rotation preceding activation. 55% probability of activation within 48–72 hours of continued escalation. </td> </tr> <tr> <td> APT34 / OilRig (MOIS) </td> <td> Ministry of Intelligence and Security </td> <td> 22 Apr — Anomali ThreatStream Next-Gen profile updated; cloud-service downloaders, T1102.002 </td> <td> Active. Refreshed TTPs include cloud-service downloaders and archive exfiltration (T1560.003). </td> </tr> <tr> <td> Charming Kitten / APT42 (IRGC-IO) </td> <td> IRGC Intelligence Organization </td> <td> 22 Apr — IOCs refreshed </td> <td> Active. Known M365 credential harvesting and OAuth abuse capabilities. </td> </tr> <tr> <td> CyberAv3ngers (IRGC-CEC) </td> <td> IRGC Cyber-Electronic Command </td> <td> Mar 2026 — confirmed SCADA manipulation </td> <td> Publicly quiet since ceasefire but confirmed using legitimate vendor tools against ICS/OT. </td> </tr> <tr> <td> UNC1549 / Imperial Kitten / TA455 (IRGC) </td> <td> IRGC contractor </td> <td> 22 Apr — resumed aerospace DIB targeting via fake GitHub resume lures </td> <td> Active. Directly relevant to DIB pre-positioning concerns. </td> </tr> <tr> <td> UNC5866 / Emennet Pasargad (IRGC contractor) </td> <td> IRGC-linked front company </td> <td> 19 Apr — wiper deployment against Israeli targets </td> <td> Active. Destructive capability confirmed. </td> </tr> <tr> <td> Homeland Justice / Karma / Handala </td> <td> MOIS (unified “Void Manticore” operation) </td> <td> Confirmed as single operation </td> <td> Hacktivist fronts for MOIS destructive operations. </td> </tr> </tbody> </table> <h3>4. ICS/OT Attack Surface Expansion: Siemens Advisories</h3> CISA’s 11 ICS advisories published on 21 April directly expand the attack surface for Iranian groups that have historically targeted industrial control systems. The most critical: <ul> <li>Siemens SINEC NMS Authentication Bypass (ICSA-26-111-03): SINEC NMS is the central management plane for Siemens OT networks. An authentication bypass here gives an attacker visibility and control over an entire Siemens OT estate. This is not a single-device vulnerability — it is a management-plane compromise. ATT&CK: T1190 — Exploit Public-Facing Application.</li> <li>Siemens RUGGEDCOM CROSSBOW SAM-P Privilege Escalation (ICSA-26-111-02): RUGGEDCOM provides OT remote access. Privilege escalation in this product enables lateral movement from IT into OT environments. ATT&CK: T1068 — Exploitation for Privilege Escalation.</li> <li>Siemens SCALANCE W-700 Multiple Vulnerabilities (ICSA-26-111-07): Industrial wireless infrastructure. Compromise enables adversary-in-the-middle positioning within OT networks.</li> <li>SenseLive X3050 Complete Device Takeover (ICSA-26-111-12): IoT/OT sensor with full takeover capability. ATT&CK: T0890 — Exploitation of Remote Services.</li> </ul> These advisories arrive in the context of 5,219 internet-exposed Rockwell Allen-Bradley PLCs confirmed by Censys on 22 April (74.6% U.S.-based) and CyberAv3ngers’ confirmed use of legitimate vendor tools to manipulate SCADA displays. <h3>5. OAuth Supply Chain Weaponization: The Vercel/Context.ai Breach</h3> The Vercel breach disclosed on 23 April is a case study in the OAuth supply chain attack pattern: Kill chain: Lumma Stealer infection on Context.ai employee (February 2026) → OAuth tokens harvested → attacker pivoted into Vercel’s corporate Google Workspace → enumerated and decrypted environment variables → ShinyHunters persona claims responsibility, attempts $2M data sale. Relevant ATT&CK techniques: - T1078.004 — Valid Accounts: Cloud Accounts - T1528 — Steal Application Access Token - T1550.001 — Use Alternate Authentication Material: Application Access Tokens - T1195.001 — Supply Chain Compromise: Software Dependencies and Development Tools - T1566.001 — Phishing: Spearphishing Attachment (Lumma Stealer vector) While ShinyHunters is a criminal actor — not Iranian — the TTP chain is identical to techniques Iranian APTs have demonstrated against Microsoft 365 environments. The commoditization of OAuth token theft via third-party AI productivity tools means any organization granting OAuth access to tools like Context.ai, and similar AI integrations, is exposed to this exact attack pattern. This is a TTP warning, not just an incident report. <h2>Predictive Analysis: What Comes Next</h2> Based on the convergence of kinetic escalation (IRGC gunboat attack on 22 April), economic pressure (jet fuel crisis deepening), ceasefire-cyber gap (confirmed by three independent sources), and observed actor behavior, we assess the following probabilities over the next 7 days: <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Rationale </th> </tr> </thead> <tbody> <tr> <td> Iranian cyber operations continue at current tempo — focused on intelligence collection and pre-positioning rather than destructive attacks </td> <td> 70% </td> <td> Ceasefire incentivizes below-threshold operations; all tracked actor groups show infrastructure maintenance activity </td> </tr> <tr> <td> A hacktivist front (CyberAv3ngers, Homeland Justice, or proxy) breaks public silence with a demonstrative attack on Western infrastructure </td> <td> 40% </td> <td> 15+ days of hacktivist silence during active conflict is anomalous; ceasefire collapse increases pressure to demonstrate capability </td> </tr> <tr> <td> Dormant access in a DIB contractor network is activated for data exfiltration, triggered by ceasefire negotiation developments </td> <td> 25% </td> <td> PIR-007 has been silent for 30 days — the longest gap since tracking began; UNC1549 resumed DIB targeting on 22 April </td> </tr> <tr> <td> MuddyWater activates fresh DinDoor/DinoDance C2 infrastructure for a new campaign </td> <td> 55% </td> <td> Infrastructure registered 21 April then went silent — classic rotation-before-activation pattern </td> </tr> <tr> <td> Wiper deployment against Western or Israeli critical infrastructure </td> <td> 15–20% </td> <td> Wipers were deployed monthly Jan–Mar; ceasefire may be suppressing destructive ops, but ceasefire collapse changes calculus rapidly </td> </tr> <tr> <td> Iranian actors adopt the Vercel/Context.ai OAuth supply chain TTP against Western cloud environments </td> <td> 30% </td> <td> TTP is directly analogous to known Iranian M365 operations; commoditization lowers adoption barrier </td> </tr> </tbody> </table> Critical variable: If the kinetic ceasefire formally collapses — which the 22 April IRGC gunboat incident suggests is already underway — the probability of destructive cyber operations (wipers, ICS manipulation) increases significantly. The wiper probability jumps from 15–20% to an estimated 40–45% within 48–72 hours of confirmed ceasefire collapse. <h2>SOC Operational Guidance               </h2> <h3>Detection Engineering Priorities</h3> <table> <thead> <tr> <th> ATT&CK Technique </th> <th> ID </th> <th> Detection Guidance </th> </tr> </thead> <tbody> <tr> <td> Application Layer Protocol </td> <td> T1071 / T1071.001 </td> <td> Monitor for HTTPS beacons to Iranian ASN ranges (AS202468, AS207957, AS206208, AS213790). Alert on periodic callback patterns consistent with Cobalt Strike default profiles. </td> </tr> <tr> <td> Non-Standard Port </td> <td> T1571 </td> <td> Flag outbound connections to non-standard ports (especially 8443, 8080, 4443) destined for Iranian IP space. </td> </tr> <tr> <td> Encrypted Channel </td> <td> T1573 </td> <td> Inspect TLS certificate metadata on outbound connections — look for self-signed certificates or certificates with Iranian registrant data. JA3/JA4 fingerprinting for known Cobalt Strike profiles. </td> </tr> <tr> <td> Steal Application Access Token </td> <td> T1528 </td> <td> Monitor OAuth consent grant events in M365 (Unified Audit Log: Consent to application) and Google Workspace Admin logs. Alert on new OAuth grants to unrecognized applications, especially those requesting Mail.Read, Files.ReadWrite, or Directory.Read.All scopes. </td> </tr> <tr> <td> Valid Accounts: Cloud Accounts </td> <td> T1078.004 </td> <td> Detect impossible travel or anomalous sign-in patterns for cloud accounts. Monitor for service principal authentication from unexpected IP ranges. </td> </tr> <tr> <td> Supply Chain Compromise </td> <td> T1195.001 </td> <td> Audit CI/CD pipeline dependencies. Monitor for unexpected changes to environment variables, secrets, or deployment configurations. </td> </tr> <tr> <td> Exploit Public-Facing Application </td> <td> T1190 </td> <td> Prioritize monitoring of Siemens SINEC NMS, RUGGEDCOM, and SCALANCE management interfaces for authentication anomalies. </td> </tr> <tr> <td> Ingress Tool Transfer </td> <td> T1105 </td> <td> Monitor for large file downloads from Iranian IP ranges or newly registered domains. Alert on PowerShell Invoke-WebRequest or certutil downloading executables. </td> </tr> <tr> <td> Command and Scripting Interpreter: PowerShell </td> <td> T1059.001 </td> <td> Enhanced logging (ScriptBlock, Module, Transcription) for PowerShell. Alert on encoded commands, AMSI bypass attempts, and Cobalt Strike PowerShell stagers. </td> </tr> <tr> <td> Web Service: Bidirectional Communication </td> <td> T1102.002 </td> <td> Monitor for C2 communications tunneled through legitimate cloud services (OneDrive, Google Drive, Dropbox). APT34 has refreshed this TTP as of 22 April. </td> </tr> <tr> <td> Archive Collected Data </td> <td> T1560.003 </td> <td> Detect unusual archive creation (7z, RAR, ZIP) on sensitive file shares, especially when followed by outbound transfer. APT34 TTP refresh includes this technique. </td> </tr> </tbody> </table> <h3>Hunting Hypotheses</h3> Hunt 1 — Dormant Account Reactivation (PIR-007 / DIB Pre-positioning) - Hypothesis: Iranian actors pre-positioned dormant access in DIB/aerospace contractor networks during Jan–Mar 2026 and will reactivate during ceasefire negotiations. - Data sources: Active Directory authentication logs, VPN logs, RDP/SSH session logs, GitHub audit logs. - Query logic: Identify accounts that were active Jan–Mar 2026, went dormant (no authentication events for 30+ days), and have reactivated in the past 7 days. Cross-reference with accounts that have access to aerospace, defense, or engineering repositories. - Escalation criteria: Any dormant account reactivation from a non-corporate IP range, especially if followed by repository cloning or file access to sensitive directories. Hunt 2 — OAuth Token Abuse (Vercel/Context.ai TTP) - Hypothesis: Attackers are using compromised OAuth tokens from third-party AI productivity tools to access corporate Google Workspace or M365 environments. - Data sources: Google Workspace Admin audit logs, M365 Unified Audit Log, Entra ID sign-in logs. - Query logic: Enumerate all OAuth applications with consent grants in the past 90 days. Flag any application with client_id matching known compromised values. Flag any application requesting broad scopes (Mail.ReadWrite, Files.ReadWrite.All) that was not approved through IT governance. - Escalation criteria: Any OAuth application accessing mailbox or file data outside of business hours, or any application with consent granted by a single user that accesses multiple users’ data. Hunt 3 — Cobalt Strike on Iranian Infrastructure - Hypothesis: Cobalt Strike BEACON callbacks are occurring to Iranian-hosted C2 servers using HTTPS on standard or non-standard ports. - Data sources: Proxy logs, DNS logs, EDR telemetry, NetFlow. - Query logic: Filter outbound HTTPS connections to ASN 202468 (Noyan Abr Arvan), ASN 207957 (Serv.host), ASN 206208, ASN 213790. Apply JA3 fingerprint matching for known Cobalt Strike profiles. Look for periodic beacon intervals (60s ± jitter). - Escalation criteria: Any endpoint with repeated outbound connections to these ASNs, especially if the endpoint is in a sensitive network segment. Hunt 4 — ICS/OT Management Plane Reconnaissance - Hypothesis: Attackers are probing Siemens SINEC NMS instances for the authentication bypass vulnerability (ICSA-26-111-03). - Data sources: OT network monitoring, SINEC NMS access logs, firewall logs for OT DMZ. - Query logic: Monitor for unauthenticated API calls to SINEC NMS management endpoints. Alert on any access to SINEC NMS from non-whitelisted IP addresses. Monitor for enumeration patterns (sequential device queries). - Escalation criteria: Any unauthenticated successful access to SINEC NMS, or any access from IT network segments that should not have OT management access. <h2>Sector-Specific Defensive Priorities</h2> <h3>Financial Services</h3> The Strait of Hormuz disruption is creating cascading economic effects — oil price volatility, currency fluctuations, and supply chain financing stress. Iranian actors have historically targeted financial institutions for both espionage and destructive purposes (the 2012–2013 Operation Ababil DDoS campaign against U.S. banks was IRGC-directed). <ul> <li>Priority: Audit all OAuth integrations with fintech and AI productivity tools. The Vercel/Context.ai breach pattern (T1528, T1078.004) is directly applicable to financial services cloud environments.</li> <li>Priority: Monitor SWIFT and interbank messaging systems for anomalous transaction patterns. Iranian sanctions evasion operations may intensify as economic pressure mounts.</li> <li>Priority: Review DDoS mitigation capacity. A hacktivist front breaking silence (40% probability) is most likely to target financial sector websites for maximum visibility.</li> </ul> <h3>Energy</h3> Energy is the highest-risk sector in the current threat landscape. CyberAv3ngers have confirmed ICS/OT manipulation capability. The Strait of Hormuz standoff directly targets energy supply chains. U.S. federal agencies have specifically named energy in their urgent warnings. <ul> <li>Priority — CRITICAL: Patch Siemens SINEC NMS authentication bypass (ICSA-26-111-03) immediately. This is the OT management plane — compromise here means full visibility into your Siemens OT estate.</li> <li>Priority: Conduct Censys/Shodan audit of all internet-exposed ICS/OT devices, specifically Rockwell Allen-Bradley PLCs, Unitronics Vision/Samba, and Siemens S7 controllers. 5,219 exposed Rockwell PLCs were confirmed on 22 April — verify none are yours.</li> <li>Priority: Validate that OT network segmentation prevents lateral movement from IT to OT. RUGGEDCOM CROSSBOW privilege escalation (ICSA-26-111-02) enables exactly this pivot.</li> <li>Priority: Ensure SCADA display integrity monitoring is in place. CyberAv3ngers have been confirmed manipulating SCADA displays using legitimate vendor tools — this bypasses traditional malware detection.</li> </ul> <h3>Healthcare</h3> Healthcare infrastructure is a documented Iranian target, particularly during escalation periods. MuddyWater and APT34 have both targeted healthcare organizations for data theft and pre-positioning. The sector’s reliance on legacy systems and complex supply chains creates exposure. <ul> <li>Priority: Audit all third-party vendor OAuth access to EHR systems and cloud-hosted medical platforms. The Vercel breach TTP applies to any healthcare SaaS integration.</li> <li>Priority: Monitor for Cobalt Strike beacon activity (T1071.001, T1573) — the validated Iranian-hosted C2 infrastructure could be used against healthcare networks.</li> <li>Priority: Review and restrict PowerShell execution policies on clinical workstations (T1059.001). Cobalt Strike and MuddyWater’s POWERSTATS both leverage PowerShell for initial execution.</li> <li>Priority: Ensure offline backup integrity for critical systems. If wiper deployment probability increases (currently 15–20%, rising to 40–45% on ceasefire collapse), healthcare is a high-impact target.</li> </ul> <h3>Government</h3> U.S. government entities are explicitly named in the federal agency warnings (CPO Magazine, 13 April; GovTech, 8 April). Iranian espionage operations against government decision-makers intensify during active negotiations. <ul> <li>Priority: Monitor for Charming Kitten (APT42) credential harvesting campaigns targeting government email accounts. This group specializes in spearphishing government officials during geopolitical crises.</li> <li>Priority: Audit all M365 and Google Workspace OAuth grants. Government cloud environments are high-value targets for the OAuth supply chain TTP.</li> <li>Priority: Review VPN and remote access logs for connections from Iranian ASN ranges. MuddyWater’s DinDoor/DinoDance C2 infrastructure was refreshed on 21 April — activation is assessed at 55% probability.</li> <li>Priority: Ensure classified and sensitive networks have no connectivity to internet-facing systems with unpatched Siemens or Cisco vulnerabilities.</li> </ul> <h3>Aviation & Logistics</h3> The aviation sector is in active crisis. Lufthansa cutting 20,000 flights is a direct consequence of the Strait of Hormuz standoff. Iranian actors have strategic incentive to amplify aviation disruption through cyber means — either through direct attacks on airline IT systems or through supply chain disruption of fuel logistics and air traffic management. <ul> <li>Priority: Monitor for UNC1549 (Imperial Kitten/TA455) targeting via fake GitHub resume lures — this group resumed aerospace DIB targeting on 22 April using exactly this technique.</li> <li>Priority: Audit all GitHub repositories accessible to aerospace/aviation employees. Look for recently cloned repositories with resume or job-application themes.</li> <li>Priority: Review fuel logistics and supply chain management systems for anomalous access patterns. Disruption of fuel distribution IT systems would compound the physical shortage.</li> <li>Priority: Ensure air traffic management and flight operations systems are segmented from corporate IT networks. Any disruption to these systems during the fuel crisis would have cascading safety implications.</li> </ul> <h2>Prioritized Defense Recommendations</h2> <h3>IMMEDIATE (Within 24 Hours)</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> IMMEDIATE </td> <td> IT Ops / OT </td> <td> Patch Siemens SINEC NMS authentication bypass (ICSA-26-111-03). This is the OT network management plane — an authentication bypass gives an attacker full visibility and control over the entire Siemens OT estate. </td> </tr> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Enable enhanced PowerShell logging (ScriptBlock, Module, Transcription) on all endpoints if not already active. Both Cobalt Strike and MuddyWater’s POWERSTATS rely on PowerShell execution (T1059.001). </td> </tr> </tbody> </table> <h3>7-DAY</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 7-DAY </td> <td> SOC </td> <td> Execute Hunt 1 (Dormant Account Reactivation): Audit all accounts in DIB/aerospace contractor networks that were active Jan–Mar 2026 and went dormant. Flag any reactivation from non-corporate IP ranges. This addresses the 30-day silence on DIB pre-positioning — the highest-risk intelligence gap. </td> </tr> <tr> <td> 7-DAY </td> <td> IT Ops / Identity </td> <td> Conduct comprehensive OAuth application audit across Google Workspace and M365 Entra ID. Revoke any application with overly broad permissions (Mail.ReadWrite, Files.ReadWrite.All) that was not approved through IT governance. Enforce least-privilege OAuth scopes for all AI productivity tools. </td> </tr> <tr> <td> 7-DAY </td> <td> IT Ops / OT </td> <td> Patch Siemens RUGGEDCOM CROSSBOW SAM-P privilege escalation (ICSA-26-111-02) and SCALANCE W-700 vulnerabilities (ICSA-26-111-07). Both are OT remote access and industrial wireless infrastructure. </td> </tr> <tr> <td> 7-DAY </td> <td> SOC </td> <td> Implement JA3/JA4 fingerprint detection for known Cobalt Strike beacon profiles on all outbound HTTPS traffic. Alert on matches to Iranian ASN ranges (AS202468, AS207957, AS206208, AS213790). </td> </tr> <tr> <td> 7-DAY </td> <td> DevOps </td> <td> Audit CI/CD pipelines for third-party dependency risks. Pin all GitHub Actions to commit SHAs. Review environment variable access controls and secrets management. The Vercel breach exploited environment variable decryption after OAuth pivot. </td> </tr> </tbody> </table> <h3>30-DAY</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Commission a formal assessment of ceasefire-era Iranian pre-positioning risk. Model dormant-to-active transition scenarios for DIB contractor networks and ICS/OT environments. Include tabletop exercise for wiper deployment response. </td> </tr> <tr> <td> 30-DAY </td> <td> CISO / Legal </td> <td> Review and update incident response plans for destructive cyber attack scenarios (wiper deployment, ICS manipulation). Ensure plans account for the converged cyber-kinetic threat environment where physical supply chain disruption compounds cyber impact. </td> </tr> <tr> <td> 30-DAY </td> <td> IT Ops / OT </td> <td> Conduct Censys/Shodan audit of all internet-exposed ICS/OT devices. Verify no Rockwell Allen-Bradley PLCs, Unitronics controllers, or Siemens S7 devices are directly internet-accessible. Remediate any findings immediately. </td> </tr> <tr> <td> 30-DAY </td> <td> SOC / IT Ops </td> <td> Deploy Google Workspace OAuth audit log monitoring as a standing collection source. This addresses the collection gap identified in the Vercel/Context.ai breach — current monitoring does not capture OAuth grant/revocation events that would provide early warning for this attack pattern. </td> </tr> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Evaluate expanding threat intelligence collection to include Telegram channel monitoring for Iranian hacktivist groups (CyberAv3ngers, Homeland Justice, Karma, Handala). The 15+ day silence from these groups may indicate a shift to non-monitored channels. </td> </tr> </tbody> </table> <h3>Executive & IR Preparedness</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> IMMEDIATE </td> <td> Executive / CISO </td> <td> Approve proactive hunt tasking for dormant DIB pre-positioning indicators. The 30-day silence is the single highest-risk indicator — dormant access is invisible by design. </td> </tr> <tr> <td> IMMEDIATE </td> <td> Executive / CISO </td> <td> Approve emergency OAuth audit across all cloud environments. The Vercel breach demonstrates this is an active, exploited attack vector. </td> </tr> <tr> <td> 7-DAY </td> <td> Executive / Legal </td> <td> Brief board and legal counsel on the ceasefire-cyber gap. The ceasefire does not reduce cyber risk — it may increase it by creating a false sense of security. Ensure cyber insurance coverage accounts for state-sponsored destructive attacks. </td> </tr> <tr> <td> 7-DAY </td> <td> IR Team </td> <td> Validate wiper response playbook. Confirm offline backup integrity, recovery time objectives, and communication plans. If ceasefire collapses, wiper deployment probability rises to 40–45% within 48–72 hours. </td> </tr> <tr> <td> 30-DAY </td> <td> CISO / Executive </td> <td> Engage external red team to assess Iranian APT TTPs against your environment — specifically OAuth supply chain compromise, Cobalt Strike C2 detection, and ICS/OT lateral movement via RUGGEDCOM/SINEC NMS. </td> </tr> </tbody> </table> <h2>The Bottom Line                       </h2> Eight weeks into the U.S.-Israel-Iran conflict, the ceasefire has created the most dangerous condition in cybersecurity: a false sense of safety. The kinetic pause is real. The cyber pause is not. Iranian state-sponsored groups — MuddyWater, APT34, Charming Kitten, CyberAv3ngers, UNC1549, UNC5866 — are refreshing infrastructure, rotating C2 servers, and maintaining access. The economic damage from the Strait of Hormuz standoff is intensifying, not easing, which gives Iran every incentive to keep cyber operations running as strategic leverage. The 30-day silence on defense industrial base pre-positioning is not reassuring. It is the loudest alarm in this report. Dormant access exists to be invisible. The question is not whether it exists — it is when it activates. Three things need to happen now: <ol> <li>Hunt for what you cannot see. The dormant access hunt is not optional. If you operate in defense, aerospace, energy, or government, assume pre-positioned access exists and look for the activation indicators.</li> <li>Close the OAuth door. The Vercel/Context.ai breach is a preview of what happens when AI productivity tools get OAuth access to your crown jewels. Audit every OAuth grant. Revoke what you don’t need. Enforce least privilege on what remains.</li> <li>Patch the OT management plane. Siemens SINEC NMS authentication bypass is not just another vulnerability. It is the keys to the OT kingdom. In a threat environment where CyberAv3ngers have confirmed SCADA manipulation capability, an unpatched OT management plane is an unacceptable risk.</li> </ol> The ceasefire bought time. It did not buy safety. Use the time.

FEATURED RESOURCES

April 23, 2026

Anomali Cyber Watch