Anomali Cyber Watch
The Cyber Front of Operation Epic Fury: What CISOs Need to Know Right Now

Published on March 3, 2026
<p>The United States and Israel are four days into Operation Epic Fury &mdash; the most significant kinetic military campaign against Iran since the 1980s. But while the world watches missile strikes and carrier group movements, a second front is already open, and it runs through your network.</p> <p>US Cyber Command struck first. Iran's internet has been degraded to single-digit capacity. Iran's supreme leader is confirmed dead. Six US service members have been killed. And President Trump has announced the campaign will last four to five weeks.</p> <p>None of that has stopped Iranian cyber operators. They are online, they are adapting, and they are coming.</p> <p>If your organization touches the defense industrial base, government networks, critical infrastructure, energy, or financial services &mdash; this is your threat briefing. The window for preparation is closing.</p> <h2>What Changed in the Last 72 Hours</h2> <p>The situation has shifted materially since late February. Here is what is new:</p> <ul> <li><strong>US Cyber Command confirmed as "first mover."</strong> Joint Chiefs Chair Dan Caine publicly stated that offensive cyber operations preceded or accompanied kinetic strikes &mdash; the first official confirmation of cyber-kinetic synchronization doctrine in this campaign.</li> <li><strong>The campaign timeline doubled.</strong> Trump's 4&ndash;5 week projection extends the expected Iranian cyber retaliation window from roughly three weeks to <strong>six weeks</strong> (through mid-April 2026).</li> <li><strong>Iranian hackers are using Starlink to stay operational.</strong> Despite a near-total state internet blackout, at least one of Iran's most prominent hacking crews is using commercial satellite internet to maintain command-and-control and claim retaliatory attacks against the US.</li> <li><strong>MuddyWater deployed three new malware families.</strong> Operation Olalampo &mdash; active since January 26 &mdash; introduced 
<strong>GhostFetch</strong>, <strong>CHAR</strong>, and <strong>HTTP_VIP</strong>, described as AI-assisted malware, targeting government, financial services, energy, and education organizations across the Middle East and North Africa.</li> <li><strong>Active Iranian command-and-control infrastructure identified.</strong> A high-confidence C2 server (78.38.30.71) on Iran's state-controlled telecom network remains active during the blackout &mdash; meaning it is, by definition, a government-sanctioned operational asset.</li> </ul> <h2>Conflict &amp; Threat Timeline</h2> <table> <tbody> <tr> <td> <p><strong>Date</strong></p> </td> <td> <p><strong>Event</strong></p> </td> <td> <p><strong>Cyber Significance</strong></p> </td> </tr> <tr> <td> <p><strong>26 Jan 2026</strong></p> </td> <td> <p>MuddyWater begins Operation Olalampo</p> </td> <td> <p>GhostFetch, CHAR, HTTP_VIP malware deployed against MENA targets &mdash; pre-positioning before kinetic escalation</p> </td> </tr> <tr> <td> <p><strong>26 Feb 2026</strong></p> </td> <td> <p>CISA issues ICS advisories for Yokogawa CENTUM VP and Johnson Controls Frick</p> </td> <td> <p>Fresh attack surface for OT/SCADA targeting; relevant to IOCONTROL malware</p> </td> </tr> <tr> <td> <p><strong>~28 Feb 2026</strong></p> </td> <td> <p>Operation Epic Fury begins; US/Israeli kinetic strikes on IRGC command centers</p> </td> <td> <p>USCYBERCOM confirmed as "first mover" &mdash; offensive cyber preceded or accompanied strikes</p> </td> </tr> <tr> <td> <p><strong>1 Mar 2026</strong></p> </td> <td> <p>Iran's supreme leader confirmed dead; Iranian internet at 1&ndash;4% capacity</p> </td> <td> <p>Retaliation motivation at maximum; state internet degraded but not eliminated</p> </td> </tr> <tr> <td> <p><strong>1 Mar 2026</strong></p> </td> <td> <p>IOCONTROL (QUEUECAT) malware updated in threat intelligence feeds</p> </td> <td> <p>OT/SCADA-targeting malware actively maintained by Iranian operators</p> </td> </tr> <tr> <td> <p><strong>2 
Mar 2026</strong></p> </td> <td> <p>Iranian hackers confirmed using Starlink for C2 resilience</p> </td> <td> <p>Commercial SATCOM bypasses state internet blackout &mdash; offensive operations continue</p> </td> </tr> <tr> <td> <p><strong>2 Mar 2026</strong></p> </td> <td> <p>MuddyWater Operation Olalampo publicly reported</p> </td> <td> <p>Three new AI-assisted malware families confirmed across multiple sources</p> </td> </tr> <tr> <td> <p><strong>3 Mar 2026</strong></p> </td> <td> <p>Trump confirms 4&ndash;5 week campaign; 6 US service members KIA</p> </td> <td> <p>Retaliation window extends to mid-April; Israeli strikes expand to Hezbollah in Lebanon</p> </td> </tr> </tbody> </table> <h2>Threat Analysis: The Actors, the Tools, and the Targets</h2> <h3>1. MuddyWater's New Arsenal (Operation Olalampo)</h3> <p><strong>Actor:</strong> MuddyWater (also tracked as Mango Sandstorm, TEMP.Zagros, UNC3313, UNC5667)</p> <p><strong>Affiliation:</strong> Iran's Ministry of Intelligence and Security (MOIS)</p> <p>MuddyWater has been one of Iran's most prolific cyber espionage groups for years. What's different now: they have new tools, and they appear to be using AI to build them faster.</p> <p><strong>GhostFetch</strong>, <strong>CHAR</strong>, and <strong>HTTP_VIP</strong> are three previously unseen malware families deployed since late January against organizations in the Middle East and North Africa. Targeted sectors include government, financial services, energy, utilities, education, and insurance. The malware has been described as "AI-assisted" &mdash; suggesting the use of large language models to accelerate development and obfuscation.</p> <p><strong>Why this matters to you:</strong> MuddyWater has historically expanded targeting from regional to Western organizations during periods of escalation. The jump from MENA government targets to US and European defense contractors is a matter of weeks, not months. 
AI-assisted development means new variants will arrive faster than your signature updates.</p> <h3>2. The Wiper Arsenal &mdash; 30 Families and Counting</h3> <p><strong>Malware families:</strong> ZeroCleare, Meteor, DEADWOOD, Apostle, BFG Agonizer, MultiLayer, PartialWasher, and approximately two dozen more</p> <p>Iran maintains one of the world's deepest arsenals of destructive wiper malware. These tools are designed to do one thing: destroy data irreversibly. They are not ransomware &mdash; there is no decryption key, no negotiation, no recovery.</p> <p><strong>The critical signal right now is silence.</strong> We are ten days into an active kinetic campaign and no confirmed wiper deployment has been reported against US or allied networks. Historically, Iran deployed the Shamoon wiper within two weeks of major escalations. The current absence likely means one of two things:</p> <ul> <li>Iranian C2 infrastructure is too degraded to coordinate a wiper campaign (the optimistic read), or</li> <li>Iran is deliberately timing deployment for maximum psychological impact &mdash; perhaps to coincide with a major US casualty event or a symbolic date (the concerning read)</li> </ul> <p>With the campaign now extended to 4&ndash;5 weeks, Iran has time to choose its moment. <strong>We assess a 65% probability of wiper deployment against Israeli or Gulf state targets within the next 14 days</strong>, potentially disguised as ransomware for plausible deniability.</p> <h3>3. 
Pre-Positioned Access: The Doors Are Already Open</h3> <p><strong>Actor:</strong> Pioneer Kitten (also tracked as UNC757, Lemon Sandstorm, Fox Kitten)</p> <p><strong>Active CVEs being exploited:</strong></p> <ul> <li><strong>CVE-2023-3519</strong> &mdash; Citrix ADC / NetScaler remote code execution (CVSS 9.8)</li> <li><strong>CVE-2024-21887</strong> &mdash; Ivanti Connect Secure command injection (CVSS 9.1)</li> </ul> <p>Pioneer Kitten has been running a long-duration campaign exploiting these two vulnerabilities to establish persistent access in financial services, healthcare, manufacturing, and telecommunications networks. This group has a documented history of selling access to ransomware operators &mdash; and of acting as an initial access broker for more destructive IRGC operations.</p> <p><strong>The wartime concern:</strong> Access that was established for espionage or monetization can be repurposed for destruction with a single command. If your Ivanti or Citrix appliances are unpatched, assume compromise until proven otherwise.</p> <h3>4. Hacktivist Proxies: Plausible Deniability at Scale</h3> <p><strong>Groups:</strong> Handala, Cyber Toufan, and affiliated clusters</p> <p><strong>Tactics:</strong> DDoS, website defacement, data leaks, cognitive warfare via Telegram</p> <p>Iran's hacktivist proxy ecosystem provides something invaluable to a state under military attack: plausible deniability. These groups operate semi-independently, claim attacks loudly on Telegram, and create noise that complicates attribution.</p> <p>The Forbes reporting that Iranian hackers are using Starlink to maintain operations despite the internet blackout confirms that these groups remain active and capable. <strong>We assess a 70% probability of DDoS and defacement campaigns against US government and defense industrial base websites within the next seven days.</strong></p> <h3>5. 
IOCONTROL: The OT/SCADA Threat</h3> <p><strong>Malware:</strong> IOCONTROL (also tracked as QUEUECAT, OrpraCab)</p> <p><strong>Targets:</strong> Water systems, energy infrastructure, SCADA-connected industrial control systems</p> <p>IOCONTROL is purpose-built to target operational technology environments. It was updated as recently as March 1 in threat intelligence feeds, confirming active maintenance. Combined with fresh CISA ICS advisories for Yokogawa CENTUM VP (ICSA-26-057-09) and Johnson Controls Frick Controls (ICSA-26-057-01), the attack surface is real.</p> <p><strong>We assess a 25% probability of IOCONTROL deployment against US water or energy SCADA systems within 21 days.</strong> The probability is low, but the impact would be catastrophic and the political symbolism &mdash; striking American critical infrastructure during a military campaign &mdash; would be enormous.</p> <h3>6. The Starlink Paradox</h3> <p>This deserves its own section because it represents a genuinely novel development.</p> <p>US and Israeli cyber operations successfully degraded Iran's state internet to 1&ndash;4% capacity. By traditional doctrine, this should have severely degraded Iranian offensive cyber capability. Instead, Iranian operators pivoted to Starlink &mdash; commercial satellite internet made freely available by SpaceX.</p> <p>The same infrastructure enabling Iranian civilians to communicate is enabling Iranian offensive cyber operations. 
This is a strategic irony with immediate tactical consequences: <strong>you cannot assume that degrading a nation's internet degrades its cyber attack capability.</strong> Iranian C2 infrastructure is now resilient against the very operations designed to suppress it.</p> <h2>Predictive Analysis: What Comes Next</h2> <table> <tbody> <tr> <td> <p><strong>Threat Scenario</strong></p> </td> <td> <p><strong>Timeframe</strong></p> </td> <td> <p><strong>Probability</strong></p> </td> <td> <p><strong>Impact</strong></p> </td> </tr> <tr> <td> <p>Hacktivist DDoS and defacement against US government/DIB websites (Handala, Cyber Toufan)</p> </td> <td> <p>7 days</p> </td> <td> <p><strong>70%</strong></p> </td> <td> <p>Moderate &mdash; reputational, operational disruption</p> </td> </tr> <tr> <td> <p>Wiper deployment against Israeli or Gulf state targets, possibly disguised as ransomware (ZeroCleare/Meteor variant)</p> </td> <td> <p>14 days</p> </td> <td> <p><strong>65%</strong></p> </td> <td> <p>Severe &mdash; data destruction, operational paralysis</p> </td> </tr> <tr> <td> <p>MuddyWater Operation Olalampo expands to US/European defense contractors via GhostFetch</p> </td> <td> <p>14 days</p> </td> <td> <p><strong>40%</strong></p> </td> <td> <p>High &mdash; espionage, potential pre-positioning for destructive follow-on</p> </td> </tr> <tr> <td> <p>IOCONTROL deployment against US water/energy SCADA systems</p> </td> <td> <p>21 days</p> </td> <td> <p><strong>25%</strong></p> </td> <td> <p>Critical &mdash; physical safety, national security</p> </td> </tr> <tr> <td> <p>Compromise of military AI/cloud infrastructure (AWS, OpenAI/Anthropic API endpoints)</p> </td> <td> <p>30 days</p> </td> <td> <p><strong>15%</strong></p> </td> <td> <p>Extreme &mdash; intelligence compromise, decision-support degradation</p> </td> </tr> </tbody> </table> <h2>Defense Recommendations</h2> <h3>🔴 Immediate (Today)</h3> <table> <tbody> <tr> <td> <p><strong>Action</strong></p> </td> <td> 
<p><strong>Why</strong></p> </td> </tr> <tr> <td> <p><strong>Block Iranian C2 infrastructure</strong> at all perimeter firewalls: 78.38.30.71, 193.151.151.218, 151.245.110.39. Query SIEM for any historical connections to these IPs.</p> </td> <td> <p>Active, high-confidence C2 on Iranian state telecom &mdash; government-sanctioned operational infrastructure exposed during blackout.</p> </td> </tr> <tr> <td> <p><strong>Emergency patch verification for Ivanti Connect Secure</strong> (CVE-2024-21887) <strong>and Citrix ADC/NetScaler</strong> (CVE-2023-3519).</p> </td> <td> <p>Pioneer Kitten is actively exploiting these vulnerabilities right now. CVSS scores of 9.1 and 9.8 respectively. If unpatched, assume compromise.</p> </td> </tr> <tr> <td> <p><strong>Extend your cyber retaliation watch posture to 42 days</strong> (through mid-April). Communicate this to all partners, subsidiaries, and managed security providers.</p> </td> <td> <p>The 4&ndash;5 week campaign timeline means Iranian motivation for retaliatory cyber operations will be sustained far longer than initially modeled.</p> </td> </tr> <tr> <td> <p><strong>Brief your executive team and board</strong> on the elevated threat environment. Ensure incident response retainers are active and contact trees are current.</p> </td> <td> <p>This is a wartime cyber posture. Decision-makers need to understand that destructive attacks &mdash; not just espionage &mdash; are a realistic near-term scenario.</p> </td> </tr> </tbody> </table> <h3>🟡 Within 7 Days (by March 10)</h3> <table> <tbody> <tr> <td> <p><strong>Action</strong></p> </td> <td> <p><strong>Why</strong></p> </td> </tr> <tr> <td> <p><strong>Deploy behavioral detection rules</strong> for GhostFetch, CHAR, and HTTP_VIP malware families. Prioritize email gateway telemetry for MENA-themed phishing lures and endpoint detection for novel scripting-based payloads.</p> </td> <td> <p>MuddyWater's Operation Olalampo is active and expanding. 
AI-assisted development means signature-based detection alone will not be sufficient.</p> </td> </tr> <tr> <td> <p><strong>Conduct a threat hunt for anomalous satellite-routed traffic</strong> in any forward-deployed or remote network segments.</p> </td> <td> <p>Iranian operators are confirmed using Starlink to bypass the internet blackout. Any environment with SATCOM connectivity is potentially exposed.</p> </td> </tr> <tr> <td> <p><strong>Audit all OT/SCADA environments</strong> against CISA ICS advisories ICSA-26-057-09 (Yokogawa CENTUM VP) and ICSA-26-057-01 (Johnson Controls Frick). Cross-reference with IOCONTROL/QUEUECAT detection signatures.</p> </td> <td> <p>Fresh vulnerabilities in industrial control systems combined with an actively maintained OT-targeting malware family create a convergent risk.</p> </td> </tr> <tr> <td> <p><strong>Validate offline backup integrity</strong> for all critical systems, with specific attention to domain controllers, identity infrastructure, and operational databases.</p> </td> <td> <p>If a wiper lands, your recovery time is determined by the quality of your backups. Test restores now, not during an incident.</p> </td> </tr> </tbody> </table> <h3>🟢 Within 30 Days (by April 2)</h3> <table> <tbody> <tr> <td> <p><strong>Action</strong></p> </td> <td> <p><strong>Why</strong></p> </td> </tr> <tr> <td> <p><strong>Commission a red team exercise</strong> simulating an Iranian wiper attack: initial access via compromised Ivanti VPN, lateral movement through Windows domain, deployment of a ZeroCleare/Meteor-style wiper. Test detection, containment, and recovery.</p> </td> <td> <p>You need to know &mdash; before it happens &mdash; whether your defenses can detect and contain a wiper before it executes. 
The exercise should include your incident response plan, communication protocols, and backup restoration procedures.</p> </td> </tr> <tr> <td> <p><strong>Develop a collection and monitoring plan for military AI/cloud dependencies.</strong> Specifically: monitor for adversary reconnaissance against cloud API endpoints, establish traffic baselines for cloud regions serving your operations, and assess data poisoning risk to any AI-assisted decision-support systems.</p> </td> <td> <p>This is the emerging attack surface that no one is adequately covering. The intersection of military AI dependence and Iranian offensive capability is a gap that adversaries will eventually find.</p> </td> </tr> <tr> <td> <p><strong>Tabletop exercise with senior leadership:</strong> Scenario &mdash; simultaneous wiper attack on your network and DDoS against public-facing services during a period of heightened media attention on the conflict. Test decision-making under pressure, public communications, and coordination with government partners (CISA, FBI, sector ISAC).</p> </td> <td> <p>The most likely Iranian playbook combines destructive and disruptive attacks for maximum psychological impact. Your leadership needs to have rehearsed this scenario before it arrives.</p> </td> </tr> </tbody> </table> <h2>The Bottom Line</h2> <p>We are in the early days of what will be a sustained, multi-week period of elevated Iranian cyber threat activity. The kinetic campaign is escalating, not de-escalating. Iranian operators have demonstrated they can maintain offensive capability despite massive infrastructure degradation. New malware is already deployed and expanding. The wiper arsenal is loaded and the deployment window is wide open.</p> <p>The historical pattern is unambiguous: every major kinetic escalation with Iran has been followed by retaliatory cyber operations. 
The question is not <em>whether</em> &mdash; it is <em>when</em>, <em>where</em>, and <em>how destructive</em>.</p> <p>The organizations that will weather this period are the ones that act now: patch the known doors (Ivanti, Citrix), hunt for pre-existing access, validate their ability to survive a wiper, and extend their watch posture through mid-April. The organizations that treat this as routine will be the ones in the incident response retainer queue.</p> <p>The next six weeks will test whether our cyber defenses are as ready as our kinetic ones. Make sure yours are.</p> <p><em>Anomali Threat Research provides continuous threat intelligence monitoring and analysis. For questions about this assessment or to request tailored indicators of compromise for your environment, contact your Anomali representative.</em></p>
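<p>As an added example (not Anomali's code or tooling), the Python below carries out the SIEM check from the Immediate actions table above: it scans exported firewall and proxy logs for connections to the three listed C2 addresses and summarises hit count, first seen, last seen and internal peer hosts per address, matching IPs as whole tokens so that a constructed look-alike such as 178.38.30.71 is not mistaken for 78.38.30.71. The log lines and the two export formats are constructed assumptions.</p>

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Added example, not Anomali tooling. Watchlist = the three addresses from the
# briefing's "Immediate" recommendations table.
C2_WATCHLIST = {"78.38.30.71", "193.151.151.218", "151.245.110.39"}

# Whole-token IPv4 match: the lookarounds keep a look-alike such as
# 178.38.30.71 from being read as 78.38.30.71, which a plain grep would do.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")

# Constructed sample lines (not real telemetry) in two assumed export shapes:
# iptables-style syslog and a proxy CSV (timestamp,host,src,dst,port,method,action).
SAMPLE_LOGS = [
    "2026-02-27T14:02:11Z fw01 kernel: IN=eth1 OUT=eth0 SRC=10.20.4.17 DST=78.38.30.71 PROTO=TCP DPT=443",
    "2026-02-27T14:02:12Z fw01 kernel: IN=eth1 OUT=eth0 SRC=10.20.4.17 DST=178.38.30.71 PROTO=TCP DPT=443",
    "2026-03-01T03:15:40Z,proxy02,10.20.9.3,151.245.110.39,8080,CONNECT,TCP_TUNNEL",
    "2026-03-01T03:16:02Z,proxy02,10.20.9.3,151.245.110.39,8080,CONNECT,TCP_TUNNEL",
    "2026-03-02T22:48:09Z fw01 kernel: IN=eth1 OUT=eth0 SRC=10.20.4.88 DST=93.184.216.34 PROTO=TCP DPT=443",
]

def extract_ips(line):
    """Valid IPv4 addresses in a line, matched as whole tokens."""
    ips = []
    for tok in IPV4_RE.findall(line):
        try:
            ips.append(str(ipaddress.IPv4Address(tok)))
        except ipaddress.AddressValueError:
            continue  # octet out of range, e.g. a version string like 1.2.3.999
    return ips

def hunt(lines, watchlist=C2_WATCHLIST):
    """Per watchlisted address: hit count, first/last seen, internal peer hosts."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None,
                                "last_seen": None, "internal_hosts": set()})
    for line in lines:
        ips = extract_ips(line)
        matched = [ip for ip in ips if ip in watchlist]
        if not matched:
            continue
        m = TS_RE.match(line)
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S") if m else None
        internal = {ip for ip in ips if ipaddress.IPv4Address(ip).is_private}
        for c2 in matched:
            rec = hits[c2]
            rec["count"] += 1
            rec["internal_hosts"] |= internal
            if ts is not None:
                rec["first_seen"] = min(filter(None, [rec["first_seen"], ts]))
                rec["last_seen"] = max(filter(None, [rec["last_seen"], ts]))
    return dict(hits)

def substring_false_positives(lines, watchlist=C2_WATCHLIST):
    """Lines a naive substring grep would flag that whole-token matching does not."""
    return [l for l in lines
            if any(ip in l for ip in watchlist) and not set(extract_ips(l)) & watchlist]
```

<p>Run <code>hunt(SAMPLE_LOGS)</code> against a real export by replacing the sample list with the lines from your SIEM; any address that appears in the result warrants the "assume compromise" handling the table describes.</p>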
