The Silent Countdown: Iran's Cyber Operations Enter a Dangerous Steady State While Critical Blind Spots Grow

Anomali Threat Research

Published on

May 20, 2026

Table of Contents

Threat Assessment Level: ELEVATED Maintained from prior cycle. Iranian APT operations continue at steady tempo with expanding infrastructure, new ICS/OT vulnerabilities align with established targeting doctrine, and the longest-running intelligence gap — dormant access in defense-industrial networks — now exceeds 41 days without detection. <h2> Introduction </h2> Eighty-one days into the 2026 Iran conflict, the cyber dimension has settled into a pattern that should alarm every security leader: steady, professional, and increasingly invisible . The explosive hacktivist attacks and headline-grabbing ICS compromises of the conflict's early weeks have given way to something far more dangerous — mature state APT operations running at consistent tempo, shared Russian-Iranian infrastructure quietly expanding, and critical SCADA vulnerabilities emerging that map precisely to Iran's demonstrated targeting playbook. The most important signal today isn't what we can see. It's what we can't. Iranian pre-positioning in defense-industrial base (DIB) networks has produced zero detectable activity for 41 consecutive days. For dormant access designed to activate during a crisis escalation, silence is not absence — it's readiness. <h2> What Changed (Last 72 Hours) </h2> <table> <thead> <tr> <th> Development </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> ScadaBR critical RCE disclosed (CVE-2026-8602, CVE-2026-8603) — unauthenticated root access + sensor data injection in open-source SCADA </td> <td> Directly aligns with Iranian proxy targeting doctrine (Unitronics, fuel ATGs). No exploitation yet, but weaponization timeline is short for unauth RCE. </td> </tr> <tr> <td> ASN 213790 infrastructure refresh confirmed — APT28 + Cactus ransomware + SystemBC proxy now co-resident on Iranian hosting </td> <td> Russia-Iran cyber cooperation infrastructure continues expanding. 60+ days of confirmed shared hosting. </td> </tr> <tr> <td> APT42 campaign updated (May 19) — BELLACIAO/SHELLAFEL backdoors targeting energy, government, healthcare, manufacturing across 4 countries </td> <td> Campaign metadata refreshed but zero new IOCs published — suggests faster infrastructure rotation or improved operational security. </td> </tr> <tr> <td> Siemens RUGGEDCOM APE1808 vulnerability — PAN-OS buffer overflow on ruggedized military/industrial network appliances </td> <td> Expands attack surface for industrial network edge devices deployed in military and energy environments. </td> </tr> <tr> <td> UNC3890 (Imperial Kitten) updated (May 18) — Iran-nexus actor targeting Israeli government, logistics, shipping, energy, healthcare </td> <td> Corroborates broad Iranian APT reactivation pattern alongside APT42. </td> </tr> <tr> <td> PIR-007 (DIB pre-positioning) now QUIET 41 days </td> <td> Longest-running intelligence gap. Dormant access produces no signals by design — cumulative risk increases daily. </td> </tr> </tbody> </table> <h2> Conflict Cyber Timeline (Selected Events, Feb 28 – May 20, 2026) </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Actor/Attribution </th> </tr> </thead> <tbody> <tr> <td> Feb 28 </td> <td> Conflict begins; initial Iranian cyber operations launched </td> <td> Multiple Iranian state actors </td> </tr> <tr> <td> Mar 11 </td> <td> Destructive wiper attack destroys 200,000+ endpoints </td> <td> Handala / Void Manticore (IRGC) </td> </tr> <tr> <td> ~Apr 9 </td> <td> Last confirmed DIB pre-positioning activity detected </td> <td> Pioneer Kitten / Fox Kitten (MOIS) </td> </tr> <tr> <td> May 14–17 </td> <td> APT28 activates 5 new IPs on ASN 213790 (Tehran) </td> <td> APT28 (GRU Unit 26165) </td> </tr> <tr> <td> May 15 </td> <td> UNC5187 actor profile updated </td> <td> Iran-nexus (MOIS-linked) </td> </tr> <tr> <td> May 18 </td> <td> CyberAv3ngers compromise U.S. fuel ATG systems via CVE-2026-1340 </td> <td> Ababil of Minab / CyberAv3ngers (IRGC) </td> </tr> <tr> <td> May 18 </td> <td> UNC5858 (Black Shadow) refreshes spear-phishing infrastructure </td> <td> MOIS-linked </td> </tr> <tr> <td> May 18 </td> <td> UNC3890 (Imperial Kitten) activity update </td> <td> IRGC-affiliated </td> </tr> <tr> <td> May 19 </td> <td> APT42 BELLACIAO/SHELLAFEL campaign updated — multi-sector targeting </td> <td> APT42 / Charming Kitten (IRGC-IO) </td> </tr> <tr> <td> May 19 </td> <td> CISA discloses ScadaBR RCE (CVE-2026-8602/8603) </td> <td> N/A — vulnerability disclosure </td> </tr> <tr> <td> May 19 </td> <td> CISA discloses Siemens RUGGEDCOM APE1808 PAN-OS vuln </td> <td> N/A — vulnerability disclosure </td> </tr> <tr> <td> May 20 </td> <td> ASN 213790 infrastructure refresh confirmed — APT28 + SystemBC + Cactus co-tenancy </td> <td> APT28 + ransomware affiliates on Iranian hosting </td> </tr> </tbody> </table> <h2> Key Threat Analysis </h2> <h3> 1. Russia-Iran Infrastructure Convergence Is Now Operational Reality </h3> ASN 213790 ("Limited Network," Tehran) has evolved from a curiosity into a confirmed multi-actor staging ground. Intelligence confirms simultaneous presence of: <ul> <li> APT28 (Fancy Bear / GRU Unit 26165) — Russian military intelligence </li> <li> Cactus — ransomware operation </li> <li> SystemBC — proxy malware used by ransomware affiliates </li> </ul> This is not coincidental co-hosting. The same /24 IP blocks host state espionage tools alongside criminal ransomware infrastructure, providing both parties with attribution confusion and plausible deniability. Any network traffic to or from ASN 213790 should be treated as hostile regardless of which specific actor is attributed. Key IOCs (confidence 90–100): <ul> <li> 185.93.89[.]79 — Cactus/APT (confidence 93) </li> <li> 185.93.89[.]43 — Cactus/APT/Command Injection (confidence 96) </li> <li> 192.253.248[.]52 — APT28 C2 (confidence 90) </li> <li> 192.253.248[.]55 — APT28 C2 (confidence 90) </li> <li> 185.93.89[.]143 — SystemBC proxy (confidence 100) </li> <li> 185.93.89[.]150 — SystemBC proxy (confidence 100) </li> </ul> <h3> 2. ScadaBR: The Next Unitronics </h3> CVE-2026-8603 allows unauthenticated OS command injection as root on ScadaBR v1.2.0, an open-source SCADA HMI platform. CVE-2026-8602 allows unauthenticated injection of arbitrary sensor readings — meaning an attacker can make operators see whatever the attacker wants them to see. Why this matters for the Iran conflict: Iranian proxy groups (CyberAv3ngers, Ababil of Minab) have repeatedly demonstrated preference for "soft" ICS targets — systems with weak authentication, internet exposure, and limited monitoring. The Unitronics PLC attacks of 2023 and the fuel ATG compromise of May 18, 2026 (CVE-2026-1340) follow the same pattern. ScadaBR deployments in smaller utilities, research facilities, and developing-nation infrastructure are the most probable next targets. <h3> 3. APT42's Invisible Campaign </h3> APT42 (Charming Kitten / Mint Sandstorm / TA453) updated its BELLACIAO and SHELLAFEL backdoor campaign on May 19, targeting chemical, energy, government, healthcare, manufacturing, and non-profit sectors across four countries. The concerning development: the campaign was refreshed without any new IOCs being published. This indicates either: <ul> <li> Infrastructure rotation faster than intelligence collection cycles </li> <li> Deliberate compartmentalization of indicators from campaign metadata </li> <li> Maturation of operational security practices </li> </ul> For defenders, this means IOC-based detection is increasingly insufficient against APT42. Detection must shift to behavioral and TTP-based approaches — monitoring for OAuth token abuse ( T1528 ), MFA fatigue attacks ( T1621 ), and anomalous cloud account usage ( T1078.004 ). <h3> 4. The 41-Day Silence: DIB Pre-Positioning </h3> Pioneer Kitten (Fox Kitten / UNC6446 / Refined Kitten) — the MOIS-linked actor responsible for pre-positioning in defense-industrial base contractor networks — has produced zero detectable signals for 41 consecutive days. This is the highest-consequence blind spot in the current threat landscape. Pre-positioned dormant access is, by definition, invisible to passive collection. The actor has already demonstrated capability to exploit Ivanti, Citrix, and VPN infrastructure for initial access. The silence does not indicate the threat has passed — it indicates the access is waiting for activation, likely tied to a conflict escalation trigger. <h2> Predictive Analysis </h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability (72-hour) </th> <th> Rationale </th> </tr> </thead> <tbody> <tr> <td> Iranian APT tempo remains steady (APT42, UNC3890 continue espionage) </td> <td> 70% </td> <td> Consistent with 81-day pattern; no escalation triggers detected </td> </tr> <tr> <td> APT28 leverages ASN 213790 infrastructure for new campaign </td> <td> 25% (7-day) </td> <td> Infrastructure refresh suggests preparation; NetSup RAT deployment to agriculture sector may be early indicator </td> </tr> <tr> <td> Hacktivist groups break silence with coordinated attack/claim </td> <td> 20% </td> <td> Current quiet period exceeds historical average (7–14 days between major claims); pressure builds for demonstration effect </td> </tr> <tr> <td> ScadaBR exploitation attempt by Iranian proxy </td> <td> 15% (7-day) </td> <td> Unauth RCE + sensor injection is too aligned with CyberAv3ngers doctrine to ignore; weaponization timeline for simple vulns is typically 7–21 days </td> </tr> <tr> <td> PIR-007 activation — dormant DIB access leveraged </td> <td> 10% per cycle </td> <td> Low per-day probability but cumulative risk is substantial; any conflict escalation could trigger </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Detection Priorities </h3> <table> <thead> <tr> <th> ATT&CK Technique </th> <th> Detection Approach </th> <th> Context </th> </tr> </thead> <tbody> <tr> <td> T1190 (Exploit Public-Facing App) </td> <td> Monitor ScadaBR, Ivanti vTM (CVE-2026-8051), RUGGEDCOM for exploitation attempts </td> <td> All three disclosed this cycle; Iranian actors historically weaponize within days </td> </tr> <tr> <td> T1059 (Command & Scripting Interpreter) </td> <td> Alert on command execution from ScadaBR web interface; correlate with ASN 213790 source IPs </td> <td> CVE-2026-8603 enables root shell; APT28 IOCs tagged with T1059 </td> </tr> <tr> <td> T1071 (Application Layer Protocol C2) </td> <td> Monitor for beaconing to 192.253.248[.]52 and 192.253.248[.]55 </td> <td> APT28 C2 infrastructure on Iranian ASN </td> </tr> <tr> <td> T1090 (Proxy) </td> <td> Detect SystemBC proxy connections to 185.93.89[.]143 and 185.93.89[.]150 </td> <td> Confidence 100; enables C2 tunneling for ransomware and APT operations </td> </tr> <tr> <td> T1528 (Steal Application Access Token) </td> <td> Monitor Entra ID audit logs for anomalous OAuth token grants, especially device-code flow abuse </td> <td> APT42 primary initial access technique; OAuth phishing bulletin confirms active exploitation </td> </tr> <tr> <td> T1621 (MFA Request Generation) </td> <td> Alert on >3 MFA push notifications to single user within 10 minutes </td> <td> APT42 known TTP for bypassing MFA </td> </tr> <tr> <td> T1565.002 (Transmitted Data Manipulation) </td> <td> Monitor SCADA sensor readings for impossible value changes or readings outside physical bounds </td> <td> CVE-2026-8602 enables arbitrary sensor injection — integrity monitoring is the only detection </td> </tr> <tr> <td> T1078.004 (Cloud Accounts) </td> <td> Baseline normal OAuth application consent patterns; alert on new high-privilege app registrations </td> <td> APT42 BELLACIAO campaign leverages cloud account compromise </td> </tr> </tbody> </table> <h3> Hunting Hypotheses </h3> <ul> <li> Hunt: Pioneer Kitten dormant VPN access — Query VPN authentication logs for connections from known Pioneer Kitten IP ranges, unusual geographic login patterns to contractor VPN, or dormant service accounts with recent authentication. Focus on Ivanti, Citrix, and Fortinet VPN appliances. </li> </ul> <ul> <li> Hunt: ScadaBR internet exposure — Scan internal asset inventory for ScadaBR v1.2.0 deployments. Cross-reference with external attack surface management for any internet-facing instances. Any exposed instance is presumed compromised given the unauth RCE. </li> </ul> <ul> <li> Hunt: OAuth device-code abuse — Query Entra ID sign-in logs for grant_type=urn:ietf:params:oauth:grant-type:device_code with unusual client IDs or from unexpected geographic locations. </li> </ul> <ul> <li> Hunt: ASN 213790 historical connections — Query 90-day netflow/firewall logs for any historical connections to the 185.93.89[.]0/24 and 192.253.248[.]0/24 ranges. Any hit warrants full incident investigation. </li> </ul> <h3> Blocking Guidance </h3> Block the following at perimeter firewalls, proxy, and EDR: <table> <thead> <tr> <th> Type </th> <th> Value </th> <th> Context </th> </tr> </thead> <tbody> <tr> <td> IPv4 </td> <td> 185.93.89[.]79 </td> <td> Cactus/APT infrastructure (ASN 213790) </td> </tr> <tr> <td> IPv4 </td> <td> 185.93.89[.]43 </td> <td> Cactus/APT/Command Injection (ASN 213790) </td> </tr> <tr> <td> IPv4 </td> <td> 192.253.248[.]52 </td> <td> APT28 C2 (ASN 213790) </td> </tr> <tr> <td> IPv4 </td> <td> 192.253.248[.]55 </td> <td> APT28 C2 (ASN 213790) </td> </tr> <tr> <td> IPv4 </td> <td> 185.93.89[.]143 </td> <td> SystemBC proxy (ASN 213790) </td> </tr> <tr> <td> IPv4 </td> <td> 185.93.89[.]150 </td> <td> SystemBC proxy (ASN 213790) </td> </tr> <tr> <td> IPv4 </td> <td> 185.93.89[.]154 </td> <td> Bot infrastructure (ASN 213790) </td> </tr> <tr> <td> IPv4 </td> <td> 185.93.89[.]167 </td> <td> DDoS/brute-force (ASN 213790, lower confidence) </td> </tr> </tbody> </table> Additional IOCs for the campaigns discussed in this report are available through Anomali ThreatStream and partner feeds. <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> <ul> <li> Primary threat: APT42 credential harvesting via OAuth abuse targeting cloud banking platforms; Cactus ransomware leveraging shared Iranian infrastructure for deniable extortion </li> <li> Action: Audit all third-party OAuth application consents in Entra ID/Azure AD. Revoke any applications with Mail.Read, Files.ReadWrite.All, or Directory.Read.All permissions that were not explicitly approved. Implement conditional access policies requiring compliant devices for OAuth token grants. </li> <li> Monitor: Anomalous wire transfer approval workflows following credential compromise; MFA fatigue attacks against treasury staff </li> </ul> <h3> Energy </h3> <ul> <li> Primary threat: ScadaBR exploitation (CVE-2026-8602/8603) at smaller utilities; RUGGEDCOM APE1808 compromise at substations and pipeline SCADA; CyberAv3ngers targeting fuel distribution systems </li> <li> Action: Immediately inventory all ScadaBR deployments and isolate from network. Verify RUGGEDCOM firmware versions against Siemens advisory. Ensure all Veeder-Root ATG systems are patched against CVE-2026-1340. Implement unidirectional gateways for SCADA sensor data where feasible. </li> <li> Monitor: Sensor reading anomalies that could indicate T1565.002 (data manipulation); unexpected commands to PLCs/RTUs from non-standard source IPs </li> </ul> <h3> Healthcare </h3> <ul> <li> Primary threat: APT42 BELLACIAO/SHELLAFEL campaign explicitly targets healthcare sector; UNC3890 (Imperial Kitten) targets healthcare in Israel and allied nations; ransomware via SystemBC proxy infrastructure </li> <li> Action: Segment clinical networks from administrative IT. Ensure medical device firmware is current. Implement application allowlisting on systems managing patient data. Review all remote access pathways for clinical engineering staff. </li> <li> Monitor: Lateral movement from compromised email accounts to clinical systems; unusual PowerShell execution on healthcare information systems </li> </ul> <h3> Government </h3> <ul> <li> Primary threat: APT42 multi-sector espionage campaign; APT28 leveraging Iranian infrastructure for government targeting; UNC3890 targeting government entities; building management system compromise (Kieback & Peter DDC) enabling physical security bypass </li> <li> Action: Audit building automation/HVAC controllers for internet exposure. Implement network segmentation between BMS and classified networks. Enforce hardware security keys (FIDO2) for all privileged accounts — MFA push notifications are insufficient against T1621 . </li> <li> Monitor: Anomalous BMS controller commands; OAuth consent grants from government email accounts to unrecognized applications; VPN authentications from unexpected geographies </li> </ul> <h3> Aviation / Logistics </h3> <ul> <li> Primary threat: UNC3890 (Imperial Kitten) explicitly targets logistics and shipping sectors; Pioneer Kitten pre-positioning in aerospace/DIB contractor networks; supply chain compromise via fake GitHub repositories </li> <li> Action: Audit all GitHub repositories used in CI/CD pipelines — verify contributor identities and pin actions to commit SHAs. Review VPN access logs for aerospace contractor accounts with 30+ days of inactivity (potential dormant access). Implement code signing requirements for all software deployed to operational systems. </li> <li> Monitor: Unusual data exfiltration patterns from PLM systems; new SSH keys added to contractor accounts; GitHub Actions running from forked repositories </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> SOC </td> <td> Block all ASN 213790 IOCs listed above at perimeter firewalls, DNS sinkholes, and EDR network policies </td> </tr> <tr> <td> 2 </td> <td> IT Ops / OT Security </td> <td> Identify and isolate ALL ScadaBR v1.2.0 deployments — CVE-2026-8603 enables unauthenticated root RCE with no workaround available </td> </tr> <tr> <td> 3 </td> <td> SOC </td> <td> Deploy detection for OAuth device-code flow abuse in Entra ID audit logs — alert on grant_type=device_code from unexpected client IDs or geolocations </td> </tr> <tr> <td> 4 </td> <td> SOC </td> <td> Validate SCADA sensor integrity monitoring is active — CVE-2026-8602 enables silent sensor data manipulation that bypasses traditional network detection </td> </tr> </tbody> </table> <h3> 7-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 5 </td> <td> IT Ops </td> <td> Patch Ivanti Virtual Traffic Manager to version 22.9r4+ addressing CVE-2026-8051 (CVSS 7.2, authenticated RCE) — Pioneer Kitten has documented history of Ivanti exploitation </td> </tr> <tr> <td> 6 </td> <td> IT Ops </td> <td> Verify Siemens RUGGEDCOM APE1808 firmware is current per ICSA-26-139-02 — PAN-OS Captive Portal buffer overflow affects military/industrial network appliances </td> </tr> <tr> <td> 7 </td> <td> Identity/IAM </td> <td> Audit all OAuth application consents across Entra ID tenant — revoke high-privilege grants not explicitly approved; implement admin consent workflow </td> </tr> <tr> <td> 8 </td> <td> SOC </td> <td> Implement behavioral detection for APT42 TTPs: spearphishing with credential harvesting ( T1566.001 /002), token theft ( T1528 ), and MFA bombing ( T1621 ) — IOC-based detection is no longer sufficient </td> </tr> </tbody> </table> <h3> 30-DAY </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 9 </td> <td> CISO </td> <td> Authorize and fund proactive threat hunt for Pioneer Kitten / Fox Kitten dormant access in DIB/aerospace contractor VPN infrastructure — 41 days of silence on the highest-consequence pre-positioning threat requires active investigation, not passive monitoring </td> </tr> <tr> <td> 10 </td> <td> CISO / IR </td> <td> Conduct tabletop exercise simulating simultaneous ICS/OT disruption (ScadaBR/ATG) + ransomware (Cactus via SystemBC) + espionage disclosure (APT42 data theft) — test organizational response to multi-vector Iranian cyber escalation </td> </tr> <tr> <td> 11 </td> <td> SOC / Engineering </td> <td> Evaluate and deploy redundant OSINT collection source — current primary source returned zero results across 12 queries this cycle, indicating degradation. Add Telegram-based collection for hacktivist monitoring </td> </tr> <tr> <td> 12 </td> <td> IT Ops / OT Security </td> <td> Implement unidirectional security gateways (data diodes) for all SCADA sensor data paths — eliminates the sensor injection attack class (CVE-2026-8602) at the architectural level </td> </tr> </tbody> </table> <h2> Closing </h2> Eighty-one days into this conflict, the most dangerous phase of Iranian cyber operations may not be the explosive attacks we've already witnessed — it's the quiet professional work happening now. APT42 is running campaigns without leaving IOCs. Pioneer Kitten's dormant access sits undetected in defense networks. Russian and Iranian intelligence services share infrastructure with ransomware operators to blur attribution. The ScadaBR vulnerabilities disclosed this week are a countdown timer. Iranian proxy groups have demonstrated — repeatedly — that they will exploit unpatched, internet-facing ICS systems within days of disclosure. The question is not whether CVE-2026-8603 will be weaponized, but whether your ScadaBR instances will be isolated before it happens. Three actions that cannot wait: <ul> <li> Block ASN 213790 infrastructure today. </li> </ul> <ul> <li> Find and isolate every ScadaBR deployment in your environment today. </li> </ul> <ul> <li> Authorize the Pioneer Kitten threat hunt this week — 41 days of silence on pre-positioned access is not reassurance, it's a warning. </li> </ul> The adversary is patient. Your response cannot afford to be. Published 2026-05-20 by the Anomali CTI Desk. Intelligence derived from CISA ICS-CERT advisories, Anomali ThreatStream, and open-source collection. For IOC feeds, detection signatures, and analyst consultation, contact your Anomali representative.

FEATURED RESOURCES

May 20, 2026

Anomali Cyber Watch