<p><strong>Threat Assessment Level: CRITICAL</strong></p>
<p><em>The ceasefire between the United States and Iran is now 53 days old. In the physical world, it is already fracturing — an IRGC gunboat fired on a container ship in the Strait of Hormuz hours after a ceasefire extension was announced. In cyberspace, the ceasefire never existed at all.</em></p>
<p>Three independent investigations — from the <em>New York Times</em>, <em>Yahoo News</em>, and <em>Fast Company</em> — have converged on the same conclusion: Iranian state-sponsored cyber operations have continued without pause throughout ceasefire negotiations. Tehran's digital warriors are not standing down. They are pre-positioning, probing, and preparing for what comes next.</p>
<p>For CISOs responsible for critical infrastructure, defense industrial base organizations, energy systems, or government networks, the message is stark: <strong>the diplomatic calendar is irrelevant to your threat model.</strong> The cyber threat from Iran is at its highest sustained level since the conflict began on February 28, 2026, and the kinetic escalation on April 22 has started a 48–72 hour countdown during which retaliatory cyber operations are historically most likely.</p>
<p>This blog provides the latest intelligence, specific threat actor activity, and concrete defensive actions your teams should take — today, this week, and this month.</p>
<h2><strong>What Changed </strong></h2>
<p>The past 72 hours have produced six developments that collectively raise the threat posture:</p>
<table> <thead> <tr> <th> <p>Date</p> </th> <th> <p>Event</p> </th> <th> <p>Significance</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>22 Apr 2026</strong></p> </td> <td> <p>IRGC gunboat fires on Liberian-flagged container ship off Oman coast, causing heavy bridge damage</p> </td> <td> <p>Ceasefire is functionally collapsing. Historical pattern: Iranian cyber operations spike 24–72 hours after kinetic escalation</p> </td> </tr> <tr> <td> <p><strong>22 Apr 2026</strong></p> </td> <td> <p>Censys research confirms <strong>5,219 internet-exposed Rockwell Allen-Bradley PLCs</strong> globally, 74.6% in the U.S. — Iranian actors confirmed using legitimate vendor tools to manipulate SCADA displays</p> </td> <td> <p>Transforms theoretical OT risk into a quantified, actionable crisis. Operational disruption and financial losses already occurring</p> </td> </tr> <tr> <td> <p><strong>22 Apr 2026</strong></p> </td> <td> <p>UNC1549 (Imperial Kitten / TA455 / Smoke Sandstorm) actor profile updated — active aerospace targeting via fake GitHub resume lures</p> </td> <td> <p>First confirmed defense industrial base pre-positioning activity in 43 days. 
IRGC-linked espionage against aerospace is live</p> </td> </tr> <tr> <td> <p><strong>21 Apr 2026</strong></p> </td> <td> <p>MOIS-operated <strong>MuddyWater</strong> registers fresh DinDoor/DinoDance C2 infrastructure and goes operationally silent — assessed as infrastructure rotation preceding activation</p> </td> <td> <p>The most active MOIS cyber espionage group going quiet during active hostilities is anomalous and historically precedes operational surges</p> </td> </tr> <tr> <td> <p><strong>21 Apr 2026</strong></p> </td> <td> <p>CISA publishes <strong>12 ICS advisories</strong> in a single batch, including Siemens SINEC NMS authentication bypass and SCALANCE wireless vulnerabilities</p> </td> <td> <p>Network management and industrial wireless platforms used across OT environments now have remotely exploitable flaws</p> </td> </tr> <tr> <td> <p><strong>19 Apr 2026</strong></p> </td> <td> <p>UNC5866 (Emennet Pasargad) last observed deploying wipers against Israeli targets while masquerading as ESET; Homeland Justice, Karma, and Handala confirmed as unified MOIS operation ("Void Manticore")</p> </td> <td> <p>Iran's wiper arsenal is loaded and aimed. Restraint is holding but assessed as fragile under current kinetic pressure</p> </td> </tr> </tbody>
</table>
<h2><strong>Conflict and Threat Timeline </strong></h2>
<p>The following timeline captures the key cyber and kinetic events since the conflict began, illustrating how physical escalation and cyber operations are interleaved:</p>
<table> <thead> <tr> <th> <p>Date</p> </th> <th> <p>Event</p> </th> <th> <p>Domain</p> </th> </tr> </thead> <tbody> <tr> <td> <p>28 Feb 2026</p> </td> <td> <p>U.S. begins major combat operations against Iran</p> </td> <td> <p>Kinetic</p> </td> </tr> <tr> <td> <p>Mar 2026 (ongoing)</p> </td> <td> <p>Iranian actors begin causing operational disruption and financial loss via PLC manipulation</p> </td> <td> <p>Cyber</p> </td> </tr> <tr> <td> <p>07 Apr 2026</p> </td> <td> <p>Reuters confirms Russia providing satellite ISR and cyber support to Iran; APT28 (GRU) infrastructure observed on Iranian ASN 213790</p> </td> <td> <p>Cyber / Geopolitical</p> </td> </tr> <tr> <td> <p>08 Apr 2026</p> </td> <td> <p>SecurityWeek reports on Iranian OT targeting campaigns</p> </td> <td> <p>Cyber</p> </td> </tr> <tr> <td> <p>13 Apr 2026</p> </td> <td> <p><em>Fast Company</em>: "Why the Iran Cyberattack Everyone Warned About Hasn't Really Happened Yet" — documents ongoing below-threshold operations</p> </td> <td> <p>Cyber / OSINT</p> </td> </tr> <tr> <td> <p>16 Apr 2026</p> </td> <td> <p><em>New York Times</em>: "Iran's Hackers Haven't Logged Off" — confirms digital operations continue during ceasefire</p> </td> <td> <p>Cyber / OSINT</p> </td> </tr> <tr> <td> <p>17 Apr 2026</p> </td> <td> <p>CISA Advisory AA26-097A confirms IRGC-affiliated <strong>CyberAv3ngers</strong> actively exploiting Rockwell/Allen-Bradley PLCs; TRK25-ADVANCED malware deployed beyond reconnaissance into active process interference</p> </td> <td> <p>Cyber</p> </td> </tr> <tr> <td> <p>17–21 Apr 2026</p> </td> <td> <p>APT42 (Charming Kitten) credential harvesting campaigns updated — no new IOCs but infrastructure refreshed</p> </td> <td> <p>Cyber</p> </td> </tr> <tr> <td> <p>18 Apr 2026</p> </td> <td> <p><em>Yahoo News</em>: "A Ceasefire That Ignores Cyber Is Not a Real Ceasefire"</p> </td> <td> <p>OSINT</p> </td> </tr> <tr> <td> <p>19 Apr 2026</p> </td> <td> <p>UNC5866 (Emennet Pasargad) last IOC observed — wiper and 
IO operations against Israeli targets via ESET masquerade campaign</p> </td> <td> <p>Cyber</p> </td> </tr> <tr> <td> <p>21 Apr 2026</p> </td> <td> <p>MOIS-operated <strong>MuddyWater</strong> registers fresh DinDoor/DinoDance C2 infrastructure; analysts confirm Homeland Justice, Karma, and Handala are a unified MOIS operation ("Void Manticore")</p> </td> <td> <p>Cyber</p> </td> </tr> <tr> <td> <p>21 Apr 2026</p> </td> <td> <p>CISA publishes 12 ICS advisories (Siemens SINEC NMS, SCALANCE, RUGGEDCOM, SenseLive, EV chargers)</p> </td> <td> <p>Vulnerability</p> </td> </tr> <tr> <td> <p>22 Apr 2026</p> </td> <td> <p>IRGC gunboat fires on container ship in Strait of Hormuz hours after ceasefire extension announced</p> </td> <td> <p>Kinetic</p> </td> </tr> <tr> <td> <p>22 Apr 2026</p> </td> <td> <p>Censys confirms 5,219 internet-exposed Rockwell PLCs; 62% via cellular modems</p> </td> <td> <p>Cyber / Exposure</p> </td> </tr> <tr> <td> <p>22 Apr 2026</p> </td> <td> <p>UNC1549 (Imperial Kitten / TA455) confirmed targeting aerospace via fake GitHub resume lures</p> </td> <td> <p>Cyber</p> </td> </tr> </tbody>
</table>
<h2><strong>Key Threat Analysis </strong></h2>
<h3><strong>1. The Rockwell PLC Crisis: 5,219 Exposed Devices, Most Beyond Your SOC's Visibility</strong></h3>
<p>The single most actionable finding this cycle is the Censys quantification of internet-exposed Rockwell Automation Allen-Bradley PLCs. The numbers are sobering:</p>
<ul> <li><strong>5,219 devices</strong> exposed to the internet globally, <strong>74.6% in the United States</strong></li> <li><strong>49.1%</strong> connected via <strong>Verizon cellular modems</strong>, 13.3% via AT&T — field-deployed devices using consumer cellular as their sole internet path</li> <li><strong>24 hosts on Starlink</strong> — satellite-connected ICS that is effectively unmonitorable by most defenders</li> <li><strong>771 instances of VNC</strong> exposed (direct HMI remote desktop access)</li> <li><strong>280 instances of Telnet</strong> — cleartext legacy protocol on internet-facing OT</li> <li><strong>530 instances of SSH</strong> exposed as remote access pathways</li>
</ul>
<p>Iranian-affiliated actors — specifically the IRGC-linked <strong>CyberAv3ngers</strong> — are confirmed using <strong>legitimate vendor software</strong> (Rockwell Studio 5000 Logix Designer) to interact with project files and manipulate HMI/SCADA displays. This is a "living off the land" approach in OT environments: the tools are legitimate, the intent is not. Confirmed targeted device families include <strong>CompactLogix</strong> (1769-L30ER/A), <strong>Micro850</strong> (2080-), and <strong>MicroLogix 1400</strong> (1766-) running end-of-sale firmware.</p>
<p>Since March 2026, this activity has caused <strong>confirmed operational disruption and financial loss</strong>.</p>
<p>The critical architectural insight: <strong>62% of these devices are not on your enterprise network.</strong> They reach the internet through cellular modems that bypass your SIEM, your NDR, and your firewall policies. Your SOC cannot see what it cannot reach.</p>
<h3><strong>2. UNC1549 (Imperial Kitten / TA455): The Aerospace Recruiter You Didn't Apply To</strong></h3>
<p>UNC1549 — tracked as <strong>Imperial Kitten</strong> (CrowdStrike), <strong>Smoke Sandstorm</strong> (Microsoft), <strong>TA455</strong> (Proofpoint), and <strong>Nimbus Manticore</strong> (Check Point) — is an IRGC-linked espionage group that has resumed active targeting of the <strong>aerospace and defense industrial base</strong> using a social engineering vector that exploits the hiring process.</p>
<p>The campaign distributes malware through <strong>fake resume lures hosted on GitHub</strong>, specifically through coding challenge repositories. The target set spans aerospace, energy, technology, transportation, and utilities across seven or more countries. This is not a new technique for this group, but its reactivation during active hostilities — after 43 days of silence — signals that IRGC espionage operations against DIB contractors are being prioritized alongside the kinetic campaign.</p>
<p>For organizations in the aerospace supply chain, this means your recruiting pipeline is an attack surface.</p>
<h3><strong>3. The Wiper Arsenal: Loaded, Aimed, Not Yet Fired</strong></h3>
<p>Iran's undeployed wiper arsenal — <strong>BiBiWiper</strong>, <strong>ZeroShred</strong>, <strong>GoneXML</strong>, and <strong>Meteor</strong> — represents the highest-impact, condition-dependent threat in the current landscape. Notably, no new wiper deployments have been detected during the ceasefire window. This restraint is deliberate, not incidental.</p>
<p><strong>UNC5866</strong> (assessed as linked to <strong>Emennet Pasargad</strong>, an IRGC contractor) was last observed on April 19 deploying wipers against Israeli technology and manufacturing organizations while masquerading as security company ESET. The group conducts both destructive malware operations and cyber-enabled information operations using multiple online personas. Analysts have confirmed that <strong>Homeland Justice</strong>, <strong>Karma</strong>, and <strong>Handala</strong> are a unified MOIS operation operating under the umbrella designation <strong>"Void Manticore"</strong> — collapsing three previously distinct hacktivist personas into one coordinated threat.</p>
<p>The wiper restraint is fragile. If the ceasefire collapses — an increasingly likely scenario given the gunboat incident — wiper deployment against energy, water, and government targets is the most probable immediate cyber response, assessed to occur within <strong>48–72 hours</strong> of kinetic escalation.</p>
<h3><strong>4. MuddyWater's Silence Is Not Reassuring</strong></h3>
<p><strong>MuddyWater</strong> (UNC3313 / UNC5667), the most operationally active MOIS cyber espionage group, registered fresh <strong>DinDoor/DinoDance C2 infrastructure</strong> on April 21 but has gone operationally silent since. For the most active Iranian cyber unit to go quiet during active hostilities is anomalous. The most likely explanation: <strong>C2 infrastructure rotation preceding operational activation.</strong> When MuddyWater goes quiet, it is typically preparing to go loud.</p>
<h3><strong>5. Russia's Hand: APT28 on Iranian Infrastructure</strong></h3>
<p>Confirmed on April 7 by Reuters: Russia is providing satellite ISR and cyber support to Iran. <strong>APT28</strong> (GRU Unit 26165 / Fancy Bear) infrastructure has been observed on <strong>Iranian ASN 213790</strong>. This Russia-Iran cyber convergence means defenders must account for Russian TTPs being deployed in service of Iranian targeting objectives — a significant complication for attribution and detection.</p>
<h3><strong>6. Siemens ICS Vulnerabilities: 12 Advisories in One Day</strong></h3>
<p>CISA published 12 ICS advisories on April 21, several of which are directly relevant to environments targeted by Iranian actors:</p>
<table> <thead> <tr> <th> <p>Advisory</p> </th> <th> <p>Product</p> </th> <th> <p>Impact</p> </th> </tr> </thead> <tbody> <tr> <td> <p>ICSA-26-111-03</p> </td> <td> <p>Siemens SINEC NMS (pre-V4.0 SP3)</p> </td> <td> <p>Authentication bypass — network management platform used across OT</p> </td> </tr> <tr> <td> <p>ICSA-26-111-09</p> </td> <td> <p>Siemens SINEC NMS</p> </td> <td> <p>Authorization bypass — second vulnerability in same product</p> </td> </tr> <tr> <td> <p>ICSA-26-111-02</p> </td> <td> <p>Siemens RUGGEDCOM CROSSBOW SAM-P</p> </td> <td> <p>Privilege escalation — deployed in substations, pipeline monitoring</p> </td> </tr> <tr> <td> <p>ICSA-26-111-07</p> </td> <td> <p>Siemens SCALANCE W-700 (pre-V6.6.0)</p> </td> <td> <p>Multiple vulnerabilities in industrial wireless infrastructure</p> </td> </tr> <tr> <td> <p>ICSA-26-111-04</p> </td> <td> <p>Siemens Analytics Toolkit</p> </td> <td> <p>Improper certificate validation — unauthenticated access risk</p> </td> </tr> <tr> <td> <p>ICSA-26-111-12</p> </td> <td> <p>SenseLive X3050</p> </td> <td> <p>Complete device takeover — IoT/ICS sensor platform</p> </td> </tr> <tr> <td> <p>ICSA-26-111-05</p> </td> <td> <p>Hardy Barth Salia EV Charge Controller</p> </td> <td> <p>Buffer overflow enabling remote code execution</p> </td> </tr> </tbody>
</table>
<p>Siemens products have been at the center of Iran-related OT operations since Stuxnet, which targeted Siemens S7 controllers in Iran's enrichment program; Iranian actors have since shown sustained interest in the same product families, and the current campaigns continue that pattern. The SINEC NMS authentication bypass is particularly concerning: compromising a network management system gives an attacker visibility into, and configuration control over, the entire OT network it manages.</p>
<h2><strong>Predictive Analysis: What Comes Next</strong></h2>
<p>Based on the convergence of kinetic escalation, confirmed cyber pre-positioning, and historical Iranian operational patterns, the following assessments reflect the most likely developments in the near term:</p>
<table> <thead> <tr> <th> <p>Timeframe</p> </th> <th> <p>Scenario</p> </th> <th> <p>Probability</p> </th> <th> <p>Basis</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>24–48 hours</strong></p> </td> <td> <p>Pro-Iran hacktivist groups (Handala / Void Manticore, Ababil of Minab) claim cyber operations related to the Strait of Hormuz gunboat incident. Expect Telegram-based information operations and DDoS against maritime/logistics targets.</p> </td> <td> <p><strong>HIGH (70%)</strong></p> </td> <td> <p>Historical pattern: IO claims follow kinetic events within 48 hours. Void Manticore has demonstrated this cadence repeatedly.</p> </td> </tr> <tr> <td> <p><strong>48–72 hours</strong></p> </td> <td> <p>If ceasefire negotiations fail, MuddyWater and APT34 (OilRig) activate pre-positioned access in energy and government networks. Current C2 silence is assessed as infrastructure rotation preceding activation.</p> </td> <td> <p><strong>MODERATE-HIGH (55%)</strong></p> </td> <td> <p>MuddyWater C2 refresh on Apr 21 + operational silence = preparation pattern. Iran sending "mixed messages" per Al Jazeera.</p> </td> </tr> <tr> <td> <p><strong>48–72 hours</strong></p> </td> <td> <p>Wiper deployment (BiBiWiper, ZeroShred, GoneXML, or Meteor) against Israeli, Gulf state, or U.S.-allied targets if kinetic escalation continues.</p> </td> <td> <p><strong>MODERATE (45%)</strong></p> </td> <td> <p>Wiper restraint is holding but under stress. Gunboat incident + ceasefire collapse = threshold conditions for destructive operations.</p> </td> </tr> <tr> <td> <p><strong>1–2 weeks</strong></p> </td> <td> <p>UNC1549 (TA455) expands fake resume campaign beyond aerospace to energy and technology sectors, leveraging GitHub and LinkedIn as delivery platforms.</p> </td> <td> <p><strong>MODERATE (50%)</strong></p> </td> <td> <p>Campaign reactivation after 43-day pause suggests renewed tasking. 
Historical pattern shows target expansion after initial sector focus.</p> </td> </tr> <tr> <td> <p><strong>1–2 weeks</strong></p> </td> <td> <p>APT42 (Charming Kitten) intensifies credential harvesting against universities, think tanks, and Iranian diaspora as ceasefire talks progress or collapse.</p> </td> <td> <p><strong>MODERATE (50%)</strong></p> </td> <td> <p>Campaign infrastructure refreshed Apr 17–21 without new IOCs — consistent with preparation phase.</p> </td> </tr> <tr> <td> <p><strong>2–4 weeks</strong></p> </td> <td> <p>CyberAv3ngers escalate from SCADA display manipulation to process interference causing physical effects (e.g., pressure/flow manipulation in water treatment or pipeline systems).</p> </td> <td> <p><strong>MODERATE (40%)</strong></p> </td> <td> <p>TRK25-ADVANCED malware confirmed beyond reconnaissance. Censys data shows 5,219 accessible targets. Escalation ladder has room to climb.</p> </td> </tr> </tbody>
</table>
<h2><strong>SOC Operational Guidance </strong></h2>
<h3><strong>What to Monitor</strong></h3>
<p><strong>OT/ICS Network Traffic:</strong></p>
<ul> <li>Connections to <strong>TCP 44818</strong> (EtherNet/IP explicit messaging; implicit I/O uses UDP 2222), <strong>TCP 502</strong> (Modbus/TCP), <strong>TCP 102</strong> (Siemens S7comm over ISO-TSAP) from any non-engineering workstation or external IP</li> <li><strong>Rockwell Studio 5000 Logix Designer</strong> sessions originating from unexpected hosts — this is the confirmed "living off the land" tool being used by CyberAv3ngers (<strong>T0886 — Remote Services</strong>; the resulting logic and display changes map to <strong>T0889 — Modify Program</strong> and <strong>T0832 — Manipulation of View</strong>)</li> <li>VNC (TCP 5900+), Telnet (TCP 23), and SSH (TCP 22) connections to any PLC or HMI system (<strong>T1021 — Remote Services</strong>)</li> <li>EtherNet/IP identity enumeration (CIP ListIdentity, encapsulation command 0x0063) from external IP ranges (<strong>T1046 — Network Service Discovery</strong>; ICS equivalent <strong>T0846 — Remote System Discovery</strong>)</li>
</ul>
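<p>The monitoring points above can be put into a single, offline-runnable check. The following Python script is an added example written for this post, not tooling from Censys, CISA or Rockwell: it applies an engineering-workstation allowlist to Zeek-style conn.log records for the EtherNet/IP, Modbus and S7 ports, flags VNC/Telnet/SSH into the PLC/HMI subnet, and decodes the 24-byte EtherNet/IP encapsulation header so that CIP ListIdentity scans (command 0x0063) can be caught on the wire. The subnets (10.10.50.0/24 for engineering, 10.10.60.0/24 for PLCs and HMIs), the host addresses, the log lines and the packet bytes are constructed for illustration.</p>

```python
"""Added example, not code from the original post: a minimal OT-traffic monitor that
(1) allowlists engineering-workstation sources for ENIP, Modbus and S7 sessions,
(2) flags VNC/Telnet/SSH into PLC/HMI subnets, and
(3) decodes EtherNet/IP encapsulation headers to catch CIP ListIdentity enumeration.
Subnets, hosts, log lines and packets are constructed for illustration.
"""
import ipaddress
import struct

# Assumptions (not in the original post): only 10.10.50.0/24 may open
# engineering sessions; PLCs and HMIs live in 10.10.60.0/24.
ENGINEERING_SUBNETS = [ipaddress.ip_network("10.10.50.0/24")]
PLC_SUBNETS = [ipaddress.ip_network("10.10.60.0/24")]
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

OT_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP I/O", 502: "Modbus/TCP", 102: "S7comm (ISO-TSAP)"}
REMOTE_ACCESS_PORTS = {22: "SSH", 23: "Telnet", 5900: "VNC"}

# EtherNet/IP encapsulation command codes (ODVA spec). The 24-byte header is little-endian:
# command(2) length(2) session handle(4) status(4) sender context(8) options(4).
ENIP_LIST_IDENTITY = 0x0063
ENIP_COMMANDS = {0x0004: "ListServices", 0x0063: "ListIdentity", 0x0064: "ListInterfaces",
                 0x0065: "RegisterSession", 0x0066: "UnRegisterSession",
                 0x006F: "SendRRData", 0x0070: "SendUnitData"}
ENIP_HEADER = struct.Struct("<HHII8sI")


def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify_connection(src, dst, dport):
    """Return an alert string for one connection, or None if it is expected."""
    if dport in OT_PORTS and not in_any(src, ENGINEERING_SUBNETS):
        where = "non-engineering" if in_any(src, INTERNAL_RANGES) else "external"
        return f"{OT_PORTS[dport]} session from {where} host {src} -> {dst}:{dport}"
    if in_any(dst, PLC_SUBNETS) and (dport in REMOTE_ACCESS_PORTS or 5900 <= dport <= 5999):
        svc = REMOTE_ACCESS_PORTS.get(dport, "VNC")
        return f"{svc} to PLC/HMI {dst}:{dport} from {src}"
    return None


def scan_conn_log(lines):
    """Run classify_connection over Zeek conn.log-style TSV lines (header lines start with '#')."""
    alerts = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        alert = classify_connection(f[2], f[4], int(f[5]))  # id.orig_h, id.resp_h, id.resp_p
        if alert:
            alerts.append(alert)
    return alerts


def parse_enip_header(payload):
    """Decode the encapsulation header of one EtherNet/IP PDU; None if the payload is too short."""
    if len(payload) < ENIP_HEADER.size:
        return None
    cmd, length, session, status, _ctx, _opts = ENIP_HEADER.unpack_from(payload)
    return {"command": cmd, "name": ENIP_COMMANDS.get(cmd, f"0x{cmd:04x}"),
            "length": length, "session": session, "status": status}


def scan_enip_payloads(packets):
    """packets: iterable of (src_ip, payload). Alert on ListIdentity from non-engineering sources."""
    alerts = []
    for src, payload in packets:
        hdr = parse_enip_header(payload)
        if hdr and hdr["command"] == ENIP_LIST_IDENTITY and not in_any(src, ENGINEERING_SUBNETS):
            alerts.append(f"CIP ListIdentity enumeration from {src}")
    return alerts


# Constructed sample data (Zeek conn.log order: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto)
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1777000000.1\tC1\t10.10.50.21\t51000\t10.10.60.5\t44818\ttcp",   # engineering WS -> PLC: expected
    "1777000001.2\tC2\t10.10.20.77\t51001\t10.10.60.5\t44818\ttcp",   # corporate IT host -> PLC: alert
    "1777000002.3\tC3\t198.51.100.23\t40000\t10.10.60.9\t502\ttcp",   # external -> Modbus: alert
    "1777000003.4\tC4\t10.10.20.77\t51002\t10.10.60.12\t5900\ttcp",   # VNC into HMI: alert
    "1777000004.5\tC5\t10.10.50.21\t51003\t10.10.60.9\t102\ttcp",     # engineering WS -> S7: expected
]


def _enip(cmd, body=b""):
    """Build a constructed EtherNet/IP PDU with a zero session handle and context."""
    return ENIP_HEADER.pack(cmd, len(body), 0, 0, b"\x00" * 8, 0) + body


SAMPLE_PACKETS = [
    ("198.51.100.23", _enip(ENIP_LIST_IDENTITY)),            # internet scanner: alert
    ("10.10.50.21", _enip(0x0065, b"\x01\x00\x00\x00")),    # RegisterSession from engineering WS
    ("10.10.50.21", _enip(ENIP_LIST_IDENTITY)),              # engineering WS discovery: expected
]

if __name__ == "__main__":
    for a in scan_conn_log(SAMPLE_CONN_LOG) + scan_enip_payloads(SAMPLE_PACKETS):
        print("ALERT:", a)
```

<p>In production the allowlist comes from the asset inventory and the packet parser sits behind a Zeek or Suricata capture on the OT segment; the point is that the rules are small, and the same 24-byte header decode applies to both TCP 44818 and UDP 2222 traffic.</p>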
<p><strong>Cellular and Satellite Connectivity:</strong></p>
<ul> <li>Audit all cellular modem gateways (Verizon, AT&T, T-Mobile) providing internet access to field-deployed PLCs</li> <li>Inventory Starlink-connected ICS devices — these represent an unmonitored attack surface</li> <li>Implement allowlist-only firewall rules on cellular gateways where possible</li>
</ul>
<p><strong>Identity and Access:</strong></p>
<ul> <li>Failed authentication attempts against Siemens SINEC NMS consoles (<strong>T1190 — Exploit Public-Facing Application</strong>)</li> <li>OAuth application consent grants in Azure AD / Entra ID to unfamiliar applications, especially those requesting mail or file read scopes (<strong>T1528 — Steal Application Access Token</strong>)</li> <li>Anomalous service principal activity in cloud environments (<strong>T1078.004 — Valid Accounts: Cloud Accounts</strong>)</li>
</ul>
<p><strong>Email and Social Engineering:</strong></p>
<ul> <li>GitHub repository links in unsolicited job applications, particularly for aerospace and defense roles (<strong>T1566.002 — Spearphishing Link</strong>, <strong>T1204.002 — User Execution: Malicious File</strong>)</li> <li>Emails impersonating ESET or other security vendors (<strong>T1036 — Masquerading</strong>)</li>
</ul>
<h3><strong>Hunting Hypotheses</strong></h3>
<table> <thead> <tr> <th> <p>Hypothesis</p> </th> <th> <p>ATT&CK Technique</p> </th> <th> <p>Data Source</p> </th> <th> <p>What to Look For</p> </th> </tr> </thead> <tbody> <tr> <td> <p>CyberAv3ngers are using legitimate Rockwell tools to modify PLC project files</p> </td> <td> <p>T0889 (Modify Program), T0843 (Program Download)</p> </td> <td> <p>OT network logs, PLC audit logs, engineering workstation change records</p> </td> <td> <p>Studio 5000 connections from non-engineering subnets; program downloads and project file modifications outside change windows</p> </td> </tr> <tr> <td> <p>MuddyWater is rotating C2 infrastructure and will beacon from pre-positioned implants</p> </td> <td> <p>T1071 (Application Layer Protocol), T1573 (Encrypted Channel)</p> </td> <td> <p>DNS logs, proxy logs, EDR</p> </td> <td> <p>STARWHALE/GRAMDOOR beaconing patterns; DNS queries to recently registered domains with DGA-like characteristics</p> </td> </tr> <tr> <td> <p>UNC1549 has delivered malware via GitHub coding challenge repos to aerospace employees</p> </td> <td> <p>T1566.003 (Spearphishing via Service), T1204.002 (User Execution: Malicious File)</p> </td> <td> <p>Endpoint telemetry, GitHub access logs</p> </td> <td> <p>Execution of binaries downloaded from GitHub repos not in the organization's approved list; new repos cloned by employees in aerospace programs</p> </td> </tr> <tr> <td> <p>Void Manticore (Handala/Karma/Homeland Justice) is preparing IO + DDoS related to Strait of Hormuz</p> </td> <td> <p>T1498 (Network Denial of Service), T1491.002 (External Defacement)</p> </td> <td> <p>WAF logs, DDoS mitigation telemetry, Telegram OSINT</p> </td> <td> <p>Volumetric traffic spikes against maritime/logistics web properties; Telegram channel posts claiming operations</p> </td> </tr> <tr> <td> <p>Iranian actors are probing Siemens SINEC NMS for authentication bypass</p> </td> <td> <p>T1190 (Exploit Public-Facing Application), T1068 (Exploitation for Privilege Escalation)</p> </td> <td> <p>SINEC NMS access logs, network IDS</p> </td> <td> <p>Unauthenticated API calls to SINEC NMS User Management Component; privilege escalation attempts on RUGGEDCOM CROSSBOW</p> </td> </tr> </tbody>
</table>
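<p>The MuddyWater hypothesis in the table, and the C2-pattern item in the detection priorities that follow, reduce to one measurable pattern: regular beacons from a single host to a domain that is either newly registered or lexically random. The following Python hunt is an added example written for this post, not an IOC set or signature from any vendor: it groups DNS queries by (client, registrable domain), computes the coefficient of variation of the inter-query gaps, and flags regular beacons to domains that are under 30 days old or score as DGA-like. The log lines, client addresses, domain names and registration dates are constructed; the registration table stands in for a WHOIS/RDAP or newly-registered-domain feed.</p>

```python
"""Added example, not code from the original post: hunt DNS logs for the
"regular beacon to a newly registered or DGA-like domain" pattern.
Log lines, clients, domains and registration dates are constructed; the
registration lookup stands in for a WHOIS/RDAP or NRD feed (assumption).
"""
import math
import statistics
from collections import defaultdict
from datetime import date

AS_OF = date(2026, 4, 22)
NRD_DAYS = 30          # "recently registered" threshold
MIN_QUERIES = 4        # need several intervals before calling a series periodic
MAX_CV = 0.2           # coefficient of variation below this = regular beacon
LEXICAL_THRESHOLD = 3.5

# Constructed registration dates (stand-in for a WHOIS/RDAP or NRD feed)
REGISTRATION_DATES = {
    "microsoft.com": date(1991, 5, 2),
    "kq7x2mvp9z.net": date(2026, 4, 17),
    "update-service-cdn.com": date(2026, 4, 12),
}


def registrable_domain(qname):
    """Crude eTLD+1: last two labels (a real hunt would use the Public Suffix List)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def lexical_score(domain):
    """Entropy plus a digit-ratio bonus on the second-level label; crude, treated as a weak signal."""
    label = domain.split(".")[0]
    digits = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) + 2 * digits


def domain_age_days(domain):
    reg = REGISTRATION_DATES.get(domain)
    return None if reg is None else (AS_OF - reg).days


def beacon_cv(timestamps):
    """Coefficient of variation of inter-query gaps; None if there are too few samples."""
    if len(timestamps) < MIN_QUERIES:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None


def hunt(lines):
    """lines: 'ts<TAB>client<TAB>qname'. Return regular beacons to NRD or DGA-like domains."""
    series = defaultdict(list)
    for line in lines:
        if not line or line.startswith("#"):
            continue
        ts, client, qname = line.split("\t")[:3]
        series[(client, registrable_domain(qname))].append(float(ts))
    findings = []
    for (client, domain), stamps in series.items():
        cv = beacon_cv(stamps)
        if cv is None or cv > MAX_CV:
            continue                      # irregular or too sparse: not a beacon
        age = domain_age_days(domain)
        lex = lexical_score(domain)
        nrd = age is not None and age < NRD_DAYS
        if nrd or lex > LEXICAL_THRESHOLD:
            findings.append({"client": client, "domain": domain, "queries": len(stamps),
                             "cv": round(cv, 3), "age_days": age, "lexical": round(lex, 2)})
    return sorted(findings, key=lambda f: (f["client"], f["domain"]))


# Constructed sample log (one day of queries from three clients)
T0 = 1777000000
SAMPLE_DNS_LOG = [
    "#ts\tclient\tquery",
    *[f"{T0 + 300 * i}\t10.10.20.77\tkq7x2mvp9z.net" for i in range(5)],                 # 300 s beacon, 5-day-old domain
    *[f"{T0 + t}\t10.10.20.40\twww.microsoft.com" for t in (3, 50, 900, 1000, 1002)],     # irregular, old domain
    *[f"{T0 + t}\t10.10.20.91\tapi.update-service-cdn.com" for t in (10, 71, 129, 190, 250)],  # ~60 s beacon, 10-day-old
    f"{T0 + 5}\t10.10.20.40\tcdn.example.org",                                             # single query, unknown age
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_DNS_LOG):
        print(finding)
```

<p>Entropy alone is a poor discriminator (long legitimate names score high too), which is why the periodicity test gates the decision and the lexical score only adds a candidate when the registration date is unknown. Feed it a day of resolver logs and a fresh NRD list and the output is a short review queue rather than a detection.</p>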
<h3><strong>Detection Priorities</strong></h3>
<ol> <li><strong>Deploy detection rules</strong> for Rockwell Studio 5000 Logix Designer connections from non-engineering workstations: network signatures (Snort/Suricata or Zeek) for EtherNet/IP sessions to controllers from outside the engineering allowlist, and Sigma rules on workstation and jump-host logs for Logix Designer launches and program downloads (YARA belongs on dropped files, not on connection telemetry)</li> <li><strong>Alert on EtherNet/IP identity enumeration</strong> (CIP ListIdentity requests, encapsulation command 0x0063) from external or unexpected internal IPs</li> <li><strong>Monitor for DinDoor/DinoDance C2 patterns</strong> — MuddyWater's known beaconing intervals and domain generation characteristics</li> <li><strong>Flag any ESET-branded email or download</strong> that does not originate from verified ESET infrastructure — UNC5866's masquerade campaign is active</li>
</ol>
<h2><strong>Sector-Specific Defensive Priorities</strong></h2>
<h3><strong>Financial Services</strong></h3>
<p>Iranian cyber operations have historically targeted financial institutions for both espionage and destructive purposes (the 2012–2013 DDoS campaign against U.S. banks remains a precedent). In the current conflict:</p>
<ul> <li><strong>Priority:</strong> Protect SWIFT messaging infrastructure and core banking platforms from wiper deployment. BiBiWiper and ZeroShred are designed for maximum data destruction with minimal dwell time.</li> <li><strong>Action:</strong> Verify offline backup integrity for all transaction processing systems. Test restoration procedures — do not assume backups are clean.</li> <li><strong>Action:</strong> Monitor for credential harvesting campaigns by APT42 (Charming Kitten, IRGC-IO) targeting financial sector employees, particularly those involved in sanctions compliance or Iran-related transactions.</li> <li><strong>Action:</strong> Review DDoS mitigation capacity. Pro-Iran hacktivist groups (Void Manticore, Ababil of Minab) have historically targeted financial sector web properties as part of information operations.</li>
</ul>
<h3><strong>Energy</strong></h3>
<p>Energy is the <strong>primary target sector</strong> in the current threat landscape. CyberAv3ngers' confirmed exploitation of Rockwell PLCs, combined with the Censys exposure data, makes this the most urgent defensive priority.</p>
<ul> <li><strong>Priority:</strong> Audit every internet-facing PLC, RTU, and HMI in your environment — including those connected via cellular modems. The Censys data shows 62% of exposed devices reach the internet through Verizon and AT&T cellular connections that bypass enterprise security controls.</li> <li><strong>Action:</strong> Set physical mode switches to RUN on all CompactLogix and MicroLogix PLCs equipped with hardware key switches. This is the single most effective mitigation: with the key in RUN the controller rejects program downloads and online edits, and nothing on the network can move the switch.</li> <li><strong>Action:</strong> Block inbound TCP 44818 and UDP 2222 (EtherNet/IP), TCP 502 (Modbus) and TCP 102 (S7) from non-allowlisted IPs on all internet-facing OT segments; the correct end state is no internet-facing OT segment at all.</li> <li><strong>Action:</strong> Patch Siemens SINEC NMS to V4.0 SP3 or later (ICSA-26-111-03, ICSA-26-111-09). If SINEC NMS manages your OT network, an authentication bypass gives an attacker the keys to the kingdom.</li> <li><strong>Action:</strong> Audit RUGGEDCOM CROSSBOW deployments in substations and pipeline monitoring for privilege escalation exposure (ICSA-26-111-02).</li>
</ul>
<h3><strong>Healthcare</strong></h3>
<p>Healthcare has not been a primary target in this conflict cycle, but Iranian actors have hit it before: Fox Kitten / Pioneer Kitten's collaboration with ransomware affiliates reached healthcare organizations, and the wiper threat is sector-agnostic.</p>
<ul> <li><strong>Priority:</strong> Ensure medical device networks are segmented from IT networks and from the internet. Any Rockwell or Siemens controllers in building management or medical gas systems should be audited.</li> <li><strong>Action:</strong> Verify that ransomware/wiper response playbooks include procedures for maintaining patient care during IT system outages.</li> <li><strong>Action:</strong> Monitor for Pay2Key ransomware-as-a-service activity — an Iranian state-linked operation that blends state tasking with cybercrime and has targeted healthcare in the past.</li> <li><strong>Action:</strong> Brief clinical engineering teams on the Siemens ICS advisory batch — medical facilities often run Siemens building automation systems.</li>
</ul>
<h3><strong>Government</strong></h3>
<p>Government networks — federal, state, and local — are confirmed targets of CyberAv3ngers' PLC exploitation campaign (CISA AA26-097A specifically names government facilities). Water and wastewater systems operated by municipalities are at particular risk.</p>
<ul> <li><strong>Priority:</strong> Municipal water and wastewater utilities must immediately audit Rockwell PLC connectivity. The CyberAv3ngers campaign has specifically targeted water sector infrastructure.</li> <li><strong>Action:</strong> Implement CISA's AA26-097A mitigations without delay. This is not a theoretical advisory — it describes active exploitation.</li> <li><strong>Action:</strong> Audit Entra ID / Azure AD conditional access policies. Iranian actors (particularly MuddyWater and APT42) target government cloud identity infrastructure for persistent access.</li> <li><strong>Action:</strong> Brief election infrastructure teams — while not a primary vector in this conflict, Iranian IO operations have historically targeted election-related systems and public confidence.</li>
</ul>
<h3><strong>Aviation and Logistics</strong></h3>
<p>The IRGC gunboat attack on a container ship in the Strait of Hormuz directly elevates the threat to maritime logistics and aviation. Pro-Iran hacktivist groups are assessed with high probability (70%) to claim cyber operations against maritime/logistics targets within 48 hours.</p>
<ul> <li><strong>Priority:</strong> Harden public-facing web applications and APIs against DDoS and defacement. Void Manticore's IO playbook includes website defacement as a propaganda tool.</li> <li><strong>Action:</strong> Brief aerospace recruiting and HR teams on UNC1549/TA455 fake GitHub resume campaign. Do not execute code from unsolicited applicant repositories. Verify all coding challenge repos before any employee interaction.</li> <li><strong>Action:</strong> Audit supply chain dependencies on Strait of Hormuz transit. If your logistics depend on this chokepoint, develop contingency routing and monitor for disruption indicators.</li> <li><strong>Action:</strong> Review ADS-B, ACARS, and flight operations network segmentation. While no direct targeting of aviation control systems has been confirmed in this cycle, Iranian actors have demonstrated interest in transportation infrastructure.</li>
</ul>
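<p>"Verify all coding challenge repos before execution" is easier to enforce with a script than with a policy. The following Python triage is an added example written for this post, not a tool from any vendor or from the reporting on UNC1549: it walks an applicant's repository and lists the paths by which code would run without anyone knowingly launching a binary, namely npm lifecycle scripts, VS Code tasks set to run on folder open, setup.py command overrides, bundled PE/ELF/Mach-O files, shell-out APIs and long base64 blobs. The sample repository it builds in a temporary directory, including the file names and the encoded payload, is constructed for illustration and is not an indicator from the campaign. The same script serves the HR / Recruiting action in the 7-day table.</p>

```python
"""Added example, not code from the original post: pre-execution triage of a
"coding challenge" repository received from an applicant. It reports the
auto-execution paths a fake-resume lure would abuse. The sample repo, its
file names and its encoded payload are constructed for illustration.
"""
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
BINARY_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable",
                b"\xcf\xfa\xed\xfe": "Mach-O executable", b"\xca\xfe\xba\xbe": "Mach-O fat/Java class"}
SHELL_OUT = re.compile(r"\b(child_process|execSync|spawn|subprocess|os\.system|Runtime\.getRuntime)\b")
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
TEXT_EXT = {".js", ".ts", ".py", ".json", ".sh", ".ps1", ".java", ".go", ".rs", ".md", ".yml", ".yaml"}


def triage_repo(root):
    """Walk the repo and return sorted (category, relative path) findings; [] means nothing auto-executes."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        head = path.read_bytes()[:4]
        for magic, kind in BINARY_MAGIC.items():            # native binaries hidden among "sources"
            if head.startswith(magic):
                findings.append((f"bundled {kind}", rel))
        if path.name == "package.json":                       # runs on `npm install`
            try:
                scripts = json.loads(path.read_text()).get("scripts", {})
            except (ValueError, AttributeError):
                scripts = {}
            for hook in sorted(LIFECYCLE_SCRIPTS & set(scripts)):
                findings.append((f"npm lifecycle script '{hook}'", rel))
        if rel == ".vscode/tasks.json" and '"folderOpen"' in path.read_text(errors="ignore"):
            findings.append(("VS Code task runs on folder open", rel))   # runs when the editor opens the folder
        if path.name == "setup.py" and "cmdclass" in path.read_text(errors="ignore"):
            findings.append(("setup.py overrides install commands", rel))  # runs on `pip install .`
        if path.suffix in TEXT_EXT:
            text = path.read_text(errors="ignore")
            if SHELL_OUT.search(text):
                findings.append(("shell-out API in source", rel))
            if LONG_B64.search(text):
                findings.append(("long base64 blob", rel))
    return sorted(findings)


def make_sample_repo():
    """Constructed lure-style repo: one clean solution file plus several auto-execution paths."""
    root = Path(tempfile.mkdtemp(prefix="challenge-"))
    (root / "README.md").write_text("# Coding challenge\nRun `npm install && npm test`.\n")
    (root / "src").mkdir()
    (root / "src" / "solution.js").write_text("module.exports = (a, b) => a + b;\n")
    (root / "package.json").write_text(json.dumps({
        "name": "challenge", "scripts": {"test": "node test.js", "postinstall": "node setup/env.js"}}))
    (root / "setup").mkdir()
    (root / "setup" / "env.js").write_text(
        "const cp = require('child_process');\nconst blob = '" + "QUFB" * 60 + "';\n"
        "cp.execSync(Buffer.from(blob, 'base64').toString());\n")   # constructed stand-in for a staged payload
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({
        "version": "2.0.0", "tasks": [{"label": "init", "type": "shell", "command": "node setup/env.js",
                                       "runOptions": {"runOn": "folderOpen"}}]}))
    (root / "tools").mkdir()
    (root / "tools" / "helper.exe").write_bytes(b"MZ" + b"\x90" * 64)   # constructed PE stub, not a real binary
    return root


if __name__ == "__main__":
    for category, rel in triage_repo(make_sample_repo()):
        print(f"[{category}] {rel}")
```

<p>A clean repository returns an empty list; anything else goes to an analyst before a recruiter or engineer runs <code>npm install</code> or opens the folder in an editor. Run it against the downloaded archive on a disposable VM, not on the workstation that received the application.</p>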
<h2><strong>Prioritized Defense Recommendations</strong></h2>
<h3><strong>IMMEDIATE (Within 24 Hours)</strong></h3>
<table> <thead> <tr> <th> <p>Team</p> </th> <th> <p>Action</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>SOC</strong></p> </td> <td> <p>Block inbound TCP 44818 and UDP 2222 (EtherNet/IP), TCP 502 (Modbus) and TCP 102 (S7) from non-allowlisted IPs on all internet-facing OT segments. Audit Rockwell CompactLogix and MicroLogix 1400 devices for unexpected project file modifications since March 2026 (upload the running program and diff it against the last approved project file).</p> </td> </tr> <tr> <td> <p><strong>IT Ops</strong></p> </td> <td> <p>Disable VNC (port 5900+), Telnet (23), and FTP (21) on all systems connected to PLCs. If VNC is required for HMI access, restrict it to a jump host with MFA.</p> </td> </tr> <tr> <td> <p><strong>OT Ops</strong></p> </td> <td> <p>Set physical mode switches to RUN on all CompactLogix and MicroLogix PLCs equipped with hardware key switches — this cannot be overridden remotely and is the single most effective mitigation available.</p> </td> </tr> <tr> <td> <p><strong>SOC</strong></p> </td> <td> <p>Activate cyber incident response standby posture. The IRGC gunboat attack creates a 48–72 hour window of elevated cyber retaliation risk. Ensure wiper response playbooks are accessible and IR retainers are confirmed.</p> </td> </tr> <tr> <td> <p><strong>SOC</strong></p> </td> <td> <p>Monitor Telegram channels associated with Handala, Cyber Toufan, and Ababil of Minab for claims related to the Strait of Hormuz incident or maritime targeting.</p> </td> </tr> </tbody>
</table>
<h3><strong>7-DAY</strong></h3>
<table> <thead> <tr> <th> <p>Team</p> </th> <th> <p>Action</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>IT Ops</strong></p> </td> <td> <p>Patch Siemens SINEC NMS to V4.0 SP3 or later to remediate authentication bypass (ICSA-26-111-03) and authorization bypass (ICSA-26-111-09). Audit RUGGEDCOM CROSSBOW SAM-P for privilege escalation exposure (ICSA-26-111-02).</p> </td> </tr> <tr> <td> <p><strong>SOC</strong></p> </td> <td> <p>Audit all cellular and satellite modem connections (Verizon, AT&T, T-Mobile; Starlink) providing internet access to field-deployed PLCs. Implement allowlist-only firewall rules on those gateways. Inventory all satellite-connected ICS devices.</p> </td> </tr> <tr> <td> <p><strong>HR / Recruiting</strong></p> </td> <td> <p>Brief aerospace and DIB hiring teams on the UNC1549/TA455 fake resume campaign. Verify all GitHub coding challenge repositories before execution. Do not run code from unsolicited applicant repos.</p> </td> </tr> <tr> <td> <p><strong>SOC</strong></p> </td> <td> <p>Deploy network (Snort/Suricata/Zeek) and host (Sigma) detection rules for Rockwell Studio 5000 Logix Designer connections from non-engineering workstations. Alert on any EtherNet/IP identity enumeration from external IPs.</p> </td> </tr> <tr> <td> <p><strong>SOC</strong></p> </td> <td> <p>Conduct a proactive hunt for MuddyWater STARWHALE/GRAMDOOR beaconing patterns. The current C2 silence may indicate infrastructure rotation preceding operational activation.</p> </td> </tr> </tbody>
</table>
<h3><strong>30-DAY</strong></h3>
<table> <thead> <tr> <th> <p>Team</p> </th> <th> <p>Action</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>CISO</strong></p> </td> <td> <p>Commission assessment of cloud/OAuth attack surface for Iranian actor TTPs. The 43-day absence of cloud-focused Iranian activity may indicate operations held in reserve or a collection gap. Audit Entra ID conditional access policies and OAuth app consent flows.</p> </td> </tr> <tr> <td> <p><strong>CISO</strong></p> </td> <td> <p>Develop and tabletop a ceasefire-collapse cyber response playbook. If kinetic hostilities resume, expect wiper deployment within 48–72 hours targeting energy, water, and government sectors. Pre-stage incident response retainers and confirm offline backup integrity.</p> </td> </tr> <tr> <td> <p><strong>CISO</strong></p> </td> <td> <p>Engage Censys or equivalent external attack surface management platform to establish continuous monitoring of internet-exposed ICS/OT devices, including those on cellular and satellite connections outside traditional enterprise network visibility.</p> </td> </tr> <tr> <td> <p><strong>CISO</strong></p> </td> <td> <p>Review and update third-party risk assessments for any suppliers with Rockwell, Siemens, or Fortinet OT deployments. Supply chain compromise through a less-defended partner is a viable Iranian escalation path.</p> </td> </tr> <tr> <td> <p><strong>Executive</strong></p> </td> <td> <p>Brief the board on the Iran cyber conflict posture. Key message: the ceasefire does not extend to cyberspace, confirmed operational disruption is already occurring, and the probability of destructive cyberattacks increases materially if kinetic hostilities resume.</p> </td> </tr> </tbody>
</table>
<h2><strong>The Bottom Line </strong></h2>
<p>Fifty-three days into this conflict, the intelligence picture is unambiguous on three points:</p>
<p><strong>First, the ceasefire is a fiction in cyberspace.</strong> Iranian state-sponsored cyber operations — from IRGC-affiliated CyberAv3ngers manipulating PLCs to MOIS-operated MuddyWater refreshing C2 infrastructure to UNC1549 targeting aerospace through fake GitHub resumes — have continued without interruption. Any security posture calibrated to diplomatic timelines is miscalibrated.</p>
<p><strong>Second, the OT exposure is worse than anyone assumed.</strong> Five thousand two hundred nineteen internet-exposed Rockwell PLCs, the majority accessible through cellular modems that bypass every traditional security control your SOC operates. Iranian actors are already exploiting this with legitimate vendor tools. Operational disruption and financial losses are not theoretical — they are confirmed and ongoing.</p>
<p><strong>Third, the escalation clock is ticking.</strong> The IRGC gunboat attack on April 22 — hours after a ceasefire extension was announced — signals that the kinetic restraint is breaking down. When kinetic restraint breaks, cyber restraint follows. Iran's wiper arsenal (BiBiWiper, ZeroShred, GoneXML, Meteor) is loaded and aimed. The 48–72 hour window after kinetic escalation is when destructive cyber operations are historically most likely.</p>
<p>The ceasefire-collapse cyber response playbook is no longer a 30-day planning exercise. It is a near-term operational necessity. The question is not whether Iranian cyber operations will escalate — it is whether your organization will be ready when they do.</p>