US Agencies Warn Iranian Hackers May Still Conduct Malicious Cyber Activity
The United States government has issued a renewed alert that Iranian‑linked hacking groups remain a potent threat to critical infrastructure, private enterprises, and individual users. Recent statements from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Homeland Security (DHS) stress that, despite diplomatic pressure and sanctions, these actors continue to evolve their tactics, techniques, and procedures (TTPs).
Key indicators of ongoing Iranian cyber operations
- Target diversification: While past campaigns focused heavily on oil and energy sectors, attackers are now probing telecommunications, healthcare, and supply‑chain vendors.
- Advanced malware families: New variants of WhisperGate and StoneDrill have been observed, featuring encrypted payloads that evade signature‑based detection.
- Supply‑chain infiltration: Threat actors are leveraging compromised software updates to gain footholds in downstream networks.
- Social‑engineering sophistication: Phishing emails now incorporate deep‑fake video clips and localized language to increase credibility.
- Rapid weaponization: Exploits for recently disclosed zero‑day vulnerabilities are being weaponized within weeks of public disclosure.
Official warnings and recommendations
In a joint advisory released on July 28, 2025, CISA, the FBI, and the National Security Agency (NSA) outlined a set of actionable steps for organizations of all sizes. The guidance emphasizes a “defense‑in‑depth” approach:
- Patch management: Apply security updates within 48 hours of release, especially for operating systems and widely used enterprise applications.
- Multi‑factor authentication (MFA): Enforce MFA on all privileged accounts and remote access gateways.
- Network segmentation: Isolate critical assets from general‑purpose workstations to limit lateral movement.
- Threat‑intel sharing: Participate in Information Sharing and Analysis Centers (ISACs) to receive timely indicators of compromise (IOCs).
- Incident response drills: Conduct tabletop exercises that simulate Iranian‑style intrusion scenarios.
Why the threat persists
Iranian cyber units, often referred to as “APT34,” “APT35,” and “APT38,” receive direct support from state resources, allowing them to maintain sophisticated infrastructure and recruit skilled developers. The geopolitical landscape—particularly ongoing tensions in the Middle East and sanctions related to nuclear negotiations—provides both motivation and a veil of plausible deniability for continued operations.
Moreover, the shift toward “hybrid warfare” means cyber attacks are increasingly coordinated with disinformation campaigns, economic coercion, and physical sabotage. This integration amplifies the impact of each intrusion, making it harder for defenders to isolate the cyber component from broader strategic objectives.
What businesses can do now
Organizations should treat the advisory as a call to action rather than a routine update. A practical first step is to perform a comprehensive risk assessment that maps out data flows, identifies high‑value assets, and evaluates existing security controls against the listed Iranian TTPs. Following the assessment, prioritize remediation based on potential impact and likelihood of exploitation.
Finally, maintain an open line of communication with federal agencies. The Cybersecurity Information Sharing Act (CISA) portal offers free access to threat feeds, and the FBI’s Internet Crime Complaint Center (IC3) provides a channel for reporting suspicious activity. By staying informed and proactive, the private sector can blunt the effectiveness of Iranian cyber actors and protect the digital ecosystem from further malicious activity.
