Iranian cyber threat activity against U.S. infrastructure has intensified: CISA has issued an urgent warning about the exposure of the U.S. water and energy sectors. Recent intelligence indicates that Iran-linked actors are now weaponizing network access they already held to exploit industrial programmable logic controllers (PLCs), a development that marks a significant escalation of the Iranian cyber threat.
Understanding the Current Iranian Cyber Threat to Infrastructure
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and other U.S. agencies recently published a cyber advisory warning of the threat posed by Iranian hackers to U.S. critical infrastructure. These Critical Questions examine the overall cyber threat Iran poses to U.S. critical infrastructure in the context of the conflict, and the vulnerable state of U.S. cybersecurity.
Q1: What is the latest in the Iran war from a cyber perspective?
A1: Recently, CISA and other U.S. agencies published an advisory notice warning of the threat posed to U.S. critical infrastructure by Iran-affiliated actors—many of which are thought to be associated with the Islamic Revolutionary Guard Corps.
CISA warned that cyber incidents exploiting vulnerabilities in programmable logic controllers (PLCs), the computers that control and monitor industrial equipment and machinery, had disrupted an unspecified number of U.S. organizations across multiple critical infrastructure sectors, including local government, water, and energy. The actors gained unauthorized access to these systems and manipulated the data displayed on operator screens. Though the number of victims was not confirmed, the advisory stated that the incidents had resulted in operational disruption and financial loss.
The actors thought to be behind these incidents are the “CyberAv3ngers” group, which presents itself as a “hacktivist” group, but is in fact thought to be an advanced persistent threat associated with the Islamic Revolutionary Guard Corps’ Cyber Electronic Command.
The group has a history of exaggerating its attacks and their impact; sowing discord is its primary objective. In this instance, the incidents themselves were unlikely to have been especially sophisticated, relying on basic vulnerabilities present in the targets. Because no software update was available to fix the underlying vulnerability the actors exploited, CISA urged these sectors to apply various security mitigations to reduce the risk of further compromise.
These incidents are the latest in a spate of Iranian cyber activity during the conflict. Media coverage has tended to skew toward the most disruptive or high-profile cyber activity, such as the cyberattack on U.S. medical supply company Stryker, the hacking of FBI Director Kash Patel’s emails, or a data breach of Lockheed Martin thought to be linked to Iranian hacktivists. In fact, Iran’s cyber activity during this conflict has been much broader than just disruption, and can be categorized into four types:
1. Opportunistic disruption, by the Iranian state or state-linked actors, of U.S. and regional targets
2. Cyber espionage to assess battle damage or to inform kinetic activity, such as hacking into security cameras in Israel, intelligence gathering to inform kinetic targeting, or the use of spyware against Israeli citizens disguised as a bomb shelter location app
3. Pre-positioning, or establishing access or footholds in new networks or victim organizations for use at a later point
4. Cyber-enabled information operations, including the hacking of digital signage at Israeli railway stations, intended to sow fear among local populations
Analyzing the Iranian Cyber Threat to Water and Energy Sectors
Q2: What does this mean for U.S. critical infrastructure?
A2: Critical infrastructure is an especially attractive target set for cyber operations during a conflict: It can provide an asymmetric means of punching back against an adversary. Targeting critical infrastructure offers a means of sowing fear and distrust in local populations dependent upon that infrastructure, and as the Iranians know all too well, it offers high symbolic value through demonstrating an ability to reach into a country and disrupt some of its most critical systems.
The attacks detailed in the CISA advisory impacted the water and energy sectors in particular, owing to the presence of PLCs in their networks. Iran has a long history of targeting these sectors and of hacking into operational technology in the United States and other countries’ infrastructure.
This history goes as far back as 2013, when Iranian hackers accessed the systems of a small dam outside New York City (though with minimal operational impact), and also accessed the systems and data of Calpine Corporation, one of California’s largest power producers. The methods outlined in the CISA advisory bear similarities to Iran-linked cyberattacks against U.S. water facilities in November 2023, which targeted a PLC produced by an Israeli company, Unitronics, in which the hackers digitally defaced the equipment, setting screens to display the message, “you have been hacked, down with Israel.”
However, the threat to U.S. critical infrastructure goes far beyond Iran. The U.S. government has struggled to evict persistent Chinese cyber actors, such as Salt Typhoon, from U.S. telecommunications networks, even though these actors have been present in those networks since at least 2021–2022; the same actors have also compromised U.S. National Guard networks.
In the public sector, the FBI recently declared a “major incident” upon discovering malicious activity on an internal system related to surveillance operations. U.S. critical infrastructure is not spared either by cyber criminals; water facilities across the United States have long been subjected to ransomware attacks, while the healthcare sector was named the most targeted sector by ransomware in a 2025 FBI report. The risk is, therefore, that as the United States pursues its campaign against Iran, it does so with its backyard wide open to capable, malicious cyber actors.
U.S. Vulnerabilities vs. the Evolving Iranian Cyber Threat
Q3: How vulnerable is the United States?
A3: U.S. critical infrastructure has remained in a vulnerable state for decades, struggling to secure networks and key assets across multiple sectors. The vast majority of U.S. critical infrastructure is privately owned. It comprises highly complex, fragmented systems at scale—a factor complicated by the sheer number of critical infrastructure operators at the state and local levels in the United States.
Awareness of cybersecurity threats and risks remains highly varied across different critical infrastructure sectors, unaided by the fact that resources from the federal government (whether funding, skilled staff, or expertise) have been limited in scope. And in many cases, these systems rely on dated technology that was designed without security in mind, or still use legacy information technology (hardware or software no longer supported by its manufacturer) that is riddled with easily exploitable and well-known technical vulnerabilities.
Together, these factors have resulted in basic cybersecurity measures not having been implemented across U.S. critical infrastructure, where low-sophistication cyberattacks are enough to get past weak cyber defenses. This degree of inherent vulnerability stands to become worse in the face of frontier AI models such as Mythos, should they fall into the hands of malicious states or cyber criminals.
The Trump administration acknowledges this degree of inherent vulnerability; its recently published National Cyber Strategy points to securing critical infrastructure as one of six priorities for stronger cyber defense. However, its priorities and rhetoric do not match up to reality.
Under the second Trump administration, the United States has experienced gaps in leadership; cuts to key agencies, including CISA and the Office of the Director of National Intelligence (ODNI), and to the internal functions that share or fuse information with the private sector; funding losses for information-sharing centers and for state and local authorities; lapses in legislation vital to information sharing; and an anticipated scaling down of federal funding for cybersecurity in the latest budget proposal, with CISA expected to lose another $707 million in cuts.
And although the ODNI’s 2026 Annual Threat Assessment recognizes that state and criminal cyber actors will “continue to pose critical threats to U.S. networks and critical infrastructure,” in the ongoing Department of Homeland Security shutdown, the Acting Director of CISA has even stated that CISA cannot perform outreach and preparatory activity necessary to counter cyber threats. In the face of capable adversaries and highly vulnerable systems, the institutional outlook is dour.
Strategic Intent Behind the Iranian Cyber Threat
Q4: What do these attacks tell us about Iran’s capabilities and intent?
A4: There are several important observations we can take away from Iran's cyber operations in the conflict so far, and from CISA's advisory:
This activity represents an expected, though slight, uptick in cyber operations by Iran against the United States. It provides important evidence that Iran is starting to weaponize access it already held to victim networks across the United States, access that in this case dates back to January 2025. Iran will likely do more of this as a means of going after future targets.
Iran’s cyber actors are operating in their comfort zone. The activity identified in CISA’s advisory fits Iran’s track record of targeting water and energy facilities in the United States, usually using low-sophistication methods that exploit basic vulnerabilities in internet-connected systems.
Where Iranian cyber actors are operational, they are spread across a range of cyber operations that serve Iran's broader strategic objectives in this conflict and go beyond disruption alone, including espionage, access operations, and information operations. Iran has been, and will likely continue to be, constrained by several factors: degraded cyber capabilities owing to the internet shutdown and loss of connectivity; the loss of cyber leadership figures to purported Israeli air strikes; and kinetic capabilities proving faster and higher in impact than offensive cyber operations.
Iran's cyber activity during this conflict has so far been notably consistent with its behavior in peacetime and in routine competition with Israel and the United States. This means it is highly likely that Iranian state or proxy actors will continue to target U.S. critical infrastructure as the conflict continues.
Q5: What does this actually mean in relation to the wider conflict, and who is winning the cyber war?
A5: Neither country is winning the "cyber war," and in any case, phrases such as "cyber war" are unhelpful because they distort the role that cyber capabilities play in contemporary warfare. Just as in the ongoing Russia-Ukraine conflict, cyber does not become the primary domain or battlefield, because it is incredibly difficult for cyber operations to deliver decisive effects in war.
Rather, their value lies primarily in cyber espionage and in defensive use during a conflict, not least given how long such calibrated capabilities take to prepare.
Iran's use of disruptive cyber operations, espionage, and cyber-enabled information operations all serve the pursuit of Iran's broader strategic objectives: to project power against its regional and global adversaries; to support and inform its military activity; and to support its economic coercion efforts in the Strait of Hormuz. For Iran, cyber capabilities have ultimately become an enabler for power projection, offering an asymmetric means of reaching beyond its conventional capabilities while ratcheting up pressure on countries participating in the conflict.
Q6: What should the United States and allies expect going forward?
A6: As the author has written elsewhere, these types of attacks, despite their disruptive nature, amount to a standard level of “noise” in the overall conflict; though they cause localized damage to victims, they are unlikely to change the conflict’s overall trajectory.
That is not to say that governments, businesses, and even citizens can let their guard down; in fact, quite the opposite. Over the coming weeks and months, governments and organizations in the United States, Israel, and Middle Eastern states will likely be targeted by cyber actors working for or aligned with Iran. Causing collateral damage to businesses and organizations in other countries is very much the point for Iran, as a means of ratcheting up pressure on their leaders.
It is also vital that policymakers and analysts look beyond the immediate conflict. Iran’s motivation to conduct cyber activity against the United States was already high before this campaign took place; now, Iran will have an even stronger appetite for revenge.
And important strategic points loom ahead on the United States’ horizon: the World Cup in June and the midterm elections in November. Given the high-profile nature of both events—and Iran’s track record of infiltrating U.S. infrastructure ahead of strategic moments or during geopolitical tension—these events will highly likely be considered strategic priorities for Iran’s cyber resources, including intelligence collection, and potentially, disruptive cyber activity.
These upcoming strategic moments make it even more imperative that governments, businesses, and other organizations across the world ensure that they have basic cybersecurity measures and practices in place, as well as robust business continuity practices for quick recovery.
Doing so narrows the attack surface for opportunistic targeting by Iranian cyber threat actors and reduces the ability of Iran and its proxies to project power through U.S. victims, especially if more threat actors come back online in the coming months. Importantly, it also makes it harder for other states and cyber criminals to exploit the same organizations for their own benefit.