Over the past decade, Iranian cyber attacks conducted by state-linked operators have become a persistent component of global cyber threat activity. Security researchers and intelligence agencies have linked numerous campaigns to Iranian advanced persistent threat (APT) groups that conduct espionage, disruptive attacks, and critical infrastructure targeting.
These operations are typically attributed to groups such as APT33, APT34 (OilRig), APT35 (Charming Kitten), MuddyWater, and the hacktivist-style group CyberAv3ngers. Their activities range from credential harvesting and spear-phishing to industrial control system (ICS) targeting and destructive malware deployments.
Between 2016 and 2025, researchers have documented roughly 20–25 major Iranian cyber campaigns, targeting governments, energy companies, telecom providers, universities, and critical infrastructure worldwide.
| Year | Campaign / Incident | Suspected Iranian Group | Target / Region | Attack Type | Notes |
|---|---|---|---|---|---|
| 2025 | Critical infrastructure reconnaissance campaigns | MuddyWater | Middle East utilities | Espionage | Credential harvesting & remote admin abuse |
| 2025 | AI-assisted phishing campaigns | Charming Kitten (APT35) | US & EU researchers | Spear-phishing | Use of fake login portals |
| 2024 | Water utility hacking attempts | CyberAv3ngers | US & Israel water systems | ICS compromise | Targeted Unitronics PLC devices |
| 2024 | Israel-Hamas cyber conflict operations | Multiple Iranian groups | Israeli infrastructure | DDoS / defacement | Coordinated cyber operations |
| 2023 | Israel critical infrastructure attacks | CyberAv3ngers | Water treatment facilities | ICS exploitation | Claimed by pro-Iran hacktivist group |
| 2023 | Aerospace and defense espionage | APT33 | US / Europe | Cyber espionage | Malware delivery via spear phishing |
| 2022 | Log4Shell exploitation campaigns | MuddyWater | Global organizations | Vulnerability exploitation | Leveraging CVE-2021-44228 |
| 2022 | Telecom and government espionage | APT34 (OilRig) | Middle East | Credential theft | Custom backdoors |
| 2021 | Academic researcher phishing | Charming Kitten | Universities worldwide | Social engineering | Credential harvesting |
| 2021 | Israeli shipping company attacks | APT35 | Maritime sector | Cyber disruption | Linked to regional tensions |
| 2020 | US election interference attempts | APT35 | Political organizations | Phishing / influence ops | Attempted credential theft |
| 2020 | Israeli water infrastructure intrusion | Iranian operators | Water treatment systems | ICS intrusion | Attempted chemical manipulation |
| 2019 | Global telecom espionage | APT34 | Telecom operators | Espionage | Long-term data exfiltration |
| 2019 | Saudi energy sector attacks | APT33 | Energy companies | Malware deployment | Industrial targeting |
| 2018 | Middle East aviation espionage | APT33 | Aviation sector | Cyber espionage | Supply chain reconnaissance |
| 2018 | US universities cyber espionage | Iranian academic hacking group | Universities | Data theft | Intellectual property targeting |
| 2017 | Saudi petrochemical attack | Iranian-linked actors | Industrial plant | ICS malware | Safety system targeting |
| 2017 | Shamoon 2 destructive malware attacks | Iranian actors | Saudi energy companies | Wiper malware | Thousands of systems wiped |
| 2016 | Global banking DDoS attacks | Iranian operators | US financial institutions | DDoS | Operation Ababil continuation |
| 2016 | Middle East government espionage | OilRig (APT34) | Government networks | Espionage | Custom malware campaigns |
Total Iranian Cyber Campaigns by Category
Based on publicly documented incidents, Iranian cyber operations in the last decade can be categorized as follows:
| Category | Approximate Campaigns |
|---|---|
| Cyber espionage operations | ~9 |
| Critical infrastructure / ICS attacks | ~4 |
| Phishing and credential harvesting | ~4 |
| Destructive malware attacks | ~2 |
| DDoS / disruptive operations | ~2 |
| Total major campaigns identified | ~21 |
Major Iranian Threat Groups
Several Iranian cyber units have been repeatedly linked to state-backed cyber activity.
APT33 (Elfin)
APT33 is believed to focus primarily on energy, aviation, and industrial sectors. The group frequently uses spear-phishing and custom malware to gain access to target environments.
APT34 (OilRig)
APT34 primarily targets government agencies and telecommunications providers in the Middle East, conducting long-term espionage campaigns.
APT35 (Charming Kitten)
APT35 is widely known for phishing and social engineering campaigns, often targeting academics, journalists, researchers, and political organizations.
MuddyWater
MuddyWater conducts global cyber espionage campaigns and has frequently leveraged vulnerabilities and living-off-the-land techniques to maintain persistence.
CyberAv3ngers
CyberAv3ngers emerged as a pro-Iran hacktivist group targeting industrial control systems and water infrastructure, particularly in the United States and Israel.
Key Trends in Iranian Cyber Operations
1. Increasing Focus on Critical Infrastructure
Recent campaigns show a growing interest in industrial control systems (ICS) and critical infrastructure. Water utilities, energy facilities, and industrial environments have become frequent targets.
2. Credential Harvesting as a Primary Entry Vector
Many Iranian campaigns begin with spear-phishing emails or fake login portals designed to steal credentials from targeted individuals.
3. Regional Geopolitical Targeting
Iranian cyber operations often align with geopolitical tensions and frequently target organizations in:
- Israel
- Saudi Arabia
- United States
- Gulf countries
- Western research institutions
4. Use of Known Vulnerabilities
Iranian operators have also been observed exploiting publicly disclosed vulnerabilities, including widely exploited issues like Log4Shell, to gain initial access.
Security Implications for Organizations
Organizations across multiple sectors should remain aware of Iranian cyber threat activity, particularly those operating in:
- Energy and utilities
- Telecommunications
- Government networks
- Defense and aerospace
- Academic and research institutions
Security teams can reduce risk by implementing strong credential protection, patch management, monitoring, and threat intelligence integration.
Threat Intelligence Report
Iranian Cyber Operations (2016–2025)
Report Type: Strategic Threat Intelligence
Audience: SOC Analysts, Threat Hunters, Security Engineers, CISOs
Report Date: 2026
Classification: Defensive Cybersecurity Intelligence
Executive Summary
Over the past decade, Iranian state-aligned cyber groups have conducted a wide range of cyber operations targeting critical infrastructure, government networks, telecom providers, universities, and private industry. These campaigns primarily focus on cyber espionage, credential harvesting, and infrastructure disruption.
Threat groups commonly attributed to Iranian cyber operations include:
- APT33 (Elfin)
- APT34 (OilRig)
- APT35 (Charming Kitten)
- MuddyWater
- CyberAv3ngers
Between 2016 and 2025, at least 20–25 major campaigns have been publicly documented by security researchers and government agencies. These operations demonstrate persistent targeting of Middle Eastern geopolitical adversaries, as well as Western research institutions and critical infrastructure.
Security operations centers (SOCs) should prioritize phishing detection, credential protection, vulnerability management, and monitoring for living-off-the-land activity commonly associated with Iranian threat actors.
Key Findings
| Finding | Description |
|---|---|
| Persistent cyber espionage | Majority of Iranian operations focus on intelligence collection |
| Infrastructure targeting increasing | Water utilities, energy facilities, and ICS environments are growing targets |
| Credential theft primary access method | Phishing remains the most common entry vector |
| Exploitation of known vulnerabilities | Groups often leverage widely exploited vulnerabilities |
| Long dwell times | Iranian groups frequently maintain persistence for months |
Iranian Cyber Campaign Timeline (2016–2025)
For the year-by-year timeline, refer to the campaign table at the beginning of this page.
Threat Actor Profiles
APT33 (Elfin)
Primary Targets
- Aviation industry
- Energy companies
- Defense contractors
Typical Tactics
- Spear-phishing
- Malware deployment
- Credential harvesting
Observed Capabilities
- Custom backdoors
- Long-term persistence inside enterprise networks
APT34 (OilRig)
Primary Targets
- Middle Eastern governments
- Telecommunications providers
- Financial institutions
Key Techniques
- Credential harvesting portals
- Supply-chain compromise attempts
- Custom remote access malware
APT35 (Charming Kitten)
Primary Targets
- Academics
- Journalists
- Security researchers
- Political organizations
Common Techniques
- Social engineering
- Fake login portals
- Credential harvesting
MuddyWater
Primary Targets
- Government organizations
- Telecom providers
- Critical infrastructure
Operational Characteristics
- Living-off-the-land techniques
- Use of legitimate administrative tools
- Exploitation of widely known vulnerabilities
CyberAv3ngers
Primary Targets
- Industrial control systems
- Water infrastructure
Notable Activity
- Attempts to access PLC devices in water treatment systems
- Public claims of cyber disruption campaigns
Observed Tactics, Techniques, and Procedures (TTPs)
| MITRE ATT&CK Category | Observed Behavior |
|---|---|
| Initial Access | Spear-phishing, vulnerability exploitation |
| Execution | Script execution using legitimate system tools |
| Persistence | Scheduled tasks and credential reuse |
| Credential Access | Phishing portals and credential dumping |
| Lateral Movement | Remote administration tools |
| Command and Control | Encrypted web traffic |
| Impact | Data exfiltration, infrastructure disruption |
Indicators and Behavioral Patterns
SOC teams should monitor for the following behavioral patterns frequently associated with Iranian campaigns.
Suspicious Authentication Activity
- Login attempts from unusual geographic locations
- Repeated failed authentication attempts
- OAuth or identity provider abuse
Phishing Infrastructure Indicators
- Fake login portals impersonating cloud services
- Domains mimicking research institutions or government portals
Network Behavior
- Beaconing to suspicious external servers
- Unexpected outbound connections to new domains
- Unusual PowerShell activity
Endpoint Indicators
- Execution of administrative tools outside normal workflows
- Suspicious scheduled task creation
- Unauthorized credential access attempts
Detection Recommendations for SOC Teams
Log Sources to Monitor
- SIEM authentication logs
- EDR process telemetry
- Email gateway logs
- DNS query logs
- Firewall traffic logs
Threat Hunting Queries (Conceptual)
SOC analysts should investigate:
- Unusual PowerShell or scripting activity
- Unexpected credential authentication patterns
- Remote administration tool usage outside approved workflows
- Network connections to suspicious domains
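As an added example (not part of the original report), the following Python hunt applies two of the behavioural patterns listed above to constructed sample events: repeated failed logins followed by a success from a country outside the user's baseline, and outbound connections at near-constant intervals (beaconing). The record layouts, the per-user baseline, and the thresholds (three failures in ten minutes, five connections with a coefficient of variation of 0.2 or less) are assumptions chosen for illustration, and the beaconing check is a general interval-regularity heuristic rather than a signature for any one tool.

```python
"""Toy hunt over constructed events for two patterns named in the report:
failures-then-success from an unseen country, and regular-interval beaconing."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed authentication events: (epoch seconds, user, result, country)
AUTH = [
    (0, "alice", "fail", "US"), (30, "alice", "fail", "US"), (60, "alice", "fail", "US"),
    (90, "alice", "fail", "US"), (120, "alice", "success", "IR"),
    (0, "bob", "fail", "US"), (500, "bob", "success", "US"),
]
# Assumed baseline of countries each user normally signs in from (constructed)
BASELINE = {"alice": {"US"}, "bob": {"US"}}
# Constructed outbound connection events: (epoch seconds, host, destination)
NET = [(t, "ws01", "198.51.100.7") for t in range(0, 600, 60)] + \
      [(5, "ws02", "example.org"), (40, "ws02", "example.org"), (400, "ws02", "example.org")]

def suspicious_auth(events, baseline, fails=3, window=600):
    """Users with >= `fails` failures in the `window` seconds before a success
    from a country outside their baseline (credential-theft pattern)."""
    by_user = defaultdict(list)
    for t, user, result, country in sorted(events):
        by_user[user].append((t, result, country))
    hits = []
    for user, evs in by_user.items():
        for i, (t, result, country) in enumerate(evs):
            if result != "success" or country in baseline.get(user, set()):
                continue
            recent = sum(1 for t2, r2, _ in evs[:i] if r2 == "fail" and t - t2 <= window)
            if recent >= fails:
                hits.append((user, country, recent))
    return hits

def beaconing(events, min_conns=5, max_cv=0.2):
    """(host, dest) pairs with >= `min_conns` connections whose inter-arrival
    times are nearly constant (coefficient of variation <= `max_cv`)."""
    pairs = defaultdict(list)
    for t, host, dest in events:
        pairs[(host, dest)].append(t)
    hits = []
    for (host, dest), times in pairs.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        if cv <= max_cv:
            hits.append((host, dest, round(mean(gaps)), len(times)))
    return hits
```

On the constructed data, `suspicious_auth` flags alice (four failures, then a success from a country outside her baseline) and `beaconing` flags ws01's ten connections at a fixed 60-second cadence, while bob's normal login and ws02's irregular traffic are not reported.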
Mitigation Recommendations
Organizations can reduce exposure to Iranian cyber operations by implementing the following security measures.
Identity Security
- Enforce multi-factor authentication
- Monitor privileged account activity
- Implement conditional access policies
Email Security
- Deploy advanced phishing detection
- Train users to recognize spear-phishing attempts
Patch Management
- Rapidly apply security patches
- Monitor vulnerability disclosures
Network Security
- Segment critical infrastructure networks
- Restrict administrative access
Risk Assessment
| Sector | Risk Level |
|---|---|
| Energy | High |
| Water utilities | High |
| Government | High |
| Telecommunications | Medium |
| Universities | Medium |
| Private industry | Medium |
Strategic Outlook
Iranian cyber capabilities continue to evolve. Future campaigns are expected to focus on:
- Critical infrastructure disruption
- Supply-chain compromise
- Credential harvesting operations
- Industrial control system targeting
The increasing intersection of geopolitical conflict and cyber operations suggests continued Iranian cyber activity against regional adversaries and Western institutions.
Conclusion
Iranian cyber groups remain a persistent threat to global organizations. While many operations focus on espionage and intelligence gathering, the targeting of critical infrastructure and industrial systems indicates growing offensive capabilities.
Security teams should maintain strong detection capabilities, monitor credential abuse activity, and prioritize rapid vulnerability remediation to defend against Iranian cyber campaigns.
Conclusion
Iranian cyber operations have evolved significantly over the last decade, expanding from regional espionage campaigns to global cyber activities affecting critical infrastructure and research institutions. While destructive attacks remain relatively rare compared to espionage operations, the increasing focus on industrial systems and infrastructure highlights the growing strategic role of cyber operations in geopolitical conflict.
Understanding the timeline, threat groups, and attack patterns associated with Iranian cyber activity is essential for organizations seeking to improve detection and defense against state-linked cyber threats.