
All news with #iran nexus tag

66 articles

Nearly 4,000 US Rockwell PLCs Exposed in Iranian Attacks

🔒 A joint U.S. federal advisory warns that Iranian state-backed hackers have been targeting Rockwell Automation/Allen‑Bradley PLCs since March 2026, extracting project files and manipulating HMI/SCADA displays. Internet-scanning firm Censys found 5,219 EtherNet/IP hosts exposed online globally, with 3,891 (74.6%) in the United States and a notable share on cellular carrier ASNs. Agencies urge disconnecting or firewalling PLCs, enforcing MFA, applying updates, disabling unused services, and monitoring OT ports and logs for suspicious overseas traffic.

Iran-linked PLC Attacks Disrupt US Critical Infrastructure

⚠️ Six US agencies warn an Iranian-affiliated group has compromised internet-exposed programmable logic controllers at water, energy, and government facilities since at least March 2026. The actors used leased overseas infrastructure and legitimate Rockwell Automation configuration tools to access CompactLogix and Micro850 controllers. Victims suffered operational disruption, project file theft, altered SCADA/HMI data, and persistent remote access.

Iran-Backed Hackers Target US CNI via Internet-Facing OT

⚠ Iranian-affiliated threat actors have been exploiting internet-facing operational technology (OT) assets to target US critical national infrastructure (CNI) providers since late March, according to a CISA advisory. Attackers used vendor configuration tools such as Rockwell Automation's Studio 5000 Logix Designer to create accepted connections to PLCs and manipulated HMI/SCADA displays. Observed inbound traffic used ports 44818, 2222, 102, 22 and 502 and included deployment of Dropbear SSH for remote access. Agencies urge immediate log review, segmentation, and removal of direct internet exposure for PLCs.

Iran-Linked Hackers Disrupt U.S. OT Devices and PLCs

🔒 Iran-affiliated cyber actors are targeting internet-facing operational technology (OT) devices across U.S. critical infrastructure, including energy, water and government facilities. U.S. agencies warn attackers used third-party hosted infrastructure and Rockwell Automation tools to connect to CompactLogix and Micro850 PLCs, deploy Dropbear SSH, extract project files, and manipulate HMI/SCADA displays, causing degraded functionality and disruption. Organizations are advised to remove internet exposure, enforce multi-factor authentication, place firewalls or proxies in front of PLCs, disable unused features, keep devices up to date, and monitor for anomalous traffic.

US: Iranian Hackers Target Internet-Exposed PLCs Nationwide

⚠️ U.S. agencies warn that Iranian-affiliated APT actors are actively targeting Internet-exposed Rockwell/Allen-Bradley and other PLCs on networks supporting critical infrastructure sectors such as Water, Energy, and Government Services. The joint advisory from the FBI, CISA, NSA, DOE, EPA, and U.S. Cyber Command states intrusions since March 2026 have caused operational disruption, extraction of device project files, and manipulation of HMI/SCADA displays. Organizations are advised to disconnect PLCs from the Internet or protect them behind firewalls, apply the latest firmware, enable multifactor authentication for OT access, disable unused services and default keys, and monitor OT ports and logs for the advisory's indicators of compromise.

Iranian-Linked Actors Target Internet-Facing PLCs in US

🚨 CISA, the FBI, NSA and partner agencies warn that Iranian-affiliated APT actors are actively exploiting internet-facing operational technology controllers, notably Rockwell Automation/Allen-Bradley PLCs. The actors used vendor configuration software and leased overseas hosting to access exposed PLCs, extracted project files, and altered data shown on HMIs and SCADA displays, causing operational disruption and financial loss. Organizations should urgently apply the advisory's IOCs and mitigations: remove PLCs from direct internet exposure, enforce access controls and MFA, and contact vendor and federal incident contacts if targeted.

Iran-Linked Password-Spraying Targets 300+ Israeli M365

🔒 Check Point reports an ongoing Iran-nexus password-spraying campaign against Microsoft 365 tenants, primarily impacting Israel and the U.A.E. in three waves on March 3, 13 and 23, 2026. The actor employed Tor exit nodes and commercial VPN infrastructure (AS35758) and used tools and techniques resembling Gray Sandstorm to scan, attempt logins, and exfiltrate mailbox content. Organizations are advised to enforce MFA, apply conditional access by geography, and monitor sign-in and audit logs for signs of compromise.

Iran-linked Password-Spray Campaign Targets Cloud Assets

🔒 Check Point Research identified an Iran-linked password-spraying campaign targeting Microsoft 365 cloud environments carried out in three waves on March 3, March 13, and March 23. The campaign primarily focused on Israel and the UAE, affecting more than 300 organizations in Israel and over 25 in the UAE. Activity tied to the same actor was also observed against a limited number of targets in Europe, the United States, the United Kingdom, and Saudi Arabia. These attempts seek account takeover and cloud footholds, highlighting the need for strengthened access controls and faster detection.

March 2026 security roundup — Tony Anscombe key takeaways

🔒 In the March 2026 edition Tony Anscombe reviews several high-impact incidents and trends that should shape organizational defenses. He summarizes the reported Stryker intrusion claimed by the Iran-linked Handala group, new research from the Google Threat Intelligence Group showing a rise in data theft tied to ransomware, Instagram's plan to stop encrypting private messages in May, and a Europol-led takedown of the Tycoon 2FA phishing platform. Watch the video for practical lessons and related coverage.

Iran-Linked Hackers Breach FBI Director's Email Inbox

⚠️ The FBI confirmed that Iran-linked hackers accessed the personal email account of FBI Director Kash Patel and published private photos and what appears to be his CV. The pro-Iranian hacktivist group Handala posted a selection of personal and work correspondence, with reporters verifying some items from Patel's Gmail account. The FBI said no classified or government systems were compromised and has taken steps to mitigate risks; strong, unique passwords and multi-factor authentication are advised.

FBI Confirms Hack of Director Kash Patel's Email Inbox

📧 The FBI confirmed that the Iran-linked Handala group breached the personal Gmail account of Director Kash Patel and published watermarked photos, documents, and email correspondence. The bureau said the material appears historical, is not recent, and does not include government information. The FBI added it has taken precautions to mitigate potential fallout. Handala claimed the attack was retaliation after domain seizures and a $10 million reward.

Iran-linked Handala Hackers Leak FBI Director's Emails

🔒 Threat actors linked to Iran's MOIS claimed they breached the personal email account of FBI Director Kash Patel and published a cache of photos and historical emails. The FBI confirmed Patel's emails were targeted, said necessary mitigations were enacted, and characterized the released material as historical and not government information. Security firms attribute the campaign to the Handala Hack persona, which relies on compromised VPN accounts, RDP lateral movement, and destructive wipers, prompting Microsoft and CISA guidance to harden Intune and enforce phishing‑resistant MFA.

Iran-Linked Pay2Key Ransomware Re-Emerges with Evasion

🔒 Security researchers warn that the Iran-linked Pay2Key ransomware group has re-emerged with enhanced evasion, execution and anti-forensics capabilities. A Halcyon and Beazley Security analysis of a recent US healthcare provider incident describes interactive access via TeamViewer, credential theft with Mimikatz, LaZagne and ExtPassword, and host discovery using Advanced IP Scanner and ns.exe. Operators used the AD console (dsa.msc) to blend in, deployed an SFX payload (abc.exe) to encrypt systems within three hours, and removed a 'No Defender' toolkit to hide tracks. Report authors found no clear evidence of data exfiltration and warn defenders to monitor this unpredictable, politically motivated threat.

FBI Links Handala Group to Targeted Spyware Campaign

🛡️ The FBI has attributed a sustained campaign of targeted malware and hack-and-leak operations to the Iranian-linked threat actor Handala, noting activity against dissidents, journalists and opposition groups dating to autumn 2023. The group claimed responsibility for a wiper attack on US medtech firm Stryker and used a multi-stage payload that disguises itself as legitimate Windows applications. Investigators observed social engineering lures, PowerShell-based evasion, and a Telegram-based command-and-control channel enabling remote access and data exfiltration, and urged standard hardening and reporting measures.

TeamPCP Deploys Iran-Targeted Wiper via Kubernetes

🧨 The TeamPCP group is deploying a geopolitically targeted wiper that seeks out Iranian systems and either destroys host data or implants a persistent backdoor on Kubernetes nodes. Aikido researchers link the campaign to the earlier CanisterWorm and Trivy supply-chain incidents, noting identical C2 infrastructure and the same /tmp/pglog drop path. When Iran indicators (timezone/locale) and Kubernetes are detected, the malware creates a privileged DaemonSet named Host-provisioner-iran that mounts the host root and runs Alpine containers called "kamikaze" to delete top-level directories and force a reboot. If Kubernetes is present but the host is not identified as Iranian, it deploys host-provisioner-std to write a Python backdoor and install it as a systemd service; variants also propagate via SSH or unauthenticated Docker APIs.

CanisterWorm Wiper Targets Iran via Compromised Cloud

🚨 A financially motivated group known as TeamPCP deployed a self‑propagating worm called CanisterWorm that spreads through poorly secured cloud control planes and conditionally executes a destructive wiper on systems set to Iran’s timezone or Farsi locale. The actors leveraged exposed Docker APIs, misconfigured Kubernetes clusters, Redis servers and the React2Shell vector, and inserted credential‑stealing code into official Trivy releases via compromised GitHub Actions. Researchers observed the group using ICP canisters to host payloads and noted the malicious builds were active only intermittently, leaving uncertainty about the extent of successful data destruction.

FBI: Handala Hackers Use Telegram for Malware C2 Operations

🔐 The FBI warns that Iranian-linked actors, including Handala and a state-associated Homeland Justice group, are using Telegram as command-and-control infrastructure in Windows malware campaigns. Attackers employ social engineering to install malware that exfiltrates screenshots and files from journalists, dissidents, and opposition groups worldwide. The alert followed the seizure of four clearnet domains and references prior disruptive operations such as Handala's attack on Stryker.

How CISOs Can Survive Geopolitical Cyberattacks Today

🛡️ Geopolitical tensions are driving a rise in destructive, non‑financial cyber campaigns that aim to disrupt operations rather than extort payment. Recent Iranian-linked wiper activity — exemplified by the March 2026 Handala attack on Stryker — shows attackers rely on stolen credentials and legitimate admin tools to move freely. Zero Networks recommends a five-step playbook focused on identity-aware access, default‑deny admin ports, scoped privileged access, detection of tunnels, and rapid automated containment to limit blast radius and preserve operations.

FBI Seizes Handala Leak Domains After Stryker Wipe

🔒 The FBI has seized two clearnet domains used by the Iranian-linked hacktivist group Handala after its destructive cyberattack on medical device maker Stryker. A seizure banner cites a Maryland court warrant and says the domains facilitated malicious cyber activities; DNS now points to FBI name servers. Handala acknowledged the seizures and said it will rebuild resilient infrastructure. Microsoft and CISA issued guidance to help organizations secure Intune and Windows domains against similar compromises.

EU Imposes Sanctions on Chinese and Iranian Cyber Firms

🔒 The Council of the European Union has sanctioned three companies and two individuals from China and Iran for cyberoperations that targeted devices and critical infrastructure. The measures name Integrity Technology Group (linked to the Raptor Train botnet), Anxun Information Technology (i‑Soon) and Iranian firm Emennet Pasargad. Listed parties face asset freezes and prohibitions on accessing funds, and natural persons are subject to travel bans through EU territory.