Iran Cyber Attacks 2026: Threats, APT Tactics & How Organisations Should Respond
Written by the Cyber Threat Intelligence team
Iran cyber attacks in 2026 have intensified following escalating conflict between the United States, Israel, and Iran. Iranian APT groups are increasingly targeting critical infrastructure, supply chains, and Western organisations using phishing, malware, and influence operations.
Background: Escalation After February 28th 2026
Joint military action by the United States and Israel on 28th February 2026 marked the beginning of a clear escalation in hostilities in the Middle East, resulting in the death of Iran’s Supreme Leader alongside senior commanders and triggering fierce regional retaliation. Further strikes and reprisals have exacerbated tensions in the region, raising fears of broader conflict and heightened geopolitical instability.

Iran Cyber Threat Landscape in 2026
Iran has consistently used cyber operations as a means of operating below the threshold of conventional military confrontation with the West. Its cyber capabilities are believed to largely remain intact after the coordinated U.S. and Israeli strikes of 28th February 2026 and therefore pose a continuing threat of asymmetric attacks and disruption. As of 12th March 2026, the NCSC in the UK advises:
“As a result of the ongoing conflict in the Middle East, there is likely no current significant change in the direct cyber threat from Iran to the UK, however due to the fast-evolving nature of the conflict, this assessment may be subject to change.” (Ref)
However, the alert goes on to state that organisations with operations or supply chains in the Middle East almost certainly face an increased threat from Iran and its proxies. As recently as 10th March 2026, the Iran-linked threat actor Handala Hack is believed to have targeted the American business Stryker, directly impacting its operations in Ireland.
For organisations with exposure to the Middle East in particular, February 28th marks the beginning of changing operational cybersecurity threats, considerable supply chain disruption (including in the Strait of Hormuz and the Red Sea), and heightened concerns about safety and knock-on reputational risk.
Iranian APT Groups & Cyber Capabilities
Although Iranian cyber capabilities are generally regarded as less advanced than those of larger cyber powers such as China or Russia, they are known to successfully carry out espionage and disruption/influence objectives. Iran has traditionally used an asymmetric cyber strategy via Advanced Persistent Threat (APT) Groups to focus heavily on espionage, credential theft, social engineering and long term access. Iranian cyber operations often exploit vulnerabilities in industrial control systems (ICS) and other Critical National Infrastructure (CNI). The impact of such attacks, at relatively low cost, is economic, operational, or societal disruption. Previously, Iran could carry out such attacks without triggering conventional military retaliation.
Key Targets of Iran Cyber Attacks
CNI (including ICS), energy grids, transportation networks, water systems, and oil & gas organisations remain targets for hostile activity by Iran. A successful attack against CNI is a means of signalling successful and high impact retaliation. Organisations within the supply chain of these sectors remain potential targets.
Furthermore, Iran may prioritise a range of strategically significant targets across both the public and private sectors, including national government departments and defence ministries, intelligence associated contractors, financial institutions, healthcare and media organisations, and key individuals.
Again, suppliers are also potential targets. Collectively, the above entities represent political, economic, technological, and psychological influence, making them attractive targets for cyber operations intended to gather intelligence, exert pressure, or conduct asymmetric retaliation.
Geopolitical Context
Capitalist and “Westernised” countries remain frequent targets for cyber threat actors from nation states, such as Iran, which are ideologically opposed to their values. Interactions between Iran and Western nations in the months leading up to February 28th gave an indication of the potential for the escalation of hostilities. A diplomatic dispute in August 2025 between Iran and Australia led to warnings from Western intelligence sources of an increased risk of Iranian “hybrid” operations (when cyberattacks are blended with more “traditional” types of attack). In July 2025, 13 allies, including the “E3” (the UK, Germany and France) condemned a rise in hostile activity by Iranian intelligence services against individuals in Europe and North America. In the same month, Germany announced plans to strengthen cyber security collaboration with Israel. Although traditional U.S. and Israeli allies may not have had direct involvement in the air strikes on Iran beginning February 28th 2026, they could nonetheless be perceived as “guilty by association”, given their strategic alignment with the United States and Israel. Therefore, these allies could be subject to increased hostile activity as the conflict continues.
Common Attack Vectors Used by Iran
Iranian APT groups typically rely on social engineering and direct engagement with targets. These practices are core to their approach and align with recognised techniques within the MITRE ATT&CK framework.
Social Engineering and Direct Human Targeting
Recent intelligence consistently identifies social engineering as a principal tactic. Iranian APT groups use direct communication methods (including encrypted chat applications, SMS, and video calls) to build rapport with targeted individuals and then deliver malicious files or links. This approach is designed to bypass email-based filtering and perimeter defences by exploiting human trust and the limited visibility most organisations have into these channels. It corresponds to MITRE ATT&CK technique T1566 (Phishing), and in particular T1566.003 (Spearphishing via Service), with an expanded emphasis on non-email vectors.
Malware Delivery and Persistence
The deployment of persistent malware, such as the PowGoop ‘E400’ variant, has been observed in Iranian APT operations. Analysis of this variant reveals an extensive network of control servers in operation since at least 2020, demonstrating a focus on establishing and retaining long-term access within target environments. This aligns with MITRE ATT&CK techniques for command and control (T1071, Application Layer Protocol) and persistence (T1547, Boot or Logon Autostart Execution).
Exploitation of Geopolitical and Sectoral Targets
Iran prefers to target entities of strategic value, with broader historical patterns of Iranian cyber activity directed at governmental and defence sectors. Reporting also highlights the targeting of military organisations, including earlier campaigns against the Pakistani military attributed to the group VajraEleph.
Use of Advanced Communication and Evasion
Available intelligence indicates control infrastructure supporting ongoing operations, including encrypted command and control (MITRE ATT&CK T1573, Encrypted Channel), and implies the use of evasion techniques intended to bypass detection. The specific evasion methods are not detailed in open reporting.
Influence & Information Warfare Tactics
In keeping with its asymmetric tactics, Iran uses influence operations to spread disinformation via media outlets and fake/automated accounts on social media, polarising opinion and exploiting division in target societies. This tactic has been in evidence since 28th February with exaggerated claims of American casualty numbers and false claims of successful retaliatory attacks against US Navy warships. Iran uses AI to better understand the media landscape and amplify its messaging worldwide.
How Organisations Can Mitigate Iran Cyber Threats
With Iran currently experiencing an internet blackout, it is reasonable to expect a spike in activity such as scanning, brute force and Distributed Denial of Service (DDoS) when access resumes. A caveat to this is that if there is a societal uprising, resources that would otherwise have been deployed against external targets may instead be directed at Iran’s own population. Mitigations can be divided into the following categories:
- Strengthen defences against social engineering
Provide ongoing staff training, run up-to-date phishing simulations (including more sophisticated AI-enabled campaigns), promote awareness, and ensure simple reporting channels are in place to minimise the risk of credential theft and compromise.
- Harden identity & access controls
Enforce multi-factor authentication (MFA), preferring phishing-resistant methods (FIDO2/passkeys) given the social-engineering emphasis described above, apply least-privilege principles, and maintain strong password and account management standards.
- Improve endpoint detection & persistence monitoring
Utilise endpoint detection and response (EDR) capabilities to identify suspicious behaviour and detect attempts to establish or maintain unauthorised access.
- Strengthen command & control (C2) detection
Actively monitor network traffic for irregular outbound connections and known indicators linked to malicious command-and-control infrastructure.
- Enhance email & file security controls
Strengthen email gateway protections, sandbox attachments, and monitor file activity to reduce the likelihood of malware infection and data loss.
- Protect mobile & remote workforce
Secure remote connectivity through controlled VPN access, enforce device management policies, and apply zero-trust security principles across distributed environments.
- Sector-specific defensive posture (Government/Defence/IT)
Align security controls and threat intelligence with the specific risk profile of government, defence, and technology sectors.
- Incident response readiness
Keep incident response plans current and tested, establish clear escalation pathways, and conduct regular exercises to support swift containment and recovery.
- DDoS preparedness
Put measures in place such as traffic filtering, system redundancy, and dedicated mitigation services to maintain availability during denial-of-service attacks.
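As an added example of the C2 detection described above (this is illustrative code written for this page, not tooling from the Cyber Threat Intelligence team), the script below runs two checks over web-proxy logs: a match against a known-bad destination list, and a beaconing heuristic that flags a host contacting the same destination at near-uniform intervals, as an implant polling its server on a timer does. The log lines, host names and indicator list are constructed for the example and are not real indicators.

```python
"""Flag possible command-and-control (C2) traffic in web-proxy logs.

Check 1: destination matches a known-bad indicator list.
Check 2: a source host contacts one destination at suspiciously regular
intervals (beaconing), measured by the coefficient of variation of the gaps.

All log lines and indicators below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed indicator list (hypothetical host, not a real IOC).
KNOWN_BAD_HOSTS = {"update-check.example.net"}

# Constructed proxy log lines: "timestamp src_ip dst_host bytes_out".
# 10.0.0.7 polls beacon.example.org every ~30s with small jitter;
# 10.0.0.5 browses cdn.example.com at irregular, human-like intervals.
SAMPLE_LOG = """\
2026-03-12T09:00:00 10.0.0.5 cdn.example.com 1200
2026-03-12T09:00:00 10.0.0.7 beacon.example.org 310
2026-03-12T09:00:31 10.0.0.7 beacon.example.org 312
2026-03-12T09:01:00 10.0.0.7 beacon.example.org 309
2026-03-12T09:01:30 10.0.0.7 beacon.example.org 311
2026-03-12T09:02:01 10.0.0.7 beacon.example.org 310
2026-03-12T09:00:12 10.0.0.5 cdn.example.com 5400
2026-03-12T09:03:41 10.0.0.5 cdn.example.com 900
2026-03-12T09:07:05 10.0.0.5 cdn.example.com 4300
2026-03-12T09:15:00 10.0.0.5 cdn.example.com 700
2026-03-12T09:05:00 10.0.0.9 update-check.example.net 220
"""


def parse_log(text):
    """Return a list of (timestamp, src_ip, dst_host, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def indicator_hits(events, bad_hosts=KNOWN_BAD_HOSTS):
    """Check 1: (src, dst) pairs where dst is on the indicator list."""
    return sorted({(src, dst) for _, src, dst, _ in events if dst in bad_hosts})


def beacon_candidates(events, min_connections=5, max_cv=0.2):
    """Check 2: (src, dst) pairs whose inter-connection gaps are nearly uniform.

    Returns (src, dst, mean_gap_seconds, cv). A low cv (stdev / mean) means the
    connections are periodic even if the implant adds small jitter; human
    browsing produces highly variable gaps and a much higher cv.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)

    results = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections at the same instant; not a beacon pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            results.append((src, dst, avg, cv))
    return results


def analyse(text):
    """Run both checks over raw log text and return the findings."""
    events = parse_log(text)
    return {
        "indicator_hits": indicator_hits(events),
        "beacons": beacon_candidates(events),
    }


if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG)
    for src, dst in findings["indicator_hits"]:
        print(f"IOC match: {src} -> {dst}")
    for src, dst, avg, cv in findings["beacons"]:
        print(f"Beacon candidate: {src} -> {dst} every ~{avg:.1f}s (cv={cv:.3f})")
```

In production the thresholds (five connections, cv of 0.2) should be tuned against a baseline of the organisation's own traffic, and legitimate periodic traffic (update checkers, monitoring agents) needs an allow-list to keep the beacon check from drowning analysts in false positives.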