Iranian Cyber Threats Intensify as Seedworm Targets U.S. Infrastructure Amid Escalating Tensions

Iranian Cyber Threats Escalate: U.S. Critical Infrastructure Under Siege

In early February 2026, the Iranian advanced persistent threat (APT) group known as Seedworm, also tracked as MuddyWater, TEMP.Zagros, and Static Kitten, initiated a series of intrusions into multiple U.S. organizations. This surge in activity has raised significant concern within the cybersecurity community, especially in the wake of coordinated U.S. and Israeli military strikes on Iran on February 28, 2026. Those strikes resulted in the death of Iran's Supreme Leader and dramatically escalated regional tensions.

Iran’s response has not been confined to conventional military actions; its cyber operatives have leveraged the heightened conflict to intensify attacks against American and allied targets. Seedworm, active since at least 2017 and classified by the Cybersecurity and Infrastructure Security Agency (CISA) as a subordinate element of Iran’s Ministry of Intelligence and Security (MOIS), has expanded its focus beyond the Middle East. The group now targets telecommunications companies, defense contractors, local governments, and oil and natural gas organizations across Asia, Africa, Europe, and North America.

Symantec researchers have identified Seedworm intrusion activity within the networks of a U.S. bank, a U.S. airport, a software company with ties to the defense and aerospace industries, and non-governmental organizations in both the U.S. and Canada. Notably, the software company's Israeli operations appeared to be the primary focus, suggesting that Seedworm used the company's global corporate network as a path to reach its real target in Israel: a compromise of one subsidiary becomes lateral access to another. These breaches commenced before the military conflict, indicating that the group had been strategically positioning itself within high-value networks well in advance of the escalation.

The UK’s National Cyber Security Centre has issued a formal alert, warning that Iranian state-aligned actors almost certainly currently maintain at least some capability to conduct cyber activity, despite disruptions to internet infrastructure within Iran. This underscores a critical reality: Seedworm and other affiliated actors operate from multiple countries, meaning that domestic disruptions within Iran do not halt their overall operations. The hacktivist group Handala, aligned with Iran’s geopolitical interests, has reportedly been leveraging the Starlink satellite network to maintain connectivity since mid-January 2026, well before Iran’s government announced a nationwide internet shutdown.

Beyond Seedworm, other Iran-linked actors have intensified their activities. The pro-Palestinian hacktivist group DieNet, which emerged in early 2025, has claimed responsibility for distributed denial-of-service (DDoS) attacks targeting U.S. critical infrastructure across the energy, financial, healthcare, and transportation sectors. These attacks employ techniques such as TCP SYN floods, DNS amplification, and NTP amplification. This combination of state-sponsored espionage and hacktivist disruption creates a layered threat environment that no single defensive measure can fully contain.

Backdoor Deployment and Stealth Persistence

Seedworm's recent toolkit includes two newly identified backdoors: Dindoor and Fakeset. Dindoor is a previously unknown backdoor that executes through Deno, a JavaScript and TypeScript runtime. Deno is rarely present on enterprise endpoints, so a backdoor built on it has an unconventional footprint that many security tools will not flag; for the same reason, the mere presence of a Deno binary on a workstation or server where it has no business purpose is a useful hunting signal. Dindoor was found on networks belonging to the software company's Israeli branch, a U.S. bank, and a Canadian non-profit, signed with a certificate issued to Amy Cherne, a reminder that a valid code signature does not by itself establish that a binary is trustworthy. Fakeset, a Python-based backdoor, was deployed on the airport's network, indicating a tailored approach to different targets.

During the software company intrusion, the attackers also attempted to exfiltrate data using Rclone, a legitimate command-line file-transfer utility repurposed to move files to a Wasabi cloud storage bucket. Because Rclone is widely used for legitimate backups and speaks ordinary HTTPS to the storage provider, the tool itself is not malicious; what stands out is who ran it, from where, and how much data it pushed to a provider the organization does not use. Whether this attempt succeeded remains unclear.

Mitigation Strategies

Organizations are advised to implement the following measures to mitigate the risk posed by these advanced threats:

– Enforce Multi-Factor Authentication (MFA): Require MFA on every remote-access entry point (VPN, remote desktop gateways, SaaS and cloud administration consoles) so that a stolen or phished password alone does not grant access.

– Monitor for Abnormal Data Transfers: Baseline outbound volume per host and per process, and alert on large transfers from binaries that have no business reason to upload data. An Rclone process pushing gigabytes to a cloud bucket should stand out against that baseline.

– Deploy Web Application Firewalls (WAFs): Place WAFs with current rule sets in front of internet-facing applications to block common web-based attacks.

– Restrict Access to External Cloud Storage: Allow-list the cloud storage providers the business actually uses and log or block connections to all others; an upload to a provider the organization has no relationship with is a strong exfiltration signal.

– Maintain Offline Immutable Backups: Keep backups that are offline or write-once, so they survive deletion or encryption by an intruder who has gained administrative access, and test restoration regularly so recovery is fast when it is needed.
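The Rclone-to-Wasabi exfiltration described above and the "monitor abnormal data transfers" and "restrict external cloud storage" recommendations can be turned into a concrete detection. The following is an added illustrative example, not code from Symantec or from the article; it assumes a simple key=value endpoint log format constructed here, assumes Wasabi S3 endpoints share the suffix wasabisys.com (verify against your own proxy data), and uses an assumed 50 MB per-process outbound threshold. It flags Rclone process launches, any connection to a Wasabi endpoint, and any process whose summed outbound bytes exceed the threshold.

```python
"""
Flag Rclone-style exfiltration to Wasabi in endpoint/proxy logs.

Added illustrative example (not Symantec's or the article's code).
Assumptions, labelled as such:
  - log lines use a simple key=value format constructed below;
  - Wasabi endpoints end in "wasabisys.com" (assumed suffix);
  - 50 MB of outbound data per process per host is "abnormal".
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

WASABI_SUFFIX = "wasabisys.com"        # assumed endpoint suffix
BYTES_THRESHOLD = 50 * 1024 * 1024     # assumed abnormal-volume threshold
RCLONE_NAMES = {"rclone", "rclone.exe"}

# Constructed sample telemetry (not real data). Line 1-2: rclone staged in
# %TEMP% and pushing 70 MB to a Wasabi bucket. Line 3: benign browsing.
# Line 4: a legitimate backup job to an internal NAS. Lines 5-6: a binary
# masquerading as svchost.exe uploading to Wasabi in two smaller chunks.
SAMPLE_LOGS = r"""
ts=2026-02-10T03:12:05Z host=ws-041 event=process_start image=C:\Users\jdoe\AppData\Local\Temp\rclone.exe cmdline="rclone.exe copy D:\projects remote:bucket-7 --transfers 16"
ts=2026-02-10T03:12:07Z host=ws-041 event=net_conn image=C:\Users\jdoe\AppData\Local\Temp\rclone.exe dst=s3.us-east-1.wasabisys.com dport=443 bytes_out=73400320
ts=2026-02-10T03:14:11Z host=ws-041 event=net_conn image="C:\Program Files\Mozilla Firefox\firefox.exe" dst=www.example.com dport=443 bytes_out=12000
ts=2026-02-10T03:15:00Z host=srv-db2 event=process_start image=C:\Tools\backup.exe cmdline="backup.exe --dest \\nas01\backups"
ts=2026-02-10T03:20:40Z host=ws-017 event=net_conn image=C:\Windows\Temp\svchost.exe dst=s3.wasabisys.com dport=443 bytes_out=5242880
ts=2026-02-10T03:21:40Z host=ws-017 event=net_conn image=C:\Windows\Temp\svchost.exe dst=s3.wasabisys.com dport=443 bytes_out=62914560
"""

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_wasabi(dst: str) -> bool:
    """True if the destination host is a Wasabi endpoint (assumed suffix)."""
    dst = dst.lower()
    return dst == WASABI_SUFFIX or dst.endswith("." + WASABI_SUFFIX)


def analyze(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return findings: rclone launches, Wasabi connections, large uploads."""
    findings: List[Dict[str, object]] = []
    outbound: Dict[tuple, int] = defaultdict(int)   # (host, image) -> bytes

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        host, image = ev.get("host", ""), ev.get("image", "")

        if ev.get("event") == "process_start":
            # Catch rclone whether it is named in the image path or only in
            # the command line (renamed binaries are common).
            cmd_first = ev.get("cmdline", "").split(" ", 1)[0]
            if basename(image) in RCLONE_NAMES or basename(cmd_first) in RCLONE_NAMES:
                findings.append({"rule": "rclone_execution", "host": host,
                                 "image": image, "ts": ev.get("ts")})

        elif ev.get("event") == "net_conn":
            if is_wasabi(ev.get("dst", "")):
                findings.append({"rule": "wasabi_connection", "host": host,
                                 "image": image, "dst": ev["dst"], "ts": ev.get("ts")})
            # Sum per process so chunked uploads are not missed.
            outbound[(host, image)] += int(ev.get("bytes_out", "0"))

    for (host, image), total in outbound.items():
        if total > BYTES_THRESHOLD:
            findings.append({"rule": "large_outbound", "host": host,
                             "image": image, "bytes_out": total})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS.splitlines()):
        print(f)
```

Run against the constructed sample, this yields one rclone_execution finding, three wasabi_connection findings, and two large_outbound findings (the rclone process on ws-041 and the fake svchost.exe on ws-017, whose two uploads only cross the threshold when summed). The benign Firefox traffic and the internal backup job on srv-db2 produce nothing. In production the Wasabi suffix would be one entry in a list of providers the organization does not use, and the threshold would come from a per-host baseline rather than a constant.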

The evolving cyber threat landscape, characterized by the activities of groups like Seedworm and DieNet, underscores the need for continuous vigilance and adaptive security measures to protect critical infrastructure from sophisticated state-sponsored attacks.