(TLP:CLEAR) Deep Dive into Iranian Cyber Actor Tactics – What Utilities Need to Know
Created: Thursday, March 19, 2026 - 14:48
Categories: Cybersecurity, OT-ICS Security, Security Preparedness
Summary: Recent reporting highlights that Iranian cyber operations continue to intensify alongside geopolitical tensions, leveraging a well-established playbook focused on speed, persistence, and opportunistic targeting.
The report below offers a deeper look into the main tactics current and historical research has attributed to Iranian-linked threat actors. These are actors affiliated with the Islamic Revolutionary Guard Corps (IRGC) and Iran’s primary intelligence agency known as the Ministry of Intelligence and Security (MOIS). They are advanced persistent threat actors (APTs) and are known to target critical infrastructure, including water and wastewater utilities.
WaterISAC strongly encourages utilities to also review the mitigations included below, which are tailored to water utilities and directly address Iranian-linked threat actor tactics. They are also aligned with WaterISAC’s 12 Fundamentals for Water and Wastewater Utilities.
Analyst Note: Iranian cyber activity reflects a consistent and repeatable playbook that relies heavily on phishing, password spraying, and exploitation of unpatched or internet-facing systems to gain initial access. Once inside, they frequently use legitimate administrative tools and remote management software to blend into normal activity, maintain access, and move laterally. Activity increasingly spans hack-and-leak campaigns, disruptive operations, and identity-based attacks, including abuse of cloud and management platforms to scale impact. Targeting has included critical infrastructure and supply chain relationships, where weak credentials, misconfigurations, and trusted vendor access create entry points.
Identity and Access as the Primary Attack Surface
A defining trend is these actors’ focus on identity compromise through phishing, credential harvesting, and password spraying campaigns targeting cloud services and remote access portals. Password spraying is high-volume but low-noise: thousands of login attempts are spread across a large number of accounts, so no single account accumulates enough failures to stand out, which makes the activity difficult to detect while still letting attackers test credentials broadly until access is achieved. These attacks can also be highly targeted. Once access is obtained, attackers commonly:
- Leverage compromised accounts to conduct internal phishing.
- Access sensitive emails, files, and shared drives.
- Escalate privileges and move laterally across the network.
Password spraying campaigns against Microsoft 365 and VPN services remain a consistent tactic. Groups like Pioneer Kitten (UNC757) have historically leveraged weak credential hygiene for initial access.
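The detection logic below is an added example, not part of the WaterISAC advisory: it runs a simple password-spray detector over constructed sign-in log lines. Because spraying keeps per-account failure counts low, the detector pivots on the source address and counts how many distinct accounts fail from one origin inside a short window, then checks whether that same origin later signed in successfully. The log format, the thresholds, and all IP addresses and account names are assumptions constructed for the example.

```python
"""Password-spray detector over sign-in logs (constructed example, not WaterISAC code).

Spraying tries a few passwords against many accounts, so each account sees only
one or two failures. Detection therefore keys on the *source*: many distinct
accounts failing from one origin in a short window, ideally followed by a
success, which is the signal that a weak password was found.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp,source_ip,account,result
SAMPLE_LOGS = """\
2026-03-19T08:00:01,203.0.113.5,alice,FAILURE
2026-03-19T08:00:07,203.0.113.5,bob,FAILURE
2026-03-19T08:00:13,203.0.113.5,carol,FAILURE
2026-03-19T08:00:20,203.0.113.5,dave,FAILURE
2026-03-19T08:00:26,203.0.113.5,erin,FAILURE
2026-03-19T08:00:33,203.0.113.5,frank,FAILURE
2026-03-19T08:00:40,203.0.113.5,grace,FAILURE
2026-03-19T08:02:10,203.0.113.5,carol,SUCCESS
2026-03-19T08:05:00,198.51.100.7,dave,FAILURE
2026-03-19T08:05:09,198.51.100.7,dave,FAILURE
2026-03-19T08:05:20,198.51.100.7,dave,FAILURE
2026-03-19T08:05:31,198.51.100.7,dave,SUCCESS
2026-03-19T08:10:00,192.0.2.9,alice,SUCCESS
"""

# Tunable thresholds (assumptions for this example, not WaterISAC guidance).
WINDOW = timedelta(minutes=10)     # look-back window per source address
MIN_DISTINCT_ACCOUNTS = 5          # distinct failing accounts from one source
MAX_FAILS_PER_ACCOUNT = 3          # sprays stay low per account; brute force does not


def parse_logs(text):
    """Parse CSV-style lines into (time, ip, account, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, account, result = line.split(",")
        events.append((datetime.fromisoformat(ts), ip, account, result.upper()))
    return sorted(events)


def detect_password_spray(log_text):
    """Return {source_ip: details} for sources whose failures look like spraying."""
    by_ip = defaultdict(list)
    for ev in parse_logs(log_text):
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, events in by_ip.items():
        failures = [e for e in events if e[3] == "FAILURE"]
        best = None
        # Slide a window starting at each failure; count distinct accounts inside it.
        for i, (start, _, _, _) in enumerate(failures):
            in_window = [e for e in failures[i:] if e[0] - start <= WINDOW]
            per_account = defaultdict(int)
            for _, _, account, _ in in_window:
                per_account[account] += 1
            distinct = len(per_account)
            peak = max(per_account.values())
            # Many accounts, few failures each: the spray signature. A single account
            # failing repeatedly (typos or brute force) does not match and is skipped.
            if distinct >= MIN_DISTINCT_ACCOUNTS and peak <= MAX_FAILS_PER_ACCOUNT:
                if best is None or distinct > best["distinct_accounts"]:
                    best = {
                        "distinct_accounts": distinct,
                        "max_failures_per_account": peak,
                        "window_start": start.isoformat(),
                        "sprayed_accounts": sorted(per_account),
                    }
        if best is None:
            continue
        # Any success from the same source after the spray began is the highest-priority
        # finding: it likely identifies the account whose password was guessed.
        start_time = datetime.fromisoformat(best["window_start"])
        hits = sorted({e[2] for e in events if e[3] == "SUCCESS" and e[0] >= start_time})
        best["accounts_compromised"] = hits
        alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, info in detect_password_spray(SAMPLE_LOGS).items():
        print(ip, info)
```

On the constructed input only 203.0.113.5 is flagged (seven accounts, one failure each, then a success for carol); the repeated failures for a single account from 198.51.100.7 are left for a separate brute-force rule. In production the same logic maps onto cloud sign-in logs, with the window and thresholds tuned to the utility's normal authentication volume.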
Additionally, in more targeted operations, these adversaries have focused on high-trust individuals to enable broader compromise and persistence. Advanced persistent threat (APT) groups Educated Manticore and Charming Kitten (APT35/APT42) have demonstrated sustained campaigns that use high-trust impersonation and multi-channel phishing against individuals with privileged access to enable broader compromise.
Abuse of Legitimate Tools and Management Platforms
Iranian-affiliated actors also consistently rely on living-off-the-land techniques, using built-in tools and legitimate remote management software to operate within environments while avoiding detection. Common behaviors include:
- Use of PowerShell, RDP, and system-native tools for lateral movement.
- Deployment of legitimate RMM tools for persistent remote access.
- Blending malicious actions into normal administrative activity.
MuddyWater (MOIS-linked) has consistently relied on PowerShell and legitimate remote monitoring and management (RMM) tools to establish persistence and move laterally, and the group known as Agrius (Pink Sandstorm) has combined web shell access with legitimate administrative tooling to conduct both espionage and disruptive operations.
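As an added example (not code from the advisory or from any vendor), the following triage logic runs over constructed endpoint process-creation events and surfaces the living-off-the-land patterns described above: a remote management (RMM) agent that is not on the utility's approved list, PowerShell launched with its script hidden from the operator, and PowerShell spawned directly by an RMM agent. The event format, the host and user names, the approved-tool list, and the placeholder executable name `approvedrmm.exe` are all assumptions; the list of known RMM executables is illustrative and should be built from the utility's own software inventory.

```python
"""Triage of process-creation events for living-off-the-land activity.

Constructed example (not WaterISAC code). Three rules:
  1. unapproved_rmm      - a known RMM executable that is not on the approved list
  2. obscured_powershell - PowerShell run with an encoded command or hidden window
  3. powershell_from_rmm - PowerShell whose parent process is an RMM agent
Event format: host|user|parent_image|image|command_line  (assumed, one per line)
"""

# Hypothetical approved tool for this utility; the name is a placeholder.
APPROVED_RMM = {"approvedrmm.exe"}

# Illustrative RMM executables (lower-case image names). Build from your own inventory.
RMM_EXECUTABLES = {"approvedrmm.exe", "anydesk.exe", "teamviewer.exe"}

# PowerShell switches that hide what is being run from anyone watching the console.
ENCODED_SWITCHES = {"-encodedcommand", "-enc", "-ec", "-e"}
WINDOW_SWITCHES = {"-windowstyle", "-w"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = """\
ws-scada-01|OPS\\operator1|explorer.exe|approvedrmm.exe|approvedrmm.exe --service
ws-eng-04|OPS\\jdoe|explorer.exe|anydesk.exe|anydesk.exe --install
ws-eng-04|OPS\\jdoe|anydesk.exe|powershell.exe|powershell.exe -nop -w hidden -EncodedCommand REDACTED_BASE64
srv-hist-01|OPS\\svc_backup|cmd.exe|powershell.exe|powershell.exe -File C:\\scripts\\backup.ps1
"""


def powershell_is_obscured(command_line):
    """True if the command line uses an encoded command or a hidden window."""
    tokens = command_line.lower().split()
    for i, tok in enumerate(tokens):
        if tok in ENCODED_SWITCHES:
            return True
        if tok in WINDOW_SWITCHES and i + 1 < len(tokens) and tokens[i + 1] == "hidden":
            return True
    return False


def parse_events(text):
    """Parse pipe-delimited lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, parent, image, cmd = line.split("|", 4)
        events.append({"host": host, "user": user, "parent": parent.lower(),
                       "image": image.lower(), "command_line": cmd})
    return events


def triage_process_events(text):
    """Return a list of findings, one per (event, rule) match."""
    findings = []
    for ev in parse_events(text):
        matched = []
        if ev["image"] in RMM_EXECUTABLES and ev["image"] not in APPROVED_RMM:
            matched.append("unapproved_rmm")
        if ev["image"] == "powershell.exe":
            if powershell_is_obscured(ev["command_line"]):
                matched.append("obscured_powershell")
            if ev["parent"] in RMM_EXECUTABLES:
                matched.append("powershell_from_rmm")
        for rule in matched:
            findings.append({"rule": rule, "host": ev["host"], "user": ev["user"],
                             "image": ev["image"], "command_line": ev["command_line"]})
    return findings


if __name__ == "__main__":
    for f in triage_process_events(SAMPLE_EVENTS):
        print(f["rule"], f["host"], f["user"], f["command_line"])
```

On the constructed events the approved agent on ws-scada-01 and the scheduled backup script on srv-hist-01 produce nothing, while ws-eng-04 yields three findings: an unapproved RMM install, and PowerShell launched by that agent with a hidden window and an encoded command. Allowlisting the utility's sanctioned RMM product is what turns "RMM activity" from noise into a signal, which is the visibility the mitigations below call for.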
These tactics are also widely seen in groups’ use of “wiper attacks,” often issuing large-scale device actions through mobile device management (MDM) platforms so that legitimate commands remotely wipe data. The recent incident at Stryker is a good example of Iranian wiper attacks. In this incident, the threat actor Handala (Void Manticore) did not deploy a novel wiper or traditional compiled malware. Instead, the attackers compromised highly privileged identities and pushed legitimate remote-wipe commands to over 200,000 devices globally.
Exploitation of Known Weaknesses and External Exposure
Iranian threat actors frequently target unpatched vulnerabilities, misconfigured systems, and exposed services, rather than relying on advanced exploits. The window between patch release and deployment remains a key risk area. Common entry points include:
- Internet-facing VPNs, firewalls, and web applications.
- Systems with outdated software or known vulnerabilities.
- ICS/OT assets exposed to the internet or using default credentials.
Iranian-linked groups have repeatedly exploited N-day vulnerabilities (known vulnerabilities with existing patches) in technologies such as Fortinet, Citrix, and VMware, often shortly after patches become available. These patterns demonstrate that many successful intrusions stem from visibility gaps and delayed remediation of known issues.
Mitigations
To reduce exposure to these tactics, utilities are encouraged to focus on foundational security controls that directly address this playbook. The list below directly addresses Iranian-linked threat actor tactics and is tailored to water utilities. It is also aligned with WaterISAC’s 12 Fundamentals for Water and Wastewater Utilities:
- Enforce phishing-resistant MFA and strengthen monitoring of authentication activity.
- Prioritize patching of internet-facing systems and track known exploited vulnerabilities.
- Audit and eliminate default or weak credentials, especially across ICS/OT assets.
- Increase visibility into administrative tool usage and RMM activity.
- Strengthen network segmentation and third-party access controls to limit lateral movement.
Original Sources:
- https://blog.checkpoint.com/research/what-defenders-need-to-know-about-irans-cyber-capabilities/
- https://www.sophos.com/en-us/blog/initial-access-techniques-used-by-iran-based-threat-actors
- https://unit42.paloaltonetworks.com/evolution-of-iran-cyber-threats/
- https://www.cobalt.io/blog/the-iranian-cyber-playbook-what-security-teams-should-expect
Additional Reading:
Related WaterISAC PIRs: 6 – 12
