Executive Summary

The strikes of 28 February 2026 did not create the cyber threat to US critical infrastructure. They accelerated one that has been building for over a decade. This report answers three questions: who is actively targeting US and allied industrial systems, how they do it, and how large the exposed attack surface is.

  • 60+ hacktivist groups activated within hours of the 28 Feb strikes  |  Palo Alto Unit 42, Mar 2026
  • 5 yrs confirmed dwell time in US critical infrastructure  |  CISA AA24-038A (Volt Typhoon)
  • 75+ US ICS devices compromised in one campaign  |  CISA AA23-335A (CyberAv3ngers)
  • 40K+ internet-exposed ICS devices in the United States  |  Forescout / Shodan, 2024

Three things make US critical infrastructure the primary retaliation surface:

  • Civilian impact: disrupting water, power, or fuel generates immediate political pressure without direct military engagement
  • Accessible attack surface: tens of thousands of ICS devices are directly internet-reachable, many with default or no credentials
  • Structural under-investment: water utilities and industrial operators run OT environments with security budgets far below commercial standards
THE BOTTOM LINE
The disruption of a single US water treatment facility or power substation commands national attention and achieves strategic effect on par with kinetic action. For Iranian-aligned actors this is not theoretical. It is documented operational history.
The conflict has expanded the pool of motivated actors and reduced political constraints on action. Defenders cannot wait for specific threat intelligence before acting.

Active Threat Actors Targeting ICS / OT Environments

Some actors are profiled below, ordered from Tier 1 nation-state APTs with years-long persistence and custom tooling, to Tier 2 proxy and hacktivist groups that are less disciplined but far more numerous and rapidly activated. All are assessed as active and directly relevant to ICS / OT targeting.

APT33 / Elfin  |  IRGC  |  Tier 1

Affiliation
IRGC | Mandiant; Microsoft; MITRE ATT&CK G0064
Targets
Energy, Oil and Gas, Aerospace, Defense Industrial Base, Electric Utilities
US activity
Password spray campaigns against US electric utilities and oil and gas operators | Microsoft CyberWarCon 2019; Mandiant
Notable
Associated with TRITON/TRISIS (2017): first malware targeting industrial Safety Instrumented Systems

Initial Access Vectors

  • High-volume password spraying against Office 365 and Azure accounts across thousands of organisations simultaneously
  • Spearphishing with malicious Office macro attachments, .hta links, and malicious archives
  • LinkedIn impersonation of recruiters and students for credential harvesting

Confirmed TTPs  |  Microsoft Aug 2024; MITRE ATT&CK G0064

  • Tickler backdoor (2024): multi-stage, Azure-based C2, persists via Run key named SharePoint.exe
  • AzureHound and Roadtools for Azure AD reconnaissance; credential theft via LaZagne and Mimikatz
  • AnyDesk deployed for persistent remote access without IT authorisation
WHAT TO WATCH FOR
High-volume distributed login attempts with low per-account frequency against Azure / M365  |  SharePoint.exe Run registry key  |  AnyDesk installed without IT knowledge on OT-adjacent workstations
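The first watch item above (many accounts, few attempts each, several source IPs) is the inverse of what lockout policy catches. The detector below is an added example, not from the report or any vendor; the sign-in log format, the account names and the hourly bucketing are constructed simplifications.

```python
"""Flag low-and-slow password spraying: many accounts, one or two failures
each, from several source IPs inside one time window. Added example; the
log format is a constructed simplification of M365 sign-in telemetry."""
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events: timestamp,account,source_ip,result
SAMPLE_SIGNINS = """\
2026-03-01T02:01:10Z,alice@utility.example,203.0.113.10,failure
2026-03-01T02:03:42Z,bob@utility.example,203.0.113.11,failure
2026-03-01T02:07:05Z,carol@utility.example,203.0.113.12,failure
2026-03-01T02:09:51Z,dave@utility.example,203.0.113.10,failure
2026-03-01T02:15:33Z,erin@utility.example,203.0.113.13,failure
2026-03-01T02:21:07Z,frank@utility.example,203.0.113.11,failure
2026-03-01T02:22:30Z,alice@utility.example,203.0.113.13,failure
2026-03-01T02:40:00Z,ops@utility.example,198.51.100.7,success
2026-03-01T03:05:00Z,grace@utility.example,192.0.2.44,failure
2026-03-01T03:05:04Z,grace@utility.example,192.0.2.44,failure
2026-03-01T03:05:09Z,grace@utility.example,192.0.2.44,failure
"""

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, account, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, result))
    return events

def detect_spray(text, min_accounts=5, max_per_account=2, min_ips=3):
    """Return one alert per hourly window matching the spray pattern.

    A brute force against one account (grace, below) is deliberately not
    flagged: it exceeds the per-account cap and lockout policy handles it.
    Spraying stays under that cap, so the signal is breadth, not depth.
    Hourly buckets keep this short; production code uses a sliding window.
    """
    windows = defaultdict(lambda: {"fails": defaultdict(int), "ips": set()})
    for ts, account, ip, result in parse_events(text):
        if result != "failure":
            continue
        window = windows[ts.replace(minute=0, second=0)]
        window["fails"][account] += 1
        window["ips"].add(ip)
    alerts = []
    for start, window in sorted(windows.items()):
        fails = window["fails"]
        if (len(fails) >= min_accounts
                and max(fails.values()) <= max_per_account
                and len(window["ips"]) >= min_ips):
            alerts.append({"window": start.isoformat(), "accounts": len(fails),
                           "max_per_account": max(fails.values()),
                           "source_ips": sorted(window["ips"])})
    return alerts

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_SIGNINS):
        print(alert)
```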

MuddyWater  |  MOIS  |  Tier 1

MuddyWater (MERCURY, Seedworm, Mango Sandstorm, TA450)    MOIS nation-state APT, continuous operations since 2017
Affiliation
MOIS (Ministry of Intelligence and Security)  |  CISA/FBI/NSA/NCSC-UK AA22-055A
Targets
Telecommunications, Defense, Oil and Gas, Government, Critical Infrastructure
2026 tooling
RustyWater: new Rust-based RAT, C2 via domains mimicking Dropbox and WordPress  |  CloudSEK Feb 2026
Broker role
Confirmed initial access broker within MOIS, shares access with other Iranian actors

Initial Access Vectors

  • Spearphishing with malicious Excel macro attachments and PDF droppers
  • Abuse of legitimate RMM tools (Syncro, PDQ Connect) installed by third-party IT integrators on OT networks
  • Internal email takeover for follow-on phishing of additional staff and suppliers

Confirmed TTPs  |  CISA AA22-055A; ESET Dec 2025; CloudSEK Feb 2026

  • PowGoop DLL side-loader disguised as Google Update; POWERSTATS PowerShell backdoor for credential theft
  • Small Sieve backdoor: Telegram Bot API for C2, persists via Outlook/Microsoft registry run key
  • Mori backdoor: DNS tunneling for covert C2 exfiltration
  • MuddyViper (2024): fake Windows Security dialog for credential theft during phishing campaigns
WHAT TO WATCH FOR
Outlook/Microsoft registry run key | Telegram API outbound traffic from internal endpoints | High-entropy DNS subdomain queries | Syncro or PDQ Connect installed without IT authorisation
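The "high-entropy DNS subdomain queries" item refers to the Mori backdoor's DNS tunnelling. The scorer below is an added example, not from the advisory or from ESET/CloudSEK; the query log, the client addresses and the parent zone are constructed, and the length/entropy thresholds are starting points to tune against local baselines.

```python
"""Score DNS queries for the long, high-entropy leftmost labels that DNS
tunnelling produces, then flag clients that repeat them under one parent
zone. Added example; the query log is constructed, not real telemetry."""
import math
from collections import defaultdict

# Constructed DNS query log: client_ip,query_name
SAMPLE_DNS = """\
10.20.1.15,www.microsoft.com
10.20.1.15,login.microsoftonline.com
10.20.1.15,update.plc-vendor.example
10.20.1.22,4fa9c1e07b3d2a6e58f1c9d0b7a2e4f6.c2-relay.example
10.20.1.22,9e2b7d4c1a0f8e6b3d5c2a1f7e9b0d4c.c2-relay.example
10.20.1.22,a1c3e5b7d9f0e2a4c6b8d0f1e3a5c7b9.c2-relay.example
10.20.1.22,intranet.utility.example
10.20.1.30,historian.utility.example
"""

def shannon_entropy(s):
    """Bits per character: hex-encoded data tops out near 4.0, words sit well below."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_suspicious(name, min_len=24, min_entropy=3.5):
    """Length alone is noisy (some legitimate hostnames are long) and entropy
    alone is noisy (short labels score high); requiring both cuts most benign traffic."""
    label = name.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def tunnel_candidates(text, min_hits=3):
    """Map client -> {parent zone: count} for clients that repeatedly resolve
    suspicious labels under the same zone (one odd lookup is not a tunnel)."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in text.strip().splitlines():
        client, name = line.split(",")
        if is_suspicious(name):
            zone = ".".join(name.split(".")[1:])
            hits[client][zone] += 1
    return {
        client: {zone: n for zone, n in zones.items() if n >= min_hits}
        for client, zones in hits.items()
        if any(n >= min_hits for n in zones.values())
    }

if __name__ == "__main__":
    print(tunnel_candidates(SAMPLE_DNS))
```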

Handala Hack Team  |  MOIS-Aligned  |  Tier 2

Handala (Void Manticore, Banished Kitten, Storm-0842)    MOIS-directed hacktivist persona, active since December 2023
Affiliation
MOIS-affiliated | Check Point Research; KELA; Cisco Talos / Splunk
Targets
Israeli organisations (primary); Western, US, and Gulf targets escalating
Approach
Speed and psychological impact over sophistication: hack-and-leak, wiper, ransomware, ICS disruption claims
Note
Claims are regularly overstated. Treat Telegram announcements as psychological operations until independently verified.

Initial Access Vectors

  • Phishing via SMS and email impersonating IT vendors and service providers
  • Supply chain compromise via MSPs for simultaneous downstream industrial operator access
  • Scanning internet-facing apps for misconfigurations and weak credentials (observed via Starlink IPs to evade geolocation blocks)

Confirmed TTPs  |  Cisco Talos / Splunk Jul 2024; Check Point Mar 2026

  • Custom wiper: AutoIT-based, NSIS-packaged, delivered via vendor-impersonation phishing; Telegram channel as C2
  • Ransomware deployment with non-recovery intent (wiper behavior disguised as ransomware for psychological effect)
WHAT TO WATCH FOR
Vendor-impersonation phishing emails | New MSP or remote access connections to OT environments | Mass file deletion consistent with wiper behavior | Telegram C2 callbacks from internal hosts

Charming Kitten / APT35  |  IRGC-IO  |  Tier 1

Charming Kitten (APT35, APT42, Phosphorus, Mint Sandstorm, Magic Hound, TA453)    IRGC Intelligence Organisation nation-state APT, active since at least 2014
Affiliation
IRGC Intelligence Organisation (IRGC-IO) | CISA; Mandiant; Microsoft; MITRE ATT&CK G0059
Targets
Military, Government, Energy, Defense Industrial Base, Engineering, Telecoms, Journalists, Researchers, Academics
Primary role
Intelligence collection against people with access to policy, energy, and defense decision-makers; feeds IRGC targeting for other operations
US relevance
Confirmed targeting of US government, military, and energy-adjacent individuals for credential theft and long-term access | CISA; Mandiant

Initial Access Vectors

  • Sophisticated social engineering via fake social media profiles, WhatsApp, Telegram, and email impersonating conference coordinators, research assistants, and analysts
  • Phishing sites cloning Google Login and Google Meet hosted on legitimate Google Sites infrastructure to add authenticity  |  Source: Dark Atlas, 2025
  • Password-protected archives containing malicious LNK files delivered after trust is established

Confirmed TTPs  |  CISA; Mandiant; Gatewatcher; Dark Atlas 2025

  • Multi-stage infection chains: cloud-hosted C2, encrypted archives, malicious LNK files, cross-platform implants for Windows and macOS
  • ProxyShell exploitation against Microsoft Exchange servers for persistent email access  |  Source: Gatewatcher analysis of leaked operational archive, 2025
  • Relationship-based access cultivation over extended timeframes before any credential harvest attempt
  • Leaked operational archive (2025) revealed monthly performance reports in Persian and structured target development campaigns across Iran, South Korea, Kuwait, Turkey, Saudi Arabia, and Lebanon
WHAT TO WATCH FOR
Unsolicited outreach via LinkedIn, WhatsApp, or Telegram from individuals claiming academic, research, or conference roles | Phishing links to Google Sites mimicking login pages | ASPX webshells on internet-facing Exchange servers | Individuals with energy sector or policy-adjacent roles receiving unusual relationship-building contact

Volt Typhoon  |  PRC  |  Tier 1

Volt Typhoon (Dragos: VOLTZITE | Bronze Silhouette, Insidious Taurus)    PRC nation-state APT | CISA/NSA/FBI AA24-038A
Affiliation
People's Republic of China (PRC) | CISA AA24-038A
Targets
Communications, Energy, Transportation, Water and Wastewater | confirmed CISA AA24-038A
Intent
Pre-positioning for destructive attacks in a US-China conflict scenario. Not espionage. CISA high-confidence assessment.
Dwell time
Minimum 5 years confirmed in some victim environments | CISA AA24-038A
FBI, Jan 2024
Director Wray to Congress: described Volt Typhoon as the defining cyber threat of our generation

Initial Access Vectors

  • Exploitation of internet-facing edge devices: Fortinet, Ivanti, Citrix appliances
  • KV Botnet: compromised end-of-life SOHO routers (Cisco, Netgear) used as relay infrastructure
  • Valid account abuse, timed to business hours to blend with legitimate traffic

Confirmed TTPs  |  CISA AA24-038A

  • Exclusive living-off-the-land execution: netsh, wmic, ntdsutil, PowerShell only. No custom malware, rendering signature detection ineffective.
  • Lateral movement from IT to OT network segments: the defining characteristic distinguishing this from traditional espionage
  • PortProxy registry modifications; AD Explorer for Active Directory environment mapping
WHAT TO WATCH FOR
Unusual netsh / wmic / ntdsutil execution in OT-adjacent environments | PortProxy registry modifications | IT-to-OT lateral movement from unexpected source IPs | Account activity that perfectly mirrors business hours
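Because the tooling is all native, the detection has to be behavioural: which commands, on which hosts, in what combination. The hunt logic below is an added example, not from AA24-038A or Dragos; the process-creation events are constructed, and the OT-adjacent host list stands in for an asset inventory export the OT team would maintain.

```python
"""Flag living-off-the-land activity that CISA AA24-038A ties to Volt Typhoon
when it appears on OT-adjacent Windows hosts. Added example: the process
events are constructed and the OT-adjacent host list is an assumed inventory."""
import re
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "ts host user cmdline")

# Assumption: hosts the OT team tags as OT-adjacent (engineering workstations,
# historians, jump servers); anything else goes through the normal triage queue.
OT_ADJACENT = {"ENG-WS-01", "HISTORIAN-02", "JUMP-OT-01"}

# Constructed process-creation events: ts|host|user|command line
SAMPLE_EVENTS = """\
2026-03-02T09:14:02Z|ENG-WS-01|svc_backup|netsh interface portproxy add v4tov4 listenport=9999 connectport=3389 connectaddress=10.50.0.12
2026-03-02T09:20:11Z|HISTORIAN-02|svc_backup|ntdsutil.exe snapshot
2026-03-02T09:25:40Z|ENG-WS-01|svc_backup|wmic process call create "cmd /c whoami"
2026-03-02T10:02:00Z|CORP-LAPTOP-77|jsmith|wmic process call create "notepad.exe"
2026-03-02T10:30:00Z|ENG-WS-01|plc_tech|C:\\Vendor\\LadderLogicStudio.exe
2026-03-02T11:00:00Z|JUMP-OT-01|svc_backup|reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp /v 0.0.0.0/9999 /t REG_SZ /d 10.50.0.12/3389
"""

# The three tools named in the advisory plus the PortProxy registry key.
LOTL_PATTERNS = [
    (re.compile(r"\bnetsh\b.*\bportproxy\b", re.I), "netsh portproxy pivot"),
    (re.compile(r"\bntdsutil(\.exe)?\b", re.I), "ntdsutil (directory database access)"),
    (re.compile(r"\bwmic\b.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I), "wmic process creation"),
    (re.compile(r"\\Services\\PortProxy\\", re.I), "PortProxy registry modification"),
]

def parse_events(text):
    return [Event(*line.split("|", 3)) for line in text.strip().splitlines()]

def lotl_alerts(text, ot_hosts=OT_ADJACENT):
    """One alert per matching event on an OT-adjacent host."""
    alerts = []
    for ev in parse_events(text):
        if ev.host not in ot_hosts:
            continue
        for pattern, technique in LOTL_PATTERNS:
            if pattern.search(ev.cmdline):
                alerts.append({"ts": ev.ts, "host": ev.host, "user": ev.user,
                               "technique": technique})
                break
    return alerts

def hosts_to_escalate(alerts):
    """A single netsh call may be an administrator; two different LOTL
    techniques on one engineering workstation is the pattern the advisory describes."""
    seen = defaultdict(set)
    for alert in alerts:
        seen[alert["host"]].add(alert["technique"])
    return sorted(host for host, techniques in seen.items() if len(techniques) > 1)

if __name__ == "__main__":
    found = lotl_alerts(SAMPLE_EVENTS)
    print(found, hosts_to_escalate(found))
```

Pivoting on the account (`svc_backup` appears on all three hosts here) is the natural next query once a host is escalated.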

TWO MORE TO KNOW
  • APT34 / OilRig (MOIS): Long-dwell energy and finance sector access. Operationally silent since 28 Feb 2026, assessed as covert pre-positioning. Watch: low-frequency DNS anomalies and ASPX webshells on Exchange servers.
  • Sandworm (GRU Unit 74455): The only confirmed Tier 1 actor with a track record of destructive ICS attacks causing physical impact. FrostyGoop (Jan 2024) cut heating to 600+ buildings in Ukraine in winter. Creates hacktivist proxy groups for deniable OT attack execution.
Source: CISA; US DOJ; Dragos 2025.

CyberAv3ngers  |  IRGC-CEC Proxy  |  Tier 2

CyberAv3ngers (Dragos: BAUXITE | Microsoft: Storm-0784)    IRGC state-directed hacktivist proxy
Affiliation
IRGC-CEC (Islamic Revolutionary Guard Corps Cyber Electronic Command) | CISA AA23-335A; US Treasury Feb 2024
Targets
Water / Wastewater, Energy, Fuel Management, Manufacturing | explicit mandate: any Israeli-manufactured equipment is a legitimate target
Active since
2020, significantly escalated from October 2023
US bounty
$10 million USD issued by US government, 2024

Initial Access Vectors

  • Default credential login on internet-exposed Unitronics PLCs via TCP port 20256 (default password: 1111)
  • Shodan and Censys scanning for exposed devices, AI-assisted query generation via ChatGPT confirmed (OpenAI, Oct 2024)
  • No software vulnerability exploitation required in any confirmed campaign

Confirmed TTPs  |  CISA AA23-335A; Claroty Team82

  • Authenticate to Unitronics PLC, overwrite ladder logic, deface HMI display
  • Disable upload / download functions to prevent operator remediation; downgrade firmware version
  • IOCONTROL malware (2024): custom Linux backdoor with MQTT-based C2, deployed across Unitronics and Orpak fuel management systems  |  Claroty Team82, Dec 2024
WHAT TO WATCH FOR
Inbound connections on TCP 20256 from external IPs | Outbound MQTT traffic (port 1883 / 8883) from ICS or IoT devices | HMI display changes, disabled remote access functions, unexpected firmware downgrades on any Unitronics or Orpak device
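The first two watch items are pure flow-log questions. The classifier below is an added example, not from CISA or Claroty; the flow records and the ICS subnet are constructed, and it also flags inbound Modbus (TCP 502), the port the exposure map in the next section counts.

```python
"""Flag the two network signals the CyberAv3ngers profile calls out: inbound
Unitronics PCOM (TCP 20256) from the internet and outbound MQTT (1883/8883)
from ICS devices. Added example; flows and the ICS subnet are constructed."""
import ipaddress
from collections import Counter

ICS_SUBNET = ipaddress.ip_network("10.50.0.0/24")  # assumption: the PLC/HMI VLAN
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PCOM_PORT, MODBUS_PORT, MQTT_PORTS = 20256, 502, {1883, 8883}

# Constructed flow records: src_ip,src_port,dst_ip,dst_port,proto
SAMPLE_FLOWS = """\
198.51.100.23,51234,10.50.0.12,20256,tcp
10.50.0.5,40000,10.50.0.12,20256,tcp
10.50.0.12,49152,203.0.113.77,1883,tcp
10.50.0.12,49153,203.0.113.77,8883,tcp
10.20.1.15,52000,172.16.9.9,1883,tcp
10.50.0.30,49200,10.50.0.1,502,tcp
192.0.2.9,60001,10.50.0.31,502,tcp
"""

def is_external(ip):
    # Defined by the site's own address plan rather than ipaddress.is_global,
    # which treats documentation ranges such as 203.0.113.0/24 as non-global.
    return not any(ip in net for net in INTERNAL_RANGES)

def classify_flow(src, dst, dport, proto):
    """Return a label for a flow worth an alert, or None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto != "tcp":
        return None
    if dport == PCOM_PORT and is_external(src_ip):
        return "inbound PCOM (TCP 20256) from internet"
    if dport == MODBUS_PORT and is_external(src_ip):
        return "inbound Modbus (TCP 502) from internet"
    if dport in MQTT_PORTS and src_ip in ICS_SUBNET and is_external(dst_ip):
        return "outbound MQTT from ICS device"
    return None

def flow_alerts(text):
    alerts = []
    for line in text.strip().splitlines():
        src, _sport, dst, dport, proto = line.split(",")
        label = classify_flow(src, dst, int(dport), proto)
        if label:
            alerts.append({"src": src, "dst": dst, "dport": int(dport), "signal": label})
    return alerts

def summarize(alerts):
    """Count alerts per signal: repeated outbound MQTT from one PLC (the IOCONTROL
    pattern) is the one to chase first, since PLCs have no business calling out at all."""
    return dict(Counter(alert["signal"] for alert in alerts))

if __name__ == "__main__":
    print(summarize(flow_alerts(SAMPLE_FLOWS)))
```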

Mapping the Attack Surface

Every result returned by these queries represents a real ICS device running a live industrial process, reachable from any internet connection. Use the Shodan queries in the rightmost column to populate each row with current counts.

ICS/OT Internet Exposure Map (count of exposed internet assets, live and historical)

Country          Modbus TCP   S7comm   Niagara Fox
United States    78.7K        50.1K    53.4K
Israel           27.9K        39.6K    37.4K
Saudi Arabia     340          525      451
UAE              1.4K         1.7K     1.4K
United Kingdom   30K          31.7K    27.1K
Germany          9.7K         9.5K     4.9K
Jordan           80           55       45
Bahrain          320          400      360

Additional ports and associated OT/ICS protocols

  • port:20256  Unitronics PCOM | confirmed CyberAv3ngers target
  • port:44818  EtherNet/IP | Rockwell Allen-Bradley PLCs
  • port:47808  BACnet UDP | building and facility automation
  • port:4840  OPC UA | cross-vendor ICS communication
  • port:20000  DNP3 | electric utility SCADA protocol
  • port:5900  VNC | primary hacktivist OT remote access vector

WHAT THESE COUNTS MEAN
A count on port 502 is not a count of patched systems. It is a count of devices that will respond to unauthenticated Modbus read and write commands from any IP on the internet. These are the same queries threat actors run when selecting targets. Each result is a live industrial device that can be identified, fingerprinted, and accessed from any internet connection without prior network access.

How Threat Actors Move from Discovery to Disruption

All actors in this report use one or more of three paths to reach ICS and OT environments. The paths are not mutually exclusive.

Path 1: Direct Exploitation of Exposed Assets

The lowest-barrier, highest-volume risk. No social engineering, no network infiltration.

  • Threat actor queries Shodan for port 20256 or port 502, identifies exposed devices
  • Attempts default credentials. Unitronics: 1111. Other defaults published in vendor manuals and CISA advisories.
  • If authenticated: full operator-level access, read / write process values, modify control logic, disable safety alarms, stop processes
  • No ICS expertise required. AI-assisted query generation compresses target identification to minutes.

Path 2: Phishing Into OT-Adjacent Environments

Used by APT33, MuddyWater, Handala. The target is the people who operate ICS, not the device itself.

  • Spearphishing reaches SCADA engineers and control room operators impersonating equipment vendors or IT support
  • One compromised OT operator credential can provide access to the engineering workstation and PLC programming environment
  • MSPs with RMM tools installed on OT networks are a high-value target: a single MSP compromise yields access to all downstream industrial clients simultaneously

Path 3: IT Infiltration with Lateral OT Movement

The Volt Typhoon model. The hardest to detect, the longest dwell time, and the highest potential impact.

  • Internet-facing VPN or firewall exploited to gain IT network foothold
  • Actor moves silently toward IT/OT boundary: engineering workstations, historians, jump servers
  • Uses only native OS tools, no malware, minimum five-year confirmed dwell in some US victims
  • In a conflict or crisis the pre-positioned actor activates: disrupts processes, triggers safety failures, destroys equipment
THE COMMON THREAD
OT is not an on-premises problem. It is an internet-connected problem. Exposed ports provide direct access. Phishing accesses the people who operate OT. IT infiltration reaches the systems adjacent to OT. All three paths lead to the same destination: control over physical industrial processes. The 60+ groups activated since 28 February 2026 do not all need Path 3. Many only need an exposed port and a default password. That is enough to make national news.

Takeaways

The scale of this threat is not measured in the sophistication of individual attacks. It is measured in the number of actors, the breadth of the attack surface, and the history of real disruption that has already occurred.

For Technical Teams

  • Remove ICS management interfaces from the public internet now. No Unitronics HMI, Siemens SIMATIC portal, or Niagara login page should be internet-accessible without a VPN.
  • Change default credentials on all deployed ICS devices. For example, the Unitronics password 1111 is published in a CISA advisory and is still in active use.
  • Block at the perimeter: TCP 20256, 102, 502, 44818, 1911, 4840, 20000 and UDP 47808
  • Audit all MSP and RMM tool access to OT environments. Syncro, PDQ Connect, AnyDesk installed without IT authorization are open doors.
  • Hunt for LOTL anomalies in OT-adjacent environments. Set behavioral baselines. Investigate deviations from normal.
  • Enable logging on all ICS management interfaces. Without logs, incidents cannot be detected, investigated, or confirmed.

For Leadership and Non-Technical Readers

  • A US water utility was forced onto manual operations by an Iranian-affiliated group using a default password in 2023. The threat pool is now larger, better coordinated, and AI-assisted.
  • Sixty-plus hacktivist groups were activated within hours of 28 February 2026. They do not need nation-state capability. They need an exposed device and motivation. Both conditions are currently met.
  • Volt Typhoon has been inside US critical infrastructure for years. The threat is not only incoming attacks. Some actors are already there.
  • The three highest-impact actions do not require large budgets: take ICS interfaces off the internet, change default passwords, block industrial protocol ports.
PRIORITY ACTIONS SUMMARY
1. Remove internet-exposed ICS interfaces immediately
2. Change default credentials on all deployed ICS devices
3. Block TCP 20256, 102, 502, 44818, 1911, 4840, 20000 and UDP 47808 at the perimeter
4. Audit and restrict all MSP and RMM tool access to OT environments
5. Enable logging on all ICS management interfaces
6. Hunt for LOTL behavioral anomalies (netsh, wmic, ntdsutil) in OT-adjacent environments

PRIMARY SOURCES

  • CISA AA23-335A  |  Exploitation of Unitronics PLCs Used in Water and Wastewater Systems
  • CISA AA22-055A  |  MuddyWater joint advisory  |  FBI, NSA, NCSC-UK, CNMF
  • CISA AA24-038A  |  Volt Typhoon / VOLTZITE in US critical infrastructure
  • CISA AA22-103A  |  PIPEDREAM / INCONTROLLER alert
  • Microsoft Threat Intelligence, Aug 2024  |  APT33 Tickler malware and Azure C2
  • Mandiant  |  APT33 and APT34 actor profiles
  • MITRE ATT&CK  |  G0064 (APT33), G0069 (MuddyWater), G0049 (APT34)
  • Claroty Team82, Dec 2024  |  IOCONTROL malware analysis
  • ESET Research, Dec 2025  |  MuddyWater / MuddyViper Israeli campaign analysis
  • CloudSEK TRIAD Team, Jan 2026  |  RustyWater RAT analysis
  • Check Point Research, Mar 2026  |  Handala / Void Manticore
  • Cisco Talos and Splunk, Jul 2024  |  Handala wiper malware
  • KELA Cyber Intelligence, Jan 2026  |  Handala actor profiling
  • Palo Alto Unit 42, Mar 2026  |  60+ Iranian hacktivist group activation
  • Dragos 2025 OT/ICS Security Report  |  VOLTZITE, KAMACITE-ELECTRUM, FrostyGoop
  • FBI Director Wray, Congressional Testimony, Jan 2024  |  Volt Typhoon
  • Forescout Research Labs, Jun 2025  |  Global internet-exposed OT/ICS counts
  • US Treasury Department, Feb 2024  |  IRGC-CEC sanctions documentation