A wise wizard’s job is to warn people before things go wrong. Staying alert before the danger arrives often makes all the difference. That’s especially true right now with Iranian cyber activity starting to heat up.
Here at RM Cyber, we aim to provide the same kind of warning. The difference is our threats are not orcs or dragons. They are cyber threats, and they are often much closer than organizations realize.
Why Should I Care About Iranian Cyber Activity?
When military options shrink for adversaries, cyber becomes the weapon of choice. It’s cheap, scalable, and hard to trace. Iran has repeatedly launched cyber campaigns during geopolitical tensions, and intelligence agencies are already seeing the warning signs: increased phishing, network scanning, and hacktivist activity.
In plain English: the bad guys are warming up.
Who’s Coming?
Iranian cyber activity doesn’t come from just one attack group. Iran operates a network of cyber threat groups. APT33 targets energy and aviation. APT34 specializes in long-term espionage. MuddyWater often gains access through telecom and government networks. And Charming Kitten (yes, really) focuses on phishing campaigns against journalists, academics, and political groups.
Think of it like the villain lineup in a heist movie. Everyone has a specialization.
What Are They After?
The top targets right now are energy and utility companies, water systems, defense contractors, government agencies, and transportation. That doesn’t mean you’re off the hook if you’re a university, consulting firm, nonprofit, or media outlet – those are on the list too. These organizations are often tangential targets that attackers may leverage for intelligence or access into related networks, and they’re often easier marks because security budgets tend to be thinner.
How Will They Attack?
Most attacks will start the same way many do: phishing emails designed to steal employee login credentials. From there, attackers may steal cloud access tokens, bypass multi-factor authentication, and quietly access sensitive data before leaking it to the press at the worst possible moment.
We are likely to see more waves of DDoS attacks, where websites are flooded with traffic and temporarily go offline. The main aim often isn’t the outage itself, but the headlines that come afterward. Iran has developed a pattern of using social media to make small disruptions appear much larger than they really are.
In more serious cases, attackers may exploit unpatched VPNs or firewalls, establish a foothold inside the network, and remain dormant. That access can later be used for sabotage or destructive malware.
What Can You Do About It?
You don’t need a wizard’s magic to defend your organization, but preparation matters. Start with these high-impact steps:
- Enable phishing-resistant MFA wherever possible. Hardware keys or app-based authentication are far safer than SMS codes.
- Patch internet-facing systems, including VPNs, firewalls, and email servers. If it’s connected to the internet, assume it’s a target.
- Review cloud app permissions. Unknown third-party applications can become the front door to your data.
- Review your incident response plan. Make sure everyone knows who to call if something goes wrong.
- Monitor unusual login activity such as impossible travel logins, MFA fatigue attempts, or unexpected app consent requests.
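The last step is the one most teams find hardest to turn into something concrete, so here is an added example (not code from RM Cyber or from any vendor) showing what "monitor unusual login activity" can look like as detection logic. It runs over a handful of constructed sign-in, MFA-push and app-consent events in a generic schema that is an assumption for illustration, not any cloud provider's real log format, and flags the three patterns named above: impossible travel (two successful logins for one user that would require travelling faster than an aircraft), MFA fatigue (a burst of denied or timed-out push prompts), and consent granted to an application outside an allowlist. The speed threshold, the push count and window, and the `APPROVED_APPS` allowlist are all assumed tuning values.

```python
"""Detection examples over constructed cloud sign-in events (generic schema, assumed)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Event:
    """One audit record. Field names are an assumption, not a vendor schema."""
    ts: datetime
    user: str
    kind: str          # "signin", "mfa_push" or "app_consent"
    result: str        # "success", "denied", "timeout" or "granted"
    lat: float = 0.0   # approximate geo-IP location of the sign-in
    lon: float = 0.0
    app_id: str = ""   # only meaningful for app_consent events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events: list[Event], max_kmh: float = 900.0) -> list[tuple[str, int, float]]:
    """Flag consecutive successful sign-ins per user that imply speed above max_kmh."""
    by_user: dict[str, list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "signin" and e.result == "success":
            by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Same-location pairs never alert; zero elapsed time with movement always does.
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                alerts.append((user, round(km), round(hours, 2)))
    return alerts


def mfa_fatigue(events: list[Event], threshold: int = 5,
                window: timedelta = timedelta(minutes=10)) -> list[tuple[str, datetime, datetime]]:
    """Flag users with at least `threshold` non-success MFA pushes inside a sliding window."""
    by_user: dict[str, list[datetime]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "mfa_push" and e.result != "success":
            by_user[e.user].append(e.ts)
    alerts = []
    for user, stamps in by_user.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, stamps[start], stamps[end]))
                break   # one alert per user is enough for a first-pass detector
    return alerts


APPROVED_APPS = {"app-corp-mail", "app-corp-calendar"}   # constructed allowlist


def unexpected_consent(events: list[Event], allowlist: set[str] = APPROVED_APPS) -> list[tuple[str, str]]:
    """Flag consent grants to applications that are not on the allowlist."""
    return [(e.user, e.app_id) for e in events
            if e.kind == "app_consent" and e.result == "granted" and e.app_id not in allowlist]


# Constructed sample events (coordinates are rough city centres; names are fictional).
T0 = datetime(2025, 6, 20, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "alice", "signin", "success", 40.71, -74.01),                         # New York
    Event(T0 + timedelta(minutes=30), "alice", "signin", "success", 51.51, -0.13),  # London, 30 min later
    Event(T0 + timedelta(minutes=5), "alice", "mfa_push", "denied"),                # a single deny is normal
    Event(T0, "dave", "signin", "success", 40.71, -74.01),
    Event(T0 + timedelta(hours=2), "dave", "signin", "success", 40.71, -74.01),     # same place, no alert
    Event(T0 + timedelta(minutes=10), "bob", "signin", "success", 41.88, -87.63),   # Chicago
] + [
    Event(T0 + timedelta(minutes=10 + i), "bob", "mfa_push", "denied" if i % 2 else "timeout")
    for i in range(5)                                                               # 5 pushes in 4 minutes
] + [
    Event(T0 + timedelta(hours=1), "carol", "app_consent", "granted", app_id="app-corp-mail"),
    Event(T0 + timedelta(hours=1, minutes=1), "carol", "app_consent", "granted", app_id="app-unknown-sync"),
]


def run_all(events: list[Event] = SAMPLE_EVENTS) -> dict[str, list]:
    """Run every detector and return the alerts keyed by detector name."""
    return {
        "impossible_travel": impossible_travel(events),
        "mfa_fatigue": mfa_fatigue(events),
        "unexpected_consent": unexpected_consent(events),
    }


if __name__ == "__main__":
    for name, alerts in run_all().items():
        print(f"{name}: {alerts}")
```

On the sample data only alice trips the travel rule (roughly 5,500 km in half an hour), only bob trips the MFA-fatigue rule, and only carol's second consent is flagged. In production the same three rules would read from your identity provider's sign-in and audit logs rather than a hard-coded list, and the thresholds should be tuned against a few weeks of your own baseline before alerts are routed to anyone.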
The Bottom Line
It’s unlikely that Iranian cyber activity would knock out the U.S. power grid tomorrow. But sustained phishing campaigns, strategic data leaks, and noisy DDoS attacks are likely to occur. These operations are designed to create disruption and headlines that far outweigh their actual technical impact.
Organizations that weather this best will be the ones that took practical security steps before the headlines hit.
As our favorite grey-robed advisor once said: “All we have to decide is what to do with the time that is given us.”
So decide wisely. And patch your stuff. Then tell the attackers, “You shall not pass!”