In the wake of Operation Epic Fury, digital attacks have shifted from quiet espionage to a loud, coordinated campaign of economic and physical retaliation. In response, the Tenable Research Special Operations (RSO) team is examining the latest threats and cyber operations linked to Iranian threat actors.Key takeaways:Following the military operations of Operation Epic Fury, Iranian-linked actors have moved beyond quiet intelligence gathering to a coordinated, hybrid offensive and actively engaging in disruptive and destructive campaigns targeting critical infrastructure and other sectors. MOIS-affiliated actors are increasingly operating under the veil of cybercriminal infrastructure to complicate attribution. A significant increase in the targeting of IP cameras by Iranian-nexus actors has been observed using known and exploitable vulnerabilities.BackgroundFollowing the February 28 military operations conducted by the United States and Israel known as Operation Epic Fury, Tenable’s RSO team released a blog post examining Iranian-linked threat actors and their operational focus. As ongoing kinetic strikes have continued to target Iranian leadership and infrastructure, Iranian threat actor activity has surged into a coordinated, hybrid offensive targeting Western, Israeli and regional economic and critical infrastructure.AnalysisRecently Ministry of Intelligence and Security (MOIS) affiliated groups have significantly escalated their operations, shifting from espionage to disruptive and destructive campaigns. MuddyWater and the Void Manticore persona known as Handala are two groups which have seen an increased level of malicious activity surrounding the recent military operations in Iran.From silt to strike: How MuddyWater weaponized pre-positioned accessMuddyWater, also known as Seedworm and additional aliases, is a MOIS affiliated actor known for targeting telecommunications and government organizations. The group is well known for gaining initial access to victim networks, often acting as an initial-access broker. Recent reporting indicates that the group infiltrated U.S. and Israeli infrastructure weeks prior to the military operations conducted as part of Operation Epic Fury. According to Symantec, a U.S bank, software company, airport and non-government organizations in both the U.S. and Canada were targeted. These attacks uncovered a previously unknown backdoor known as Dindoor, and a Python backdoor known as Fakeset.Additional targeting by MuddyWater includes a campaign tracked by Group-IB known as Operation Olalampo. The campaign observed in late January included targeting across the Middle East and North Africa (MENA) region, where multiple malware variants attributed to MuddyWater were identified. This included the use of a Telegram bot used as a command and control (C2) channel.The Handala hand-off: From silent espionage to wiping the slate cleanThe Void Manticore persona known as Handala specializes in destructive attacks, often wiping data from compromised hosts. They frequently collaborate with initial access brokers (IAB) in a tag-team approach, taking control of victim networks to deploy custom wipers like the BiBi Wiper and Cl Wiper after the IAB group has exfiltrated data from the victim.On March 11, Handala posted to Telegram, claiming an attack on the global medical technology company Stryker. The group claims to have erased data on more than 200,000 systems, including mobile devices. While a root-cause is unknown, reports suggest that the wipe attack on the mobile devices may have been the result of compromising Stryker’s Microsoft Intune instance. Handala also claims to have stolen 50 terabytes of data and defaced Microsoft Entra login pages with their logo as part of their attack on Stryker.Despite widespread internet blackouts at the onset of the initial strikes in February, Handala has been observed using Starlink IP ranges in order to bypass Iran's internet blackout and allowing them to maintain C2 infrastructure.State intent, criminal consent: Analyzing the MOIS-Cyber crime alliancesRecent reporting from Check Point points to Iran-linked actors engaging with and operating under the veil of other cyber criminals. In one instance, MuddyWater was likely using the infrastructure provided by Qilin, the well known ransomware-as-a-service (RaaS) operator, in order to conduct attacks targeting Israeli hospitals. Using cyber crime and hacktivism as cover for destructive activity gives the attackers a layer of cover and plausible deniability. Attribution of attacks has always been tricky to pinpoint, but these tactics and reliance on criminal infrastructure make attribution even more difficult, providing greater chances of anonymity in their attacks.Industries targeted and likely to be targetedFollowing a missile strike on Bank Sepah, one of the largest public banks in Iran, an Iranian spokesperson warned that U.S. and Israeli financial institutions would be targeted in response. While it’s unclear whether these will be kinetic or digital attacks, the financial sector is just one of many industries that are likely to see targeting. Industries known to have been targeted or likely to be at elevated risk include:AviationTransportationFinanceHealthcareDefenseGovernmentCritical Infrastructure (Energy/Utilities/Water & Wastewater)TelecommunicationsWhile warnings of attacks targeting critical infrastructure and attacks against supervisory control and data acquisition (SCADA) and industrial control systems (ICS) systems are of great concern to Western countries, it’s unclear what pre-positioning or successful attacks can be attributed to Iranian-nexus actors.Recently, the pro-Russia hacktivist group Z-Pentest claimed to have compromised several SCADA and ICS systems of U.S. based organizations as well as CCTV networks. However, these claims have not been verified. Despite this, collaboration or hacktivism in support of Iran by threat actors is a concern.With the threat of increased cyberattacks from Iranian state-sponsored actors, hacktivists and cybercriminal groups targeting critical infrastructure, the Information Technology-Information Sharing and Analysis Center (IT-SAC) published a joint advisory outlining various groups, their operations and recommendations for defensives measures. We recommend reviewing this advisory and taking proactive steps to reduce your threat from these actors.Focusing on flaws: The surge in Hikvision and Dahua exploitationIn connection with the ongoing military campaign, Check Point has identified an increase in IP camera targeting, including devices from Hikvision and Dahua. The attack infrastructure was assessed to be linked to Iran-nexus actors and activity appears to have increased during various geopolitical events. While it’s unclear if the camera targeting is to observe targets for kinetic attacks or to make observations after a strike, the timing and compromise of these devices should be of concern to any organization who may be affected by the following vulnerabilities:CVEDescriptionCVSSv3VPR*CVE-2017-7921Hikvision IP Camera Improper Authentication Vulnerability109.2CVE-2021-33044Dahua Authentication Bypass Vulnerability9.87.4CVE-2021-36260Hikvision IP Camera Command Injection Vulnerability9.89.7CVE-2023-6895Hikvision Intercom Broadcasting System Command Injection Vulnerability9.86.7CVE-2025-34067Hikvision Integrated Security Management Platform Command Execution Vulnerability9.86.7*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on March 11, 2026 and reflects VPR at that time.Of these five vulnerabilities, three of them have been added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. At the time this blog was published, CVE-2023-6895 and CVE-2025-34067 were not yet part of the KEV.Additional CVEs that have been widely exploited and have also been attributed to Iranian-nexus threat actors include:CVEDescriptionCVSSv3VPR*CVE-2017-11882Microsoft Office Memory Corruption Vulnerability7.89.8CVE-2020-0688Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability8.89.5  Additionally, you can review our previous blog posts on Iranian threat actors for other CVEs that have been attributed to Iran-nexus threat actors:Frequently Asked Questions About Iranian Cyber OperationsOperation Epic Fury: Potential Iranian Cyber Counteroffensive OperationsGroup-IB blog: Operation Olalampo: Inside MuddyWater’s Latest CampaignIdentifying affected systemsA list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2017-11882, CVE-2017-7921, CVE-2020-0688, CVE-2021-33044, CVE-2021-36260, CVE-2023-6895 and CVE-2025-34067 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.Get more informationTenable Blog: Operation Epic Fury: Potential Iranian Cyber Counteroffensive OperationsSymantec Blog: Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software CompanyIran-Backed Hackers Claim Wiper Attack on Medtech Firm StrykerCheck Point Blog: Iranian MOIS Actors & the Cyber Crime ConnectionCheck Point Blog: Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Security Boulevard is a leading cybersecurity news and information portal, offering articles, analysis, and insights on cybersecurity threats, vulnerabilities, and best practices. From the latest trends in cyber threats to expert commentary on security technologies and compliance frameworks, Security Boulevard provides resources for security professionals, IT leaders, and business executives seeking to protect their organizations from cyber attacks and data breaches.

Security Boulevard

Following Operation Epic Fury (US-Israel military strikes on Iran), Iranian state-linked threat actors have escalated from espionage to destructive cyber campaigns. MOIS-affiliated groups MuddyWater and Handala are central actors: MuddyWater pre-positioned access in US and Israeli networks weeks before strikes, deploying new backdoors (Dindoor, Fakeset), while Handala claimed a wiper attack on Stryker affecting 200,000+ systems and 50TB of stolen data. Iranian actors are increasingly using cybercriminal infrastructure (e.g., Qilin RaaS) to obscure attribution. A surge in exploitation of Hikvision and Dahua IP camera vulnerabilities linked to Iranian-nexus actors has also been observed. Sectors at elevated risk include finance, healthcare, aviation, critical infrastructure, and telecommunications. Key CVEs to patch include CVE-2021-36260, CVE-2017-7921, CVE-2021-33044, CVE-2023-6895, and CVE-2025-34067.

Cyber Retaliation: Analyzing Iranian Cyber Activity Following Operation Epic Fury