Ceasefire Offline: Iranian Cyber Threats Surge Despite Diplomatic Thaw
- Cyber Jill
- Jun 30
- 3 min read
While diplomats debate in Geneva, Iranian threat actors are still probing American networks. The NSA, CISA, FBI, and the Department of Defense Cyber Crime Center (DC3) issued a rare joint Cybersecurity Information Sheet this week warning that U.S. entities, particularly critical infrastructure operators, remain exposed to an escalating campaign of Iranian cyber aggression.
According to the advisory, cyber actors aligned with the Islamic Revolutionary Guard Corps (IRGC) are exploiting outdated systems, default credentials, and unpatched vulnerabilities to establish access across poorly secured U.S. environments. The timing is telling: although military tensions in the Middle East may be cooling, the tempo of digital conflict appears to be intensifying.
“My reaction aligns with the advisory's core message: vigilance remains paramount,” said Nic Adams, Co-Founder and CEO, 0rcus. “The notion that diplomatic de-escalation translates to a pause in cyber operations is, frankly, naive.”
Cyberspace: Where the Truce Doesn't Apply
Unlike kinetic warfare, cyber operations don’t pause for peace talks. “A ceasefire is for kinetic engagements; digital espionage and sabotage pre-positioning operate on a completely different timeline,” Adams said. Iran’s cyber operations are viewed as an asymmetric lever—high impact, low cost, and offering plausible deniability. They’re also remarkably persistent.
The advisory lists attack vectors that are all too familiar to defenders: credential stuffing, MFA push fatigue attacks, unpatched software, and exploitation of outdated third-party systems. But Adams warns that Iranian groups—particularly APTs with ties to the IRGC—have become more methodical, pragmatic, and opportunistic in their approach.
“In the current environment, expect continued emphasis on N-day vulnerabilities, default credentials, and poorly secured industrial control systems,” Adams said.
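The two credential-focused vectors named above, credential stuffing and MFA push fatigue, leave a recognisable shape in authentication logs: one source address cycling through many usernames, and one user receiving a burst of MFA prompts that ends in an approval. The following is an added example written for this page, not code from the advisory or from 0rcus; the five-field log layout, the sample lines and the thresholds are all constructed assumptions and would need tuning against a real identity provider's logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs). Assumed layout:
# <ISO timestamp> <event> <user> <source IP> <result>
SAMPLE_LOG = """\
2025-06-30T02:00:01Z LOGIN alice 203.0.113.10 FAIL
2025-06-30T02:00:02Z LOGIN bob 203.0.113.10 FAIL
2025-06-30T02:00:03Z LOGIN carol 203.0.113.10 FAIL
2025-06-30T02:00:04Z LOGIN dave 203.0.113.10 FAIL
2025-06-30T02:00:05Z LOGIN erin 203.0.113.10 FAIL
2025-06-30T02:00:06Z LOGIN frank 203.0.113.10 SUCCESS
2025-06-30T02:00:07Z LOGIN alice 198.51.100.7 FAIL
2025-06-30T02:00:09Z LOGIN alice 198.51.100.7 SUCCESS
2025-06-30T03:10:00Z MFA_PUSH frank 203.0.113.10 DENIED
2025-06-30T03:10:20Z MFA_PUSH frank 203.0.113.10 DENIED
2025-06-30T03:10:40Z MFA_PUSH frank 203.0.113.10 TIMEOUT
2025-06-30T03:11:00Z MFA_PUSH frank 203.0.113.10 DENIED
2025-06-30T03:11:30Z MFA_PUSH frank 203.0.113.10 APPROVED
2025-06-30T08:00:00Z MFA_PUSH alice 198.51.100.7 APPROVED
"""


def parse(log):
    """Parse the assumed five-field layout into (ts, event, user, ip, result)."""
    events = []
    for line in log.splitlines():
        ts, kind, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       kind, user, ip, result))
    return events


def credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that try >= min_users distinct accounts within `window`.
    Many distinct usernames from one address is the signature of a stuffing
    run, regardless of how many attempts eventually succeed."""
    by_ip = defaultdict(list)
    for ts, kind, user, ip, result in events:
        if kind == "LOGIN":
            by_ip[ip].append((ts, user, result))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):          # sliding window over time
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u, _ in attempts[start:end + 1]}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def mfa_push_fatigue(events, window=timedelta(minutes=10), min_pushes=3):
    """Flag users who receive >= min_pushes MFA prompts within `window` and
    record whether the burst ended in an approval: that is the pattern where a
    worn-down user finally accepts a prompt they did not initiate."""
    by_user = defaultdict(list)
    for ts, kind, user, ip, result in events:
        if kind == "MFA_PUSH":
            by_user[user].append((ts, result))
    hits = {}
    for user, pushes in by_user.items():
        pushes.sort()
        start = 0
        for end in range(len(pushes)):
            while pushes[end][0] - pushes[start][0] > window:
                start += 1
            burst = pushes[start:end + 1]
            if len(burst) >= min_pushes:
                rejected = sum(1 for _, r in burst if r != "APPROVED")
                hits[user] = {
                    "pushes": len(burst),
                    "approved_after_rejections": burst[-1][1] == "APPROVED" and rejected > 0,
                }
    return hits


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("credential stuffing:", credential_stuffing(ev))
    print("MFA push fatigue:", mfa_push_fatigue(ev))
```

On the constructed input the stuffing check fires on 203.0.113.10 after five distinct usernames in five seconds, and the fatigue check fires on frank because four rejected or timed-out prompts are followed by an approval from the same source. The second signal is the one worth paging on: a burst that never ends in an approval is noise, a burst that does is an account takeover in progress.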
Infrastructure in the Crosshairs
Iranian actors are reportedly escalating their targeting of Operational Technology (OT) systems, the industrial controllers that manage water, power, and other critical infrastructure sectors. Groups like CyberAv3ngers have previously attacked Israeli water utilities and, in late 2023, defaced Israeli-made Unitronics PLCs at U.S. water facilities. U.S. operators should expect similar attention.
“Unexplained changes in PLC logic, unusual commands on HMIs, or deviations from baseline parameters—even without malware—should raise red flags,” Adams advised. “Watch for OT-specific behavioral anomalies.”
He also emphasized the importance of OT/IT segmentation and zero-trust principles: “Deny-by-default. Eliminate internet exposure. Lock PLCs into run mode. The basics aren't sexy, but they're vital.”
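The OT indicators Adams lists (writes from the wrong place, setpoints drifting off baseline) can be checked against a simple per-PLC baseline with no malware signature involved. The following is an added example for this page, not code from 0rcus or from any PLC vendor; the Modbus/TCP-style event layout, the PLC address, the approved-writer list and the register bands are all assumptions. Locking a PLC into run mode is a setting on the controller itself and is not something this monitor enforces; it only reports writes that the baseline does not expect.

```python
# Constructed baseline for one PLC; every value here is an assumption.
BASELINE = {
    "plc": "10.10.5.20",
    "allowed_writers": {"10.10.5.2"},                  # engineering workstation only
    "registers": {40001: (50, 70), 40002: (0, 100)},   # holding register -> (low, high)
}

# Modbus function codes that change controller state; reads (codes 1-4) are left alone.
WRITE_FUNCS = {
    5: "WRITE_SINGLE_COIL",
    6: "WRITE_SINGLE_REGISTER",
    15: "WRITE_MULTIPLE_COILS",
    16: "WRITE_MULTIPLE_REGISTERS",
}

# Constructed Modbus/TCP-style events (not a capture):
# (timestamp, src_ip, dst_ip, function_code, register, value)
SAMPLE_EVENTS = [
    ("2025-06-30T01:00:00Z", "10.10.5.30", "10.10.5.20", 3, 40001, None),    # HMI polling read
    ("2025-06-30T01:00:05Z", "10.10.5.2", "10.10.5.20", 6, 40001, 60),       # setpoint write from EWS
    ("2025-06-30T01:00:10Z", "10.10.5.30", "10.10.5.20", 6, 40001, 62),      # write from HMI: not approved
    ("2025-06-30T01:00:15Z", "10.10.5.2", "10.10.5.20", 6, 40001, 95),       # approved host, value off baseline
    ("2025-06-30T01:00:20Z", "192.168.77.9", "10.10.5.20", 16, 40002, 0),    # unknown host, bulk write
    ("2025-06-30T01:00:25Z", "10.10.5.30", "10.10.5.20", 3, 40002, None),    # HMI polling read
]


def check_event(ev, baseline=BASELINE):
    """Return the list of baseline violations for one event (empty if benign)."""
    ts, src, dst, func, reg, val = ev
    findings = []
    if dst != baseline["plc"] or func not in WRITE_FUNCS:
        return findings                      # not our PLC, or a read: nothing to judge
    name = WRITE_FUNCS[func]
    if src not in baseline["allowed_writers"]:
        findings.append(f"{ts} {name} reg {reg} on {dst} from non-approved writer {src}")
    band = baseline["registers"].get(reg)
    if band is not None and val is not None and not (band[0] <= val <= band[1]):
        findings.append(f"{ts} {name} set reg {reg} on {dst} to {val}, outside baseline {band}")
    return findings


def scan(events, baseline=BASELINE):
    """Run every event through check_event and collect all findings in order."""
    return [f for ev in events for f in check_event(ev, baseline)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Three of the six constructed events are flagged: the HMI writing a setpoint it is only supposed to read, the engineering workstation pushing a value outside the agreed band, and an address from outside the OT network issuing a multi-register write. None of these requires a known-bad sample; the baseline is the detection. A real deployment would derive the register bands from a quiet-period capture rather than hand-typing them, and would also alert on any traffic to the PLC that is not Modbus at all.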
Weaponization Moves Faster Now
What’s changed since the last major wave of Iranian cyberattacks? One answer: speed. Thanks to AI, Iranian threat actors are likely accelerating their development of new tactics, techniques, and procedures (TTPs).
“Traditional security measures are simply not fast enough to counter this pace,” Adams said. “The emphasis shifts from detecting what is known to anticipating and neutralizing what is unknown or custom.”
Adams highlighted the increasing use of AI in both synthetic media and cyberattack execution. Deepfakes and disinformation campaigns can be layered with phishing or used to erode trust inside organizations—an evolution in social engineering that makes spear-phishing harder to detect and easier to personalize.
Beyond Patching: Proactive Adversarial Defense
The latest advisory recommends patching and credential management, but Adams believes organizations must go much further. He argues for adopting a “black-hat authenticity” mindset—thinking like the adversary and proactively finding gaps before attackers do.
“CI teams must pivot from a purely reactive, patch-and-detect mindset to one of proactive anticipation and neutralization,” he said. That includes rigorous red teaming that mimics Iranian TTPs, scenario-based incident response drills, and continuous monitoring of user access and supply chain anomalies.
Even subtle signs—like scheduled tasks appearing out of nowhere, anomalous vendor activity, or low-volume network beacons—should be treated as potential indicators of compromise.
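Of the indicators listed above, the low-volume beacon is the one a defender can score directly from connection records: a compromised host talking to its controller on a timer produces inter-connection gaps that are far more regular than human-driven traffic, and the payloads stay small. The following is an added example written for this page, not code from 0rcus; the flow record layout, the sample flows and the thresholds are constructed assumptions, and the method (coefficient of variation of inter-arrival gaps plus a payload-size cap) is one common heuristic rather than the only one.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed flow records (not real traffic). Assumed layout:
# <ISO timestamp> <src IP> <dst IP> <bytes sent>
# 203.0.113.55 is contacted every ~5 minutes with ~210 bytes; 198.51.100.20 is ordinary browsing.
SAMPLE_FLOWS = """\
2025-06-30T00:00:00Z 10.10.1.15 203.0.113.55 212
2025-06-30T00:00:12Z 10.10.1.15 198.51.100.20 48000
2025-06-30T00:00:24Z 10.10.1.15 198.51.100.20 1200
2025-06-30T00:04:24Z 10.10.1.15 198.51.100.20 250000
2025-06-30T00:04:29Z 10.10.1.15 198.51.100.20 3400
2025-06-30T00:05:00Z 10.10.1.15 203.0.113.55 208
2025-06-30T00:10:02Z 10.10.1.15 203.0.113.55 215
2025-06-30T00:15:00Z 10.10.1.15 203.0.113.55 210
2025-06-30T00:19:29Z 10.10.1.15 198.51.100.20 91000
2025-06-30T00:20:01Z 10.10.1.15 203.0.113.55 209
2025-06-30T00:25:00Z 10.10.1.15 203.0.113.55 211
"""


def parse_flows(text):
    """Parse the assumed four-field layout into (ts, src, dst, bytes)."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                      src, dst, int(nbytes)))
    return flows


def beacon_candidates(flows, min_flows=5, max_cv=0.2, max_median_bytes=1024):
    """Return (src, dst) pairs whose connections recur at near-constant
    intervals (coefficient of variation of the gaps <= max_cv) with
    consistently small payloads. Regularity plus low volume is the beacon's
    signature; the thresholds are assumed starting points, not tuned values."""
    pairs = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        pairs[(src, dst)].append((ts, nbytes))
    out = {}
    for key, recs in pairs.items():
        if len(recs) < min_flows:
            continue                                  # too few samples to judge regularity
        recs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg                       # 0 means perfectly periodic
        if cv <= max_cv and median(n for _, n in recs) <= max_median_bytes:
            out[key] = {"flows": len(recs), "period_s": round(avg), "cv": round(cv, 3)}
    return out


if __name__ == "__main__":
    for pair, info in beacon_candidates(parse_flows(SAMPLE_FLOWS)).items():
        print(pair, info)
```

On the constructed flows only the 203.0.113.55 pair survives: six connections, a 300-second period, and a coefficient of variation near zero. The browsing destination has gaps of 12, 240, 5 and 900 seconds and multi-kilobyte transfers, so it is dropped on both tests. Real implants add jitter on purpose, which is why the threshold is a ratio rather than an exact period; raising `max_cv` trades false negatives against noise from legitimate pollers such as update checkers, which is where an allowlist of known periodic destinations comes in.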
No Illusions, No Downtime
The joint advisory is a stark reminder that even as ceasefires are brokered and treaties drafted, America’s digital infrastructure remains a target. “Adversaries such as Iran don't adhere to traditional geopolitical calendars in cyberspace,” Adams said. “They operate on their own tempo—and that tempo is accelerating.”
For defenders, that means ditching illusions of safety during diplomatic lulls. There is no downtime in cyberspace. There is only readiness—or regret.