Iran's Cyber Forces Shift from Espionage to Infrastructure Pre-Positioning

Iranian state-sponsored hacking groups have significantly escalated their operations against U.S. and Israeli targets over the past year, shifting from opportunistic cyber espionage to sustained campaigns aimed at critical infrastructure, cloud environments, and supply chains.

The shift reflects what security researchers describe as the full militarization of Iran's cyber forces, with hacking units now operating under formal command structures inside the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS).

A June 2025 joint advisory from NSA, CISA, FBI, and DC3 warned that Iranian state-sponsored actors are actively preparing to target U.S. critical infrastructure, defense contractors, and government entities—activity that officials say could serve as preparation for future kinetic conflict.

From Espionage to Infrastructure Disruption

Iranian cyber operations were once best known for destructive but unsophisticated attacks, such as the Shamoon wiper malware that crippled Saudi energy firms a decade ago. Today, those same units are demonstrating advanced tradecraft, abusing cloud identity systems and embedding themselves inside critical infrastructure networks.

The IRGC-affiliated group CyberAv3ngers gained international attention in late 2023 after compromising internet-exposed water system controllers in the United States and Europe. In November 2023, the group breached the Municipal Water Authority of Aliquippa in Pennsylvania, forcing the utility to switch to manual operations after attackers accessed a booster station running Israeli-made Unitronics programmable logic controllers.

According to CISA's updated December 2024 advisory, CyberAv3ngers compromised at least 75 Unitronics devices globally, including 34 in the U.S. water and wastewater sector. The attackers deployed custom ladder logic files and supplanted existing control configurations—demonstrating capabilities that exceeded typical hacktivist operations.

While technically opportunistic, the attacks sent a clear strategic message: Iran is willing and able to touch civilian infrastructure inside the U.S. homeland.

Leaked Documents Reveal Corporate-Style Cyber Units

In September 2025, internal documents tied to APT35—also known as Charming Kitten—were published online by an anonymous source calling itself "KittenBusters." The leak, described by researchers as one of the most significant exposures of an Iranian state-sponsored operation to date, revealed the group's organizational structure, target lists, and operational playbooks.

Analysis by CloudSEK, Gatewatcher, and independent researcher Nariman Gharib confirmed the documents show a rigid, bureaucratic system in which operators are assigned daily quotas for phishing attempts, account compromises, and reconnaissance activity. Daily reports track hours worked and task completion—functioning more like a government contractor than independent hackers.

The leaked materials identify the group's command structure, including Abbas Rahrovi (alias Abbas Hosseini), who reportedly oversees operations through front companies including "Zharf Andishaan Tafakkor Sefid" (Deep White Thinking Institute). Financial records revealed a complete 19-month trail of Bitcoin payments, infrastructure purchases, and ProtonMail credentials used to sustain operations.

The leak confirms long-held suspicions that Iran's cyber operations are now fully institutionalized, with performance metrics, salaries, and formal oversight tied directly to IRGC Intelligence Organization's Department 40.

Cloud and Identity Now the Primary Attack Surface

Rather than exploiting software vulnerabilities, Iranian groups increasingly rely on credential theft, password spraying, and abuse of cloud platforms such as Microsoft Azure and Microsoft 365.

Microsoft's 2025 Digital Defense Report noted an 87% increase in attacks intended to disrupt or destroy data in Azure customer tenants compared to 2023. Iranian actors are using compromised Azure subscriptions to host command-and-control infrastructure, allowing malicious traffic to blend in with legitimate enterprise activity.

APT33 (Peach Sandstorm) has been observed targeting defense, pharmaceutical, and satellite organizations using password spray attacks, then deploying custom malware like Tickler and FalseFont through Azure infrastructure. In one 2023 intrusion documented by Microsoft, Iranian hackers executed a golden SAML attack—forging authentication tokens trusted across an entire Microsoft 365 environment.

APT35 has developed tools like Hyperscrape specifically designed to silently exfiltrate emails from compromised Gmail and Microsoft accounts. The group tunnels RDP and C2 traffic through attacker-controlled Azure resources using Fast Reverse Proxy (FRP), bypassing firewalls while maintaining persistence.

"Iranian operators are no longer breaking in through the front door—they're logging in," noted one researcher in the Sysdig threat bulletin.

Hacktivism as Plausible Deniability

Alongside traditional espionage groups, Iran has expanded its use of aggressive "hacktivist" fronts that publicly claim responsibility for disruptive attacks while maintaining plausible deniability.

In March 2025, a group calling itself DieNet launched distributed denial-of-service attacks against U.S. transportation and energy-sector organizations, including the Port of Los Angeles, Los Angeles Metropolitan Transportation Authority, Chicago Transit Authority, and the North American Electric Reliability Corporation.

According to NETSCOUT analysis, DieNet has claimed more than 60 DDoS attacks since its emergence on March 7, 2025, targeting critical infrastructure across transportation, energy, healthcare, finance, and telecommunications sectors. The Center for Internet Security confirmed attacks against energy providers, regulatory organizations, hospitals, and financial institutions.

DieNet leverages DDoS-as-a-service infrastructure shared with other threat groups, enabling rapid attack mobilization without proprietary botnets. Although the group frames its operations as ideological activism, security researchers note its coordination with known pro-Iranian groups including Mr. Hamza, Sylhet Gang-SG, and LazaGrad Hack suggests access to state-level resources.

CSIS analysis of the June 2025 Israel-Iran conflict found that more than 178 hacktivist and proxy groups mobilized rapidly as airstrikes began, with Iranian-backed groups coordinating attacks aligned with kinetic military operations.

Why It Matters

U.S. and Israeli officials increasingly view these operations as pre-positioning for future conflict, blurring the line between cyber espionage and cyber warfare.

By embedding themselves in cloud environments, supply chains, and operational technology systems, Iranian actors may be creating options for rapid disruption during periods of heightened geopolitical tension—without crossing the threshold of open war.

The June 2025 CISA advisory explicitly warned that Defense Industrial Base companies, particularly those with holdings or relationships with Israeli research and defense firms, face increased risk. Nozomi Networks reported a 133% increase in Iran-linked attacks on OT customers between March and June 2025, with particular focus on transportation and manufacturing sectors.

Defensive Recommendations

Organizations should implement the following measures:

  • Enforce MFA on all cloud accounts and monitor for unusual login patterns
  • Audit internet-exposed OT/ICS devices, particularly those using default credentials
  • Monitor for password spraying against Microsoft 365 and Azure environments
  • Review vendor and third-party access to critical systems
  • Implement network segmentation between IT and OT environments
  • Enable logging and alerting for Azure resource creation and configuration changes
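To make the password-spray monitoring in the list above (and the spraying attributed to APT33 earlier) concrete, here is an added example that is not from the advisory or any vendor cited on this page: a detector run over constructed Microsoft 365 / Entra ID sign-in records. The field names, thresholds and the sample events are assumptions for illustration; the status code 50126 is Entra's "invalid username or password" result.

```python
"""Password-spray detection over Microsoft 365 / Entra ID sign-in events.

A spray is many distinct accounts, each tried only once or twice, from one
source IP inside a short window; brute force (one account, many tries) is not.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names mimic Entra
# sign-in logs; status 0 = success, 50126 = invalid username or password.
SAMPLE_SIGNINS = [
    # spray: six accounts, one failure each, from a single IP, then one success
    {"time": "2025-06-01T02:00:05Z", "user": "alice@example.com", "ip": "203.0.113.7", "status": 50126},
    {"time": "2025-06-01T02:00:31Z", "user": "bob@example.com",   "ip": "203.0.113.7", "status": 50126},
    {"time": "2025-06-01T02:01:02Z", "user": "carol@example.com", "ip": "203.0.113.7", "status": 50126},
    {"time": "2025-06-01T02:01:40Z", "user": "dave@example.com",  "ip": "203.0.113.7", "status": 50126},
    {"time": "2025-06-01T02:02:15Z", "user": "erin@example.com",  "ip": "203.0.113.7", "status": 50126},
    {"time": "2025-06-01T02:02:50Z", "user": "frank@example.com", "ip": "203.0.113.7", "status": 50126},
    {"time": "2025-06-01T02:05:10Z", "user": "frank@example.com", "ip": "203.0.113.7", "status": 0},
    # brute force against one account: not a spray, left to a different rule
    *[{"time": f"2025-06-01T03:00:{s:02d}Z", "user": "bob@example.com", "ip": "198.51.100.9", "status": 50126} for s in range(0, 40, 5)],
    # benign: a user mistypes once, then signs in
    {"time": "2025-06-01T09:15:00Z", "user": "carol@example.com", "ip": "192.0.2.44", "status": 50126},
    {"time": "2025-06-01T09:15:20Z", "user": "carol@example.com", "ip": "192.0.2.44", "status": 0},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_password_spray(events, window_minutes=10, min_users=5, max_per_user=2):
    """Return one finding per source IP whose failed sign-ins in some window
    cover >= min_users accounts with <= max_per_user tries each.
    follow_up_success lists accounts the same IP later signed into, which is
    the outcome a spray is meant to produce and the part worth paging on."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        bucket = successes if ev["status"] == 0 else failures
        bucket[ev["ip"]].append((_ts(ev["time"]), ev["user"]))
    findings = []
    for ip, tries in failures.items():
        tries.sort()  # oldest first, so each index starts a candidate window
        for i, (start, _) in enumerate(tries):
            end = start + timedelta(minutes=window_minutes)
            per_user = Counter(u for t, u in tries[i:] if t <= end)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                later_ok = sorted({u for t, u in successes.get(ip, []) if t >= start})
                findings.append({"ip": ip, "first_seen": start.isoformat(), "distinct_users": len(per_user), "follow_up_success": later_ok})
                break  # one finding per IP is enough for an alert
    return findings
```

The brute-force block against a single account is deliberately left unflagged so the spray rule stays specific; a lockout-style rule would catch that pattern separately.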
