In the wake of Operation Epic Fury, digital attacks have shifted from quiet espionage to a loud, coordinated campaign of economic and physical retaliation. In response, the Tenable Research Special Operations (RSO) team is examining the latest threats and cyber operations linked to Iranian threat actors.
Key takeaways:
- Following the military operations of Operation Epic Fury, Iranian-linked actors have moved beyond quiet intelligence gathering to a coordinated, hybrid offensive, actively engaging in disruptive and destructive campaigns targeting critical infrastructure and other sectors.
- MOIS-affiliated actors are increasingly operating under the veil of cybercriminal infrastructure to complicate attribution.
- A significant increase in the targeting of IP cameras by Iranian-nexus actors has been observed, exploiting known and exploitable vulnerabilities.
Background
Following the February 28 military operations conducted by the United States and Israel known as Operation Epic Fury, Tenable’s RSO team released a blog post examining Iranian-linked threat actors and their operational focus. As ongoing kinetic strikes have continued to target Iranian leadership and infrastructure, Iranian threat actor activity has surged into a coordinated, hybrid offensive targeting Western, Israeli and regional economic and critical infrastructure.
Analysis
Recently, Ministry of Intelligence and Security (MOIS)-affiliated groups have significantly escalated their operations, shifting from espionage to disruptive and destructive campaigns. MuddyWater and the Void Manticore persona known as Handala are two groups that have shown increased malicious activity surrounding the recent military operations in Iran.
From silt to strike: How MuddyWater weaponized pre-positioned access
MuddyWater, also known as Seedworm and by additional aliases, is a MOIS-affiliated actor known for targeting telecommunications and government organizations. The group is well known for gaining initial access to victim networks, often acting as an initial-access broker. Recent reporting indicates that the group infiltrated U.S. and Israeli infrastructure weeks prior to the military operations conducted as part of Operation Epic Fury. According to Symantec, a U.S. bank, a software company, an airport and non-government organizations in both the U.S. and Canada were targeted. These attacks uncovered a previously unknown backdoor known as Dindoor and a Python backdoor known as Fakeset.
Additional targeting by MuddyWater includes a campaign tracked by Group-IB as Operation Olalampo. The campaign, observed in late January, targeted organizations across the Middle East and North Africa (MENA) region, where multiple malware variants attributed to MuddyWater were identified, including the use of a Telegram bot as a command and control (C2) channel.
The Handala hand-off: From silent espionage to wiping the slate clean
The Void Manticore persona known as Handala specializes in destructive attacks, often wiping data from compromised hosts. The group frequently collaborates with initial access brokers (IABs) in a tag-team approach, taking control of victim networks to deploy custom wipers such as BiBi Wiper and Cl Wiper after the IAB has exfiltrated data from the victim.
On March 11, Handala posted to Telegram, claiming an attack on the global medical technology company Stryker. The group claims to have erased data on more than 200,000 systems, including mobile devices. While the root cause is unknown, reports suggest that the wipe attack on the mobile devices may have been the result of compromising Stryker’s Microsoft Intune instance. Handala also claims to have stolen 50 terabytes of data and defaced Microsoft Entra login pages with its logo as part of the attack on Stryker.
Despite widespread internet blackouts at the onset of the initial strikes in February, Handala has been observed using Starlink IP ranges to bypass Iran's internet blackout, allowing it to maintain C2 infrastructure.
State intent, criminal consent: Analyzing the MOIS-cybercrime alliances
Recent reporting from Check Point points to Iran-linked actors engaging with, and operating under the veil of, other cybercriminals. In one instance, MuddyWater was likely using infrastructure provided by Qilin, the well-known ransomware-as-a-service (RaaS) operator, to conduct attacks targeting Israeli hospitals. Using cybercrime and hacktivism as cover for destructive activity gives the attackers plausible deniability. Attribution has always been difficult to pinpoint, but these tactics and the reliance on criminal infrastructure make it even harder, giving the attackers a greater chance of remaining anonymous.
Industries targeted and likely to be targeted
Following a missile strike on Bank Sepah, one of the largest public banks in Iran, an Iranian spokesperson warned that U.S. and Israeli financial institutions would be targeted in response. While it’s unclear whether these will be kinetic or digital attacks, the financial sector is just one of many industries that are likely to see targeting. Industries known to have been targeted or likely to be at elevated risk include:
- Aviation
- Transportation
- Finance
- Healthcare
- Defense
- Government
- Critical Infrastructure (Energy/Utilities/Water & Wastewater)
- Telecommunications
While warnings of attacks targeting critical infrastructure, including supervisory control and data acquisition (SCADA) and industrial control systems (ICS), are of great concern to Western countries, it’s unclear what pre-positioning or successful attacks can be attributed to Iranian-nexus actors.
Recently, the pro-Russia hacktivist group Z-Pentest claimed to have compromised several SCADA and ICS systems of U.S.-based organizations as well as CCTV networks. However, these claims have not been verified. Despite this, collaboration with, or hacktivism in support of, Iran by other threat actors remains a concern.
With the threat of increased cyberattacks from Iranian state-sponsored actors, hacktivists and cybercriminal groups targeting critical infrastructure, the Information Technology-Information Sharing and Analysis Center (IT-ISAC) published a joint advisory outlining various groups, their operations and recommendations for defensive measures. We recommend reviewing this advisory and taking proactive steps to reduce your exposure to these actors.
Focusing on flaws: The surge in Hikvision and Dahua exploitation
In connection with the ongoing military campaign, Check Point has identified an increase in IP camera targeting, including devices from Hikvision and Dahua. The attack infrastructure was assessed to be linked to Iran-nexus actors, and activity appears to have increased around various geopolitical events. While it’s unclear whether the camera targeting is meant to observe targets ahead of kinetic attacks or to assess damage after a strike, the timing and compromise of these devices should be of concern to any organization that may be affected by the following vulnerabilities:
| CVE | Description | CVSSv3 | VPR* |
|---|---|---|---|
| CVE-2017-7921 | Hikvision IP Camera Improper Authentication Vulnerability | 10 | 9.2 |
| CVE-2021-33044 | Dahua Authentication Bypass Vulnerability | 9.8 | 7.4 |
| CVE-2021-36260 | Hikvision IP Camera Command Injection Vulnerability | 9.8 | 9.7 |
| CVE-2023-6895 | Hikvision Intercom Broadcasting System Command Injection Vulnerability | 9.8 | 6.7 |
| CVE-2025-34067 | Hikvision Integrated Security Management Platform Command Execution Vulnerability | 9.8 | 6.7 |
*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on March 11, 2026 and reflects VPR at that time.
Of these five vulnerabilities, three of them have been added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. At the time this blog was published, CVE-2023-6895 and CVE-2025-34067 were not yet part of the KEV.
Additional CVEs that have been widely exploited and have also been attributed to Iranian-nexus threat actors include:
| CVE | Description | CVSSv3 | VPR* |
|---|---|---|---|
| CVE-2017-11882 | Microsoft Office Memory Corruption Vulnerability | 7.8 | 9.8 |
| CVE-2020-0688 | Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability | 8.8 | 9.5 |
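
A defender triaging the seven CVEs from the two tables above will want to know which ones CISA has already listed in the KEV catalog and which still need prioritizing on VPR alone. The following script is an added example, not part of the original post or a Tenable tool: it takes the CVE, CVSSv3 and VPR values from the tables, cross-references them against a KEV-style JSON document, and ranks them. The KEV excerpt embedded below is constructed to match the page's statement (three of the camera CVEs listed, the other two not); the real catalog must be downloaded from CISA.

```python
import json

# CVEs from the two tables in this post, with their CVSSv3 and VPR values.
WATCHLIST = {
    "CVE-2017-7921": (10.0, 9.2),
    "CVE-2021-33044": (9.8, 7.4),
    "CVE-2021-36260": (9.8, 9.7),
    "CVE-2023-6895": (9.8, 6.7),
    "CVE-2025-34067": (9.8, 6.7),
    "CVE-2017-11882": (7.8, 9.8),
    "CVE-2020-0688": (8.8, 9.5),
}

# Constructed excerpt in the shape of CISA's KEV feed, limited to the keys this
# script reads. It only reflects what the post states about the camera CVEs.
# The real catalog lives at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision"},
        {"cveID": "CVE-2021-33044", "vendorProject": "Dahua"},
        {"cveID": "CVE-2021-36260", "vendorProject": "Hikvision"},
    ]
})


def kev_cve_ids(kev_json: str) -> set[str]:
    """Return the set of CVE IDs present in a KEV catalog document."""
    catalog = json.loads(kev_json)
    return {entry["cveID"].upper() for entry in catalog.get("vulnerabilities", [])}


def triage(watchlist: dict[str, tuple[float, float]], kev_json: str) -> list[dict]:
    """Rank watchlist CVEs: KEV-listed first, then by VPR, CVSS and CVE ID."""
    kev = kev_cve_ids(kev_json)
    rows = [
        {"cve": cve, "in_kev": cve.upper() in kev, "cvss": cvss, "vpr": vpr}
        for cve, (cvss, vpr) in watchlist.items()
    ]
    rows.sort(key=lambda r: (not r["in_kev"], -r["vpr"], -r["cvss"], r["cve"]))
    return rows


def not_in_kev(watchlist: dict[str, tuple[float, float]], kev_json: str) -> list[str]:
    """Watchlist CVEs the catalog does not (yet) list, in triage order."""
    return [r["cve"] for r in triage(watchlist, kev_json) if not r["in_kev"]]


if __name__ == "__main__":
    for r in triage(WATCHLIST, SAMPLE_KEV_JSON):
        flag = "KEV" if r["in_kev"] else "   "
        print(f'{flag} {r["cve"]:<15} CVSS {r["cvss"]:>4}  VPR {r["vpr"]:>4}')
```

Re-run it against the live feed before acting on the output, since KEV entries and VPR scores both change over time.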

Additionally, you can review the following posts for other CVEs that have been attributed to Iran-nexus threat actors:
- Frequently Asked Questions About Iranian Cyber Operations
- Operation Epic Fury: Potential Iranian Cyber Counteroffensive Operations
- Group-IB blog: Operation Olalampo: Inside MuddyWater’s Latest Campaign
Identifying affected systems
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2017-11882, CVE-2017-7921, CVE-2020-0688, CVE-2021-33044, CVE-2021-36260, CVE-2023-6895 and CVE-2025-34067 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Get more information
- Tenable Blog: Operation Epic Fury: Potential Iranian Cyber Counteroffensive Operations
- Symantec Blog: Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company
- Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker
- Check Point Blog: Iranian MOIS Actors & the Cyber Crime Connection
- Check Point Blog: Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East
Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

The post Cyber Retaliation: Analyzing Iranian Cyber Activity Following Operation Epic Fury appeared first on Security Boulevard.
Research Special Operations
Source: Security Boulevard
Source Link: https://securityboulevard.com/2026/03/cyber-retaliation-analyzing-iranian-cyber-activity-following-operation-epic-fury/