RadioCSIRT English Edition - Update about Cyber situation on middle East - Ep. 77
In this episode: the cyber dimension of the Iran conflict — a six-week retrospective from the initial strikes of February 28 through the fragile ceasefire of April 9, 2026, covering the full evolution of Iranian and pro-Iranian cyber operations from the first hacktivist DDoS waves to confirmed exploitation of industrial control systems inside the United States.
On February 28, 2026, the United States and Israel launched joint military strikes against Iranian strategic sites under Operations Epic Fury and Roaring Lion. Within hours, two things happened simultaneously in cyberspace: Iran's domestic internet connectivity collapsed to between one and four percent of normal capacity, and a coordinated multi-vector cyber counteroffensive was launched combining state APT operations with a coalition of over sixty hacktivist groups. In the first seventy-two hours, more than 149 attack claims were recorded against 110 distinct organizations across sixteen countries. Two groups accounted for seventy percent of total DDoS volume: Keymous Plus targeting GCC governments and financial institutions, and DieNet hitting Bahrain and Sharjah airports, Riyadh Bank, Bank of Jordan, and UAE infrastructure. In parallel, APT34/OilRig was conducting active credential harvesting against regional telecoms and government institutions, with confirmed exploitation of CVE-2026-22719 — a CVSS 8.1 unauthenticated command injection in VMware Aria Operations, added to the CISA KEV catalog on March 4. MuddyWater was conducting Operation Olalampo against META-region IT providers. UNC1549 was operating against defense, aerospace, and telecoms targets. APT35 and APT42 were running cloud credential theft campaigns against M365 and Google Workspace environments.
A supply chain dimension emerged in week one: state actors began injecting malicious code into npm and PyPI packages, activating payloads only within production CI/CD pipelines, with AI-generated code designed to evade conventional detection tools. On March 31, the npm axios library — over one billion monthly downloads — was compromised via maintainer credential theft. Malicious versions 1.14.1 and 0.30.4 incorporated a hidden dependency, plain-crypto-js 4.2.1, executing a post-install dropper deploying a cross-platform RAT targeting Windows, macOS, and Linux. Any development environment that installed or updated axios during the compromise window should be treated as potentially affected.
Also on March 31, the IRGC formally designated Western technology and financial entities as legitimate targets for retaliatory operations effective April 1. Named targets include Cisco, HP, Intel, Oracle, Microsoft, Apple, Google, Meta, IBM, Dell, Nvidia, and Palantir in the technology sector — all classified high threat level — JPMorgan Chase in finance, Boeing and General Electric in defense and industry. This designation transformed the threat from opportunistic hacktivist activity into a declared targeting posture against named Western entities.
The most operationally significant escalation occurred on April 8, 2026. The FBI, CISA, NSA, EPA, Department of Energy, and USCYBERCOM published a joint advisory confirming active exploitation of programmable logic controllers in US water, wastewater, energy, and government facility sectors by Iranian-affiliated APT actors, with confirmed operational disruption and financial loss. Targeted devices include Rockwell Automation CompactLogix and Micro850 PLCs, with activity indicating possible extension to Siemens S7 devices. Actors accessed internet-facing PLCs using overseas infrastructure and Rockwell's Studio 5000 Logix Designer software, manipulating project files and HMI/SCADA displays. This is not an assessment — it is a confirmed joint government advisory with confirmed operational impact. The shift from DDoS and data exfiltration to confirmed OT/PLC exploitation with operational consequences represents a qualitative escalation in threat level that every industrial operator must integrate into their defensive posture immediately.
For detection priorities: audit all npm and PyPI installations for the compromised axios versions and the plain-crypto-js dependency. Integrate the FBI/CISA/NSA April 8 IOC set into SIEM and EDR platforms, with enhanced monitoring of SCADA and ICS systems and internet-exposed OT connections on ports 44818, 2222, 102, 22, and 502. For enterprise environments: APT34 DNS hijacking and APT35/42 cloud credential theft remain active — monitor M365 and Google Workspace for anomalous authentication patterns. Any organization explicitly named in the IRGC March 31 designation should treat that condition as a confirmed elevated threat, not background risk.
Sources
* CISA – Joint advisory AA26-097A: Iranian-affiliated cyber actors exploit programmable logic controllers across US critical infrastructure : https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a [https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a]
* Cybersecurity Dive – Iran-linked hackers target water and energy in US, FBI and CISA warn : https://www.cybersecuritydive.com/news/iran-linked-hackers-targeting-water-energy-in-us-fbi-and-cisa-warn/816949/ [https://www.cybersecuritydive.com/news/iran-linked-hackers-targeting-water-energy-in-us-fbi-and-cisa-warn/816949/]
* Security Affairs – US agencies alert: Iran-linked actors target critical infrastructure PLCs : https://securityaffairs.com/190485/apt/u-s-agencies-alert-iran-linked-actors-target-critical-infrastructure-plcs.html [https://securityaffairs.com/190485/apt/u-s-agencies-alert-iran-linked-actors-target-critical-infrastructure-plcs.html]
*
Don't think, patch!
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com [https://www.radiocsirt.com]
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/ [https://radiocsirtenglishedition.substack.com/]
#RadioCSIRT #CyberSecurity #ThreatIntelligence #CTI #Iran #ICS #OT #PLC #CISA #CriticalInfrastructure #APT34 #MuddyWater
