
What You Need to Know About the Growing Iranian Cyberthreat

by Elodie Collins
May 8, 2026
in Articles, Cybersecurity

U.S. officials have warned of the growing cyberthreat that Iranian state-sponsored actors pose to American public and private sector organizations amid intensifying tensions in the Middle East. While the threat of missile and drone attacks on U.S. assets persists, Iranian cyber groups are looking for ways to infiltrate American systems and data to disrupt peace and stability in the homeland.

The intelligence community already issued private warnings to American companies in March, calling for vigilance as Iranian officials and regime supporters promote retaliatory attacks, CNN reported. 

One bulletin from the Department of Homeland Security referenced an Iranian Revolutionary Guard Corps decree that its enemy “will no longer have security anywhere in the world, even in their own homes.” 

The increased cyberthreat as a result of geopolitical conflict reflects the growing role of the cyber domain in warfare. At the Potomac Officers Club’s 2026 Cyber Summit on May 21, leaders from the Department of War, the Cybersecurity and Infrastructure Security Agency, the FBI and other agencies will address not just the Iranian cyberthreat, but also the other risks that may impact the security of American systems and organizations. Get your tickets here.

Table of Contents

  • What Would an Iranian Cyber Campaign Look Like?
  • Why Are Hackers Targeting US Critical Infrastructure?
  • What Other Sectors Are Being Targeted?
  • Cyberattacks on US Service Members, Government Officials
  • Threats Beyond Iran

What Would an Iranian Cyber Campaign Look Like?

Tim Haugh, former commander of the U.S. Cyber Command and director of the National Security Agency (as well as a Wash100 Award winner), and Kevin Mandia, CEO of artificial intelligence-native cybersecurity company Armadin, explained at an April event that Iran’s cyber operations would likely be “low and slow,” relying on basic security gaps rather than more sophisticated attacks. 

“I doubt you’re gonna see custom web app attacks done,” Mandia shared via The Record. 

Haugh and Mandia also warned that attackers will target organizations with ties to the U.S. or Israel and then pair a cyber incident with an information campaign. 

Meanwhile, Hemant Baidwan, former Department of Homeland Security chief information security officer and current Knox Systems CISO, told GovCIO Media & Research that hackers may not immediately target federal systems, but search for entry points to exploit in “the enabling layer around it.”

“From my perspective, the Iranian cyberthreat has become more opportunistic, more distributed and more willing to target the broader ecosystem that supports government and critical infrastructure and not just federal agencies directly,” he explained. 

The broader ecosystem, according to Baidwan, includes cloud and software-as-a-service providers, government contractors, and critical infrastructure operators.

Why Are Hackers Targeting US Critical Infrastructure?

In April, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, the U.S. Cyber Command, the FBI and the Department of Energy issued a joint advisory about an Iran-backed cyberattack on U.S. critical infrastructure. According to the agencies, hackers are exploiting vulnerabilities in internet-facing programmable logic controllers, or PLCs, across water, energy, and government services and facilities.

The attack is not the first time that Iran-affiliated cyber groups have targeted U.S. critical infrastructure. In 2013, Iranian hackers gained access to systems used at a small dam outside New York, causing minimal operational impact. The hackers also infiltrated systems owned by the power producer Calpine Corp.

According to the Center for Strategic & International Studies, U.S. critical infrastructure remains a primary target for hackers, especially groups backed by hostile nation-states, for several reasons:

  • Fragmented systems and uneven cybersecurity postures – Critical infrastructure across the nation is often run by private organizations, each with its own systems and cyber practices. 
  • Continued reliance on legacy systems – Outdated technologies, or hardware and software no longer supported by manufacturers and with known vulnerabilities, continue to be ubiquitous in the U.S. critical infrastructure sector. 
  • To sow distrust – When hackers target critical infrastructure, their main objective is to disrupt essential services, such as electricity and water, and to stir fear among the local population.

Chris Butera, acting executive assistant director at CISA, will deliver a keynote address at the 2026 Cyber Summit. Do not miss your chance to hear about threats to U.S. critical infrastructure from one of the government’s top cyber leaders. Sign up today.

What Other Sectors Are Being Targeted?

Authorities have also warned that Iranian hackers are actively targeting the financial and health sectors in the U.S. 

Michigan-based Stryker, a medical device manufacturer, announced in March that it had experienced a “global network disruption to our Microsoft environment as a result of a cyberattack.” CNN reported that the company’s Lifenet, an IT system that emergency responders use to send patient data to hospitals, was “non-functional” following the cyber incident.

A pro-Tehran group claimed responsibility for the hack, saying that the attack was in retaliation for the U.S. missile strike on an elementary school in Iran. 

The U.S. financial sector is also on high alert, with firms ramping up monitoring of cyberthreats, according to a Reuters report.

“The industry remains vigilant and ready to respond to cyber threats at all times, and especially when global cybersecurity risks are heightened,” Todd Klessman, managing director for financial services cyber and technology at the Securities Industry and Financial Markets Association, told Reuters.

Cyberattacks on US Service Members, Government Officials

U.S. government and military officials are also under increased cyberthreat as the conflict in the Middle East continues. In late March, the Iran-linked hacker group Handala Hack Team breached the private email inbox of FBI Director Kash Patel, CNN reported.

Handala Hack Team was also responsible for the threatening messages that service members deployed to the Middle East received in April. Stars and Stripes, which was first to cover the threat, said the messages warned U.S. troops that they were under surveillance. 

“Your identities are fully known to our missile units, and every move you make is under our surveillance,” the text read. “Very soon, you will be targeted by our Shahed drones and Kheibar and Ghadeer missiles.” 

Threats Beyond Iran

The conflict with Iran has not stopped other U.S. adversaries from carrying out malicious cyber campaigns targeting American systems and data. 

Russia-linked hacking collectives have been observed escalating cyber activity. A Moscow-aligned hacktivist group called Z-Pentest claimed responsibility for compromising American companies days after the conflict between the U.S. and Iran started, shared Adam Meyers, head of counter adversary operations at CrowdStrike, in a NextGov/FCW report.

Although claims of compromise are unconfirmed, authorities urged the private sector to remain vigilant. 

Cynthia Kaiser, a former deputy director at the FBI’s Cyber Division who joined Halcyon as senior vice president in June 2025, shared in a LinkedIn post that the Kremlin is “comfortable providing some proxy support to Iran” and may take advantage of the conflict. 

“Expect exaggeration, but don’t dismiss the underlying access. These groups regularly inflate the impact of their attacks for media attention. But they have caused real physical damage to critical infrastructure,” Kaiser wrote. 

China, too, continues to pose a threat to U.S. systems.

An analysis by the Google Threat Intelligence Group, as reported by Forbes, revealed that state-sponsored groups affiliated with Beijing continue to lead in zero-day espionage exploits. Google said zero-day exploits linked to China-backed cyber espionage groups doubled in 2025 compared to 2024.  

CISA and the U.K. National Cyber Security Centre also recently issued a warning against covert networks of compromised devices that have been linked to Chinese cyber actors. According to the agencies, state-sponsored hackers use the devices to spy on targets and steal data. 

Gain a better understanding of the cyberthreat landscape at the Potomac Officers Club’s 2026 Cyber Summit on May 21. The event will feature some of the most important figures ensuring the security of government systems and data against adversaries. Michael Duffy, acting federal CISO, and Aaron Bishop, acting CISO for the Department of War, will deliver keynote addresses at the summit. Limited tickets are available here.

Copyright 2026 Executive Mosaic. All Rights Reserved.
