Tag: Israel

  • Iranian APTs and the Next Phase of Infrastructure Risk

    In the wake of escalating tensions in the Middle East this past spring, Iranian state-sponsored hackers turned their focus toward a new frontier: US critical infrastructure.

    From May through June 2025, cybersecurity telemetry revealed a 133% surge in Iran-attributed cyber activity targeting US industrial and operational technology (OT) environments. These campaigns hit transportation and manufacturing sectors, but energy and water infrastructure remain long-standing targets. While espionage remains a primary objective, the evidence increasingly suggests Iran is preparing for more overt disruption.

    Strategic Escalation

    Iran’s cyber posture has always mirrored its geopolitical environment. In Spring 2025, that meant responding to Israeli and US airstrikes with asymmetric cyber operations. Groups like APT33 (Elfin), APT34 (OilRig), and MuddyWater (Static Kitten) ramped up traditional espionage, while more aggressive actors like CyberAv3ngers and Fox Kitten (tied to recent Pay2Key.I2P ransomware operations) pursued OT-focused sabotage and ransomware deployment.

    Iran’s messaging through pseudo-hacktivist fronts and deepening ties with ransomware operators clearly framed this activity as retaliation for “Western aggression.” That framing is part of a broader Iranian cyber doctrine that treats the compromise of critical infrastructure as a form of coercion and deterrence.

    In parallel with APT activity, pro-Iranian hacktivists ramped up operations against US defense and critical infrastructure sectors. Groups like “Mr. Hamza” claimed responsibility for defacing and leaking data tied to defense contractors, including Raytheon Technologies (RTX), following US involvement in strikes against Iranian facilities. While attribution remains murky, these operations often mirror Iranian state objectives and timelines, suggesting coordination or at least ideological alignment. The targeting of US defense industrial base (DIB) entities serves Tehran’s broader goal of projecting reach and retaliation across both digital and strategic domains.

    Pre-Positioning

    Iran’s shift toward OT environments is the most significant development.

    • MuddyWater and APT33 continued to exfiltrate intellectual property from manufacturing and defense-adjacent industries.
    • CyberAv3ngers targeted water control systems and other ICS devices with their custom malware, IOControl, discovered embedded in US and allied OT environments.
    • Fox Kitten evolved into a ransomware-as-a-service operator with an 80% (up from 70%) profit-share for affiliates targeting the US or Israel.

    Alongside collecting information, these actors are also establishing persistence. In many cases, backdoors were quietly planted and left dormant, signaling an intent for future activation should the need arise.

    Actor | Affiliation | Focus | Objective
    MuddyWater | MOIS | Aerospace & Defense, Utilities, Gov, Civil & NGOs | Espionage
    APT33 | IRGC | Aerospace & Defense, Energy, Gov, Healthcare | Espionage and Access
    CyberAv3ngers | IRGC | Water, ICS, Finance | Disruption
    Fox Kitten | Unknown | IT/OT Gateways | Ransomware-as-a-service
    OilRig | MOIS | Finance, Gov | Credential Theft

    Implications for the US DIB

    Iran’s campaigns display a willingness to target logistics, aerospace, and manufacturing suppliers that support US and Israeli defense sectors. The Defense Industrial Base (DIB) should expect more of this, not only from state-sponsored actors but from criminal or hacktivist affiliates acting on behalf of Iran’s IRGC or MOIS cyber arms.

    Some immediate implications:

    • DIB contractors should hunt for Iranian TTPs and malware like IOControl and DNSpionage.
    • OT segmentation, remote access policies, and endpoint hygiene are foundational.
    • Incident response (IR) planning must include scenario-based escalation modeling: what happens if the access Iran gains today becomes a wiper event tomorrow?
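    To make the first two bullets actionable, here is an added example (not code from the original post or from any of the vendors referenced below) that hunts firewall logs for OT-segment hosts reaching the internet, which proper OT segmentation should make impossible and which an implant like IOControl depends on. Claroty’s IOControl analysis, referenced below, reports that the implant’s C2 channel is MQTT over TCP 8883, so that port is called out by name; the CSV log format, the 10.50.0.0/16 OT range and every address in the sample are constructed for this example and are not indicators from any report.

```python
"""Hunt for OT-segment hosts talking to the internet.

Added example, not code from the original post or any referenced vendor.
Assumptions (all constructed): the OT segment is 10.50.0.0/16, the firewall
exports CSV as timestamp,src,dst,proto,dport,action, and the sample
addresses below are stand-ins (documentation ranges), not real IOCs.
"""
import ipaddress

# Assumed OT address space (constructed for this example).
OT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16")]

# Anything outside these ranges is treated as "internet". We test explicitly
# instead of using ipaddress.is_global because the documentation ranges used
# as sample internet addresses (203.0.113.0/24 etc.) are not "global" to Python.
INTERNAL_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Ports worth naming when seen leaving an OT segment.
SUSPECT_PORTS = {
    8883: "MQTT over TLS (IOControl C2 channel per Claroty's analysis)",
    1883: "MQTT plaintext",
    443: "HTTPS (check for DNS-over-HTTPS resolver lookups)",
}

# Constructed firewall export: timestamp,src,dst,proto,dport,action
SAMPLE_LOG = """\
2025-06-14T02:11:08Z,10.50.12.7,10.50.1.2,tcp,502,allow
2025-06-14T02:11:09Z,10.50.12.7,203.0.113.45,tcp,8883,allow
2025-06-14T02:11:10Z,10.50.12.7,1.1.1.1,tcp,443,allow
2025-06-14T02:11:15Z,10.20.3.9,203.0.113.45,tcp,443,allow
2025-06-14T02:11:20Z,10.50.33.4,198.51.100.10,tcp,8883,deny
2025-06-14T02:11:21Z,10.50.33.4,10.50.1.2,udp,161,allow
"""


def parse_line(line):
    """Split one CSV record into typed fields."""
    ts, src, dst, proto, dport, action = line.strip().split(",")
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto,
            "dport": int(dport), "action": action}


def in_ot_segment(addr):
    return any(addr in net for net in OT_SEGMENTS)


def is_external(addr):
    return not any(addr in net for net in INTERNAL_RANGES)


def hunt_ot_egress(log_text):
    """Return one finding per (src, dst, dport) seen leaving an OT segment.

    Denied flows are kept on purpose: a blocked beacon still tells you which
    host is trying to phone home and should be pulled for forensics.
    """
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not in_ot_segment(rec["src"]) or not is_external(rec["dst"]):
            continue  # intra-OT traffic or non-OT source: not this hunt's concern
        key = (str(rec["src"]), str(rec["dst"]), rec["dport"])
        f = findings.setdefault(key, {
            "count": 0, "actions": set(),
            "note": SUSPECT_PORTS.get(rec["dport"], "unexpected OT egress"),
        })
        f["count"] += 1
        f["actions"].add(rec["action"])
    return findings


def hosts_with_allowed_egress(findings):
    """OT hosts whose internet traffic actually got through: isolate these first."""
    return {src for (src, _dst, _port), f in findings.items() if "allow" in f["actions"]}


if __name__ == "__main__":
    results = hunt_ot_egress(SAMPLE_LOG)
    for (src, dst, port), f in sorted(results.items()):
        print(f"{src} -> {dst}:{port}  x{f['count']}  {sorted(f['actions'])}  {f['note']}")
    print("isolate first:", sorted(hosts_with_allowed_egress(results)))
```

    On the sample, the hunt flags three flows: the allowed 8883 and 443 connections from 10.50.12.7 (the combination Claroty describes, an MQTT channel plus a resolver lookup) and the denied 8883 attempt from 10.50.33.4, while the 10.20.3.9 enterprise host is ignored because it is outside the OT range. In a real deployment, swap the sample log for your firewall export, tighten OT_SEGMENTS to your actual ranges, and add any legitimately allowlisted vendor destinations before acting on the output.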

    US Response: Shields Up

    Initially, the federal response may have felt quieter than prior cyber alerts, like those during the Ukraine conflict, but the signals were still there.

    On LinkedIn, Jen Easterly, former CISA Director, reactivated the Shields Up mantra within hours of US strikes on Iranian nuclear sites. Her post explicitly warned US critical infrastructure operators to expect:

    • Credential theft and phishing
    • ICS-specific malware
    • Wipers masquerading as ransomware
    • Propaganda-laced hacktivist campaigns

    Easterly urged sectors to segment OT networks, patch internet-facing systems, enforce MFA, rehearse ICS isolation, and actively monitor ISAC channels.

    The various critical infrastructure-related ISACs followed suit. And while no single campaign dominated the response, the defense posture matched the moment.

    Jen Easterly emphasizes the importance of cybersecurity vigilance for US critical infrastructure in response to recent Iranian cyber activities.

    So What’s Next?

    Iran’s recent activity represents a shift in focus, not necessarily a shift in capability. The targeting of OT environments and critical infrastructure may reflect aspirational doctrine as much as operational readiness. While there is no conclusive evidence that Iranian actors have staged disruptive payloads in US networks, the direction of their targeting and tooling, particularly the development of ICS- and OT-specific malware, suggests a growing interest in operational disruption, not just information gathering.

    For the US defense and critical infrastructure communities, this creates a clear mandate to prepare for the next phase before it arrives.

    • Monitor beyond the perimeter: Iranian threat actors have historically gained access through default credentials, exposed devices, and lateral movement through flat networks.
    • Expect dual-use operations: Intelligence collection and pre-positioning are not mutually exclusive.
    • Reassess assumptions: Iranian groups are traditionally viewed as less sophisticated than Russian or Chinese APTs, but recent coordination and tooling suggest they’re evolving quickly.

    In short, we’re seeing a doctrinal pivot. Iran is exploring offensive options in OT environments, and testing how far it can go without triggering escalation. This makes detection, attribution, and sector-wide coordination more important than ever.

    References

    https://www.nozominetworks.com/blog/threat-actor-activity-related-to-the-iran-conflict

    https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol

    https://www.cisa.gov/news-events/news/joint-statement-cisa-fbi-dc3-and-nsa-potential-targeted-cyber-activity-against-us-critical

    https://therecord.media/iran-state-backed-hackers-industrial-attacks-spring-2025

  • US-Led Strikes on Iranian Nuclear Sites: Fallout for China’s Influence and Regional Nuclear Strategy

    Background: Operation Midnight Hammer

    On 13 June 2025, Israel launched a surprise air offensive against Iran, bombing a series of nuclear and military installations after alleging Tehran was on the verge of nuclear weapons capability. Over the next week, intense exchanges ensued: Iran’s IRGC retaliated with hundreds of rockets and drones targeting Israeli cities, while skirmishes flared across Syria and Lebanon via Iran-aligned militias. The conflict escalated dramatically on 21 June 2025 when US President Donald Trump announced Operation Midnight Hammer, a US air and missile strike against three of Iran’s most critical nuclear facilities. All three sites (Fordow, Natanz, and Isfahan) were integral to Iran’s nuclear fuel cycle and their selection was evidence of a sweeping effort to cripple Iran’s ability to produce weapons-grade material.

    Notably, both Fordow and Natanz were under IAEA safeguards at the time of the strikes, meaning they were monitored with cameras, periodic inspections, and seals under the terms of Iran’s Comprehensive Safeguards Agreement. While these facilities had enriched uranium up to 60%, they remained within the bounds of Iran’s NPT obligations, though deeply controversial.

    Iran’s immediate response was militarily limited but symbolically charged. In the early hours of 23 June Tehran fired a volley of ballistic missiles at Al Udeid Air Base in Qatar, the largest US base in the Gulf. The attack was preceded by advance warning and ultimately caused no casualties, a fact President Trump pointed to in calling Iran’s response “weak”. Nevertheless, the message was clear: Iran meant to show it could strike American assets in the region. Simultaneously, Iran’s parliament convened an emergency session in which hardline lawmakers voted to authorize closure of the Strait of Hormuz, a move that, if implemented, would choke off one fifth of global oil shipments. This vote was largely posturing, but it demonstrated Iran’s leverage over global energy markets and signaled how far it might go if fighting continued.

    By 24 June, intensive behind-the-scenes diplomacy, reportedly involving Oman, Russia, and China, yielded a fragile ceasefire. President Trump announced that Israel and Iran had agreed to pause hostilities, with Israel phasing out airstrikes and Iran halting missile fire. Israeli warplanes stood down later that day, ending ten days of open warfare. The truce, however, remained shaky. Within hours of the ceasefire taking effect, Iranian proxies in Gaza and Lebanon launched isolated rocket salvos, and an Iranian missile strike landed in the Israeli city of Beersheba, causing civilian casualties.

    For Iran, the outcome was bittersweet. On one hand, it survived the most concerted US-Israeli military action against it in decades; Iran’s leadership even declared victory once the ceasefire held, with Supreme Leader Ali Khamenei boasting that Iran had “slapped the US in the face” by resisting its demands. On the other hand, the physical damage to Iran’s nuclear program was significant. Post-strike satellite imagery showed heavily damaged buildings at Natanz and Fordow, and Western intelligence assessed that Iran’s enrichment capability had been set back by at least a year or two. US officials characterized the strikes as successful in destroying key infrastructure, while also emphasizing that no strike can destroy the knowledge in Iranian scientists’ heads. As the dust settled, Washington dispatched envoys to rally international support for stricter containment of Iran’s nuclear activities, even as Tehran dug in on its right to peaceful nuclear technology. This set the stage for the strategic implications now unfolding in the region, particularly regarding China’s role and the reactions of Iran’s regional rivals.

    Strategic Insights

    • The US strikes jeopardize China’s investments in Iran and undercut Beijing’s role as regional mediator. While China condemned the attacks, it continues backing Iran economically and diplomatically. Beijing is expected to avoid direct confrontation while reinforcing ties to Tehran via energy trade, technology transfer, and coordinated diplomatic resistance to US pressure.
    • Iran’s nuclear know-how and stockpiles remain intact despite facility damage. If Tehran resumes covert nuclear work, regional rivals like Saudi Arabia, Turkey, and Egypt may accelerate nuclear “hedging” via civilian programs and dual-use technologies. The strikes risk triggering a latent arms race.
    • Attacking safeguarded facilities raises global legal and strategic concerns. Iran could reduce IAEA cooperation or even withdraw from the NPT. Regional states now question the value of treaty compliance if it doesn’t shield them from military action.
    • The crisis pulls Beijing and Moscow closer to Tehran. Both shielded Iran at the IAEA and could deepen covert cooperation in military tech and trade. China’s Belt and Road Initiative (BRI) ambitions in the region are now tethered to Iran’s resilience and regional stability.
    • The strikes boost US-Israel deterrence credibility in the short term, but also embolden Iran’s asymmetric response (i.e., proxy militias, cyber threats, and maritime disruptions). Gulf states remain diplomatically cautious but are reinforcing ties with US defense structures.

    Satellite image depicting damage to Iran’s nuclear facility following recent US airstrikes.

    A detailed map illustrating China’s Belt and Road Initiative, showcasing the global infrastructure network involving railroads, ports, and pipelines.

    Watchlist: Things to Monitor

    Indicator | What It Signals
    Iran reduces IAEA access (i.e., expels inspectors or disables cameras) | A move toward clandestine nuclear activity or NPT withdrawal
    Saudi or Turkish announcements on enrichment or reactor projects | Strategic hedging or quiet proliferation intent
    Chinese tech transfers or sanctions-evasion trade with Iran | Strengthened Iran-China alignment despite Western pressure
    Strait of Hormuz naval activity or proxy mobilization | Iranian asymmetric retaliation and escalation risk
    Gulf states request new US air/missile defense assets | Deepening military alignment amid regional insecurity

    Analyst Comment

    From an intelligence perspective, the June 2025 Iran strikes represent a watershed that will reverberate through Middle East geopolitics in the short and mid term. The operation achieved a tactical objective in damaging Iran’s nuclear infrastructure, but it also unleashed a cascade of second-order effects. Chief among them is a likely redoubling of Iran’s determination to obtain a credible deterrent, nuclear or otherwise, to guard against regime-threatening strikes in the future. In turn, this is catalyzing reactions among Iran’s rivals to hedge their bets, potentially ushering the region into a new phase of latent proliferation.

    The role of great powers has been illuminating. China’s response, in particular, shows the primacy of interests over ideology in its foreign policy. Beijing’s vocal condemnation of US aggression was expected, but more telling is what China does next. So far, China appears committed to quietly propping up Iran’s economy and defense industrial base to ensure Tehran remains a thorn in Washington’s side and a viable participant in China’s Eurasian economic plans, while carefully avoiding overt confrontation with the US or alienation of the Gulf states. This dual-track approach will test China’s diplomatic agility and will be a turning point in its Middle East footprint. Either China will emerge as a more assertive power brokering outcomes in regional conflicts, or it will retreat to the sidelines if costs outweigh gains. Early indicators (evacuation of Chinese nationals and calls for talks) suggest a preference for limiting exposure, but Beijing is certainly learning from this crisis and will adjust its long-term strategy (for example, accelerating efforts to settle oil trades in yuan to reduce vulnerability to US sanctions pressure, as hinted by its increased use of RMB in dealings with Iran).

    For the United States and its allies, the near-term requirement is to manage escalation and prevent Iran’s retaliation from sparking a broader war. This will mean hardening bases, improving regional early warning systems and processes, and coordinating closely with partners on contingency responses. Diplomatically, it will be imperative to capitalize on the leverage gained over Iran. If Iran is more isolated or its program set back, now is the time to negotiate firmer limits or at least interim arrangements to remove the most dangerous materials from its soil. The US Special Envoy has already signaled openness to talks focusing on Iran’s enrichment levels and stockpile, which would be a face-saving way for Iran to step back from the nuclear brink in exchange for sanctions relief once it regroups. Whether Iran’s leadership, feeling humiliated, is willing to engage is uncertain, but the ceasefire offers a narrow window for diplomacy before hardliners on all sides gain the upper hand.

    A final note on non-proliferation: the integrity of the global regime is arguably at its most vulnerable point since North Korea’s withdrawal from the NPT in 2003. If the Middle East heads into a proliferation cascade, the credibility of the NPT will suffer worldwide. To counter this, innovative solutions should be pursued. These could include a US-led initiative for a Middle East security guarantee (a nuclear umbrella covering Israel and key Arab states to negate their need for independent arsenals), or a rejuvenated push for regional disarmament talks that include Israel’s capabilities, a topic long taboo but maybe less so in the face of multiple potential nuclear actors emerging.

    In intelligence terms, we will be watching for the morning-after indicators: Does Iran move materiel to secret sites? Do Saudi Arabia or Turkey suddenly announce new “research” reactors or mining projects? Do China and Russia sign new defense deals with Iran? Each of these will tell us how far the dominoes could fall. As of now, the short-term implications are clear: heightened tensions, hedging, and alignment shifts. The mid-term implications, whether this results in a fundamentally more nuclearized and polarized Middle East or a sobered return to the negotiating table, will depend on the deftness of diplomacy in the weeks ahead and the willingness of regional actors to step back from the precipice.

    Stay tuned for more in-depth analysis on Chinese strategic influence in the Middle East, regional nuclear hedging, diplomatic alignments, and regional deterrence dynamics in a writeup to come.

    Additional Reading

    https://www.reuters.com/world/china/china-says-us-attack-iran-has-damaged-its-credibility-2025-06-22/

    https://www.reuters.com/business/energy/chinas-heavy-reliance-iranian-oil-imports-2025-06-24/

    https://www.al-monitor.com/originals/2025/05/iran-boosts-highly-enriched-uranium-production-iaea

    https://thediplomat.com/2025/06/war-in-iran-chinas-short-and-long-term-strategic-calculations

    https://foreignpolicy.com/2025/06/23/iran-china-gulf-states-strait-hormuz

    https://mei.edu/publications/special-briefing-israel-strikes-irans-nuclear-program

    https://specialeurasia.com/2025/06/24/china-bri-israel-iran-conflict

    https://bloomberg.com/graphics/2025-us-strikes-damage-iran-nuclear-sites-satellite-image/

  • Israel’s Strike on Iran and the Future of Regional Stability

    In the early hours of 13 June 2025, Israel launched its most significant direct assault on Iran in modern history. Codenamed Operation Rising Lion, the campaign marked a sharp turn in the long-running covert conflict between the two states. Israeli fighter jets struck over 100 targets across Iranian territory, including the nuclear enrichment facility at Natanz, missile depots in Kermanshah, and command nodes in Tehran. Multiple senior Iranian commanders and nuclear scientists were reportedly killed. The operation is a dramatic escalation in regional tensions, with serious implications for Middle East stability and global nuclear nonproliferation efforts.

    Striking the Core

    Israel’s operation was expansive and precise. It targeted critical military infrastructure and nuclear development facilities, including hardened underground sites. Among the dead were reportedly high-ranking IRGC and military figures, including Hossein Salami, Ali Shamkhani, and Mohammad Bagheri, as well as prominent nuclear scientists: a dual strategy of infrastructure disruption and leadership decapitation.

    Key Iranian military and political figures following the Israeli strikes during Operation Rising Lion.

    The strikes hit deep into Iran, including Tehran itself, a rare and provocative step. Civilian areas adjacent to some targets were also impacted, compounding the psychological effect and raising the stakes for potential retaliation.

    Map detailing the locations of Israeli airstrikes in Iran on June 13, 2025, highlighting key targets including Tehran and Kermanshah.

    Iran’s Response

    Iran responded with over 100 drones launched toward Israel with most being intercepted. While less escalatory than a ballistic missile barrage, the drone response shows Iran’s intent to retaliate while avoiding immediate full-scale war. Tehran has declared the attack a “declaration of war” and vowed further action.

    Iranian leaders are faced with a strategic dilemma. They must respond forcefully enough to maintain domestic and regional credibility but avoid a retaliation so severe that it draws Israel (and potentially the US) into a broader war. Whether Iran resorts to cyberattacks, asymmetric proxy warfare, or more direct missile retaliation remains to be seen.

    Crowds gather in front of damaged residential buildings following the Israeli airstrikes in Tehran.

    Regional Reverberations

    This confrontation is already straining alliances and heightening regional volatility. Countries like Jordan and Iraq, whose airspace has been overflown by drones and missiles, find themselves increasingly entangled. Gulf states that recently normalized relations with Israel now face diplomatic whiplash, caught between their security partnerships and regional solidarity.

    Oil prices have surged. International flight paths have shifted. And diplomatic channels, particularly around Iran’s nuclear program, have gone dark.

    Most notably, this exchange shifts the regional deterrence calculus. Israel has shown it will not wait for diplomacy or rely on allies to neutralize existential threats. Iran, meanwhile, may reevaluate the value of nuclear ambiguity and instead pursue a more overt deterrent capability.

    A Blow to Nonproliferation

    The Israeli strikes have likely derailed any remaining diplomatic momentum around the Iran nuclear deal. Ongoing negotiations now appear suspended, and Iranian hardliners are almost certain to push for more aggressive nuclear development in response.

    This crisis could have a ripple effect beyond Iran. Regional powers like Saudi Arabia and Turkey, long watching Iran’s trajectory with caution, may feel renewed pressure to pursue nuclear hedging strategies. If Tehran exits the NPT or halts IAEA inspections, it could trigger a broader crisis of confidence in the global nonproliferation regime.

    The strategic irony here is that an operation intended on delaying or halting Iran’s nuclear progress may instead accelerate regional proliferation.

    Aerial view of the Natanz Enrichment Complex in Iran, showing significant damage from Israeli airstrikes during Operation Rising Lion on June 13, 2025.

    Strategic Outlook

    Israel’s strikes have brought an enduring conflict into the open. Whether this confrontation stabilizes the region through deterrence or unleashes a cycle of retaliation depends on what comes next. For now, the situation remains volatile. What’s certain is that this event has reshaped the security landscape of the Middle East. The strike on Natanz redraws red lines, tests thresholds, and redefines the future of deterrence in a region already teetering on the edge.

    Let me know your thoughts.

    Sources

    https://www.aljazeera.com/news/2025/6/13/israel-attacksiran-what-we-know-so-far

    https://www.theguardian.com/world/2025/jun/13/iran-vows-revenge-for-israeli-strikes-saying-it-will-write-end-of-this-story

    https://www.npr.org/2025/06/13/nx-s1-5432437/israel-attacks-iran-retaliation-nuclear

    https://www.aljazeera.com/news/2023/2/2/iran-blames-israel-for-isfahan-drone-attack

    https://carnegieendowment.org/middle-east/diwan/2024/10/what-are-irans-options-after-the-israeli-attack

    https://www.bloomberg.com/news/articles/2025-06-13/israel-iran-conflict-triggers-fear-of-death-spiral-analysts

    https://www.reuters.com/world/middle-east/blast-heard-military-plant-irans-central-city-isfahan-state-media-2023-01-28

    https://x.com/IDF