Ex-CISA head urges vigilance, warns retaliatory cyberattacks after Iran nuclear strikes likely


Jen Easterly, former head of the US Cybersecurity and Infrastructure Security Agency (CISA), on Monday posted an alert directed at US critical infrastructure operators to be on high alert for cyberattacks after this weekend’s US air strikes on Iranian nuclear facilities.

“US critical infrastructure owners & operators should be vigilant for malicious cyber activity,” the nation’s former cybersecurity chief warned in a post on LinkedIn, adding the #ShieldsUp hashtag to get the point across.

Easterly’s post comes a day after the US Department of Homeland Security released its own National Terrorism Advisory warning about the threat of “low-level cyberattacks.”


The ex-CISA director stressed the Iranian government’s previous track record of “retaliatory cyber operations targeting civilian infrastructure” in the wake of US strikes carried out on Iran’s nuclear targets on Saturday (Eastern Time).

Easterly also noted that it was still unclear whether Israel’s week-long bombing campaign had successfully eroded any of Iran’s cyber capabilities, leading to more uncertainty.

Listing several examples of critical infrastructure targets, including water systems, financial institutions, energy pipelines, and government networks, Easterly said to expect attackers to target US infrastructure both abroad and at home using:

  • Credential theft & phishing campaigns
  • Wipers disguised as ransomware
  • Hacktivist fronts and false-flag ops
  • Targeting of ICS/OT systems

“In cyberspace, proximity doesn’t matter—intent, capability, and access do. And Iran checks all three boxes. Stay Vigilant,” she added.

Expect resurgence in coordinated and/or opportunistic attacks


Gabrielle Hempel, Security Operations Strategist at Exabeam, explained that “some of the key players when it comes to APTs that may target US infrastructure have really well-established cyber doctrine that favors indirect retaliation.”

Hempel reiterated that Iranian threat actors have been known to go after “third-party suppliers, private infrastructure, and civil systems,” noting two major breaches disclosed within days of each other this week in both steel/manufacturing and healthcare (Nucor and McLaren Healthcare), although at this time, there is no connection to any pro-Iranian cyber threat group.

“With increasingly heightened international tensions, these incidents signal what many of us in cyber threat strategy and intelligence have been anticipating,” Hempel said.

“We’re going to see a resurgence in coordinated and/or opportunistic attacks on soft critical infrastructure targets, cross-sector supply chain disruption as a tactic for geopolitical influence, and persistent gaps in segmentation, resilience, and downtime-preparedness in sectors that are already resource-constrained,” the cyber strategist stated.

The Municipal Water Authority of Aliquippa (MWAA) in Pennsylvania was hit by the pro-Iranian hacktivist group The CyberAv3ngers in November 2023. The group began targeting water and wastewater facilities using Israeli-manufactured industrial control parts. Image by MWAA.

In her post, Easterly also linked to a December 2024 CISA advisory warning of Iranian-backed hacktivists targeting municipal water systems in the US.

The advisory focused on one Iranian hacking group known as the “CyberAv3ngers.” The hacktivists were found exploiting the Israel-manufactured Unitronics programmable logic controllers (PLCs) commonly used in water and wastewater systems (WWS), as well as other industrial facilities.

The group, which has claimed responsibility for multiple attacks across the US and worldwide – including the water authority of two Pennsylvania townships in 2023 – has been known for "defacements, distributed denial-of-service (DDoS) attacks, and targeting specific critical infrastructures" for over a decade, Alex Heid, VP of Threat Intelligence at SecurityScorecard, said at the time.

The CyberAv3ngers, which boasted of its conquests on Telegram and X, appeared to have dropped off the grid last April after announcing their Telegram account was apparently sold to the Israelis.

Other targeted industries have included energy, food and beverage manufacturing, transportation systems, and healthcare, the CISA advisory stated.

Operation Midnight Hammer. Image by the US Department of Defense.

On Sunday, NBC News reported Iran had sent a message to President Donald Trump during the G7 summit last week, threatening to green-light sleeper cells in the US if Trump ordered strikes on Iran’s nuclear facilities.

“This is consistent with previous post-kinetic cyber responses,” Hempel said, citing the 2012 Shamoon info wiper attacks, considered retaliation for the 2007 US deployment of the Stuxnet worm, which destroyed at least a thousand Iranian nuclear centrifuges, and other cyber attack groups that popped up following the 2020 assassination of Iranian Islamic Revolutionary Guard Corps (IRGC) leader Qasem Soleimani.

Several Iranian Advanced Persistent Threats are currently operating and pose a credible threat to the US infrastructure, including APT33 (Elfin Team), APT34 (OilRig/Helix Kitten), and APT35 (Charming Kitten/Mint Sandstorm).

Steps for critical infrastructure operators

Hempel believes it is “an important time to be revalidating incident playbooks, especially in critical infrastructure sectors.”

“It’s also important at this point for organizations to assume early-stage compromises are already underway, and to be prioritizing identity hygiene, external surface recognition, and visibility into third-party risk," he said.

Easterly put forth actionable steps critical infrastructure facilities should be taking to beef up security and protect themselves.

“The playbook is known. So is the response, and it’s not rocket science,” Easterly said.

  • Enforce multi-factor authentication (MFA) across all cloud, IT, and Operational Technology (OT) systems
  • Patch every Internet-facing asset
  • Segment networks & elevate detection on OT traffic
  • Conduct tabletop cybersecurity drills, in particular with Industrial Control System (ICS) scenarios
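As an added example of the "segment networks & elevate detection on OT traffic" step (not CISA's or Easterly's tooling), the script below audits constructed flow records for the two conditions behind the Unitronics incidents described above: a PLC segment reachable from addresses outside the RFC 1918 ranges, and PLC-protocol connections from hosts that are not on an engineering allowlist. The OT subnet, the allowlist, and TCP 20256 as the Unitronics PCOM port are assumptions.

```python
"""Audit constructed flow records for PLC traffic that should never occur.
Added example for this article (not CISA's or Easterly's tooling); the subnet,
allowlist and PCOM port 20256 (the Unitronics port) are assumptions."""
import ipaddress

OT_SUBNET = ipaddress.ip_network("10.50.0.0/24")              # assumed PLC segment
ENGINEERING_ALLOWLIST = {ipaddress.ip_address("10.10.1.25")}  # assumed jump host
PLC_PORTS = {20256, 502}                                      # PCOM, Modbus/TCP
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records, "timestamp src dst dport"; no real infrastructure.
SAMPLE_FLOWS = """\
2025-06-23T02:14:07Z 10.10.1.25 10.50.0.17 20256
2025-06-23T02:15:41Z 203.0.113.45 10.50.0.17 20256
2025-06-23T02:16:02Z 10.20.3.9 10.50.0.18 502
2025-06-23T02:17:55Z 198.51.100.7 10.50.0.17 80
2025-06-23T02:18:10Z 10.10.1.25 10.10.2.40 443
"""

def parse_flow(line):
    ts, src, dst, dport = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport)}

def is_external(ip):
    # Outside every RFC 1918 range we treat as internal.
    return not any(ip in net for net in INTERNAL_NETS)

def classify(flow):
    """Return the policy violations one flow triggers (empty list = clean)."""
    findings = []
    if flow["dst"] not in OT_SUBNET:
        return findings                     # not OT traffic; out of scope here
    if is_external(flow["src"]):
        # A routable source reaching the PLC segment means the segment is
        # Internet-exposed, the condition the Unitronics attacks relied on.
        findings.append("internet-exposed-ot")
    if flow["dport"] in PLC_PORTS and flow["src"] not in ENGINEERING_ALLOWLIST:
        findings.append("plc-protocol-from-unapproved-host")
    return findings

def audit(log_text):
    """Run every record through classify() and keep only the violations."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        flow = parse_flow(line)
        hits = classify(flow)
        if hits:
            alerts.append({"ts": flow["ts"], "src": str(flow["src"]),
                           "dport": flow["dport"], "findings": hits})
    return alerts
```

Running `audit(SAMPLE_FLOWS)` flags three of the five constructed records; the allowlisted engineering host and the non-OT flow pass.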

The former CISA chief also suggested operators subscribe to their sector’s Information Sharing and Analysis Center (ISAC), the non-profit US cyber intelligence-sharing platforms, for alerts and real-time intelligence, and to always report suspicious activity to CISA or the FBI.


On June 13th, the Information Technology and Food and Agriculture sharing platforms (IT-ISAC and Ag-ISAC) also put out their own alert just after the Israeli strikes, recommending companies take “immediate steps to proactively assess their cyber preparedness, enhance their defenses, and prepare for a range of cyber activity, some of which could potentially be disruptive.”

“Given the interconnectedness of networks, it is possible that cyber attacks targeting Israel itself could cause collateral damage to US companies, even if the US companies themselves are not the intended target,” it said.