Iran’s Cyberwar Has Begun: Targeted Attacks on Israeli and Unitronics ICS/OT Systems, Threat Intelligence and Mitigation Insights (2026)
- Mar 4

Executive Summary
Publication Date: March 2, 2026
The Register’s March 2, 2026 report, “Iran’s cyberwar has begun,” marks a significant escalation in Iranian state-sponsored cyber operations following recent US and Israeli missile strikes. Iranian Advanced Persistent Threat (APT) groups have launched a coordinated campaign targeting Israel, Persian Gulf states, and organizations with US or Israeli ties. The campaign leverages advanced reconnaissance, custom malware, ransomware, distributed denial-of-service (DDoS) attacks, and a sophisticated disinformation apparatus. This advisory synthesizes the latest technical intelligence, threat actor tactics, and mitigation recommendations, providing actionable insights for executive and technical stakeholders.
Technical Information
Strategic Context
The current Iranian cyber offensive is a direct response to kinetic military actions in the region. The campaign is characterized by its multi-vector approach, targeting both critical infrastructure and psychological resilience through information warfare. The Register and corroborating sources report that Iranian APTs, including Cotton Sandstorm (also known as Haywire Kitten and Altoufan Team), CyberAv3ngers, and the Cyber Islamic Resistance, are orchestrating attacks with a focus on operational technology (OT), industrial control systems (ICS), and supply chain vulnerabilities.
Attack Vectors and Tactics
Reconnaissance and Initial Access
Beginning in early February 2026, Iranian actors initiated a surge in reconnaissance against APIs and mobile applications integral to government operations in Israel and the Persian Gulf. According to Approov CEO Ted Miracco, these probes were highly targeted, seeking to enumerate exposed endpoints and identify exploitable vulnerabilities. The activity paused briefly during Iran’s nationwide internet blackout on February 27, then resumed with increased sophistication.
Malware Staging and Delivery
Prior to the missile strikes, threat intelligence from Binary Defense and Check Point Research observed the staging of custom malware, notably the modular infostealer WezRat. Delivered via spearphishing campaigns, WezRat masquerades as urgent software updates, exploiting user trust and leveraging social engineering to gain initial access. The malware is capable of credential harvesting, lateral movement, and establishing persistent command and control (C2) channels.
Ransomware and DDoS Operations
The deployment of WhiteLock ransomware against Israeli targets marks a return to state-sponsored ransomware as a tool for both disruption and financial gain. Iranian actors have also orchestrated DDoS attacks, targeting critical infrastructure and government portals to degrade operational capacity and sow uncertainty. These attacks are often synchronized with disinformation campaigns to maximize psychological impact.
Disinformation and Psychological Operations
Iranian cyber actors have amplified their operations with extensive disinformation campaigns across social media platforms. These campaigns are designed to exaggerate the scale and impact of cyberattacks, erode public trust, and manipulate geopolitical narratives. Many claims of successful attacks remain unverified, underscoring the importance of corroborating incident reports with trusted threat intelligence sources.
Threat Actor Profiles
Cotton Sandstorm (Haywire Kitten, Altoufan Team)
Affiliated with the Islamic Revolutionary Guard Corps (IRGC), Cotton Sandstorm has resumed operations after a period of dormancy. The group specializes in spearphishing, custom malware deployment, and ransomware attacks, with a recent focus on Bahrain and other Gulf states. Their Tactics, Techniques, and Procedures (TTPs) align with MITRE ATT&CK techniques such as Spearphishing (T1566.001) and Data Encrypted for Impact (T1486).
CyberAv3ngers
This group has a documented history of targeting US and Israeli water and fuel management systems, exploiting default credentials on Unitronics programmable logic controllers (PLCs) and human-machine interfaces (HMIs). Their campaigns in 2023 and 2024 demonstrated the ability to remotely manipulate critical infrastructure, with public bragging on Telegram channels serving both operational and psychological objectives.
Cyber Islamic Resistance and APT IRAN
These actors have claimed responsibility for sabotage operations against Jordanian infrastructure and unauthorized access to Israeli routers. While technical details remain sparse, their activities highlight the expanding geographic scope of Iranian cyber operations.
Exploitation in the Wild
Industrial Control Systems (ICS) and Operational Technology (OT)
Multiple Iranian-aligned groups have claimed successful compromises of ICS and OT assets in Israel, Poland, Turkey, Jordan, and Gulf countries. The exploitation of Unitronics PLCs and HMIs, particularly those exposed to the internet with default credentials, remains a critical vulnerability. The CyberAv3ngers campaign, detailed in a December 2023 CISA alert, underscores the persistent risk to organizations utilizing Israeli-origin OT/ICS equipment.
Supply Chain and Third-Party Risks
Organizations with Israeli technology in their supply chain, even if not directly connected to Israel, face elevated risk. The targeting of APIs and mobile applications used by regional governments further expands the attack surface, necessitating rigorous third-party risk management and continuous monitoring.
Ransomware and DDoS Impact
The deployment of WhiteLock ransomware and coordinated DDoS attacks has resulted in operational disruptions for several Israeli entities. While the full extent of the impact is still being assessed, these attacks demonstrate the adversaries’ capability to blend destructive and disruptive tactics.
Technical Indicators and MITRE ATT&CK Mapping
Spearphishing (T1566.001): Delivery of WezRat and other malware via email lures mimicking urgent software updates.
Command and Control (T1071): Establishment of persistent C2 channels for remote access and lateral movement within compromised networks.
Data Encrypted for Impact (T1486): Deployment of WhiteLock ransomware to encrypt critical data and demand ransom payments.
Impair Process Control (T0813): Manipulation of PLCs and HMIs in water and fuel management systems, potentially leading to physical process disruption.
Disinformation (T1582): Orchestration of social media campaigns to spread fear, uncertainty, and doubt regarding the scope and success of cyber operations.
Indicators of Compromise (IOCs)
Malware: WezRat (modular infostealer), WhiteLock ransomware, custom ICS/OT malware attributed to CyberAv3ngers.
Infrastructure: Internet-accessible Unitronics PLCs and HMIs with default credentials, Telegram channels used for operational bragging and coordination.
Targeted Products: Unitronics Vision Series PLCs and HMIs (all versions with default credentials), unspecified government APIs and mobile applications in Israel and the Persian Gulf, Israeli-origin OT/ICS equipment, and internet routers in Israel.
Impact Assessment
The current Iranian cyber campaign represents a significant escalation in both scale and sophistication. The blending of technical attacks with psychological operations increases the challenge for defenders, as organizations must contend with both tangible disruptions and the intangible effects of disinformation. The targeting of critical infrastructure, particularly ICS and OT assets, raises the potential for real-world consequences beyond data loss or financial impact.
Recommendations
Organizations operating in or with ties to Israel, the Persian Gulf, or the United States—especially those in critical infrastructure sectors—should immediately review their exposure to the following risks:
- Monitor for spearphishing campaigns leveraging urgent software update lures, and ensure robust email filtering and user awareness training are in place.
- Audit and secure ICS/OT systems, with particular attention to Unitronics PLCs and HMIs; change default credentials, restrict internet exposure, and apply available security patches.
- Implement continuous monitoring for ransomware and DDoS activity, and establish incident response protocols tailored to blended cyber-physical threats.
- Validate all claims of cyberattacks through trusted threat intelligence sources to avoid falling victim to disinformation campaigns.
- Strengthen third-party risk management processes, focusing on suppliers and partners utilizing Israeli-origin technology.
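As an added example, not code from the advisory or from any of the sources it cites, the following Python script puts the "restrict internet exposure" recommendation for Unitronics PLCs and HMIs into a repeatable check: it parses constructed firewall flow-log lines and reports every allowed inbound connection from an external address to a PLC/HMI service port. The key=value log format, the port table (TCP/20256 is the PCOM port named in CISA's CyberAv3ngers advisory; 80 and 5900 are typical HMI web/VNC ports) and all sample addresses are assumptions.

```python
import ipaddress
import re

# Assumption: Unitronics Vision PLCs speak PCOM on TCP/20256 (port named in CISA's
# CyberAv3ngers advisory); 80 and 5900 are typical HMI web/VNC ports.
OT_PORTS = {20256: "unitronics-pcom", 80: "http-hmi", 5900: "vnc-hmi"}

# Ranges never treated as "internet": RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Constructed firewall flow log (key=value format assumed); documentation ranges
# 203.0.113.0/24 and 198.51.100.0/24 stand in for public source addresses.
SAMPLE_LOGS = """\
2026-03-01T02:14:07Z fw1 action=allow src=203.0.113.45 dst=10.20.30.11 dport=20256 proto=tcp
2026-03-01T02:14:09Z fw1 action=allow src=10.20.30.5 dst=10.20.30.11 dport=20256 proto=tcp
2026-03-01T02:15:30Z fw1 action=allow src=198.51.100.7 dst=10.20.30.12 dport=5900 proto=tcp
2026-03-01T02:16:02Z fw1 action=deny src=203.0.113.45 dst=10.20.30.11 dport=20256 proto=tcp
2026-03-01T02:17:44Z fw1 action=allow src=203.0.113.45 dst=10.20.30.13 dport=22 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def parse_line(line):
    """Parse one flow record into a dict; None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_external(ip_str):
    """True if the address lies outside every internal range; malformed input is not external."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def find_exposed_ot(log_text):
    """Map each OT host to the (source, service) pairs that reached it from outside the perimeter."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue
        service = OT_PORTS.get(int(rec["dport"]))
        if service and is_external(rec["src"]):
            findings.setdefault(rec["dst"], []).append((rec["src"], service))
    return findings
```

Any host returned by find_exposed_ot is a PLC or HMI that the perimeter is letting the internet reach, which is exactly the exposure the audit step above tells you to close; denied flows and internal sources are ignored so the output stays actionable.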
References
- The Register: Iran's cyberwar has begun
- Check Point Research: Cotton Sandstorm/Altoufan Team
- Binary Defense Threat Intelligence
- Approov Security
- MITRE ATT&CK: APT33 (Cotton Sandstorm)
- NVD: ICS/OT vulnerabilities
- CISA Alert: CyberAv3ngers Targeting Unitronics PLCs
- POLITICO: The cyber war in Iran
- The Register on X (Twitter)
- LinkedIn: The Register - Iran's cyberwar has begun
Rescana is here for you
Rescana’s Third-Party Risk Management (TPRM) platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their entire supply chain. Our advanced analytics and threat intelligence capabilities provide actionable insights, enabling proactive defense against emerging threats. Whether you are concerned about supply chain vulnerabilities, critical infrastructure exposure, or the evolving tactics of state-sponsored actors, Rescana delivers the visibility and control you need to stay secure. We are happy to answer questions at ops@rescana.com.