Nozomi Networks Labs reported a 133% spike in cyberattacks linked to well-known Iranian threat groups during May and June, coinciding with the latest conflict involving Iran. The researchers observed that U.S. companies were the primary targets, with groups including MuddyWater, APT33, OilRig, CyberAv3ngers, FoxKitten, and Homeland Justice focusing their attacks on the transportation and manufacturing sectors.

“Industrial and critical infrastructure organizations in the U.S. and abroad are urged to be vigilant and review their security posture,” the researchers detailed in a company blog post. “Nozomi Networks customers can review their Nozomi Threat Intelligence for any signs of activity from these groups. If you subscribe to the Nozomi Networks Threat Intelligence feed (including a separate Mandiant TI Expansion Pack), you’re covered, as signatures have been in place for some time.” 

Nozomi Networks Labs observed a total of 28 cyberattacks linked to Iranian threat actors during May and June, a significant increase compared to the 12 incidents recorded in March and April. This represents a 133% rise in activity over the two months. The surge peaked in May, with 18 confirmed Iran-related alerts, before declining to 10 in June. 

“Unsurprisingly, the attacks targeted organizations in the US. The most active Iranian threat actor was MuddyWater, which we cover in more detail below. In the last two months, it attacked at least five different U.S. companies, mainly associated with transportation and manufacturing,” the researchers observed. “It was followed by APT33, responsible for attacks against at least three different U.S. companies. Finally, we were able to see OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice associated with attacks against at least two different US companies each, again mainly belonging to the Transportation and Manufacturing sectors.”

Nozomi identified that this time CyberAv3ngers decided to re-use an IP address associated with their previous attack, utilizing the infamous OT-focused OrpaCrab (aka IOCONTROL) malware that was discovered in December last year. “Regardless of whether the OT, IoT, or IT domains are going to be targeted, Nozomi Networks Labs will continue to closely monitor all these actors, making sure our customers are protected,” the researchers added.

Nozomi researchers identified MuddyWater attack infrastructure linked to Iran targeting organizations across multiple continents, including North America, Europe, Asia, and the Middle East. The wide geographic spread points to a coordinated campaign aimed at disrupting critical sectors well beyond Iran’s immediate region. MuddyWater has been active since 2017, targeting primarily countries in the Middle East, specifically Saudi Arabia, Iraq, and Turkey. Its main focus is on government entities, telecommunications, and the energy sector.

The U.S. appears to be a primary target, along with countries such as the United Kingdom, Germany, Saudi Arabia, India, and Russia. The concentration of attack lines emanating from Iran underscores the group’s focus on strategic geopolitical rivals and critical regional actors, suggesting a coordinated campaign targeting sectors across diverse geographic regions.

Identifying the global distribution of cyberattacks attributed to APT33, the researchers noted that the attack infrastructure associated with APT33 has been traced to operations targeting countries across North America, Europe, the Middle East, and Asia. Notable targets include the U.S., Germany, France, Italy, Saudi Arabia, South Korea, and Japan. The centralized origin of attack paths in Iran highlights the group’s international reach and its focus on strategically significant nations across multiple regions. This pattern suggests a deliberate effort to gather intelligence and disrupt operations in key geopolitical and economic hubs.

Nozomi found that the cyberattack infrastructure linked to the Iranian threat group OilRig supports operations targeting entities across the Middle East, Europe, and North America. Attack paths originate from Iran and extend to countries including the U.S., Spain, Turkey, Saudi Arabia, the United Arab Emirates, Oman, and Syria. The concentration of targets in the Gulf region highlights OilRig’s continued focus on strategic sectors such as energy, government, and telecommunications. The presence of attack lines reaching the U.S. and Europe suggests a broader campaign with geopolitical and intelligence-gathering objectives.

The researchers also highlighted attack infrastructure attributed to the Iranian-affiliated threat group CyberAv3ngers. The group’s operations appear to originate from Iran and are directed toward multiple countries, including the U.S., Ukraine, Iraq, and Cyprus. The geographic spread of targets suggests a campaign aimed at undermining critical infrastructure and geopolitical rivals, particularly in the energy and industrial sectors. The direct attack path to the U.S. further underscores the group’s transnational reach and growing focus on Western targets.

Nozomi detailed cyberattack infrastructure linked to the Iranian threat group FoxKitten. Attack activity originating from Iran has been observed targeting organizations in Israel, Greece, and North Macedonia. The concentration of attack paths within the Eastern Mediterranean and Middle East regions suggests FoxKitten’s strategic focus on politically sensitive and regionally significant targets. This pattern is consistent with the group’s known interest in espionage and long-term access within critical infrastructure and government networks.

Data showed that cyberattacks attributed to the Iranian hacktivist group Homeland Justice, originating from Iran, have been linked to organizations across North America, the Middle East, South Asia, and the Asia-Pacific region. Notable targets include the U.S., Canada, Saudi Arabia, India, and Australia. The pattern of activity indicates a broad operational scope, suggesting Homeland Justice is pursuing politically motivated disruption across a diverse set of countries and sectors, including critical infrastructure and government entities.

Last week, U.S. security agencies urged critical infrastructure operators to stay alert for possible cyberattacks by Iranian state-sponsored or affiliated threat actors, while also identifying and disconnecting OT (operational technology) and ICS (industrial control system) assets from the public internet. Given current geopolitical tensions, these groups could target U.S. networks and devices in the near term. The agencies also highlighted the heightened risks for defense industrial base (DIB) companies with ties to Israeli research or defense firms.
