
Iranian APTs increased activity against US industries in late spring, researchers say

Iranian state-backed hackers appeared to step up their attacks on U.S. industries over the past two months, according to new research.

Nozomi Networks — which specializes in securing operational technology (OT) for critical infrastructure — reported that it spotted 28 Iran-linked attacks on customers in May and June, up from 12 in the previous two-month period, a bump of 133%.

The emphasis was on the transportation and manufacturing sectors, the report said. 

Nozomi’s researchers did not specify which companies were affected, nor did they detail the nature of any attacks. “We receive anonymized telemetry from participating customers which allows us to publicly share current trends related to the attacks associated with these actors,” the report said.

The company said it identified threats from the well-known Iranian advanced persistent threat (APT) groups MuddyWater, APT33, OilRig, CyberAv3ngers, Fox Kitten and Homeland Justice.

The most active group was MuddyWater, which targeted at least five U.S. companies, Nozomi Networks said. It was followed by APT33, which hit at least three firms.

MuddyWater, active since at least 2017, is known for targeting government agencies and energy organizations across the Middle East. APT33 has operated since 2013 and is believed to focus on cyber-espionage targeting the aerospace, energy and petrochemical sectors.

The report comes amid growing concern over Iranian cyber activity following recent military escalation between Iran and Israel. Earlier this year, U.S. federal agencies warned critical infrastructure operators and defense contractors about potential retaliatory cyberattacks after Washington reportedly targeted Iranian nuclear facilities.

In a separate report published earlier this week, cybersecurity firm Morphisec said the Fox Kitten threat group is encouraging affiliates to launch ransomware attacks against Iran’s adversaries, including Israel and the U.S. 

The group, which has previously conducted cyber-espionage campaigns targeting Israeli and U.S. organizations, is now offering affiliates an 80% share of ransom proceeds — up from 70% — for attacks aligned with Tehran’s interests.

Last year, U.S. officials accused Tehran of collaborating with ransomware gangs to target entities in the U.S., Israel, Azerbaijan, and the UAE, citing Fox Kitten as one of the key actors behind those campaigns.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.