Iranian Use of Cybercriminal Tactics in Destructive Cyber Attacks


Iran has a long track record of using cyber operations to retaliate against perceived political slights. And, increasingly, ransomware is incorporated into escalating operations that blur the line between criminal extortion and state-sponsored sabotage.
As Iran considers its response to US and Israeli military actions, it is likely to consider destructive cyber operations if it believes they can deliver meaningful retaliatory impact.
How to Defend and Mitigate: Quick Overview
- Patch Public-Facing Devices Immediately (Operating System and Firmware)
- Implement Immutable Backups and Strong Account and Egress Controls
- Mandate Strong Multifactor Authentication
- Monitor Network Devices, Applications, Virtual Infrastructure, Tunneling, and Endpoints
- Enable Distributed Denial of Service (DDoS) Protection and Response
- Prepare for Rapid Incident Response
- Harden Endpoint Defenses by Deploying a Dedicated Anti-Ransomware Solution like Halcyon that Detects Data Exfiltration, Collects Keys, and Has Kernel Guard
Iran’s History of Destructive Cyber Attacks
On July 15, 2022, Iranian state hackers launched a devastating cyberattack on Albanian government networks, destroying data and disrupting critical services. Masquerading as a fictitious hacktivist group, the attackers combined ransomware, extortion, and data-wiping tactics in an apparent act of retribution for Albania’s hosting of an Iranian dissident group.
Iran has a long track record of using cyber operations to retaliate against perceived political slights. From disabling US financial websites between 2011 and 2013, to erasing data from the Las Vegas Sands Casino in 2014, to defacing websites after the death of Iranian military commander Qasem Soleimani and issuing online death threats to US election officials in 2020 and 2021, Tehran’s cyber playbook has been aggressive and evolving.
And, increasingly, ransomware is incorporated into these escalating operations. Just last month, an Iranian national pleaded guilty to ransomware attacks that crippled Baltimore and other US municipalities, causing tens of millions in damages. Since at least 2017, Iranian operators have targeted US critical infrastructure—including a thwarted attempt on Boston Children’s Hospital—with ransomware campaigns that blur the line between criminal extortion and state-sponsored sabotage.
In practice, Iran’s destructive cyber operations often emerge from a murky blend of state sponsorship, personal profiteering, and outright criminal behavior. Hackers may monetize access gained through government-backed campaigns, bringing together espionage and extortion efforts. Tehran has long preferred to turn a blind, or at least indifferent, eye to private cyber operations against targets in the US, Israel, and other allied countries.
That’s because having access to cyber criminals gives the government options. As Iran considers its response to US and Israeli military actions, it is likely to activate any of these cyber actors if it believes their operations can deliver a meaningful retaliatory impact.
What a Destructive Attack Might Look Like Today
The way in which Iran nimbly operationalized long-term access in Albania to serve its political aims is an instructive example of how it could do the same against US targets. The FBI and Microsoft reported that multiple groups of Iranian state-sponsored actors conducted the various stages of the attack.
Starting in May 2021, one Iranian cyber group gained initial access to an Albanian government network. Five months later, this group and a second group began exfiltrating mail from the network. Then, in July 2022 (14 months after initial access), a different group deployed ransomware with no intention of restoring the encrypted systems, followed by wiping data across the network, posting harassing messages about the victims, and then releasing the stolen information.
These actions against Albania highlight the ways that Iran could use attempted obfuscation, multiple actors, and destructive tools against US networks in the coming weeks:
- Deploying ransomware before wiping an organization’s data.
- Leveraging long-term espionage access and data exfiltration from different threat actors for destructive attacks.
- Hiding behind fictitious cybercriminal or hacktivist groups.
- Engaging in online harassment of victims, including through the release of stolen data.
Some of the Iranian and hacktivist groups to watch include:
UNC757
Iranian state-sponsored group UNC757—potentially synonymous or connected with Lemon Sandstorm, Pioneer Kitten, and RUBIDIUM—is actively using Virtual Desktop Infrastructure (VDI, such as Citrix), VPN, and firewall exploits to obtain initial access and establish control over US networks and the networks of groups seen as supporting Israel.
This includes attempting to compromise operational networks for critical infrastructure entities using VDI or VPNs that enable remote access into what are essentially the brains of industrial control systems: Programmable Logic Controllers (PLCs).
The US Government has previously identified this group as privately conducting ransomware attacks while also working on behalf of the Government of Iran to obtain initial access and steal sensitive data from networks across the US, the United Arab Emirates, and several other countries. This group has also co-existed on networks with groups like Scattered Spider and APT29, eventually leaving the network if the other groups became overactive.
Handala
Handala is a self-proclaimed pro-Palestinian hacktivist group that sprang up a few months after the start of the Gaza conflict in late 2023 and has targeted Israeli organizations. Handala uses a mixture of phishing, data theft, extortion, and custom wiper malware.
The wiper malware targets both Windows and Linux environments. Some of Handala’s hacking claims have been disputed by their targets, and we are watching the group to determine whether it will exploit current military actions to conduct additional activity.
Most recently, this group leaked the locations of Israeli evacuation shelters; such actions—putting lives directly at risk—are atypical for a ransomware group.
Other Hacktivist Groups
A loosely affiliated network of Iranian-aligned hacktivist groups including Mr. Hamza, Team 313, Keymous+, and Cyber Jihad launched coordinated distributed denial of service (DDoS) attacks targeting US military, defense, financial, and political organizations following US airstrikes on Iranian nuclear sites in June 2025.
In particular, Keymous+ claimed to have conducted the DDoS attack earlier this year against a major US electric automobile manufacturer, and their most recent activity has included targets related to the US Presidential Administration.
These groups rapidly mobilized public DDoS infrastructure and open-source attack tools to disrupt online services across multiple sectors, including organizations that support Israel, in what appeared to be retaliatory action framed as cyber protest.
While the operational impact was limited to temporary service outages, the timing, coordination, and volume of claims suggest the campaigns were designed to send a political message and demonstrate support for Iranian state interests.
These actors typically lack the technical sophistication of state-sponsored groups but have historically operated in alignment with Iranian geopolitical objectives, focusing on defacements, DDoS, and disinformation.
Defense and Mitigation
- Patch public-facing devices immediately. Ensure VPNs, Virtual Desktop Infrastructure (VDI), firewalls, and reverse proxies are fully patched (both OS and firmware levels and manually verified), especially for CVE-2024-24919, CVE-2024-3400, CVE-2023-3519, CVE-2022-1388, and CVE-2019-19781.
- Implement strong account controls. Enforce strong multi-factor authentication (MFA) across all entry points. Strong MFA ideally uses hard tokens, number matching, or manual code entry with no exceptions (i.e., no SMS text, voice call, email, or push MFA). Audit for unauthorized local or domain accounts and remove suspicious ones. Review and block any exemptions or allowlists that attacker-controlled processes have requested or put in place.
- Maintain robust monitoring for persistence and tunneling. Monitor network devices, applications, virtual infrastructure (e.g., Nutanix/ESXi), and endpoints. Specifically, monitor VPN logs for unusual scans or connections. Monitor web directories on VPN and gateway devices where web shells often reside. Vet scheduled tasks, Windows services, and DLLs to detect side-loaded or hidden persistence. Detect use of tunneling and remote-access tools such as ngrok, ligolo, MeshCentral, AnyDesk, and FRPC. Log and monitor registry exports, credential dumps, and reverse shells. Deploy endpoint detection and response (EDR) tools.
- Strengthen and harden VDI and VPN configurations, administrative panels, and other controls. Harden VPN and VDI configurations by disabling outdated protocols and enforcing MFA on remote access. Enforce role-based access, minimize and lock down administrative panels, and check for suspicious files or modifications. Enable application whitelisting and restrict new service installations. Block known outbound patterns and implement tight egress controls.
- Maintain defense-in-depth. Deploy a dedicated anti-ransomware solution like Halcyon to harden endpoint defenses against advanced attacker techniques designed to blind, unhook, or bypass traditional endpoint protection (EPP) and EDR tools. Halcyon provides an additional protective layer against data exfiltration and lateral movement, while also delivering early-stage behavioral detection and automated response capabilities.
- Enable DDoS protection and response. Deploy cloud-based DDoS mitigation. Implement a content delivery network (CDN) like Akamai or Cloudflare for protection. Use on-premises scrubbing appliances for application layer traffic.
- Prepare for incident response. Develop incident response playbooks for VPN/VDI compromise, lateral movement, and ransomware responses. Know who to call if an incident occurs and maintain an active retainer with a third-party incident response firm, external counsel, and cyber insurance company.
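The two monitoring items above that are easiest to turn into a concrete check are the tunneling-tool watch and the "MFA on every entry point" rule. The script below is an added illustration, not Halcyon's tooling or anything from the post: it triages a constructed, tab-separated export of process-creation events for the tools the post names (ngrok, ligolo, MeshCentral, AnyDesk, FRPC) and for binaries launched from temp or user-writable directories, and it triages a constructed VPN authentication log for successful logins that used none of the strong MFA methods the post requires and for one source IP failing against many accounts. The directory markers, thresholds, and log layouts are assumptions chosen for the example.

```python
"""Triage helpers for the monitoring items above (illustrative, not from the post)."""
import ntpath
import posixpath
from collections import defaultdict

# Tool names the post calls out; matched case-insensitively against the image
# basename AND the command line, so a renamed binary is still caught if its
# arguments give it away (e.g. "-c frpc.ini").
TUNNELING_TOOLS = ("ngrok", "ligolo", "meshagent", "meshcentral", "anydesk", "frpc")

# Directories from which legitimate admin tooling is rarely launched.
# Heuristic assumption for this example, not a claim from the post.
SUSPICIOUS_DIR_MARKERS = ("\\temp\\", "\\appdata\\local\\", "\\downloads\\", "/tmp/", "/dev/shm/")

# MFA methods the post says should not be accepted (plus "none").
WEAK_MFA = ("none", "sms", "voice", "email", "push")

# Constructed sample process-creation events: ts, host, user, image, cmdline (tab-separated).
PROCESS_EVENTS = """\
2025-06-24T02:11:03Z\tweb-01\tsvc_backup\tC:\\Windows\\Temp\\ngrok.exe\tngrok.exe tcp 3389
2025-06-24T02:13:40Z\tweb-01\tsvc_backup\tC:\\Program Files\\Git\\bin\\git.exe\tgit.exe pull
2025-06-24T03:02:17Z\tvdi-gw-02\tadmin\t/tmp/agent\tagent -connect 203.0.113.5:11601 -ignore-cert
2025-06-24T03:30:55Z\thr-07\tjdoe\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe\tsvchost.exe -c frpc.ini
2025-06-24T04:00:00Z\thr-07\tjdoe\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe
"""

# Constructed sample VPN authentication log: ts, user, src_ip, result, mfa_method (tab-separated).
VPN_AUTH_LOG = """\
2025-06-24T01:00:01Z\tjdoe\t198.51.100.7\tsuccess\tfido2
2025-06-24T01:00:05Z\tasmith\t203.0.113.9\tfailure\tnone
2025-06-24T01:00:06Z\tbjones\t203.0.113.9\tfailure\tnone
2025-06-24T01:00:07Z\tcwhite\t203.0.113.9\tfailure\tnone
2025-06-24T01:00:08Z\tdgreen\t203.0.113.9\tfailure\tnone
2025-06-24T01:00:09Z\tsvc_backup\t203.0.113.9\tsuccess\tnone
2025-06-24T01:15:00Z\tadmin\t192.0.2.44\tsuccess\tsms
"""


def basename(path):
    """Basename that works for both Windows and POSIX paths."""
    return ntpath.basename(path) if "\\" in path else posixpath.basename(path)


def triage_process_events(text):
    """Return (ts, host, user, image, reasons) for every event that trips a rule."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmdline = line.split("\t", 4)
        haystack = (basename(image) + " " + cmdline).lower()
        reasons = [f"tunneling/remote-access tool: {t}" for t in TUNNELING_TOOLS if t in haystack]
        if any(marker in image.lower() for marker in SUSPICIOUS_DIR_MARKERS):
            reasons.append("binary launched from temp/user-writable directory")
        if reasons:
            findings.append((ts, host, user, image, reasons))
    return findings


def triage_vpn_log(text, spray_threshold=4):
    """Flag successful logins without strong MFA and one IP failing against many accounts."""
    findings = []
    failed_users_per_ip = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, result, mfa = line.split("\t")
        if result == "failure":
            failed_users_per_ip[src_ip].add(user)
        elif result == "success" and mfa.lower() in WEAK_MFA:
            findings.append((ts, user, src_ip, f"successful login with weak/no MFA: {mfa}"))
    for src_ip, users in failed_users_per_ip.items():
        if len(users) >= spray_threshold:
            findings.append(("-", "-", src_ip,
                             f"password spray: {len(users)} distinct users failed from one IP"))
    return findings


if __name__ == "__main__":
    for finding in triage_process_events(PROCESS_EVENTS):
        print("PROCESS", *finding)
    for finding in triage_vpn_log(VPN_AUTH_LOG):
        print("VPN", *finding)
```

Run on the constructed data, the process triage flags three of the five events (the ngrok launch from Windows\Temp, the unnamed agent in /tmp, and the renamed "svchost.exe" whose command line still references frpc.ini), and the VPN triage flags the two successful logins without strong MFA plus the single IP that failed against four accounts. In a real deployment the same two functions would be fed from the EDR and VPN log pipelines, and the thresholds and directory markers tuned to the environment's baseline.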
Conclusion
The current military conflict underscores the urgent need for US organizations to harden their cyber defenses. Iran’s dual role as a state sponsor of terrorism and a state sponsor of cybercrime gives it additional malicious tools at its disposal. Its track record of using destructive cyber operations to advance political objectives suggests that any future campaign will blend traditional state-sponsored tactics with criminal tradecraft. If tensions rise, so will the likelihood that Iranian threat actors will turn to cyber operations to influence and exert pressure, making resilience and defense-in-depth essential across all sectors.
Halcyon eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.