
Iranian APT Groups Intensify Cyberattacks on Critical Infrastructure Amid Rising Geopolitical Tensions

A dramatic escalation in Middle Eastern tensions began last week with Operation Lion’s Roar, a joint U.S.-Israeli military strike on Iranian nuclear and military sites.

Iran retaliated with missiles and drones, disrupting energy, air travel, and diplomatic stability across the Gulf. Amid this kinetic conflict, Iranian state-affiliated advanced persistent threats (APTs) have ramped up cyber operations targeting critical infrastructure worldwide.

Nozomi Networks reports a spike in Iran-linked APT alerts, with the manufacturing and transportation sectors prioritized.

Telemetry shows systematic increases in attacks during the conflict’s early days, echoing a 133% rise in prior escalations. Groups like MuddyWater, OilRig, APT33, and UNC1549 lead the surge, focusing on espionage and disruption.

Number of recently raised alerts associated with Iran-affiliated threat actors (Source: Nozomi Networks).

MuddyWater (aka APT34, Seedworm), tied to Iran’s Ministry of Intelligence and Security (MOIS), uses spear-phishing, credential theft, and living-off-the-land techniques for persistence. It recently targeted MENA organizations in Operation Olalampo with custom malware like GhostFetch.

Iranian APT Groups

OilRig (APT34, Helix Kitten) employs phishing, web shells, and PowerShell for espionage against energy and telecom in the Middle East.

Nozomi Threat Intelligence is tracking MuddyWater targeting organizations across the globe (Source: Nozomi Networks).

APT33 (Elfin, Refined Kitten) hits aerospace, energy, and government via supply chain attacks and password spraying. UNC1549, active in 2H 2025, targets defense and telecom aligned with Iranian priorities.

| Threat Actor | Aliases             | Primary Targets            | Key TTPs                         |
|--------------|---------------------|----------------------------|----------------------------------|
| MuddyWater   | APT34, OilRig       | Energy, Telecom, Government | Spear-phishing, LOLBins         |
| OilRig       | APT34, Helix Kitten | Financial, Defense         | Web shells, Credential harvesting |
| APT33        | Elfin               | Aerospace, Energy          | Password spraying, Supply chain  |
| UNC1549      | CURIUM              | Defense, Telecom           | Espionage, Disruption            |

Middle East Attack Surface Vulnerabilities

Middle Eastern organizations show high vulnerability exposure: 61% of flaws discovered in 2025 carry high or critical CVSS scores, versus 48% globally. EPSS scores above 1% apply to 8% of vulnerabilities, double the global average. Air-gapping alone is not enough; efficient patching is essential.

March 2026 distribution of recent vulnerabilities by CVSS score in the ME region (Source: Nozomi Networks).

Top MITRE ATT&CK TTPs in recent Middle East detections include default credential abuse (T1110), valid account use (T1078), brute force (T1110.001), and scanning (T1595). These signal early reconnaissance for future disruption.

Activate continuous OT monitoring with heightened alert sensitivity for Iranian TTPs. Update threat intelligence signatures; Nozomi customers should enable real-time feeds.


Patch vulnerabilities, change default credentials, and reassess IT/OT segmentation. Baseline industrial protocols and validate detections against groups like MuddyWater.

Hunt for low-and-slow activity in network traffic. Prepare incident response for hybrid threats blending cyber and physical risks. Organizations that combine visibility, segmentation, and tested plans are best placed to withstand these campaigns.
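As an added illustration of the hunting advice above (example code written for this page, not from the article or Nozomi Networks), the following Python runs simple detection logic for three of the listed TTPs over constructed OT telemetry: low-and-slow brute force (T1110), logins with default account names (T1078), and port scanning (T1595). The addresses, ports, timestamps and default user list are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample telemetry (not real data): (time, src, dst, port, event, user).
SAMPLE_EVENTS = [
    # Low-and-slow: one failed HMI web login every ~4 hours from one source over a day.
    ("2026-03-10T00:05:00", "10.1.5.20", "10.1.9.7", 443, "auth_fail", "admin"),
    ("2026-03-10T04:10:00", "10.1.5.20", "10.1.9.7", 443, "auth_fail", "admin"),
    ("2026-03-10T08:15:00", "10.1.5.20", "10.1.9.7", 443, "auth_fail", "admin"),
    ("2026-03-10T12:20:00", "10.1.5.20", "10.1.9.7", 443, "auth_fail", "admin"),
    ("2026-03-10T16:25:00", "10.1.5.20", "10.1.9.7", 443, "auth_ok", "admin"),
    # Scan: one source touching many ports on one PLC within seconds.
    *[("2026-03-10T02:00:%02d" % i, "10.1.5.31", "10.1.9.8", p, "conn", "")
      for i, p in enumerate((21, 22, 23, 80, 102, 443, 502, 1911, 2222, 4840, 20000, 44818))],
    ("2026-03-10T09:00:00", "10.1.5.40", "10.1.9.7", 443, "auth_ok", "j.doe"),  # benign named account
]
DEFAULT_USERS = {"admin", "root", "operator", "guest"}  # assumed vendor default names

def parse(raw):
    return [dict(time=datetime.fromisoformat(t), src=s, dst=d, port=p, event=e, user=u)
            for t, s, d, p, e, u in raw]

def low_and_slow_bruteforce(events, window=timedelta(hours=24), threshold=4):
    """T1110: max failures per (src, dst) in a sliding window; catches attempts too spread out for a per-minute burst rule."""
    fails = defaultdict(list)
    for ev in events:
        if ev["event"] == "auth_fail":
            fails[(ev["src"], ev["dst"])].append(ev["time"])
    flagged = {}
    for key, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = max(flagged.get(key, 0), end - start + 1)
    return flagged

def default_account_logins(events, default_users=DEFAULT_USERS):
    """T1078: successful logins with default account names (valid-account abuse)."""
    return [(ev["src"], ev["dst"], ev["user"]) for ev in events
            if ev["event"] == "auth_ok" and ev["user"] in default_users]

def port_scans(events, min_ports=10):
    """T1595: sources touching at least min_ports distinct ports on one destination."""
    ports = defaultdict(set)
    for ev in events:
        if ev["event"] == "conn":
            ports[(ev["src"], ev["dst"])].add(ev["port"])
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}
```

Against the sample, the brute-force rule fires only with a day-long window; a two-hour window sees at most one failure and stays silent, which is the gap low-and-slow activity exploits.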
