Active — Ongoing as of March 13, 2026
Section I
HOW CYBER WARFARE WORKS — THE BASICS FOR NON-TECHNICAL READERS
Plain Language
A cyberattack on infrastructure is not like hacking someone's email. When Iran targets a water treatment plant, a power grid, or an oil pipeline's control system, it is attacking the software that runs physical equipment. Modern infrastructure (power stations, water plants, hospitals, railways, ports) is controlled by computers, and many of those computers can be reached remotely. An attacker who gets into those systems can manipulate or destroy physical processes: open valves, trip circuit breakers, corrupt chemical dosing, or simply lock operators out of their own equipment, which is what ransomware does when it encrypts the systems operators depend on and demands payment for the key. The damage is not merely digital; it is physical. The difference between a cyberattack on a water plant and someone manually contaminating a reservoir is the ability to do it remotely, at scale, from another country, with plausible deniability. Iran has done this before. It is doing it now, and the targeting has escalated dramatically since the February 28 strikes.
Iran's cyber doctrine is explicitly asymmetric. Tehran cannot match US and Israeli conventional military power. It can, however, inflict costs on civilian and economic infrastructure in the United States, Israel, and allied Gulf states through cyber operations that carry a much lower threshold for escalation than kinetic attacks. This "below the threshold" strategy, attacking real targets in ways that remain just short of triggering military responses, has been central to IRGC doctrine since at least 2010, when the Stuxnet worm (widely attributed to a joint US-Israeli operation, though never officially acknowledged) destroyed Iranian centrifuges and demonstrated that cyber weapons could cause physical destruction. Iran drew the correct lesson from Stuxnet and built its own capability.
The IRGC's Cyber Command and the Ministry of Intelligence and Security (MOIS) each maintain separate cyber units with different specializations. MOIS-affiliated groups like MuddyWater (also tracked as Seedworm) specialize in long-term persistence — getting into networks quietly and staying there, building access over months, waiting. IRGC-affiliated groups like CyberAv3ngers specialize in disruptive attacks on operational technology — the industrial control systems that run critical infrastructure. The 2023 CyberAv3ngers attacks on Unitronics programmable logic controllers in US water systems — documented by CISA and the FBI — demonstrated that Iran was already testing its reach into US civilian infrastructure two years before the current conflict began. Those attacks were practice runs. The current environment is the live exercise.
The key tactical advantage Iran possesses as of March 13 is pre-positioned access. MuddyWater's intrusions into US networks — a US bank, a US airport, a US software company with Israeli operations, and non-profit organizations — began in early February 2026, before the first strike on Iran. The Dindoor backdoor discovered on these networks was planted weeks in advance. This is the standard playbook for a sophisticated state actor: pre-position access during the tension period before conflict, then use that access for intelligence collection, disruption, or destruction once hostilities begin. The question facing US network defenders is not whether MuddyWater and its affiliated groups have access to sensitive US networks. They demonstrably do. The question is what that access will be used for, and when.
Iran Cyber Groups Active Post-Feb. 28
15+
State-sponsored APTs (MuddyWater, Charming Kitten, OilRig, Fox Kitten) plus hacktivist coalitions (Handala, 313 Team, DieNet, Cyber Islamic Resistance). Russian groups also coordinating.
MuddyWater Pre-Positioning Began
Feb. 2026
Backdoor access planted in US bank, airport, defense-adjacent software firm before conflict. "Dindoor" backdoor discovered after hostilities began. Access predates the strikes by weeks.
Iran Internet Connectivity Post-Strike
1–4%
Strikes destroyed Iranian communications infrastructure. Short-term constraint on sophisticated state-coordinated attacks — but pre-positioned and proxy groups operate autonomously outside Iran.
FBI CI-12 Counterintelligence Agents Fired
~12
Days before Feb. 28 strikes, Patel fired Iran-tracking unit. DOJ National Security Division lost 50%+ of staff. Multiple offices dedicated to Iranian threat monitoring decimated (CNN, March 3).
Section II
THE THREAT ACTOR MAP — WHO IS ATTACKING AND HOW
The Iranian cyber ecosystem is not a monolithic state operation. It is a layered ecosystem of state-sponsored APTs (Advanced Persistent Threats — sophisticated hacking groups with long-term access to targets), affiliated hacktivist collectives that operate with varying degrees of Iranian direction, and opportunistic third-party actors (including Russian hackers) who have joined the campaign for their own interests. This layering creates a strategic advantage for Tehran: it allows Iran to claim plausible deniability for the most aggressive operations ("those are independent hacktivists, not state actors") while still benefiting from the disruption they cause. The organizational structure also means that destroying Iran's own internet connectivity — which the US/Israeli strikes effectively did, reducing Iran's connectivity to 1–4% — does not halt the broader campaign. The hacktivist collectives are organized on Telegram and operate globally, outside Iran's borders.
MuddyWater / Seedworm
MOIS — State APT
Iran's Ministry of Intelligence. Long-term persistence specialist — pre-positioned in US bank, airport, software firm, nonprofits by early Feb. Planted "Dindoor" backdoor. Active since 2017. Skilled in phishing, supply chain compromise, remote access tools. Primary espionage and pre-positioning arm.
CRITICAL
Already inside US networks
CyberAv3ngers / IRGC
IRGC — Infrastructure Attack
IRGC-affiliated, specializes in operational technology (OT) attacks on industrial control systems. 2023 campaign compromised US water/wastewater systems (Unitronics PLCs). Claimed access to Israeli power transmission infrastructure. "Mr. Soul" persona linked to this group claims to have disabled Israeli warning sirens.
CRITICAL
Proven OT capability
Handala Hack
Pro-Iran Hacktivist
Wiper malware deployment; hit Stryker (US medical devices) on March 12. Using Starlink for connectivity since mid-January (pre-positioned for operations after an Iranian internet shutdown). Targets Israeli and Western organizations. Wiper attacks destroy the data on every system they reach; recovery depends entirely on backups the attacker could not touch.
HIGH
Wiper deployment confirmed
NoName057(16)
Pro-Russia / Pro-Iran
Russian hacktivist group that has formally joined Iranian cyber coalition. Claimed attacks on water and telecom systems (March 10). Extensive DDoS capability. CrowdStrike: surge of Russian hackers supporting Tehran since war began. Coordination between Russian and Iranian groups via Telegram.
HIGH
Russia-Iran coordination
313 Team / Cyber Islamic Resistance
Pro-Iran Collective
Umbrella collective coordinating multiple groups. 313 Team hit 26 Kuwaiti government domains in single day (March 6). Claims data manipulation in Jordan's grain storage (temperature falsification, weight underreporting). Targeting expanding from Middle East into NATO-adjacent nations.
MEDIUM–HIGH
OT claim unverified
APT Iran / DieNet / FAD Team
Mixed Pro-Iran
DieNet: DDoS specialist, hit multiple Kuwaiti and Qatari government sites. FAD Team: wiper malware and data destruction focus. APT Iran: claimed month-long Jordan grain storage intrusion with physical process manipulation. Cyber Jihad Movement: new entrant with alleged Taliban-aligned ties.
MEDIUM
Expanding target set
Section III
US CRITICAL INFRASTRUCTURE EXPOSURE — WHAT IS ACTUALLY AT RISK
Plain Language
When security experts talk about "critical infrastructure," they mean the systems that a modern civilization cannot function without: water treatment, power grids, hospitals, financial systems, transportation networks (railways, ports, airports), and communications. The US has 16 federally designated critical infrastructure sectors. The scary truth is that many of these systems are decades old, run on software that hasn't been updated in years, and are connected to the internet in ways that weren't designed with security in mind. A water treatment plant that uses a programmable logic controller from 2004 and has its management interface accessible via a default password is not a theoretical vulnerability — it is the actual state of a significant portion of US water infrastructure. Iran knows this. They have already exploited it. The 2023 attacks on US water systems were not sophisticated. They walked in through the front door because it was unlocked.
The most authoritative statement of near-term US cyber risk came from the AP, citing security researchers and published March 12, 2026: "Going forward, US defense contractors, government vendors and businesses that work with Israel are likely targets, as is critical infrastructure such as hospitals, ports, water plants, power stations and railways." This is not a theoretical projection — it is a compilation of what Iran-affiliated hackers have already announced as targets in their own Telegram channels and on public social media platforms. SITE Intelligence Group documented one user writing: "The datacenters need to be taken out. They host the brains of USA's military communication and targeting systems." This is a strategic communication that is simultaneously a threat statement and a targeting intelligence signal.
The water sector is historically the most exposed. The December 2023 CISA advisory documented IRGC-affiliated actors compromising Unitronics Vision Series PLCs, the programmable logic controllers that run water and wastewater processes in hundreds of US municipalities. The compromised devices were reachable directly from the internet, typically on the controller's default TCP port (20256), and many still carried the factory default password ("1111"). The attackers defaced the controllers' HMI screens with an anti-Israel message, renamed devices to forestall owner access, reset software versions, disabled upload/download functions, and changed default ports. They did not destroy anything. They demonstrated they could. The implication is clear: Iran has already mapped significant portions of US water infrastructure OT systems, established the attack pathways, and chosen not to use them destructively, until now, when the strategic calculus has changed entirely.
The financial sector is on its own elevated alert. US banks issued heightened security warnings internally within hours of the February 28 strikes. DieNet has claimed DDoS attacks against financial institutions. More concerning than DDoS — which causes temporary outages but not lasting damage — is the risk that MuddyWater's pre-positioned access inside at least one confirmed US bank could be used for more sophisticated operations: fund transfer fraud, data destruction, or the kind of destructive wiper attack that Handala used against Stryker on March 12. A wiper attack on a major financial institution would not just disrupt banking operations — it would destroy records, triggering a financial system integrity crisis that is qualitatively different from any prior cyber incident.
The critical institutional context is the FBI CI-12 hollowing. CNN reported on March 3 that Director Kash Patel fired approximately a dozen agents and staff from CI-12 — the counterintelligence unit specifically tasked with tracking Iranian threats on US soil — in the days immediately before the strikes on Iran. The stated reason was that the fired agents had been involved in the Trump classified documents investigation at Mar-a-Lago. The operational consequence is that the unit most skilled in tracking Iranian cyber operations, mapping their networks, and disrupting their pre-positioned access was degraded at precisely the moment it was most needed. The DOJ's National Security Division has lost more than half its employees to firings and resignations since January 2025. Senior officials overseeing counterintelligence and international terrorism have been pushed out.
Early Feb. 2026
MuddyWater Pre-Positioning Begins (Confirmed Retrospectively)
Symantec/Broadcom and Carbon Black Threat Hunter Team later determine that MuddyWater (Seedworm) was already embedded in a US bank, an airport, and a defense-adjacent software firm from this point. Dindoor backdoor planted. Campaign began weeks before the first strike.
Feb. 28, 2026
"Electronic Operations Room" Forms Within Hours
Pro-Iranian groups announce coordinated coalition. NoName, Handala, 313 Team, Fatemiyoun Electronic Team organize on Telegram. Iran's internet drops to 1–4%, but external proxies operate independently. IRGC targets Amazon data center in Bahrain.
Mar. 1, 2026
Hacktivist Coalitions Target Gulf Governments
Kuwait, Jordan, Bahrain government sites first in line. DieNet targets Qatari media. 313 Team begins coordinated DDoS across multiple government domains. Intel 471: Israel most impacted, followed by Kuwait and Jordan in first week.
Mar. 2, 2026
Critical Infrastructure Targeting Escalates
Z-Pentest (pro-Russia) claims compromise of US ICS/SCADA systems and CCTV networks. Industrial control systems in Israel targeted. Ransomware operators enter conflict opportunistically. DHS issues bulletin warning of potential cyber retaliation.
Mar. 4, 2026
OT Claims Surge: Grain Storage, Water Systems
APT Iran claims month-long Jordan grain storage intrusion with physical process manipulation (temperature falsification). The claims are unverified, but if accurate they mark an expansion beyond IT networks to physical control systems.
Mar. 6, 2026
MuddyWater Backdoors Discovered; Kuwait's "Worst Day"
Full scope of Feb. pre-positioned backdoors in US bank, airport, firms revealed. 313 Team hits 26 Kuwaiti government domains simultaneously: defense, health, civil infrastructure. Most coordinated single-group assault of the conflict to this point.
Mar. 10, 2026
NoName Hits US Water and Telecom
Russian hacktivist group NoName claims attacks on US water infrastructure and telecommunications systems. FSociety issues 42-hour deadline on unnamed US targets. Targeting now explicitly in continental United States.
Mar. 12, 2026
Handala Wiper Attack on Stryker Medical
Handala deploys wiper malware against US medical device giant Stryker. Wiper attacks destroy data permanently; not recoverable without offline backups. First confirmed destructive cyber attack on a major US corporation in this conflict.
Section IV
THE INSTITUTIONAL GAP — DEGRADED DEFENSES AT THE WORST POSSIBLE MOMENT
The intersection of the Iran war's cyber dimension with the deliberate dismantling of US counterintelligence capacity is the most structurally dangerous feature of the current threat environment. Iran's cyber capability is real, escalating, and pre-positioned. The institutions that exist to detect, track, and disrupt Iranian cyber operations inside the United States have been systematically weakened over the past 14 months — not by Iran, but by the same administration that ordered the strikes that triggered the cyber retaliation.
The CI-12 firings are the most documented instance. The DOJ National Security Division — which prosecutes terrorism and foreign intelligence cases — has lost more than half its staff. CISA, the agency responsible for protecting civilian critical infrastructure from cyber threats, has been the subject of budget reduction discussions throughout 2025. The DHS, responsible for coordinating whole-of-government domestic security, was partially shut down in a budget standoff and is operating under constraints that "raise resource concerns" (cited in multiple intelligence community assessments). The FBI's Joint Terrorism Task Forces — the primary field-level mechanism for detecting and disrupting foreign-directed threats in major US cities — depend on the same senior counterintelligence officers who have been pushed out.
The compounding risk is straightforward: MuddyWater has access to networks it planted backdoors in before the war. Handala has already used wiper malware against a US corporation. Iranian-linked groups have publicly stated their intent to attack US power stations, water plants, ports, and hospitals. And the institutional capacity to detect and disrupt those attacks before they cause physical harm has been substantially reduced. This is the cyber equivalent of opening a front door that used to be guarded, at the same moment the adversary has published their intent to walk through it. The next significant cyber incident affecting US critical infrastructure is not a hypothetical risk to be monitored. It is an expected event whose timing and severity are the only open variables.
Why Wiper Attacks Are Different
Ransomware encrypts data and demands payment; if the key is obtained or clean backups exist, the data comes back. Wiper malware overwrites or deletes data with no recovery key, so the only path back is a backup the attacker could not reach. Handala's March 12 attack on Stryker used a wiper. A wiper attack on hospital records, financial system ledgers, or grid control systems is not a disruption event. It is a destruction event. Recovery means rebuilding from offline or immutable backups, a process measured in days or weeks, not hours, and one that fails outright if the backups sat on the same network the wiper reached.
OT vs. IT — Why Infrastructure Attacks Are Worse
IT attacks target data and communications. OT (operational technology) attacks target physical control systems. When Iran compromised US water utility PLCs in 2023, it reached the controllers that run treatment processes, including chemical dosing. Too much or too little of a treatment chemical can cause mass casualties. The 2021 Oldsmar, FL water plant incident (unrelated to Iran) showed the real-world risk: the sodium hydroxide setpoint was raised roughly 100-fold, from 100 ppm to 11,100 ppm. An operator watching the screen caught it and reverted the change before it took effect (later reporting questioned whether the change came from an outside intruder at all, but the exposure was real either way). That catch may not always happen.
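The Oldsmar lesson is that a human noticing a cursor move is not a control. The engineering answer is an independent plausibility guard that rejects implausible setpoint writes no matter who issued them, normally implemented in the PLC's own logic or a safety system. The Python below is an added example, not code from the page or from any vendor, that shows that guard logic over a constructed sequence of writes. The tag name NAOH_DOSE_PPM, the limits, and the host names are assumptions chosen for illustration; the 100 ppm to 11,100 ppm jump mirrors the Oldsmar report.

```python
"""Setpoint plausibility guard for a chemical dosing loop (illustrative, not vendor code).

Every write is checked against four independent rules before it can reach the
controller: known tag, allow-listed source, hard engineering range, and a
bounded step size with a minimum interval between accepted writes.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Limits:
    lo: float           # hard floor in engineering units (here: ppm)
    hi: float           # hard ceiling; a write above this is never legitimate
    max_ratio: float    # largest multiplicative change allowed per write (1.25 = +/-25%)
    min_interval_s: float  # minimum seconds between two accepted writes to the same tag


@dataclass(frozen=True)
class SetpointWrite:
    ts: float      # epoch seconds when the write arrived
    source: str    # host that issued the write (assumed hostnames)
    tag: str       # controller tag being written
    value: float


class SetpointGuard:
    def __init__(self, limits: Dict[str, Limits], initial: Dict[str, float],
                 allowed_sources: Iterable[str]) -> None:
        self.limits = limits
        self.current = dict(initial)          # last accepted value per tag
        self.last_ts: Dict[str, float] = {}   # time of last accepted write per tag
        self.allowed = set(allowed_sources)
        self.audit: List[Tuple[SetpointWrite, bool, str]] = []

    def evaluate(self, w: SetpointWrite) -> Tuple[bool, str]:
        """Return (accepted, reason). Only accepted writes update the tracked value."""
        lim = self.limits.get(w.tag)
        if lim is None:
            return self._record(w, False, "unknown tag")
        if w.source not in self.allowed:
            return self._record(w, False, f"source {w.source} not on allowlist")
        if not (lim.lo <= w.value <= lim.hi):
            return self._record(w, False, f"value {w.value} outside [{lim.lo}, {lim.hi}]")
        cur = self.current[w.tag]
        # Guard the ratio test against a zero baseline instead of dividing by zero.
        ratio = (w.value / cur) if cur else (1.0 if w.value == 0 else float("inf"))
        if ratio > lim.max_ratio or ratio < 1 / lim.max_ratio:
            return self._record(w, False, f"step {cur}->{w.value} exceeds {lim.max_ratio:.2f}x")
        last = self.last_ts.get(w.tag)
        if last is not None and w.ts - last < lim.min_interval_s:
            return self._record(w, False, "write rate exceeded")
        self.current[w.tag] = w.value
        self.last_ts[w.tag] = w.ts
        return self._record(w, True, "accepted")

    def _record(self, w: SetpointWrite, ok: bool, reason: str) -> Tuple[bool, str]:
        self.audit.append((w, ok, reason))   # every decision is logged, rejected or not
        return ok, reason


def run_demo() -> Tuple[List[Tuple[bool, str]], float]:
    """Replay a constructed write sequence; returns the decisions and the final setpoint."""
    guard = SetpointGuard(
        limits={"NAOH_DOSE_PPM": Limits(lo=50.0, hi=200.0, max_ratio=1.25, min_interval_s=60.0)},
        initial={"NAOH_DOSE_PPM": 100.0},            # assumed normal operating point
        allowed_sources={"hmi-01", "eng-ws-02"},      # assumed operator stations
    )
    writes = [  # constructed sample input
        SetpointWrite(1000.0, "hmi-01", "NAOH_DOSE_PPM", 110.0),       # routine trim
        SetpointWrite(1010.0, "hmi-01", "NAOH_DOSE_PPM", 115.0),       # too soon after the last write
        SetpointWrite(1100.0, "remote-va", "NAOH_DOSE_PPM", 11100.0),  # Oldsmar-style jump, unknown host
        SetpointWrite(1200.0, "hmi-01", "NAOH_DOSE_PPM", 11100.0),     # same jump from a trusted host
        SetpointWrite(1300.0, "hmi-01", "NAOH_DOSE_PPM", 190.0),       # in range but a >25% step
        SetpointWrite(1400.0, "hmi-01", "PH_SETPOINT", 7.2),           # tag not under guard
    ]
    decisions = [guard.evaluate(w) for w in writes]
    return decisions, guard.current["NAOH_DOSE_PPM"]


if __name__ == "__main__":
    for (ok, reason), w in zip(*[run_demo()[0], []]) if False else []:
        pass
    decisions, final = run_demo()
    for (ok, reason) in decisions:
        print("ACCEPT" if ok else "REJECT", reason)
    print("final setpoint:", final)
```

The fourth write is the important one: it comes from a trusted operator station with valid credentials, exactly what a stolen remote-access session looks like, and the guard still rejects it because no legitimate process state ever calls for 11,100 ppm. Range and step limits belong in the controller or a safety layer that the HMI cannot reconfigure; a check that lives only on the workstation the attacker controls is not a check.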
The Pre-Positioning Risk
The most dangerous moment in the cyber conflict is not when Iran attacks; it is when Iran decides to use access it has already established. MuddyWater's backdoors in US networks are currently being used for intelligence collection. The same access path used to read files can be used to deploy a wiper. The transition from "watching" to "destroying" takes seconds. Network defenders cannot tell espionage access from destructive access by the access alone; what they can see are the precursors, such as new tooling being staged, escalation to domain-wide privileges, and reconnaissance of backup servers. Each of those is a reason to treat a "quiet" intrusion as a destructive attack already in progress.
The Proxy Deniability Problem
Iran benefits from a multi-tier structure: state APTs do the sophisticated pre-positioning; hacktivist proxies do the visible, noisy attacks. This makes attribution difficult and escalation thresholds ambiguous. If NoName (Russian) attacks a US water plant and claims to be acting "in solidarity with Iran," does that trigger a US response against Iran? Against Russia? Against both? The ambiguity is intentional. It creates response paralysis that is tactically beneficial to the attacker.
⚠ The Core Risk of Section 22
Iran has pre-positioned cyber access inside US critical infrastructure networks. Multiple Iranian-affiliated groups have escalated from DDoS disruption to wiper malware deployment within two weeks of the war's start. State APTs are operating concurrently with hacktivist proxies, creating a layered threat that cannot be attributed and contained by standard response protocols. The US institutions most responsible for detecting and disrupting Iranian cyber operations inside the United States have been deliberately weakened — CI-12 hollowed, DOJ National Security Division depleted, senior counterintelligence officers removed. The Stryker attack on March 12 is the first confirmed destructive wiper attack on a major US corporation in this conflict. It is unlikely to be the last. The most consequential cyber incidents — those targeting power grid OT systems, water infrastructure, or major financial institution data integrity — have not yet occurred. The question is whether the institutional capacity to stop them has been sufficiently preserved.