Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency
Iran Cyber Threat Overview and Advisories

The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment states that Iran remains a major cyber threat: “Iran’s growing expertise and willingness to conduct aggressive cyber operations make it a major threat to the security of U.S. and allied networks and data. Iran’s opportunistic approach to cyber attacks makes critical infrastructure owners in the United States susceptible to being targeted…”

Recent Iranian state-sponsored activity has included destructive malware and ransomware operations. Keeping software up to date and prioritizing patching of known exploited vulnerabilities is key to strengthening operational resilience against this threat.

CISA and our partners in the U.S. government and around the world provide timely and actionable information about the Iranian state-sponsored cyber threat to help organizations prioritize the most effective cybersecurity measures. As a starting point, organizations should:

  • Prioritize mitigation of known exploited vulnerabilities.
  • Implement the Cyber Performance Goals, which are a baseline set of broadly applicable cybersecurity practices with known risk-reduction value.
  • Urgently report potential malicious activity to CISA or the FBI:
    • The easiest way is to go to CISA.gov and click the “report a cyber issue” button right up top.
    • You can also contact CISA’s 24/7 Operations Center: cisa.gov/report | report@cisa.gov | 888-282-0870
    • Contact your local FBI field office or IC3.gov.
  • Sign up to receive CISA’s cybersecurity alerts and advisories for timely notification of emerging campaigns and incidents. Review advisories on Iranian state-sponsored cyber threats outlined in the table below. CISA particularly recommends reviewing the following advisories:
    • Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations
    • Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
    • Iranian State Actors Conduct Cyber Operations Against the Government of Albania
    • Protecting Against Malicious Use of Remote Monitoring and Management Software, which outlines steps to help organizations harden networks against malicious use of remote monitoring and management software.
    • Technical Approaches to Uncovering and Remediating Malicious Activity, which outlines steps to help organizations identify intrusions across their enterprise.
  • Visit the Industry Alerts section of the FBI’s Iran Threat website for accounts of recent Iranian state-sponsored cybercrimes.
  • Sign up for CISA’s free Vulnerability Scanning service to receive alerts when the service identifies vulnerabilities known to be exploited by Iranian state-sponsored cyber actors.
  • Establish a relationship with a regional CISA Cybersecurity Advisor to access additional services, assessments, and guidance.
Table 1: CISA and Joint CISA Publications

Columns: Publication Date, Title, Description

Date: November 16, 2022
Title: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
Title: MAR 10387061-1.v1 XMRig Cryptocurrency Mining Software
Description: CISA and FBI released a joint CSA about an incident at an FCEB organization in which Iranian government-sponsored APT actors exploited a Log4Shell vulnerability in an unpatched VMware Horizon server. This advisory includes a MAR on the mining software that the APT actors used against the compromised FCEB network.

Date: September 23, 2022
Title: Iranian State Actors Conduct Cyber Operations Against the Government of Albania
Description: FBI and CISA have released this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September 2022. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks.

Date: September 14, 2022
Title: Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations
Description: FBI, CISA, NSA, USCC, CNMF, the Treasury, ACSC, CCCS, and the NCSC highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC).

Date: February 24, 2022
Title: CISA, FBI, CNMF, NCSC-UK, NSA Malware Analysis Report: MAR-10369127-1.v1 – MuddyWater
Description: CISA, FBI, CNMF, NCSC-UK, and NSA have released a joint MAR providing detailed analysis of 23 files identified as MuddyWater tools.

Date: February 24, 2022
Title: CISA-FBI-CNMF-NCSC-UK-NSA Joint Cybersecurity Advisory: Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
Description: CISA, FBI, CNMF, NCSC-UK, and NSA have released a joint Cybersecurity Advisory highlighting a group of Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater, conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors in Asia, Africa, Europe, and North America.

Date: November 17, 2021
Title: CISA-FBI-ACSC-NCSC Joint Cybersecurity Advisory: Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities
Description: CISA, FBI, ACSC, and NCSC have released a joint CSA on Iranian government-sponsored APT actors exploiting Microsoft Exchange and Fortinet vulnerabilities to gain initial access in advance of follow-on operations. The Iranian government-sponsored APT actors are actively targeting a broad range of U.S. critical infrastructure sectors as well as Australian organizations.

Date: July 20, 2021
Title: JSAR-12-241-01B: Shamoon/DistTrack Malware (Update B)
Description: The U.S. Government attributed previously published activity targeting industrial control systems to Iranian nation-state cyber actors.

Date: October 30, 2020
Title: CISA and FBI Joint Cybersecurity Advisory: Iranian Advanced Persistent Threat Actor Identified Obtaining Voter Registration Data
Description: CISA and FBI released a Joint CSA on an Iranian APT actor targeting U.S. state websites, including elections websites, to obtain voter registration data. The Advisory provides indicators of compromise (IOCs) and recommended mitigations for affected entities.

Date: October 22, 2020
Title: CISA-FBI Joint Cybersecurity Advisory: Iranian Advanced Persistent Threat Actors Threaten Election-Related System
Description: CISA and FBI released an Advisory warning about Iranian APT actors likely intent on influencing and interfering with the 2020 U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process.

Date: September 15, 2020
Title: CISA-FBI Joint Cybersecurity Advisory: Iran-Based Threat Actor Exploits VPN Vulnerabilities
Title: MAR-10297887-1.v2 – Iranian Web Shells
Description: CISA and FBI released a Joint CSA on an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. The Advisory analyzes the threat actor’s tactics, techniques, and procedures (TTPs); IOCs; and exploited Common Vulnerabilities and Exposures. The MAR details the functionality of malicious files, including multiple components of the China Chopper Web Shell, used by Iran-based malicious cyber actors.

Date: January 06, 2020
Title: CISA Alert: Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad
Title: CISA Insights: Increased Geopolitical Tensions and Threats
Description: In light of heightened tensions between the United States and Iran, CISA released an Alert and an “Insights” analysis providing Iranian government and affiliated cyber threat actor TTPs and an overview of Iran’s cyber threat profile, respectively.
