Iranian state-sponsored or affiliated threat actors may launch cyberattacks, according to U.S. cybersecurity and intelligence agencies. According to the agencies, there is currently no proof that Iran is responsible for a coordinated campaign of malicious cyber activity in the United States.
Particularly in industrial control system (ICS) environments, attackers frequently begin by using reconnaissance tools like Shodan to identify susceptible internet-facing devices. Additionally, the agencies identified Defense Industrial Base (DIB) companies as particularly vulnerable, particularly those with connections to Israeli defense and research companies. Days prior, the Department of Homeland Security (DHS) issued a bulletin urging U.S.
In light of the ongoing geopolitical tensions between Iran and Israel, organizations should be alert for potential "low-level cyber attacks" by pro-Iranian hacktivists. It is recommended that organizations take the following actions. As of June 2025, Censys reported that it had discovered 43,167 internet-exposed devices from Tridium Niagara, 2,639 from Red Lion, 1,697 from Unitronics, and 123 from Orpak SiteOmat.
With 441 attack claims, Israel was the most targeted nation, followed by the United States (69), India (34), and Middle Eastern countries like Saudi Arabia (13) and Jordan (33). According to SOCRadar, the Iran-Israel conflict of 2025 has caused an increase in cyber activity, with over 600 cyber attack claims reported across more than 100 Telegram channels between June 12 and June 27,
2025.
Over 80 different hacktivists are "actively conducting or supporting" offensive cyber operations targeting Israel and its allies, according to Outpost24 KrakenLabs researcher Lidia López Sanz, highlighting the increase in hacktivist activity during the conflict.