www.securitymagazine.com/articles/101737-iranian-cyber-actors-may-target-entities-of-interest-in-us-warns-cisa

Iranian Cyber Actors May Target “Entities of Interest” in US, Warns CISA

July 2, 2025

The Cybersecurity & Infrastructure Security Agency (CISA), in conjunction with the Department of Defense Cyber Crime Center (DC3) and the National Security Agency (NSA), has issued a warning regarding Iranian cyber actors.

According to the notice, Iranian cyber actors may target networks in the United States, including “entities of interest.” The agencies encourage U.S. entities, especially those involved with critical infrastructure, to bolster their security against Iranian state-sponsored or affiliated actors. CISA also assesses that Defense Industrial Base organizations, particularly those with relationships to Israeli defense and research firms, are at higher risk.

However, as of June 30, 2025, CISA has not observed evidence of a coordinated campaign against the U.S. that is attributable to Iran. Nevertheless, organizations are urged to be proactive in security measures.  

Security Leaders Weigh In

James Maude, Field CTO at BeyondTrust:

Securing remote access remains one of the top priorities for many organizations, especially in high-risk OT and ICS environments, which need to be kept well away from the public internet. Organizations need to think about how to securely manage privileged access into their critical environments, ensuring that employees, vendors and third parties have just the access and permissions needed to do their job without additional risk exposure. This can be combined with real-time monitoring and controls to audit and terminate access in the event of identity compromise. Relying on VPNs or Remote Desktop alone is not enough and risks introducing additional attack vectors.

Beyond remote access an important defense is to reduce standing privileges in the environment so that in the event an identity is compromised the ‘blast radius’ is limited. This is especially important in the age of identity attacks and hybrid environments where one compromised identity can open up paths to privileged access on dozens of systems on-prem and in the cloud that organizations weren’t aware of.

Organizations need to look beyond siloed views of obviously privileged identities in individual systems and take a holistic view of the combinations of privileges, entitlements and roles that could be exploited by an attacker to elevate privilege, move laterally and inflict damage. The identity security debt accumulated by many organizations represents a far greater risk than any other area, as it only takes an attacker logging in with the right identity and all is lost because of the paths to privilege that abound in their environment.

Understanding and reducing your identity attack surface should be at the forefront of every organization's thinking when it comes to cyber defense in 2025.

Bryan Cunningham, President at Liberty Defense:

The Iranian regime may be battered, but they’re not defeated.

There are at least two scenarios in which they might lash out at the West, and the U.S. in particular:

  1. To retaliate for U.S. strikes on their nuclear infrastructure and try to show their allies (Russia and China) they are still able to fight. In this scenario, cruise missiles, suicide bombings, or other kinetic attacks are likely to be directed at military facilities and other U.S. interests in the Middle East, and cyber-attacks against U.S. infrastructure at home; OR
  2. If they feel their survival is threatened, they could activate “sleeper cells” in the U.S. and/or try to inspire “lone wolf” actors here. We do not know how prevalent these cells or actors might be or whether sleeper cells would sacrifice themselves for a possibly dying regime.

In either case, the risk — cyber and physical — is higher today than at any recent time. Americans, at home and abroad, should be acutely aware of their surroundings and be especially vigilant at public gathering places, e.g., synagogues, churches, government events, and large entertainment or sports venues. 

Randolph Barr, Chief Information Security Officer at Cequence Security:

We live in a time where cyberattacks are no longer isolated to the countries directly involved in geopolitical conflict. In the case of Iran, it’s not just about their known cyber capabilities, it’s about the broader network of proxy actors and aligned nations who may view recent U.S. actions as justification for retaliation. This dramatically increases the likelihood that the U.S. and its allies will become targets of cyberwarfare, especially from adversaries seeking to exploit regional instability.

Iran has historically demonstrated a strong capability in cyber operations, often leveraging credential theft, social engineering, and access via federated identity systems. What makes their tactics especially dangerous is their tendency to abuse federated and third-party access, essentially exploiting trusted relationships and integrations to move laterally and persist undetected.

In light of the recent warnings, companies should focus on the following priorities:

  • Review federation controls and third-party integrations: Ensure identity federation (SSO, SAML, OAuth) is hardened and validate that third-party applications only have the minimal access required
  • Implement MCP-style continuous session validation: Move beyond one-time authentication and continuously verify trust throughout a session
  • Simulate geopolitical threat scenarios: Test your incident response and business continuity plans against scenarios involving nation-state tactics, particularly those aligned with Iran’s known behaviors
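Two of the comments above point at the same underlying check: Maude's "paths to privilege" that link one compromised identity to dozens of systems, and Barr's concern that third-party integrations are abused to move laterally. The script below is an added example, not code from the article or from any of the vendors quoted, showing how such an audit works on a small, entirely constructed entitlement inventory: every node, edge, and name (the hypothetical `svc-backup` account, the `vendor-remote-support` app, the `dc01` tier-0 host) is made up for illustration. Each edge means "whoever controls the left side can obtain control of the right side"; a breadth-first search then reports, per identity, the shortest chain to a tier-0 asset and the size of its blast radius, and a second run shows how removing one standing privilege (a cached service credential) cuts the path.

```python
"""Identity attack-path audit over a constructed entitlement graph.

Hypothetical data: every node and edge below is invented for illustration.
An edge (a, b) means "whoever controls a can obtain control of b".
"""
from collections import defaultdict, deque

# Assets whose compromise means the environment is lost (hypothetical).
TIER0 = {"host:dc01"}

# Constructed inventory of entitlements, as an exporter from AD, a cloud IAM
# and a remote-access tool might produce after normalisation.
ENTITLEMENT_EDGES = [
    ("user:alice", "group:helpdesk"),
    ("group:helpdesk", "user:bob"),                  # helpdesk can reset bob's password
    ("user:bob", "group:server-admins"),
    ("group:server-admins", "host:jump01"),
    ("host:jump01", "user:svc-backup"),              # svc-backup credential cached on jump01
    ("user:svc-backup", "role:backup-operators"),
    ("role:backup-operators", "host:dc01"),          # backup operators can read DC secrets
    ("app:vendor-remote-support", "host:ot-jump"),   # third-party remote-access integration
    ("host:ot-jump", "user:svc-backup"),             # same standing credential reused here
    ("user:carol", "role:cloud-reader"),
]


def build_graph(edges):
    """Adjacency map: node -> set of nodes it grants control over."""
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
    return graph


def shortest_path(graph, start, targets):
    """BFS for the shortest entitlement chain from start to any target, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in targets:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def blast_radius(graph, start):
    """Everything an attacker holding `start` can eventually control."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def principals(edges):
    """Identities worth auditing: users and third-party apps that hold entitlements."""
    return sorted({s for s, _ in edges if s.split(":")[0] in ("user", "app")})


def audit(edges, tier0=TIER0):
    """Per principal: shortest path to a tier-0 asset (or None) and blast-radius size."""
    graph = build_graph(edges)
    return {
        p: {
            "path_to_tier0": shortest_path(graph, p, tier0),
            "blast_radius": len(blast_radius(graph, p)),
        }
        for p in principals(edges)
    }


def without(edges, *removed):
    """The same inventory with the given standing privileges taken away."""
    return [e for e in edges if e not in removed]


if __name__ == "__main__":
    for label, edges in (
        ("before", ENTITLEMENT_EDGES),
        # Remediation: stop caching svc-backup on both jump hosts and re-run.
        ("after", without(ENTITLEMENT_EDGES,
                          ("host:jump01", "user:svc-backup"),
                          ("host:ot-jump", "user:svc-backup"))),
    ):
        print(f"--- {label} ---")
        for p, r in audit(edges).items():
            chain = " -> ".join(r["path_to_tier0"]) if r["path_to_tier0"] else "(no path)"
            print(f"{p:28} radius={r['blast_radius']:2}  {chain}")
```

In the constructed data the helpdesk user and the vendor's remote-support app both reach the tier-0 host through the one cached `svc-backup` credential; removing that single standing privilege leaves both with no path, while the backup account keeps the direct access it legitimately needs. The point of running the audit as a graph query rather than reading each system's admin list is exactly the one Maude makes: none of the intermediate hops looks privileged on its own.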

Shane McGee, General Counsel and Chief Privacy Officer at Deepwatch:

There is a need for increased vigilance against potential cyber-attacks by Iran and Iran-aligned proxies and interests. Iran is a formidable cyber adversary that has been successfully attacking governments and private interests all over the world for well over a decade. Iran is known to actively support and cooperate closely with groups such as Hezbollah and Hamas, each with separate offensive cyber capabilities, and its ability to launch damaging attacks should not be underestimated. Other groups sympathetic to Iran, or even unaligned opportunists, could also take advantage of the current conflict to launch their own attacks.

With the recent outbreak of hostilities, Iran is likely to be less concerned about the consequences of its actions in the cyber realm, increasing the danger of large-scale attacks. The prospect of Iran combining cyber-action with physical attacks makes the situation even more unpredictable. We encourage our customers to enhance their cybersecurity posture and, if in a vulnerable geography or associated with a targeted group, to also consider taking physical precautions.