Blumira Identifies 824 Iranian Cyber Incidents Over 21 Months
Security operations platform provider Blumira today released an intelligence assessment that tracked 824 security incidents attributed to Iranian threat actors over 21 months, providing insights into recent Iranian threat activity. Blumira serves roughly 18,000 organizations, and its observations closely align with recent government assessments.
Blumira documented 383 brute-force Remote Desktop Protocol (RDP) attempts, 27 attacks against Secure Shell (SSH, used for remote access) and 414 web application scans. These incidents all originated from 67 unique Iranian IP addresses. Zoe Lindsey, a director at Blumira, explained in an interview with Security Boulevard that they’re observing a wide range of attacks.
“We’re seeing a full court press, everything from disruption and publicity-grabbing headlines to, increasingly, their attacks narrowing and getting strategic about their targets. They’re targeting logistics, communications infrastructure and more often targeting [organizations] down the supply chain and hitting vendor partners that may be 200 or 300 people in size, who have a much smaller budget and lower levels of expertise to defend against these attacks,” Lindsey said.
Increasingly, Iranian cyber operations are closely tied to geopolitical tensions and the government’s strategic objectives. Tel Aviv University’s Institute for National Strategic Studies noted that Iranian cyber operations closely adjust to evolving geopolitical developments, with notable increases during periods of heightened tension.
For instance, recent operational surges followed U.S. sanctions on Iranian IRGC officials in February 2025 and military strikes on Iranian nuclear facilities. Check Point Software Technologies documented a 44% increase in global cyberattacks in 2024, with Iranian hackers specifically utilizing AI-enhanced disinformation campaigns during the U.S. presidential election.
This correlation demonstrates Iran’s integration of cyber operations into broader strategic planning, using digital capabilities to project power beyond conventional military limitations while maintaining plausible deniability, Blumira stated in its report.
Blumira’s security research lab has monitored Iranian reconnaissance patterns since June 2024, the company stated, and the correlation between cyberactivity spikes and geopolitical events is unmistakable:
- March 18-19, 2025: Blumira cited these dates as the highest Iranian activity it had ever recorded, with over 25,000 connections in a single day. This activity coincided with the DieNet hacktivist campaign that successfully targeted 61 U.S. organizations.
- February 6, 2025: Blumira witnessed a 30-fold increase over baseline activity following U.S. sanctions on Iranian IRGC officials.
- January 30, 2025: The first significant spike of 2025, aligned with new administration policy changes.
The Iranian cyberthreat has evolved significantly in recent years, becoming a substantial challenge. U.S. government agencies report that 120 hacktivist groups are active as of June 2025, with Iranian-affiliated threat actors conducting sustained campaigns against U.S. critical infrastructure. The Cybersecurity and Infrastructure Security Agency, the FBI, the Department of Defense Cyber Crime Center and the National Security Agency recently issued joint warnings about “increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events.”
Iranian threat actors have demonstrated capabilities that span destructive attacks, cyber espionage, influence operations and targeting of critical infrastructure. Recent operations have included 29 confirmed intrusions into U.S. industrial control systems between November 2023 and April 2024, as well as the targeting of 75 Unitronics PLC devices across multiple U.S. critical infrastructure sectors.
Operational Techniques and Capabilities Assessments
Iranian cyber operations demonstrate sophisticated technical capabilities adapted to exploit specific vulnerabilities in U.S. critical infrastructure. Current techniques include:
Industrial Control System Targeting: Iranian actors demonstrate proven capabilities to compromise programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) systems. CyberAv3ngers’ targeting of water utilities exploited Israeli-made Unitronics PLCs using default passwords and direct internet connections.
AI-Enhanced Social Engineering: APT35’s recent operations have incorporated artificial intelligence tools to generate convincing phishing messages and social engineering campaigns. These AI-enhanced techniques represent a significant evolution in Iranian social engineering capabilities.
Supply Chain Exploitation: Iranian groups target IT service providers to access downstream customers, leveraging trusted relationships to bypass security controls. This approach provides access to multiple victims through single compromise points.
Credential Harvesting and MFA Bypass: Current operations focus extensively on credential theft and multi-factor authentication bypass techniques. Iranian actors employ automated password-guessing tools, hash-cracking software and default manufacturer passwords to gain initial access.
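The automated password guessing described here is what shows up in Blumira’s count of brute-force RDP and SSH attempts. As an added example (not code from Blumira or its report), the following detection logic flags a source IP once its failed logons within a sliding window reach a threshold; the log format and IP addresses are constructed for the example.

```python
"""Detect brute-force logon attempts (RDP/SSH) by counting failed
logons per source IP inside a sliding time window.

The log lines are constructed for this example in a simplified
"timestamp service result src= user=" format; adapt parse_line()
to your own export (Windows 4625 events, sshd syslog, etc.)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: 203.0.113.5 hammers RDP with five user names in
# five seconds; 198.51.100.7 fails SSH twice, twelve minutes apart.
SAMPLE_LOG = """\
2025-03-18T10:00:01Z rdp FAIL src=203.0.113.5 user=administrator
2025-03-18T10:00:02Z rdp FAIL src=203.0.113.5 user=admin
2025-03-18T10:00:03Z rdp FAIL src=203.0.113.5 user=backup
2025-03-18T10:00:04Z rdp FAIL src=203.0.113.5 user=scan
2025-03-18T10:00:05Z rdp FAIL src=203.0.113.5 user=test
2025-03-18T10:00:09Z ssh FAIL src=198.51.100.7 user=root
2025-03-18T10:00:30Z rdp OK   src=192.0.2.10 user=jdoe
2025-03-18T10:12:00Z ssh FAIL src=198.51.100.7 user=root
"""

def parse_line(line):
    """Return (timestamp, service, failed, src_ip, user) for one log line."""
    ts, service, result, src, user = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, service, result == "FAIL", src.split("=", 1)[1], user.split("=", 1)[1]

def find_brute_force(log_text, threshold=5, window_seconds=60):
    """Return {src_ip: (service, failures_in_window, distinct_users)} for each
    source IP whose failed logons inside any window reach the threshold."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src_ip -> deque of (timestamp, user) failures
    alerts = {}
    for line in log_text.splitlines():
        ts, service, failed, src, user = parse_line(line)
        if not failed:            # successful logons do not count toward the window
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # evict failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (service, len(q), len({u for _, u in q}))
    return alerts

if __name__ == "__main__":
    for src, (svc, n, users) in find_brute_force(SAMPLE_LOG).items():
        print(f"ALERT brute force on {svc} from {src}: {n} failures, {users} distinct users")
```

The distinct-user count separates password spraying (many users, few attempts each) from a single-account brute force when tuning thresholds.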
Emerging Iranian Hacktivist Ops
Iranian-aligned hacktivist groups have demonstrated increased operational coordination and technical sophistication. DieNet, for instance, emerged in March 2025 and claimed 61 attacks against 19 U.S. organizations between March 11 and 17, targeting critical infrastructure sectors including finance, energy, transportation and telecommunications. The group’s operations correlate with geopolitical events, demonstrating strategic coordination with broader Iranian objectives.
Cyber Fattah has expanded operations beyond traditional Israel-centric targeting toward broader anti-U.S. and anti-Saudi messaging. The group’s activities align with wider regional tensions, suggesting coordination within Iran’s broader cyberwarfare strategy.
Intelligence assessments have identified more than 600 claims of cyberattacks across 100 Telegram channels from mid- to late June 2025. Unsurprisingly, Israel emerged as the most targeted country (441 attack claims), trailed by the United States with 69 claims. This represents an escalation in the tempo of hacktivist operations, coordinated with kinetic military operations.
Companies must prepare themselves by conducting essential security hygiene, including patching outdated systems, hardening configurations, shutting down unnecessary services, performing regular backups and protecting those backups, among other measures. “It’s important for organizations to understand that beyond the scary headlines, there are practical things they can do. The best step is to focus on their operational resilience and assess their risk, rather than just focusing on the threats out there. Address those risks early and catch issues before they become problems. That’s going to help defend against ransomware, as well as whatever else you’re seeing,” Lindsey said.