Update: Iranian-U.S./Israeli Hostilities Lead to Increased Threat Landscape
Overview
This is an update to the Cyber Heads-up we posted back on March 4, 2026, with detailed information about Iranian threat activity tied to ongoing U.S./Israeli operations.
Analysis
At the start of hostilities with Iran, we at Assura took proactive steps to identify and create alerts for known Iranian-sponsored Indicators of Compromise (IOCs). We did not want to wait for CISA or other threat intelligence sources to create the rules that would eventually make it into our Threat Intelligence Platform (TIP). Iran has long been known to be highly active in targeting U.S. and allied interests, and we felt it was imperative to get ahead of this potential threat.
Our Security Operations Center (SOC) team began conducting renewed research into known Iranian hacktivist groups, including Educated Manticore, Void Manticore, Mango Sandstorm, Charming Kitten, Static Kitten, MuddyWater, and others. Using several research tools, we compiled a list of additional known IP addresses and exploits that Iran is known to use.
We continued to add to the list as new information was found or provided by our intelligence-sharing partners and clients, including details on two attacks on U.S. airports attributed to MuddyWater in early February and March 2026. Once these CIDR blocks were entered into our TIP, our detection platform automatically conducted a retrospective analysis of historical traffic, and our team received alerts within minutes. The alerts were for attempted connections on several high-numbered TCP/IP ports, ranging from 4436 to 60205. Fortunately, none of the connection attempts were successful, and we were able to get the associated networks to blacklist the CIDR blocks to prevent any potential successful connections.
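As an added illustration of the retrospective sweep described above (example code written for this post, not Assura's detection platform), the snippet below rescans constructed firewall log lines against placeholder CIDR blocks, groups attempts by source, and flags any source whose connection was actually allowed so it can be triaged rather than merely blocked. The CIDR blocks and log lines are constructed from RFC 5737 documentation ranges and are not real indicators.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder CIDR blocks (RFC 5737 documentation ranges) standing in
# for the attacker-attributed blocks loaded into a TIP; these are NOT real IOCs.
IOC_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample firewall log: "timestamp src dst dport action" per line.
SAMPLE_LOG = """\
2026-03-05T02:11:09Z 203.0.113.17 10.0.0.5 4436 DENY
2026-03-05T02:11:12Z 203.0.113.17 10.0.0.5 60205 DENY
2026-03-05T02:14:40Z 192.0.2.44 10.0.0.7 443 ALLOW
2026-03-05T03:01:55Z 198.51.100.9 10.0.0.9 8443 ALLOW
2026-03-05T03:02:00Z 10.0.0.12 10.0.0.5 22 ALLOW
"""

def parse_line(line):
    """Split one log line into a dict with a parsed source address and int port."""
    ts, src, dst, dport, action = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
            "dport": int(dport), "action": action}

def in_ioc_cidrs(ip, cidrs=IOC_CIDRS):
    """True when the address falls inside any of the loaded CIDR blocks."""
    return any(ip in net for net in cidrs)

def retrospective_sweep(log_text, cidrs=IOC_CIDRS):
    """Re-scan historical connection logs against newly added CIDR blocks.
    Returns, per matching source: ports touched, attempt count, and whether any
    attempt was ALLOWed (a successful connection needs host triage, not just a block)."""
    hits = defaultdict(lambda: {"ports": set(), "count": 0, "allowed": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if in_ioc_cidrs(ev["src"], cidrs):
            h = hits[str(ev["src"])]
            h["ports"].add(ev["dport"])
            h["count"] += 1
            if ev["action"] == "ALLOW":
                h["allowed"] = True
    return dict(hits)

if __name__ == "__main__":
    for src, h in retrospective_sweep(SAMPLE_LOG).items():
        status = "SUCCESSFUL - investigate destination host" if h["allowed"] else "blocked"
        print(f"{src}: {h['count']} attempt(s) on ports {sorted(h['ports'])} [{status}]")
```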
We are also sharing what we found in Open Threat eXchange (OTX) so the community can benefit from knowledge about these IOCs.
Assura’s Continued Actions
Assura continues to actively operationalize intelligence on Iranian tactics, infrastructure, and malware to build tailored detections, conduct proactive threat hunting, and prepare incident response playbooks across endpoint, network, and identity layers.
Assura’s Recommendations
Assura continues to recommend that organizations take the following actions:
- Identity & access hardening
  - Ensure MFA is enforced wherever possible for remote access and key applications.
  - Provide your security team with information about any high-value accounts, systems, or new remote access pathways so they can prioritize detections around them.
- External exposure review
  - Confirm that your security team has visibility into your internet-facing systems (VPNs, portals, web apps, email gateways).
  - Share any recent changes (new sites, new SaaS, new OT/ICS exposure) so your security teams can align coverage.
- Phishing & user vigilance
  - Reinforce phishing awareness internally. When in doubt, have your users escalate suspicious emails to your security team for investigation and, if needed, remove messages and check for account compromise.
- Incident response readiness
  - Validate who your internal incident decision-makers are and how to reach them quickly.
  - Your security team can help you review or test IR runbooks for ransomware/wipers, account compromise, and social media/communication hijacks.
Conclusion
If you are an Assura client, please do not hesitate to reach out to your Virtual ISO or Assura Concierge if you have questions about this threat activity or how you can better defend against it. Otherwise, please contact us using the Contact form on our website.
*** This is a Security Bloggers Network syndicated blog from Assura, Inc. authored by Assura Team. Read the original post at: https://www.assurainc.com/blog/update-iranian-u-s-israeli-hostilities-lead-to-increased-threat-landscape/