Over 60 Hacktivist Groups Target Industrial Systems After Iran-US Escalation, CloudSEK Warns
2026-03-09
More than 60 hacktivist groups mobilized within hours of the February 28 escalation in the Iran-U.S. conflict, raising the risk of cyberattacks targeting industrial control systems (ICS) and other critical infrastructure, according to new research from CloudSEK.
In its latest threat assessment, CloudSEK said the conflict has intensified an already growing cyber threat to operational technology (OT) environments rather than creating a new one. The report examines the threat actors involved, the methods used to compromise industrial systems and the scale of the exposed attack surface.
Researchers said critical infrastructure—including water utilities, energy facilities and fuel systems—has become a primary retaliation target because disruptions can create immediate civilian impact while avoiding direct military engagement.
One of the main risks stems from the large number of internet-exposed ICS devices. CloudSEK cited estimates showing more than 40,000 such devices are reachable online in the United States, many of them using weak or default credentials.
The report also notes that Iranian-linked cyber activity targeting industrial environments is not new. In previous incidents, attackers compromised dozens of ICS devices and infiltrated critical infrastructure networks. Some campaigns have even demonstrated the ability to remain inside systems for extended periods before detection.
Among the advanced threat groups identified as capable of targeting industrial systems is APT33—also known as Elfin—which has historically focused on sectors such as energy, oil and gas, aerospace and defense. The group has been linked to sophisticated industrial malware operations in the past.
CloudSEK said attackers can reach industrial environments through multiple pathways. These include directly exploiting internet-exposed ports, compromising employees through phishing campaigns or gaining access to corporate IT systems that connect to operational technology networks.
The company warned that the scale of the threat is driven less by the sophistication of individual attackers and more by the growing number of motivated actors combined with a large and vulnerable attack surface.
Security analysts say even a single successful disruption—such as shutting down a water treatment plant or power substation—could have significant political and economic consequences, amplifying the strategic impact of cyber operations linked to geopolitical conflicts.
CloudSEK urged organizations operating critical infrastructure to strengthen security around operational technology systems and not wait for specific threat intelligence before implementing protective measures.
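The three conditions the report singles out, ICS services reachable from the internet, weak or default credentials, and corporate IT hosts that can reach OT networks, can be checked mechanically against an asset inventory. The following script is an added example written for this page, not code from CloudSEK or the article; the device records, the OT address range, the default-credential list and the 12-character password threshold are constructed assumptions for the example, and it uses "outside RFC 1918 space" as a proxy for internet exposure rather than a live external scan.

```python
"""Added example (not code from the CloudSEK report or the article): a small
inventory audit that flags the conditions the report describes as driving risk:
ICS services on non-private addresses, weak or default credentials, and OT
devices reachable from networks outside the OT segment. Every address,
credential and device below is constructed for the example."""
import ipaddress
from dataclasses import dataclass

# Well-known ICS/OT protocol ports (standard assignments).
ICS_PORTS = {
    102: "S7comm",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# RFC 1918 ranges: a service bound to an address outside them is treated as
# externally reachable. A real audit would confirm this with an external scan
# rather than inferring it from the address alone.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed assumption: the organization's OT segment.
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed set of vendor-default username/password pairs. A real check
# takes these from the vendor documentation for each device model.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""),
                       ("root", "root"), ("operator", "operator")}

MIN_PASSWORD_LENGTH = 12  # policy threshold assumed for the example


@dataclass
class Device:
    name: str
    address: str                # address the protocol/management service listens on
    open_ports: list[int]
    username: str
    password: str
    reachable_from: list[str]   # source networks the firewall allows to reach it


def in_any(ip, networks):
    return any(ip in net for net in networks)


def audit_device(dev: Device) -> list[str]:
    """Return the findings for one device; an empty list means nothing flagged."""
    findings = []
    ip = ipaddress.ip_address(dev.address)

    # 1. ICS protocol service bound to a non-private address.
    exposed = sorted(p for p in dev.open_ports if p in ICS_PORTS)
    if exposed and not in_any(ip, PRIVATE_NETWORKS):
        names = ", ".join(f"{p}/{ICS_PORTS[p]}" for p in exposed)
        findings.append(f"ICS service on public address: {names}")

    # 2. Credentials: vendor default first, then a minimal strength check.
    if (dev.username, dev.password) in DEFAULT_CREDENTIALS:
        findings.append("default credentials in use")
    elif len(dev.password) < MIN_PASSWORD_LENGTH:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")

    # 3. IT-to-OT pathway: an OT device reachable from a non-OT source network.
    if in_any(ip, OT_NETWORKS):
        for src in dev.reachable_from:
            src_net = ipaddress.ip_network(src)
            if not any(src_net.subnet_of(net) for net in OT_NETWORKS):
                findings.append(f"reachable from non-OT network {src}")
    return findings


def audit_inventory(devices):
    """Map device name -> findings, for devices with at least one finding."""
    result = {}
    for dev in devices:
        findings = audit_device(dev)
        if findings:
            result[dev.name] = findings
    return result


# Constructed inventory for the example.
INVENTORY = [
    Device("plc-pump-01", "203.0.113.20", [502, 80], "admin", "admin", ["203.0.113.0/24"]),
    Device("rtu-substation-07", "10.20.4.15", [20000, 22], "operator",
           "Sub7-Telemetry-2026!", ["10.20.0.0/16", "10.50.0.0/16"]),
    Device("hmi-water-03", "10.20.9.2", [102, 3389], "engineer", "summer24", ["10.20.0.0/16"]),
    Device("plc-boiler-02", "10.20.11.40", [502], "svc_plc",
           "correct-horse-battery-staple", ["10.20.0.0/16"]),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run as a script it prints one block per flagged device: the pump PLC is flagged twice (Modbus on a public address and vendor-default credentials), the substation RTU once for a firewall rule that admits a corporate range into the OT segment, and the water HMI once for a short password; the boiler PLC passes. The address-range proxy is the weakest part of the check, which is why the comment tells you to confirm exposure with an external scan.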
The findings highlight growing concerns among cybersecurity researchers that geopolitical tensions are increasingly spilling into cyberspace, where industrial systems represent high-impact targets.