The hacking campaign serves as a warning to many US critical infrastructure operators who have struggled to secure their systems despite years of federal exhortations. Iranian hacking groups have long looked for low-hanging fruit-critical US computer systems sitting online that interact with oil and gas sites and water systems. This pattern of behavior was evident after Hamas attacked Israel on October 7, 2023, when US officials blamed hackers affiliated with Iran’s Islamic Revolutionary Guard Corps for a series of attacks on US water utilities that displayed an anti-Israel message on equipment used to manage water pressure.

Cybersecurity researchers have been warning about internet-facing ATGs for over a decade. In 2015, security firm Trend Micro put mock ATG systems online to see what kind of hackers would target them, and a pro-Iran group was quick to surface. A 2021 report from Sky News cited internal documents from the Islamic Revolutionary Guard Corps that singled out ATGs as a potential target for a disruptive cyberattack on gas stations, confirming long-standing intelligence regarding these specific vulnerabilities.

Iran’s cyber operations are accelerating. US intelligence agencies have long considered Iran’s cyber capabilities inferior to those of China or Russia. However, a string of opportunistic hacks of key US assets during the war suggests Iran is a capable and unpredictable adversary. Since the war began in late February, Tehran-linked hackers have caused disruptions at multiple US oil and gas and water sites, shipping delays at Stryker, a major US medical device maker, and have leaked the private emails of FBI Director Kash Patel.

Israeli organizations and citizens have also been heavily targeted by Tehran’s hackers during the latest war, while the US and Israeli military have used cyber operations to make their kinetic strikes more lethal. Yossi Karadi, head of Israel’s cyber defense agency, the National Cyber Directorate, told CNN that Iran’s cyber activity during the war has shown a significant increase in the scale, speed, and integration between cyber operations and psychological campaigns.

Although the Israel Defense Forces in March claimed to have struck a compound housing Iran’s Cyber Warfare headquarters, it is unclear how many Iranian cyber operatives, if any, were killed in that strike. Karadi, citing his agency’s mandate limited to cyber defense, would not comment on the matter but noted, from a defensive perspective, that in recent months, they are seeing some degradation in parts of the hostile cyber activity. He stated, "The bottom line is that Iranian actors are under pressure and are trying to strike wherever they find an opening in cyberspace."

Allison Wikoff, a director on PwC’s threat intelligence team with over a decade of experience tracking Iran-based threats, told CNN that the last 18 months have shown that Iran’s cyber operations in general "are now accelerating with faster iteration, more layered hacktivist personas, and likely AI-driven scaling for reconnaissance and phishing." She noted, "What’s notably new in their cyber playbook is the swift creation of ‘good-enough’ malware, including the destructive wiping types, complemented by assertive hack-and-leak campaigns against media, dissidents, and key US civilian infrastructure."

Part of that Iranian playbook is capitalizing on the wartime footing of an American media quick to pounce on claims made by all sides. Hackers associated with Iran’s intelligence ministry and paramilitary arm maintain a number of "hacktivist" personas through which they use Telegram to exaggerate their exploits, publish stolen material, and release promotional videos spliced to catchy music. One of the groups, calling itself Handala after a Palestinian cartoon character, taunted Patel while claiming it had breached the FBI’s "impenetrable" computer systems. In reality, the hackers got into Patel’s years-old Gmail emails.

"The fact that every Handala claim leads to people freaking out demonstrates that the operational reality of the threat Iran poses is something that both government agencies and vendors don’t seem to be able to articulate," said Alex Orleans, a cybersecurity researcher who has tracked Iran-linked hackers for years and leads threat intelligence at security firm Sublime Security.

Despite the string of hacks from Iran during the war, Orleans offered two reasons there haven’t been more. "The first is that Iran appears to have lacked the lines of access to deliver sustained effects, or we likely would’ve seen more incidents like Stryker," he told CNN. "The second is that the regime has clearly demonstrated its intention to endure, which further disincentivizes wanton cyber effects operations."

US Infrastructure Faces Heightened Cyber Risks

For some current and former US officials, the aggressive and unpredictable nature of Iranian cyber operations takes on added significance ahead of the midterm elections. In the 2020 election, federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), blamed Iran for a scheme that impersonated the far-right Proud Boys to try to intimidate voters. During the 2024 US presidential election, Iranian hackers breached the Trump campaign and sent internal documents from it to news organizations. Now, for the first election cycle in years, US military and intelligence officials have yet to activate a specialized team dedicated to detecting and thwarting foreign threats to elections.

The current situation suggests that while physical infrastructure like gas tanks may not suffer catastrophic failure, the strategic goal of Iran is to create psychological and economic pressure. Chris Krebs, who as CISA director in 2020 stood beside then-Director of National Intelligence John Ratcliffe as they warned the American public about Iranian and Russian influence operations, stated, "Between what we’ve watched Iran do in this war and what they ran in 2020, I’d be surprised if they sat the midterms out." He added, "My bet is on information operations, not attacks on election systems. That’s where the Russians and Chinese have gone, and for good reason. It’s cheap, it’s easy to scale with AI, and nobody’s paying a price for it." This trend indicates that future threats will likely focus on scalable, low-cost information campaigns rather than direct, disruptive physical attacks, leaving critical infrastructure operators to grapple with the uncertainty of evolving cyber threats without the immediate leverage of severe consequences for the perpetrators.