Important note: This blog was written on June 27, 2025. Threat intelligence and geopolitical circumstances may have evolved since publication.
As tensions escalate in the Middle East, particularly involving Iran, the U.S., and Israel, state and local government security teams are being urged by CISA, the FBI, and CIS to “go shields up.” Fortunately, this doesn't necessitate deploying new technologies; reinforcing fundamental cybersecurity practices remains the most effective defense.
Who you’re up against: Persistent, patient, and targeting government
Iranian-aligned cyber actors are not your typical ransomware groups. They are methodical, patient, and experienced in maintaining undetected access across long timelines. These adversaries have successfully targeted critical infrastructure, government networks, and service providers in past campaigns, using stealth over speed and persistence over noise.
They rely on well-rehearsed playbooks to establish footholds and move laterally, often without triggering alerts. The most valuable lesson: they succeed when identity controls fail.
What they target and why
Several advanced persistent threat groups operating on behalf of or aligned with the Iranian government are actively targeting U.S. systems:
- APT33 uses custom malware to infiltrate communications and industrial systems.
- APT34 affiliated with the Iranian Ministry of Intelligence and Security, has targeted financial institutions, government agencies, and the energy sector with credential harvesting and reconnaissance campaigns.
- APT35 conducts credential phishing and social engineering campaigns targeting U.S. political and policy figures.
- UNC757 acts as an access broker, collaborating with ransomware groups like ALPHV and BlackCat.
- CyberAv3ngers recently compromised over 75 U.S. water infrastructure devices, defacing control panels with anti-Israel messaging.
These groups focus on critical systems like programmable logic controllers and public sector infrastructure. They rely on credential-based access, not advanced zero-days, and show particular interest in environments using Israeli-manufactured equipment, often driven by geopolitical motives.
The entry point they exploit: your credentials
These threat groups are not breaking down the door, they are logging in. Their preferred method is credential harvesting and brute force login attempts targeting Microsoft 365, VPNs, and on-prem Windows environments.
While these actors often prefer credential-based access, several Iranian APTs—including APT35—have quickly exploited high-profile vulnerabilities like Log4Shell and ProxyShell. This dual approach makes layered defenses essential.
The emphasis on identity gives defenders a critical advantage: if you can harden access and reduce exposed credentials, you significantly reduce their ability to operate.
What you should do now: Eight high-impact defensive moves
These are the same tactical moves we’re recommending across state and local government environments today. They don’t require a new stack, just focused attention on the right pressure points:
- Tighten login security: Block and alert on multiple failed login attempts. Yes, the volume of alerts can be overwhelming, but temporarily tuning to catch brute force or credential stuffing activity can make all the difference.
- Implement conditional access for sensitive accounts: Require access only from managed or trusted devices. This approach creates layered authentication without disrupting workflows.
- Strengthen VPN access controls: Restrict which IP ranges can be accessed when on VPN. Consider excluding credentialing assets, but test carefully.
- Clean up and harden service accounts: Move to service principals where possible (reduces credential exposure). Review all service applications and remove anything suspicious.
- Test identity detection capabilities: Validate your ability to alert on key identity events: creation of new admin accounts, privilege escalation, and changes to existing admin roles.
- Prioritize Windows vulnerability patching: Update Windows servers—especially versions 2016 and earlier—as operationally feasible. Patch high-risk vulnerabilities actively exploited by Iranian threat actors, including CVE-2021-44228 (Log4Shell), CVE-2021-34473/34523/31207 (ProxyShell), CVE-2019-0604, CVE-2024-24919, and CVE-2024-3400.
- Segment ICS and OT networks: Use VLANs and firewall rules to enforce segmentation in your operational technology environment. Implement where it won’t disrupt ongoing operations.
- Harden against phishing and impersonation attacks: Train users to recognize spear-phishing attempts, especially those themed around current geopolitical events or impersonating government entities. Use email authentication protocols (SPF, DKIM, DMARC) and advanced threat protection.
The defensive advantage: Identity security is the battlefield
Nation-state attackers do not need malware when they can log in. If your credentials are exposed, your identity perimeter becomes the attack surface. That includes your access policies, login protections, and monitoring. This is your true first line of defense.
Locking down identity does more than reduce risk. It forces attackers to work harder, and when they work harder, they make mistakes. That is when you detect them and that is how you win.
If you're assessing your readiness or need help identifying exposed identity assets or gaps in segmentation, NuHarbor can help. From advisory to hands-on validation, our team supports security programs with pragmatic, expert-led strategies.
Don't miss another article. Subscribe to our blog now.
