Presented by
Cracken

Iran Cyber Threat Briefing: Recent Operations in the Context of US-Iran Conflict

Google Meet
About Event

On April 7, the FBI, CISA, NSA, EPA, DOE, and Cyber Command issued a joint advisory warning that Iranian APT actors are exploiting programmable logic controllers across US critical infrastructure.

Victims in the energy, water, and government sectors experienced operational disruption and financial loss. The IOC timeframes in that advisory stretch back to January 2025.

That advisory didn't appear in a vacuum. In March, an MOIS-linked group wiped tens of thousands of devices at Stryker Corporation using the company's own device management platform. No malware was involved. Weeks before that, Symantec confirmed Seedworm — another MOIS unit — had been sitting inside the networks of a US bank, an airport, and a defense software contractor since early February. Before the first strike on Iran. And none of this started in 2026. The CyberAv3ngers compromised 75 Unitronics PLCs across US water systems in late 2023. Iran has been running offensive cyber operations against Western targets since Shamoon hit Saudi Aramco in 2012.

The current conflict accelerated the tempo. It didn't create the capability. These are funded programs with institutional mandates, established access, and tooling pipelines that operate on their own timelines. A ceasefire doesn't disband the units. It doesn't revoke the footholds they've already established in US networks.

Jesse Nuese, Head of Business Development at Cracken, will deliver a focused briefing covering what Iranian cyber operations actually look like right now, how the major incidents of the past two months connect, and what the pattern tells us about what comes next.


What this session covers

Iran's three-tier cyber architecture

IRGC units, MOIS APTs, and the hacktivist and proxy layer. Why this structure produces sustained capability independent of any single geopolitical trigger.

The campaign arc

From CyberAv3ngers through Seedworm pre-positioning, the Stryker wiper, and the April 7 PLC advisory. How the operations connect. What the progression reveals about intent and capability.

The TTP shift that matters

MDM weaponization. Legitimate configuration software used to access industrial controllers. Why these campaigns are built to look like normal administrative activity.

The validation gap

The April 7 advisory tells organizations to test their security controls against documented ATT&CK techniques. Most can't. What closing that gap actually requires.


Who this is for

CISOs, security directors, and OT security engineers at US organizations in energy, water and wastewater, healthcare, financial services, and defense supply chains.


Presented by

Jesse Nuese

Head of Business Development, Cracken
