APTs and Industrial Cybersecurity in the Wake of the Attack on Iran

Date: 2026-03-03

For the unfamiliar, advanced persistent threat groups, or APTs, are typically well-funded groups—in many cases funded by nation-states—that have the capability to conduct sophisticated attacks against complex infrastructure. You may have seen the names of certain APTs in relation to their advanced attacks; for example, the group called ELECTRUM targeted the Ukrainian power grid infrastructure in 2015 and 2016. Different cybersecurity companies also give these groups different names. For example, while Dragos has classified this group under the name ELECTRUM, Mandiant calls the same group Sandworm.

Regardless of what you call them, APTs are well resourced, have extremely advanced capabilities, are increasingly working together, and are very difficult to stop once they have you in their sights. I’ve been to many conferences and meetings where people have said that if an APT really wants to get you, there is very little you can do to stop it. But is that really true? End users are developing more sophisticated cyber resilience strategies that are certainly making life harder for these attackers. Yet, as I read in the recent Dragos annual threat report for OT cybersecurity, Dragos estimates that only about 10 percent of industrial and critical infrastructure facilities have the continuous monitoring capabilities needed to guard against cyber threats in general, not just APTs.

Another concerning thing about APTs is that because they tend to be funded by nation-states, their cyber campaigns are often the prelude to a kinetic attack or an attack by conventional military forces. This was the case in Ukraine, where Russia-backed APTs launched preemptive attacks against Ukrainian power, financial, governmental, and other critical infrastructure systems.

The Threat from Iran

Iranian-backed APTs have already been targeting oil and gas, manufacturing, power, and critical infrastructure in the US, Israel, and the Middle East. These threat actors operate under a coordinated strategy that combines state-sponsored APTs with hacktivist proxies, often focusing on Operational Technology (OT) and Industrial Control Systems (ICS) to cause disruption and economic damage. For example, following a trend established in late 2023, IRGC-affiliated actors have continued to target Unitronics Programmable Logic Controllers (PLCs) in US water and wastewater systems. In early 2026, reports emerged of hackers attempting to breach water utility systems, forcing them to rely on manual operations.

Actors like CyberAv3ngers and Charming Kitten are actively seeking “low-hanging fruit,” such as internet-exposed PLCs and Human-Machine Interfaces (HMIs). They frequently exploit default manufacturer credentials and unpatched vulnerabilities in industrial hardware. As of Monday, an Iranian-backed ransomware group known as Handala reportedly attacked Israel Opportunity Energy, an Israeli oil and gas exploration firm, but as of yet there is no confirmation of this beyond a post by the Handala group on X.

What End Users Should Do

The world of manufacturing and critical infrastructure, from upstream oil and gas to discrete manufacturing, still has a long way to go to develop true cyber resilience across all industry sectors. End users must continue to invest in monitoring and response solutions, conduct comprehensive cybersecurity assessments, and implement strong supply chain cybersecurity policies to ensure that their third-party partners across the software supply chain are also secure.

This also means following the recommendations outlined in the ISA 99/ISA 62443 series of standards, as well as staying on top of the latest threat information from organizations like CISA, InfraGard, the various Information Sharing and Analysis Centers (ISACs), and other sources. As geopolitical tensions continue to heat up, manufacturing and critical infrastructure must take OT cybersecurity more seriously. It should also be noted that many IT-level attacks result in OT-level shutdowns, and the boundaries between IT and OT are fading, so we are also urging users to take a more holistic view of cybersecurity in their organizations to ensure that an IT-level compromise does not become an OT-level shutdown.

