Iran-linked cyber activity targets US, allied institutions
Iran-linked cyber operations have increasingly targeted American individuals, companies and institutions using relatively simple hacking techniques powered by stolen credentials and widely available malware, according to a report and statements cited in US media.
The report alleges that operatives connected to Iran’s Islamic Revolutionary Guard Corps (IRGC) moved large sums of cryptocurrency in the aftermath of US and Israeli airstrikes on Iran on February 28, routing funds through multiple wallets linked to proxy groups including Hezbollah and the Houthis, as well as suspected regime-linked accounts.
The activity was described by cyber intelligence firm RAKIA as part of a broader pattern of financial and cyber operations, US media reports.
In the weeks that followed, Iran-linked hacker groups were accused of escalating cyberattacks against US-linked targets. Among the incidents cited were a reported breach of the email account of FBI Director Kash Patel, the disruption of operations at US medical device manufacturer Stryker, and the defacement of the website of Yeshiva World News, an Orthodox Jewish media outlet in the United States.
The hacker collective Handala, which US authorities have linked in previous assessments to Iran’s Ministry of Intelligence and Security, has claimed responsibility for some of the incidents. The group has also been accused of issuing threats against journalists and dissidents, according to US Justice Department documentation referenced in the report.
Cybersecurity analysts cited in the report say many of the operations relied on stolen login credentials obtained through “infostealer” malware, a widely available type of malicious software that harvests passwords and other data from infected devices. These credentials are often traded on underground online marketplaces, which can be accessed by a range of actors, including state-linked groups.
The report also referenced claims that cyber intrusions may have been used to support military targeting, including allegations that data stolen from a port in Fujairah in the United Arab Emirates was transferred to Iran-linked missile units prior to a strike. Those claims have not been independently verified, though regional officials have confirmed cyberattack activity targeting critical infrastructure.
The United Arab Emirates has separately reported a significant rise in daily cyberattack attempts, with officials estimating hundreds of thousands of incidents per day in recent months.
US officials and cybersecurity experts have previously warned that Iran-linked actors are increasingly blending cyber espionage, financial activity and disruptive attacks. The Justice Department has pursued sanctions and indictments against individuals and networks allegedly involved in such operations.
By Aghakazim Guliyev