5 Essential Cybersecurity Measures to Protect Against Nation-State Hackers

Threats arising from Russia, China and Iran demand adopting heightened cyber defenses.


U.S. companies are on heightened alert for potential state-sponsored cyberattacks — particularly from Iranian government-affiliated actors and pro-Iran hacktivist groups. As a result, U.S. federal authorities, including the Department of Homeland Security (DHS), the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA), have issued warnings of a significant risk of cyber retaliation from nation-state actors in Iran. 

Nation-state cyberattacks are not new. U.S. businesses have been targeted by groups in Russia, China, and other countries for years. But despite ongoing warnings, the level of preparedness among U.S. companies varies significantly. With the current situation between the U.S. and Iran, federal agencies are actively urging organizations, particularly those in privatized critical infrastructure sectors like transportation, energy, and water, to adopt a heightened cyber-defense posture. 

Critical infrastructure companies are considered “soft targets” – entities that are easier for cybercriminals to attack because they don’t have strict cybersecurity policies and lack employees with deep cybersecurity skills and expertise. “Hard targets,” on the other hand – banks, government agencies, healthcare, and industrial organizations – are also potential targets and should bolster their cyber preparedness.

What Threats are Most Likely to Occur?

In recent years, Iran has significantly expanded its cyber capabilities, adopting a multi-layered, asymmetric warfare strategy. Cyber warfare is a prime example of asymmetric warfare, as nations or non-state actors with limited conventional military capabilities can launch disruptive, damaging cyberattacks against more powerful adversaries by targeting critical infrastructure, stealing sensitive data, or spreading disinformation, all at a relatively low cost and with potentially significant impact. 

As the weaker nation, Iran leverages its unique advantages, repeatedly demonstrating a willingness to use cyber tools against adversaries. Their common tactics include password spraying and multi-factor authentication “push bombing” to compromise networks and obtain credentials, and Distributed Denial-of-Service (DDoS) attacks aimed at overwhelming websites or services to cause disruption.

Additionally, they commonly launch highly targeted phishing campaigns designed to steal credentials or implant malware, and exploit publicly known vulnerabilities, taking advantage of unpatched systems.
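The two credential-focused tactics named above, password spraying and MFA push bombing, have distinctive shapes in authentication logs: one source failing against many accounts, and one account receiving a burst of MFA prompts. The following detection logic is an added example (not from the article); the log format, event names and thresholds are assumptions, and the sample log is constructed.

```python
# Detect password spraying and MFA push bombing in auth logs. Added example, not from the article.
from datetime import datetime, timedelta
# Constructed sample log: "<timestamp> <event> <user> <source-ip>" (field names are assumptions)
SAMPLE_LOG = """\
2024-06-01T09:00:01 LOGIN_FAIL alice 203.0.113.7
2024-06-01T09:00:02 LOGIN_FAIL bob 203.0.113.7
2024-06-01T09:00:03 LOGIN_FAIL carol 203.0.113.7
2024-06-01T09:00:04 LOGIN_FAIL dave 203.0.113.7
2024-06-01T09:00:05 LOGIN_FAIL erin 203.0.113.7
2024-06-01T09:06:00 LOGIN_OK alice 198.51.100.20
2024-06-01T10:00:00 MFA_PUSH_SENT grace 203.0.113.9
2024-06-01T10:00:20 MFA_PUSH_SENT grace 203.0.113.9
2024-06-01T10:00:40 MFA_PUSH_SENT grace 203.0.113.9
2024-06-01T10:01:00 MFA_PUSH_APPROVED grace 203.0.113.9
2024-06-01T11:00:00 MFA_PUSH_SENT heidi 198.51.100.21
"""

def parse(log):
    """Turn log text into (timestamp, event, user, ip) tuples."""
    return [(datetime.fromisoformat(t), e, u, ip)
            for t, e, u, ip in (line.split() for line in log.splitlines())]

def detect_bursts(rows, window, threshold):
    """rows: {key: [(ts, value)]}. Report keys where >= threshold distinct values fall in one window."""
    hits = {}
    for key, items in rows.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            vals = {v for t, v in items[i:] if t - start <= window}
            if len(vals) >= threshold:
                hits[key] = len(vals)
                break
    return hits

def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Spray: one source fails against MANY accounts, once each, so per-account lockout never fires."""
    fails = {}
    for ts, event, user, ip in events:
        if event == "LOGIN_FAIL":
            fails.setdefault(ip, []).append((ts, user))
    return detect_bursts(fails, window, min_users)

def detect_push_bombing(events, window=timedelta(minutes=2), min_pushes=3):
    """Push bombing: a burst of MFA prompts to ONE user; also report whether that user approved any."""
    pushes = {}
    for ts, event, user, ip in events:
        if event == "MFA_PUSH_SENT":
            pushes.setdefault(user, []).append((ts, ts))  # value = ts so each prompt counts once
    hits = detect_bursts(pushes, window, min_pushes)
    approved = {u for _, e, u, _ in events if e == "MFA_PUSH_APPROVED"}
    return {u: (n, u in approved) for u, n in hits.items()}
```

An approval inside a push burst is the outcome the tactic aims for, so treat that session as compromised rather than as a successful login.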

How Can Companies Protect Themselves?

CISOs and government agencies should always overprepare for a dedicated nation-state attack, enabling them to respond rapidly and improve their cybersecurity readiness, whether an attack is realized or not. Below are five critical steps that every company should take immediately to enhance its cyber preparedness and reduce its chances of attack.

  1. Educate and train the workforce to be better prepared. Employees must understand the common tactics employed by nation-state actors, such as sophisticated social engineering techniques like spear-phishing that leverages publicly available information, and emerging threats like deepfake voice or video impersonations designed to elicit sensitive data or unauthorized actions. Employees must also understand the potential for an “inside threat” and the critical role they play as the human firewall. Continuous simulated phishing, smishing (SMS phishing) and vishing (voice phishing) exercises can help test their vigilance and reinforce learned behaviors. It’s crucial to cultivate a strong security culture where reporting suspicious activity is encouraged and celebrated to ensure rapid identification and response to potential incursions.

  2. Protect “low-hanging fruit.” Managed Detection and Response (MDR) services, antivirus scanning/Endpoint Detection & Response (EDR), and Two-Factor Authentication (2FA) for every access point across the organization are critical, as nation-state attackers often seek the easiest path of entry.

    • MDR services offer 24/7 expert monitoring, proactive threat hunting, and rapid incident response, providing a level of protection that extends beyond what traditional antivirus alone can offer. This ensures continuous vigilance and quick containment of threats that bypass initial defenses.

    • Antivirus and EDR solutions can be deployed across all corporate devices, including executives’ personal devices. These tools should provide real-time scanning, behavioral analysis, and automated threat blocking, with regular updates to counter evolving malware.

    • 2FA or Multi-Factor Authentication (MFA) must be enforced for every single access point into the company's infrastructure. This includes email accounts, VPNs, cloud applications, internal systems, remote access tools, and even privileged accounts. MFA effectively neutralizes the threat of stolen passwords, a common tactic for initial access, by requiring a second verification method.

  3. Install the latest patches in a timely fashion. Unpatched software vulnerabilities are a primary vector for nation-state attacks. Organizations must implement a rigorous and timely patch management program, with processes to identify newly disclosed vulnerabilities and prioritize and deploy patches, especially for critical systems and internet-facing applications, as soon as they’re available. Automating patch deployment where feasible and maintaining accurate inventories of all software and hardware assets are essential components of this defense.

  4. Continuously scan entire IT infrastructures, applications, and devices for any known vulnerabilities. Beyond timely patching, organizations need an active and ongoing vulnerability management program.

    • Regular vulnerability scanning of networks, applications, cloud environments, and connected devices is necessary to identify misconfigurations, vulnerabilities and unpatched software. These scans should be comprehensive, covering internal and external-facing assets.

    • Periodic penetration testing, conducted by independent third parties, simulates real-world attack scenarios to uncover exploitable vulnerabilities that automated scans might miss. This includes testing web applications, APIs, wireless networks, and even social engineering resilience.

    • Attack surface management involves continuously mapping and understanding all digital assets accessible from the internet, identifying and closing unnecessary ports and services, and minimizing exposed attack vectors.

  5. Implement higher levels of scanning for incoming emails for phishing and smishing attacks. Email and messaging are the primary initial access vectors for nation-state actors. Organizations must deploy advanced threat protection beyond basic spam filters.

    • Advanced email scanning services should be configured to include sandboxing of attachments, URL rewriting and analysis for malicious links, and behavioral analysis to detect highly targeted spear-phishing attempts.

    • Robust email authentication protocols like DMARC, SPF, and DKIM must be examined and implemented to prevent email spoofing and ensure only legitimate senders can use your domain.

    • Threat intelligence feeds should be integrated to provide real-time updates on emerging phishing campaigns and known malicious indicators.

    • Protection must extend to smishing and vishing, as attackers increasingly diversify their communication channels. User training should cover these vectors, and, where possible, technical controls should extend to mobile devices.

    • Streamlined user reporting mechanisms for suspicious messages are crucial, allowing security teams to quickly analyze and block new threats.
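The email authentication bullet above says DMARC, SPF and DKIM records must be examined; what “examined” means in practice is checking the published TXT records for settings that leave spoofing possible. The audit below is an added example (not the article’s or any vendor’s code): the records are constructed for a hypothetical domain, with the weak set beside a hardened set, and a real audit would fetch them with DNS TXT lookups.

```python
# Audit SPF, DKIM and DMARC TXT records for weak settings. Added example, not the article's code.
# Records below are constructed for a hypothetical domain; real ones come from DNS TXT lookups.
WEAK = {
    "example.com": "v=spf1 include:_spf.example.net +all",
    "_dmarc.example.com": "v=DMARC1; p=none",
    "sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=",
}
HARDENED = {
    "example.com": "v=spf1 include:_spf.example.net -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
}

def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(record):
    """SPF: the terminal 'all' qualifier decides what happens to unlisted senders."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF: missing or malformed v=spf1 record"]
    if terms[-1] in ("+all", "all"):
        return ["SPF: '+all' authorizes every host on the internet to send as this domain"]
    if terms[-1] not in ("-all", "~all"):
        return ["SPF: no '-all' or '~all' terminator; unlisted senders are treated as neutral"]
    return []

def check_dmarc(record):
    """DMARC: p= tells receivers what to do with mail that fails SPF/DKIM alignment."""
    t = parse_tags(record)
    if t.get("v") != "DMARC1":
        return ["DMARC: missing or malformed v=DMARC1 record"]
    findings = []
    if t.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in t:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings

def check_dkim(record):
    """DKIM: an empty p= publishes a revoked key, so signatures cannot verify."""
    return [] if parse_tags(record).get("p") else ["DKIM: empty p=, key is revoked"]

def audit(records, domain):
    """Run all checks for one domain; an empty list means no weak settings found."""
    findings = check_spf(records.get(domain, "")) + check_dmarc(records.get("_dmarc." + domain, ""))
    for name, rec in records.items():
        if name.endswith("._domainkey." + domain):
            findings += check_dkim(rec)
    return findings
```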

Whether an attack originates from a state-sponsored group or the broader cybercriminal underworld, the time for U.S. companies to raise their defenses and prepare is now. While we’re currently under heightened alert, cybercriminals work diligently every day to cause disruption and financial harm. Taking the above actions is an investment in an organization’s overall cyber readiness, which will significantly improve its chances of avoiding a cyberattack today and in the future.
Dr. Chris Pierson is the Founder & CEO of digital executive protection firm, BlackCloak. Prior to BlackCloak, Chris served for over a decade on the Department of Homeland Security’s Privacy Committee and Cybersecurity Subcommittee, and is a Distinguished Fellow of the Ponemon Institute.
