“`html
State-sponsored threat actors from Iran have amplified their cyber offensives against essential infrastructure in the United States, witnessing a staggering 133% rise in malicious activity documented during May and June 2025.
This intensification aligns with increased geopolitical strains related to the recent Iranian conflict, as cybersecurity experts monitor a synchronized initiative aimed primarily at the Transportation and Manufacturing industries within American firms.
The upsurge in assaults indicates a notable alteration in Iranian cyber warfare tactics, with threat intelligence insights unveiling 28 recorded incidents over the two-month duration, a marked increase from merely 12 attacks in the preceding quarter.
This assertive initiative has triggered prompt alerts from the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Homeland Security, emphasizing the urgent necessity for improved security protocols across industrial and critical infrastructure entities.
Analysts from Nozomi Networks Labs recognized six notable Iranian Advanced Persistent Threat (APT) groups orchestrating these elaborate attacks: MuddyWater, APT33, OilRig, CyberAv3ngers, FoxKitten, and Homeland Justice.
The threat actors have shown exceptional determination and technical acumen, utilizing a variety of attack methods specifically designed to compromise operational technology settings and industrial control frameworks.
MuddyWater surfaced as the most active threat actor during this offensive, successfully infiltrating at least five distinct U.S. firms chiefly within the Transportation and Manufacturing domains.
APT33 closely followed, targeting three separate American entities, while OilRig, CyberAv3ngers, FoxKitten, and Homeland Justice each managed to breach no fewer than two U.S. companies within the observed timeframe.
Malware Reutilization and Infrastructure Persistence
A particularly alarming trend involves CyberAv3ngers’ choice to redeploy command and control infrastructure used in earlier campaigns.
Security analysts uncovered that the group intentionally reused an IP address previously associated with the implementation of OrpaCrab, also recognized as IOCONTROL malware, initially detected in December 2024.
This malware, focused on operational technology, poses a severe risk to industrial settings, capable of manipulating programmable logic controllers and other essential industrial systems.
The reutilization of infrastructure signifies a strategic approach to resource management while potentially reflecting confidence in their operational security protocols.
Organizations are urged to keep an eye out for signs of compromise, including the IP addresses 159.100.6[.]69, 169.150.227[.]230, and 95.181.161[.]50, amongst other malicious infrastructures identified in ongoing threat intelligence efforts.
The post Iranian APTs Hackers Actively Attacking Transportation and Manufacturing Sectors appeared first on Cyber Security News.
“`