Astaara on Iranian cyber capability - 12 March 2026
ASTAARA is West P&I's cyber security partner, providing specialist cyber risk intelligence, advisory and insurance solutions to the maritime and energy sectors.
Introduction
In this report we seek to put the cyber threat posed by Iran and its proxies into context. There is a concern that even if peace breaks out, the cyber threat from Iran will remain. We offer some guidance as to the steps our clients should take against some of the known capabilities. For the more technically minded, the latter half of this report will be of most interest; for readers with a purer geopolitical interest, the first half should suffice.
The beatings continue
The US military continues to pound Iran; Israel is hammering Hezbollah in Lebanon. Iran is responding with drones and missiles around the Gulf. The Straits of Hormuz are effectively blocked; vessels are idle and some national producers are declaring ‘force majeure’ as they cannot meet their contractual obligations. Prices of Brent and other crudes are see-sawing; VLCC charter costs have increased steeply; restrictions on Russian crude may be eased temporarily in a Faustian bargain possibly being struck between Presidents Trump and Putin.
Threat and Truth
While many call for peace, the White House continues to claim that a victory/surrender/ceasefire will be achieved soon, even though an ‘injured’ Mojtaba Khamenei remains unacceptable to the Trump Administration. For their part, the Iranians insist that surrender is not in their lexicon. The IRGC have stated that any – particularly US – vessels transiting the Straits will be welcomed with open fire (read arms, pun intended), and while the Iranian Government have apologised for bombing their neighbours, the inference was that the bombing was a predictable outcome and served them right for allowing the Great Satan to roam at will in their midst.
The Cyber dog isn’t barking…yet
The low volume of cyber activity is notable. Iran’s internet usage is down to 1% of pre-bombing levels. There has been some pro-Iranian activity on websites globally. But some observers have noted that the major threat actors aligned with Iran, principally APT34, APT33 and APT42, have been quiet. Too quiet. Either their operatives have been bombed out and killed along with their IRGC/MOIS paymasters; or their paymasters have been killed; or the leadership is not thinking about cyber at this moment, preferring to focus on staying alive. But if one considers that these APTs are a manifestation of a nation state’s will, they will return: are they down and out, or just waiting?
But the puppies are loose – and out of control?
One indication might be gleaned from what is happening at the lower level. There are a number of significant Tier 2 players, with serious pro-Tehran form, who remain active. The Top 4 are:
1. MuddyWater / Mercury / Mango Sandstorm (MOIS)
2. Cotton Sandstorm / Haywire Kitten (IRGC)
3. Pioneer Kitten / Parisite / Fox Kitten / Lemon Sandstorm
4. Void Manticore / Handala Hack Team (MOIS-linked)
These have been prepositioning in sectors of interest, e.g. infrastructure in the US, oil and gas in the Gulf, and Starlink access, and are known to have evinced intent immediately prior to the US attacks. Void Manticore is based outside Iran. Pioneer Kitten is known to be a primary threat to oil and gas. Cotton Sandstorm appears to target Israel. MuddyWater is a key and highly capable group which targets US infrastructure.
The concern is that these Tier 2 groups may have already been permitted to act autonomously in the absence of any central Command and Control (C2) from Tehran, and are readying to attack targets on their own recognisance. The currently very limited Iranian internet connectivity suggests that the C2 servers may be offline and that the groups will have to act alone. Although there is some element of plausible deniability, the launch by a proxy of a significant attack on US or allied infrastructure once the bombing had stopped would clearly damage Iran’s credibility and negotiating position. It is highly questionable that Tehran could turn off the Tier 2 groups even if it wanted to, absent a pax Tehrania. So, the concern of unilateral pro-Iranian cyber activity is real, long lasting and requires action.
What should you, our clients, be thinking?
Be prepared! There is a lot of capability in these groups; and if/when this escalates, more activity will be required. But in the immediate term, we recommend at the very least that IT and OT teams should be doing the following:
• Hunting for MuddyWater Remote Monitoring and Management (RMM) tool abuse: Audit all Atera, AnyDesk, Syncro, SimpleHelp, and NetBird installations. Any unauthorised RMM agent is a potential MuddyWater implant. Correlate with IOCs from Trellix and Symantec advisories.
• Validating OT/ICS segmentation: IT and Security to coordinate with vessel engineers to identify and protect ALL internet-facing OT systems. [If you deploy Unitronics PLCs, verify their passwords have been changed from default.] Isolate vessel OT and shoreside HVAC, water, and building automation from IT networks.
• Activating DDoS mitigation: Ensure upstream DDoS protections are pre-configured and tested. Do not wait for an attack to discover your mitigation is misconfigured.
• Blocking known IOCs: Deploy - or ensure you have already deployed - signatures in particular for WezRat, WhiteLock, IOCONTROL, BugSleep, UDPGangster, BellaCPP, and RedAlert APK. CISA joint advisory AA23-335A provides specific TTPs and detection guidance for CyberAv3ngers.
• Monitoring attempted spearphishing: NCSC and CISA have both issued detailed guidance about IRGC spearphishing attempts.
• Monitoring for IP camera access: Audit all internet-connected camera systems, particularly Hikvision and Dahua devices. Iranian actors are using these for battlefield intelligence collection, both targeting and battle damage assessment (e.g. in shopping malls, airports, and bus, train or ferry terminals where large numbers of civilians or armed forces personnel may be congregating, or materiel is being stockpiled prior to onward shipment).
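The RMM audit in the first recommendation can be made repeatable. The script below is an added example, not code from the Astaara report or West P&I: it assumes a software inventory export as CSV with columns host,product,publisher,install_date (every hostname, publisher and date in it is constructed), compares each install of the RMM products named above against a list of approved (host, product) pairs, and flags anything unapproved, prioritising agents installed after a chosen date.

```python
"""Audit a software inventory export for RMM agents not on the approved list.
Added example (not from the Astaara report). Assumes a CSV export with columns
host,product,publisher,install_date; all hosts, rows and dates are constructed."""
import csv
import io
from datetime import date

# RMM products named in the advisory; matched as substrings of the product name
RMM_PRODUCTS = {"atera": "Atera", "anydesk": "AnyDesk", "syncro": "Syncro",
                "simplehelp": "SimpleHelp", "netbird": "NetBird"}

# Constructed sample inventory (hostnames, publishers and dates are made up)
INVENTORY_CSV = """host,product,publisher,install_date
VSL-BRIDGE-01,Microsoft Office,Microsoft,2025-01-10
VSL-BRIDGE-01,AnyDesk,AnyDesk Software GmbH,2026-03-01
SHORE-OPS-07,Atera Agent,Atera Networks,2024-06-12
SHORE-OPS-07,SimpleHelp Remote Access,SimpleHelp,2025-09-14
ENG-WS-03,NetBird,NetBird,2026-03-02
ENG-WS-03,Syncro Agent,Syncro,2023-11-05
"""

# (host, product) pairs the IT team has formally approved; anything else is a finding
APPROVED = {("SHORE-OPS-07", "Atera"), ("ENG-WS-03", "Syncro")}


def classify_rmm(product_name):
    """Return the canonical RMM label for a product name, or None if it is not an RMM tool."""
    lowered = product_name.lower()
    for needle, label in RMM_PRODUCTS.items():
        if needle in lowered:
            return label
    return None


def find_unauthorised_rmm(inventory_csv, approved, recent_since):
    """List unapproved RMM installs; those installed on/after recent_since (ISO date) are high priority."""
    cutoff = date.fromisoformat(recent_since)
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        label = classify_rmm(row["product"])
        if label is None or (row["host"], label) in approved:
            continue
        installed = date.fromisoformat(row["install_date"])
        findings.append({"host": row["host"], "rmm": label, "installed": row["install_date"],
                         "priority": "high" if installed >= cutoff else "review"})
    # High-priority findings first, then by host so the report is stable between runs
    return sorted(findings, key=lambda f: (f["priority"] != "high", f["host"]))


if __name__ == "__main__":
    for f in find_unauthorised_rmm(INVENTORY_CSV, APPROVED, "2026-02-20"):
        print(f"{f['priority']:6} {f['host']:14} {f['rmm']:10} installed {f['installed']}")
```

Each finding should then be correlated with the Trellix and Symantec IOCs before the agent is removed, so that an actual implant is preserved for investigation rather than simply uninstalled.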