A joint cybersecurity advisory from United States and United Kingdom authorities has detailed how Iranian government-sponsored advanced persistent threat (APT) actors are leveraging cyber operations to support physical, kinetic military actions. The advisory was co-authored by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the UK’s National Cyber Security Centre (NCSC).
The report confirms that Iranian threat actors have been actively targeting critical infrastructure organizations within the United States and other nations. The intelligence gathered through these cyber espionage activities is then used to inform the planning of potential physical attacks. This marks a significant evolution in Iran’s cyber strategy, blending digital intelligence collection directly with conventional military and intelligence operations.
From Digital Intrusion to Physical Targeting
The advisory highlights a clear pattern where cyber activities are directly linked to Iran’s geopolitical and military objectives. Iranian APT groups, such as the one known as MuddyWater (also identified as Mercury or Mango Sandstorm), have been observed targeting sectors including telecommunications, defense, local government, and oil and gas. This group is known to be subordinate to Iran’s Ministry of Intelligence and Security (MOIS).
The information exfiltrated from these networks provides Iranian military planners with valuable intelligence. This data can be used to understand adversary capabilities, identify vulnerabilities, and select targets for kinetic strikes. The agencies report that this activity demonstrates a strategic shift from purely disruptive cyberattacks to a more integrated cyber-physical warfare doctrine.
Coordinated Efforts by State Intelligence and Military
The report underscores the close collaboration between Iran’s MOIS and the Islamic Revolutionary Guard Corps (IRGC). This synergy enables the IRGC to use cyber capabilities for operational planning. The advisory references past instances where the IRGC has used cyber tools to support its operations, including plots to surveil and assassinate former United States officials and Iranian dissidents abroad.
In response to these documented activities, the allied agencies have provided a list of mitigation strategies for organizations. These recommendations include the enforcement of strong password policies, the implementation of multi-factor authentication (MFA), and the use of network segmentation to limit the lateral movement of intruders. These measures are intended to harden defenses against the specific tactics, techniques, and procedures (TTPs) used by these Iranian APT actors.