Iran-Linked Hackers Intensify Attacks on U.S. Critical Infrastructure

Washington | As geopolitical tensions escalate between Iran and Western nations, cybersecurity experts report a significant uptick in activity from a long-standing Iranian hacking group. This group has increasingly targeted digital networks associated with critical infrastructure in both the United States and Canada.

The hacking group, commonly referred to as Seedworm, has been detected infiltrating multiple systems since early February 2026. Threat intelligence researchers indicate that this campaign likely commenced weeks prior to the military conflict that erupted following coordinated strikes by the United States and Israel on February 28, fundamentally shifting the strategic dynamics in the region.

Analysts suggest that the timing of these intrusions indicates a premeditated effort rather than spontaneous reactions. Attackers appear to have established footholds within high-value networks over an extended preparation period.

Seedworm is characterized as an advanced persistent threat group linked to Iran’s Ministry of Intelligence and Security. Over nearly a decade, the group has gained notoriety for conducting espionage operations across various sectors, including government, telecommunications, defense, and energy. Recent findings suggest that their latest activities may now extend to organizations involved in financial services, transportation infrastructure, and the aerospace industry.

Long-Running Cyber Campaign Expands Its Reach

Seedworm has been operational since at least 2017 and is known by several aliases, including MuddyWater, Temp Zagros, and Static Kitten. The group has progressively broadened its targeting beyond the Middle East.

Investigators have identified that Seedworm has compromised or attempted to breach the networks of a U.S. bank, a major airport, a software company with connections to the defense and aerospace sectors, and several non-governmental organizations in North America. In one notable incident, the attackers showed particular interest in the Israeli operations of a multinational software firm. Analysts believe the group may have leveraged this company’s international infrastructure to navigate through interconnected networks.

The intrusions were already in progress before the latest military conflict, indicating that the hackers had embedded themselves within targeted systems well in advance. Cybersecurity specialists assert that this strategy is typical of state-aligned espionage operations, which prioritize long-term access over immediate disruption.

A Digital Battlefield Beyond Iran’s Borders

Despite disruptions to internet connectivity within Iran during the ongoing conflict, Western cybersecurity agencies caution that Iranian-linked cyber operations remain active. The United Kingdom’s National Cyber Security Centre has recently warned that Iranian state-aligned actors still possess the capability to conduct cyber activities, even amid domestic infrastructure challenges.

Experts attribute this resilience to the decentralized nature of contemporary cyber operations. Many groups maintain infrastructure or personnel outside their home countries, enabling them to continue their campaigns even if domestic networks experience outages.

In addition to Seedworm, other actors aligned with Iran’s geopolitical interests have ramped up their online activities. One such group, known as DieNet, emerged in 2025 and has claimed responsibility for distributed denial-of-service attacks targeting sectors such as energy, healthcare, finance, and transportation. These attacks have employed common disruption techniques, including TCP SYN floods, DNS amplification, and NTP amplification, generating traffic surges designed to overwhelm digital systems.

The convergence of espionage campaigns by state-linked groups and disruptive attacks by ideologically aligned hackers has created a complex threat landscape.

New Backdoors and Stealth Techniques

Investigators have noted that the most recent Seedworm campaign introduced several new tools aimed at maintaining persistent access within compromised networks. Among these are two previously identified backdoors, Dindoor and Fakeset.

Dindoor operates through Deno, a runtime environment for JavaScript and TypeScript. This unconventional platform may enable the malware to evade traditional security monitoring systems designed to detect more conventional tools. The second backdoor, Fakeset, is written in Python and has been deployed on networks associated with an airport and a non-profit organization.

Both tools were digitally signed with certificates linked to identities previously associated with Seedworm malware, providing further evidence connecting the activity to the group’s established infrastructure. Other components of the intrusion included a downloader named Stagecomp, which was utilized to deploy a separate malware tool previously attributed to the same hacking operation by major cybersecurity firms.

In at least one instance, attackers attempted to exfiltrate data from a compromised network using Rclone, a legitimate file-transfer program commonly employed for cloud storage synchronization. Researchers suspect the files were intended for a cloud storage service, although it remains uncertain whether the transfer was successful.

Critical Infrastructure Under Pressure

Cybersecurity experts emphasize that the latest wave of activity highlights the vulnerability of interconnected infrastructure systems. Banks, airports, healthcare providers, and energy companies increasingly rely on complex digital environments linked through global supply chains and shared software platforms. A compromise in one organization can potentially create access points into several others.

To mitigate such threats, security specialists recommend implementing a range of protective measures, including multi-factor authentication for remote access, monitoring unusual outbound data transfers, and restricting external cloud storage connections. They also stress the importance of maintaining secure offline backups to facilitate rapid recovery in the event of destructive cyberattacks.
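Two of the measures above, monitoring unusual outbound data transfers and restricting external cloud storage connections, can be turned into simple detection logic. The following is an added example, not code from the article or from any of the researchers it cites: it flags Rclone-style push commands in a process log (even when the binary has been renamed) and hosts whose outbound volume to cloud storage domains exceeds a baseline. The log formats, domain list, baseline and sample lines are constructed assumptions.

```python
"""Flag Rclone-style cloud exfiltration in constructed process and egress logs."""
import re
from collections import defaultdict

# Assumed list of cloud-storage endpoints an organization restricts (illustrative).
CLOUD_STORAGE_DOMAINS = {"drive.google.com", "api.dropboxapi.com",
                         "content.dropboxapi.com", "graph.microsoft.com", "mega.nz"}
# Assumed per-host baseline of outbound bytes to such domains (50 MiB).
BASELINE_BYTES = 50 * 1024 * 1024

# Constructed process log: "<ts> <host> <image_path> <command_line>".
# Line 1 is a renamed rclone binary pushing a share to a configured remote.
PROCESS_LOG = """\
2026-03-01T02:14:05Z WS-017 C:\\Users\\jdoe\\svc.exe svc.exe copy D:\\share remote:backup --transfers 16
2026-03-01T02:14:09Z WS-017 C:\\Windows\\System32\\cmd.exe cmd.exe /c dir
2026-03-01T09:30:00Z SRV-02 C:\\Tools\\rclone.exe rclone.exe config show
"""
# Constructed egress log: "<ts> <host> <destination_host> <bytes_out>".
EGRESS_LOG = """\
2026-03-01T02:15:00Z WS-017 content.dropboxapi.com 41943040
2026-03-01T02:20:00Z WS-017 content.dropboxapi.com 33554432
2026-03-01T08:00:00Z SRV-02 graph.microsoft.com 1048576
2026-03-01T08:05:00Z SRV-02 update.example.internal 94371840
"""

# rclone verbs that move data, and an rclone remote target "name:path"
# (a drive letter such as D:\ is excluded so plain file copies do not match).
_PUSH_VERB = re.compile(r"\b(copy|sync|move|copyto|moveto)\b", re.I)
_REMOTE_TARGET = re.compile(r"\s(?![A-Za-z]:[\\/])[\w.-]+:\S*")

def rclone_push_events(process_log: str) -> list:
    """Return (host, command_line) for commands shaped like an rclone push,
    matching on the command line rather than the image name so renamed copies
    of the binary are still caught."""
    hits = []
    for line in process_log.splitlines():
        _ts, host, _image, cmdline = line.split(" ", 3)
        if _PUSH_VERB.search(cmdline) and _REMOTE_TARGET.search(cmdline):
            hits.append((host, cmdline))
    return hits

def cloud_egress_outliers(egress_log: str, baseline: int = BASELINE_BYTES) -> dict:
    """Sum outbound bytes per host to cloud-storage domains; return hosts over baseline."""
    totals = defaultdict(int)
    for line in egress_log.splitlines():
        _ts, host, dest, nbytes = line.split()
        if dest.lower() in CLOUD_STORAGE_DOMAINS:
            totals[host] += int(nbytes)
    return {h: b for h, b in totals.items() if b > baseline}

def correlate(process_log: str, egress_log: str) -> list:
    """Hosts that both ran an rclone-style push and exceeded the cloud egress baseline."""
    pushers = {h for h, _ in rclone_push_events(process_log)}
    return sorted(pushers & set(cloud_egress_outliers(egress_log)))
```

Real deployments would feed the same two checks from EDR process telemetry and proxy or firewall logs, and tune the baseline per host role rather than using one fixed value.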

As geopolitical tensions spill into cyberspace, analysts observe that the line between traditional conflict and digital warfare is becoming increasingly blurred, with critical infrastructure systems often caught in the crossfire.

As reported by the420.in.