Fortress Intelligence analysts break down the Iranian APT landscape, active malware campaigns, ICS vulnerabilities, and supply chain risks threatening U.S. critical infrastructure right now.
Since U.S. and Israeli forces launched airstrikes against Iran on February 28, 2026, the conflict has extended well beyond the battlefield. Iranian state-sponsored threat actors and pro-Iranian hacktivist groups are actively targeting U.S. critical infrastructure — including energy grids, water systems, fuel networks, and defense industrial base contractors. DDoS attacks, ransomware deployments, ICS intrusions, and supply chain exploitation are already underway. This is not a future risk. It is a present one. The Fortress Iran Conflict Report delivers the threat intelligence critical infrastructure operators and federal agencies need to understand what they are up against and how to respond.
The Fortress Iran Conflict Threat Report provides a comprehensive assessment of the cyber and kinetic threats stemming from the ongoing U.S.-Iran conflict, with a direct focus on risks to U.S. critical infrastructure, the defense industrial base, and global supply chains.
The report profiles the most active Iranian advanced persistent threat groups operating today, including APT33 (Peach Sandstorm), APT34 (OilRig), MuddyWater, CyberAv3ngers, Fox Kitten, UNC1549, and Imperial Kitten. Each group's tactics, techniques, procedures, and known malware families are documented — from the Tickler backdoor and IOCONTROL ICS cyberweapon to DROPSHOT/SHAPESHIFT wipers and the RustyWater Rust-based implant introduced in early 2026.
CyberAv3ngers' documented attack methodology relies on internet-exposed industrial control systems running default or weak credentials — not zero-day exploits. Thousands of Unitronics PLCs, Red Lion HMIs, and Orpak fuel automation systems remain publicly accessible. For energy, water, and fuel sector operators, this is the most immediate and actionable vulnerability in the current threat environment.
APT34's silence since the start of the conflict is the most significant intelligence signal in this report. The group's primary intrusion method is compromising targets through trusted third-party vendors, subcontractors, and partner relationships rather than attacking them directly. For defense sector organizations, the risk is that a tier-2 or tier-3 supplier in their network is already a compromised beachhead. UNC1549 has similarly surged its supply chain exploitation campaigns since mid-2024, targeting defense contractors through compromised vendors and abusing Citrix, VMware, and Azure Virtual Desktop environments.
The conflict's impact extends to physical supply chains. Tanker avoidance of the Strait of Hormuz — through which approximately 20% of the world's LNG passes — has already caused WTI crude to jump from $67 to $71 per barrel, with analysts warning of prices exceeding $100 per barrel if disruption continues. Downstream impacts include increased costs for natural gas power generation, semiconductor manufacturing, and polymer-dependent products across global supply chains.
The report includes ten actionable mitigation strategies tailored to the Iranian threat landscape, covering DNS sinkholing, VPN hardening, OT/ICS network segmentation, patch management automation, behavioral analytics, email security enforcement, and incident response automation with pre-configured YARA rules for known Iranian malware families.