
Operation Epic Fury: Anticipated Iranian Cyber Counteroffensive Operations Targeting Critical Infrastructure and Government Entities

Following the joint U.S.-Israel military operation designated "Operation Epic Fury," launched on February 28, 2026, Tenable's Research Special Operations team has issued an urgent advisory warning of anticipated cyber counteroffensive activity from Iran-linked threat actors. Iran's primary cyber-offensive organizations — the Islamic Revolutionary Guard Corps (IRGC), the IRGC Cyber-Electronic Command (IRGC-CEC), and the Ministry of Intelligence and Security (MOIS) — are expected to direct a broad array of sophisticated threat actor groups against targets in the United States, Israel, and allied nations. The retaliatory operations are anticipated to span a wide spectrum of offensive cyber techniques, including destructive wiper malware campaigns, ransomware deployment, data theft and leak operations, and direct attacks against operational technology (OT) and industrial control system (ICS) environments.

Iran commands one of the most capable and diverse nation-state cyber programs currently active. Groups attributed to Iranian state sponsors include Banished Kitten (Void Manticore), which deploys wiper malware under hacktivist personas such as Homeland Justice, Karma, and HANDALA; CyberAv3ngers, an IRGC-CEC group with a demonstrated history of targeting programmable logic controllers in water and wastewater infrastructure; Pioneer Kitten (Fox Kitten), which specializes in exploiting internet-facing devices and brokering ransomware access to criminal affiliates; and APT34 (OilRig), an MOIS espionage group targeting energy, telecommunications, and government sectors. These groups collectively employ a broad arsenal of tactics including exploitation of unpatched internet-facing systems, use of commercially available remote monitoring and management (RMM) tools for persistence, credential harvesting via social engineering, hack-and-leak campaigns, and coordinated botnet-driven distributed denial-of-service operations. The recent revival of the ALTOUFAN TEAM persona, tied to Cotton Sandstorm, has already signaled public warnings of "massive cyber attacks in the coming hours," indicating operations may be imminent or already underway.

Iranian threat actors have an established pattern of exploiting known, unpatched vulnerabilities in internet-facing infrastructure — including Log4Shell (CVE-2021-44228, CVSS 10.0), Microsoft Exchange ProxyLogon (CVE-2021-26855, CVSS 9.8), Zerologon (CVE-2020-1472, CVSS 10.0), Fortinet FortiGate SSL VPN (CVE-2018-13379, CVSS 9.8), and Pulse Secure VPN (CVE-2019-11510, CVSS 10.0), among more than 75 documented CVEs historically leveraged in their campaigns. The geopolitical escalation introduced by Operation Epic Fury significantly increases the probability of near-term retaliatory cyber operations, and organizations across critical infrastructure sectors — including energy, water, transportation, and government — should treat this as an active threat requiring immediate defensive action.


Threats and Vulnerabilities

Banished Kitten, also tracked as Void Manticore, Red Sandstorm, and Storm-0842, is an MOIS-affiliated group specializing in destructive operations carried out under hacktivist cover identities including Homeland Justice, Karma, and HANDALA. This group's primary capability involves the deployment of wiper malware — destructive tools designed to permanently destroy data and render systems inoperable — which are often disguised as ransomware to mislead victims and complicate attribution. Banished Kitten has previously conducted destructive campaigns against organizations in Albania and Israel and is assessed as one of the most likely actors to execute near-term destructive operations in retaliation for Operation Epic Fury. Organizations with any Israeli or U.S. government affiliation, or those operating within allied critical infrastructure sectors, should consider this group an immediate and credible threat.

CyberAv3ngers is an IRGC Cyber-Electronic Command group with a documented history of targeting operational technology environments, specifically programmable logic controllers deployed in water and wastewater treatment facilities. The group was the subject of a joint CISA advisory (AA23-335A) following its 2023 attacks on Unitronics PLCs across multiple U.S. water utilities, demonstrating both the capability and willingness to disrupt physical processes with direct public health consequences. In the current threat environment, CyberAv3ngers represents a critical risk to OT operators — particularly those in the water sector — where successful attacks could disrupt treatment processes and endanger public safety. Any utility operating internet-accessible PLCs or HMIs should treat this group as an active near-term threat.

Pioneer Kitten, also tracked as Fox Kitten, Lemon Sandstorm, and UNC757, is an IRGC-affiliated group that has established a particular niche in exploiting internet-facing network devices, including VPN appliances and firewall gateways running vulnerable firmware. Pioneer Kitten is known to leverage vulnerabilities such as CVE-2019-11510 in Pulse Secure VPN (CVSS 10.0) and CVE-2018-13379 in Fortinet FortiGate SSL VPN (CVSS 9.8) to gain initial access, subsequently brokering that access to ransomware affiliates for financial gain — a convergence of nation-state espionage tradecraft with criminal monetization. This dual role makes Pioneer Kitten a high-probability threat for any organization with internet-exposed perimeter devices running unpatched firmware, regardless of whether the organization considers itself a geopolitical target. The group's ransomware brokering activity means that a Pioneer Kitten intrusion may appear to be a criminal ransomware incident before the state-sponsored dimension is identified.

Agrius, tracked by some vendors as Pink Sandstorm and BlackShadow, is an MOIS-attributed group that deploys wiper malware disguised as ransomware — a deliberate deception designed to cause maximum operational disruption while initially obscuring the destructive intent of the attack. Agrius has historically targeted Israeli companies across financial services, technology, and healthcare sectors and has demonstrated a sustained willingness to deploy destructive capabilities against civilian targets. In the context of anticipated Iranian counteroffensive operations, Agrius represents a significant and credible threat to Israeli-affiliated organizations and their global supply chain partners, particularly those sharing IT infrastructure or data with Israeli entities.

MuddyWater, also known as Mango Sandstorm, Static Kitten, and MERCURY, is an MOIS-affiliated group that specializes in the use of legitimate remote monitoring and management tools — including ScreenConnect and RemoteUtilities — to maintain persistent access within victim environments while blending with authorized IT management traffic. MuddyWater primarily targets telecommunications and government organizations and was the subject of a joint CISA advisory (AA22-055A) documenting its persistent access tradecraft. The group's reliance on legitimate tooling makes its activity exceptionally difficult to detect without behavioral analytics, rigorous RMM software inventory management, and network anomaly detection capable of distinguishing authorized from unauthorized remote access sessions.

APT42, also tracked as Damselfly, UNC788, Yellow Garuda, and Mint Sandstorm, is attributed to the IRGC Intelligence Organization and conducts highly targeted credential harvesting and social engineering campaigns against government, defense, and civil society targets. APT42's operations typically involve the sustained impersonation of journalists, academic researchers, and conference organizers to build rapport with high-value targets before deploying credential-stealing infrastructure or malware delivery mechanisms. In a counteroffensive context, APT42 activity could manifest as a surge in sophisticated spear-phishing campaigns targeting government officials, defense contractors, critical infrastructure executives, and their immediate professional networks.


Client Impact

Organizations operating in sectors historically targeted by Iranian threat actors — including energy, utilities, water and wastewater, telecommunications, government, and financial services — face an elevated and near-term risk of cyberattack across multiple simultaneous vectors. A successful wiper malware deployment by Banished Kitten or Agrius could result in catastrophic, potentially unrecoverable data loss and extended operational downtime measured in days or weeks, while Pioneer Kitten-brokered ransomware attacks could lock critical systems and trigger substantial financial recovery costs and reputational damage. For organizations operating OT and ICS environments, a CyberAv3ngers-style attack targeting programmable logic controllers could directly affect physical processes, creating public safety and public health risks that extend far beyond the digital domain into real-world operational consequences. The breadth and diversity of the Iranian threat actor ecosystem — simultaneously spanning espionage, destructive operations, and criminal ransomware brokering — means that organizations cannot assume their sector or organizational size makes them an unlikely target during a period of active nation-state counteroffensive operations.

From a compliance and regulatory perspective, a successful intrusion or destructive attack could trigger mandatory incident reporting obligations under NERC CIP for electric utilities, the America's Water Infrastructure Act for water systems, and CISA's cross-sector cybersecurity incident reporting requirements. Organizations that have not maintained adequate patch management programs addressing the more than 75 CVEs documented as exploited by Iranian threat actors may face heightened regulatory scrutiny — particularly if a breach is found to trace to a known, publicly disclosed vulnerability for which patches have been available. The convergence of elevated threat posture, active geopolitical escalation, and mandatory reporting obligations makes this advisory period a critical window in which organizations must both act defensively and document that those defensive actions have been taken.


Mitigations

To mitigate the heightened risks associated with anticipated Iranian cyber counteroffensive operations, clients should consider the following actions:

1. Immediately audit and remediate internet-facing systems for known vulnerabilities historically exploited by Iranian threat actors, prioritizing VPN appliances and firewall gateways affected by CVE-2019-11510 (Pulse Secure VPN, CVSS 10.0), CVE-2018-13379 (Fortinet FortiGate SSL VPN, CVSS 9.8), and CVE-2019-19781 (Citrix NetScaler ADC, CVSS 9.8), as these represent the primary initial access vectors exploited by Pioneer Kitten and affiliated groups.

2. Audit all remote monitoring and management (RMM) software deployed in your environment, immediately removing any unauthorized installations and implementing allowlisting policies to prevent MuddyWater from leveraging legitimate remote access tools for undetected persistence and lateral movement.

3. Verify, test, and if necessary restore offline and air-gapped backups for all critical systems — including OT historian and SCADA configurations — ensuring that recovery procedures are documented and that backup media is physically isolated from network-accessible systems as a direct countermeasure to wiper malware deployed by Banished Kitten and Agrius.

4. Enhance monitoring on operational technology networks, particularly for water, wastewater, and energy utilities, to detect unauthorized access or anomalous commands directed at programmable logic controllers and human-machine interfaces; implement CISA advisory AA23-335A guidance specific to CyberAv3ngers' known PLC targeting techniques.

5. Deploy heightened phishing awareness communications to all staff, enforce multi-factor authentication across all remote access and email systems, and implement email security controls capable of detecting impersonation of academic, media, and conference personas used by APT42 in credential harvesting campaigns.

6. Activate sector-appropriate threat intelligence sharing through ISACs (E-ISAC, WaterISAC, MS-ISAC, FS-ISAC) and subscribe to CISA's automated indicator sharing feeds to receive and act on near-real-time IOCs associated with active Iranian threat actor campaigns.

By implementing these measures with urgency and treating this threat period as equivalent to a declared heightened security posture, organizations can substantially reduce their attack surface and improve their capacity to detect, contain, and recover from Iranian-attributed cyber activity.
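Mitigation item 2 above (audit RMM software and enforce an allowlist) is the action most directly reducible to a repeatable check. The following script is an added illustration, not part of the advisory or any vendor tooling: it reads a software inventory export (assumed columns host,product,publisher) and flags RMM installs that are either unapproved anywhere or approved but present on a host not sanctioned to run them. ScreenConnect and RemoteUtilities come from the advisory; the other product names, the allowlist and the sample hosts are assumptions.

```python
import csv
import io
from dataclasses import dataclass

# RMM product-name fragments to match. ScreenConnect and RemoteUtilities are named in
# the advisory; the others are an assumed starter list to extend from your own catalogue.
RMM_SIGNATURES = ("screenconnect", "remoteutilities", "anydesk", "teamviewer", "atera")

# Assumed allowlist: approved RMM family -> hosts sanctioned to run it.
# Any RMM family not listed here is unapproved everywhere.
APPROVED_RMM = {"screenconnect": {"it-jump01", "it-jump02"}}

@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    reason: str

def rmm_family(product_name):
    """Return the RMM family an installed product name matches, or None."""
    name = product_name.lower().replace(" ", "")
    for sig in RMM_SIGNATURES:
        if sig in name:
            return sig
    return None

def audit_rmm_inventory(inventory_csv):
    """Flag RMM installs that are unapproved, or approved but on an unsanctioned host."""
    # inventory_csv: columns host,product,publisher, one row per installed package.
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        family = rmm_family(row["product"])
        if family is None:
            continue
        hosts = APPROVED_RMM.get(family)
        if hosts is None:
            findings.append(Finding(row["host"], row["product"], "unapproved RMM product"))
        elif row["host"].lower() not in hosts:
            findings.append(Finding(row["host"], row["product"], "approved RMM on unsanctioned host"))
    return findings

# Constructed sample inventory (fictitious hosts): one sanctioned install, one approved
# product on a finance workstation, one unapproved tool on an OT historian server.
SAMPLE_INVENTORY = """host,product,publisher
it-jump01,ScreenConnect Client,ScreenConnect Software
ws-finance07,ScreenConnect Client,ScreenConnect Software
srv-hist01,Remote Utilities - Host,Remote Utilities LLC
srv-hist01,7-Zip,Igor Pavlov
"""
```

Running audit_rmm_inventory(SAMPLE_INVENTORY) returns two findings: the approved product on ws-finance07 and the unapproved Remote Utilities host agent on srv-hist01. Feed it an export from your asset inventory or endpoint agent and review every finding against change records before removal.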


1898 & Co. Response

1898 & Co. is actively monitoring the threat landscape associated with Operation Epic Fury and the anticipated Iranian cyber counteroffensive, providing clients with timely, actionable intelligence and targeted defensive support. Our cybersecurity practice offers comprehensive threat exposure assessments that evaluate client environments against the more than 75 CVEs documented as exploited by Iranian threat actor groups, enabling prioritized remediation of the vulnerabilities most likely to be leveraged in near-term attacks. We are prepared to immediately support clients in conducting emergency vulnerability sweeps, implementing compensating controls for systems where patching timelines are constrained, and establishing enhanced network monitoring baselines appropriate to the current threat posture.

Our threat intelligence team is actively tracking the activities of Iranian-attributed groups — including Banished Kitten, CyberAv3ngers, Pioneer Kitten, Agrius, MuddyWater, and APT42 — through collaboration with government agencies, sector ISACs, and trusted industry partners. We are continuously correlating public and private threat intelligence sources to provide clients with the earliest possible warning of imminent campaigns, and our OT and ICS security specialists are focused specifically on the elevated risk to critical infrastructure operators from CyberAv3ngers and similar groups with demonstrated intent to compromise industrial control systems. Our team is positioned to deploy detection content, review OT network segmentation, and advise on hardening configurations tailored to the specific equipment and protocols in use within client environments.

Our experience supporting critical infrastructure organizations through previous Iranian-attributed campaigns — including the 2023 CyberAv3ngers attacks on U.S. water utilities — has equipped our practice with deep institutional knowledge of Iranian threat actor tradecraft and the defensive countermeasures proven effective against their techniques. Clients can engage our incident response, OT security, threat intelligence, and compliance teams to conduct rapid assessments, develop sector-appropriate response plans, and ensure that regulatory reporting obligations are understood and met. We remain committed to helping our clients navigate this elevated threat environment with the confidence, preparation, and resilience that the current geopolitical moment demands.


Sources

1. Operation Epic Fury: Potential Iranian Cyber Counteroffensive Operations — Tenable Research Special Operations

2. U.S. Forces Launch Operation Epic Fury — U.S. Central Command Press Release

3. What Defenders Need to Know About Iran's Cyber Capabilities — Check Point Research

4. APT42: Crooked Charms, Cons and Compromises — Google Threat Intelligence

5. CISA Advisory AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors (CyberAv3ngers)

6. CISA Advisory AA22-055A: Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks (MuddyWater)

7. CISA Advisory AA24-241A: Iran-Based Cyber Actors Enabling Ransomware Attacks on US Organizations (Pioneer Kitten)

8. Government of Canada Rapid Response Mechanism: Iranian Hack-and-Leak Operations