A Threat Actor Landscape Assessment of ICS/OT Targeting in the 2026 Iran-US Conflict AND THE SCALE OF THE RISK

MITRE Techniques

• [T1110.003 ] Password Spraying – High‑volume password spraying against Office 365 and Azure accounts used for initial access (‘High-volume password spraying against Office 365 and Azure accounts’).
• [T1566.001 ] Spearphishing Attachment – Malicious Office macro attachments and Excel macros used to deliver initial payloads (‘Spearphishing with malicious Office macro attachments’).
• [T1566.002 ] Spearphishing Link – Phishing sites cloning Google Login/Google Meet to harvest credentials via fraudulent links (‘Phishing sites cloning Google Login and Google Meet’).
• [T1078 ] Valid Accounts – Abuse of legitimate accounts and timed valid‑account activity to blend with business hours for stealthy access (‘Valid account abuse, timed to business hours to blend with legitimate traffic’).
• [T1003 ] Credential Dumping – Use of LaZagne and Mimikatz for credential theft from compromised hosts (‘credential theft via LaZagne and Mimikatz’).
• [T1574.001 ] DLL Side‑Loading – PowGoop DLL side‑loader disguised as Google Update used to load malicious code (‘PowGoop DLL side-loader disguised as Google Update’).
• [T1102 ] Web Service – Use of web services and APIs (e.g., Telegram Bot API) for command and control (‘Small Sieve backdoor: Telegram Bot API for C2’).
• [T1071.004 ] Application Layer Protocol: DNS – DNS tunneling used for covert C2 and exfiltration (‘Mori backdoor: DNS tunneling for covert C2 exfiltration’).
• [T1190 ] Exploit Public‑Facing Application – Exploitation of internet‑facing appliances and Exchange ProxyShell to gain persistent access (‘ProxyShell exploitation against Microsoft Exchange servers’).
• [T1505.003 ] Server Software Component: Web Shell – Deployment of ASPX webshells on internet‑facing Exchange servers for persistent access (‘ASPX webshells on internet-facing Exchange servers’).
• [T1059.001 ] Command and Scripting Interpreter: PowerShell – Living‑off‑the‑land execution using PowerShell and native OS tools in OT‑adjacent environments (‘Exclusive living-off-the-land execution: netsh, wmic, ntdsutil, PowerShell only’).
• [T1112 ] Modify Registry – Registry changes for persistence and proxying (PortProxy registry modifications; Run key persistence) (‘PortProxy registry modifications’ / ‘persists via Run key named SharePoint.exe’).
• [T1595 ] Active Scanning – Use of Shodan, Censys, and internet scanning to discover exposed ICS devices and services (‘Shodan and Censys scanning for exposed devices’).
• [T1195 ] Supply Chain Compromise – Compromise of MSPs and downstream supply‑chain access via RMM tools to reach multiple industrial clients (‘Supply chain compromise via MSPs for simultaneous downstream industrial operator access’).
• [T1071.001 ] Application Layer Protocol: Web Protocols – C2 domains mimicking legitimate cloud services used for command and control (‘RustyWater: new Rust-based RAT, C2 via domains mimicking Dropbox and WordPress’).
• [T1218 ] Signed Binary Proxy Execution (LOTL) – Use of legitimate signed binaries and system tools (AnyDesk, native Windows utilities) to execute and persist without custom malware (‘AnyDesk deployed for persistent remote access without IT authorisation’ / ‘exclusive living-off-the-land execution’).
• [T1204.002 ] User Execution: Malicious Shortcut – Malicious LNK files delivered in password‑protected archives to trick targets into execution (‘Password-protected archives containing malicious LNK files delivered after trust is established’).