AI, the Iran-US Conflict, and the Threat to US Critical Infrastructure | CloudSEK

A rapid post-strike activation of 60+ Iranian-aligned hacktivist groups, combined with AI-assisted reconnaissance, has turned a large and persistent US ICS/OT internet exposure into an immediately exploitable attack surface. The report traces a decade-long escalation (Shamoon, TRITON/TRISIS, IOCONTROL) and shows how AI-generated Shodan queries, default credentials (e.g., Unitronics “1111”), and exposed HMI/web portals enable mass targeting at scale. #CyberAv3ngers #Unitronics

Key Points

  • On 28 Feb 2026, coordinated US-Israel strikes triggered the activation of 60+ Iranian-aligned hacktivist groups via a Telegram Electronic Operations Room.
  • AI platforms are being used to generate Shodan/Google-dork queries, passive assessments of exposed ICS web interfaces, and automation scripts that compress reconnaissance from weeks to minutes.
  • Historical nation-state ICS capabilities (Shamoon, TRITON/TRISIS, IOCONTROL) have been replicated or made accessible to lower-tier actors through default credentials and internet-exposed ICS devices.
  • Concrete compromises (e.g., Aliquippa water plant) demonstrate that default credentials and internet-facing ports (Unitronics on TCP/20256) enable destructive or disruptive outcomes without advanced ICS expertise.
  • Commercial platform policy controls slow but do not prevent misuse; adversaries migrate to unconstrained or fine-tuned AI variants for automation, persistence, and obfuscation techniques.
  • Defensive actions that would have prevented the Aliquippa incident: remove ICS management interfaces from the internet, change vendor default credentials (Unitronics “1111”), and block ICS protocol ports at the network perimeter.
  • The convergence of expanding exposed attack surface, AI-assisted reconnaissance, and broad actor activation represents the defining cyber threat in the current conflict environment.
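The defensive actions above (pull ICS management interfaces off the internet, block ICS protocol ports at the perimeter) are easiest to act on when you can see which ICS ports are actually reachable from outside. The following script is an added example and not CloudSEK's code: it takes the ICS/vendor ports the report lists (TCP/20256, TCP/502, TCP/102, TCP/44818, TCP/1911, UDP/47808), scans a set of constructed perimeter-firewall log lines for connections from non-RFC1918 sources to those ports, groups the accepted ones into an exposure list, and emits matching nftables drop rules. The log format, the sample lines, the `input_wan` chain name, and the protocol labels on the last four ports are assumptions of this example, not details from the report.

```python
"""Find internet-reachable ICS ports in perimeter firewall logs (added example).

Not CloudSEK's code. The port list is the one the report names; the log format,
sample lines and nftables chain name are constructed for this example.
"""
import ipaddress
import re
from collections import Counter

# ICS protocol and vendor ports named in the report. The protocol labels on the
# last four entries are this example's annotation, not text from the report.
ICS_PORTS = {
    ("tcp", 20256): "Unitronics PCOM",
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 102): "Siemens S7 (ISO-TSAP)",
    ("tcp", 44818): "EtherNet/IP",
    ("tcp", 1911): "Niagara Fox",
    ("udp", 47808): "BACnet/IP",
}

# Explicit RFC1918 list rather than ipaddress.is_private: is_private also covers
# the documentation ranges (203.0.113.0/24 etc.) used in the sample log below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed, simplified firewall log format (not any vendor's real format):
#   <ts> <host> <ACCEPT|DROP> proto=<tcp|udp> src=<ip> spt=<port> dst=<ip> dpt=<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>tcp|udp) "
    r"src=(?P<src>\S+) spt=(?P<spt>\d+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)

# Constructed sample lines using documentation address ranges, not real hosts.
SAMPLE_LOG = """\
2026-03-01T02:14:07Z fw1 ACCEPT proto=tcp src=203.0.113.45 spt=51234 dst=192.0.2.10 dpt=20256
2026-03-01T02:14:09Z fw1 ACCEPT proto=tcp src=203.0.113.45 spt=51235 dst=192.0.2.10 dpt=502
2026-03-01T02:15:31Z fw1 DROP proto=tcp src=198.51.100.7 spt=40001 dst=192.0.2.11 dpt=102
2026-03-01T02:16:02Z fw1 ACCEPT proto=udp src=198.51.100.7 spt=47808 dst=192.0.2.12 dpt=47808
2026-03-01T02:16:40Z fw1 ACCEPT proto=tcp src=10.20.0.5 spt=33000 dst=192.0.2.10 dpt=502
2026-03-01T02:17:12Z fw1 ACCEPT proto=tcp src=203.0.113.45 spt=51240 dst=192.0.2.20 dpt=443
"""


def is_external(ip_text):
    """True when the address is outside the site's internal (RFC1918) space."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def find_ics_exposure(log_text):
    """One finding per log line where an external source reached an ICS port.

    DROPped lines are kept too: they show the port is being probed even if the
    perimeter currently blocks it.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        key = (m["proto"], int(m["dpt"]))
        if key not in ICS_PORTS or not is_external(m["src"]):
            continue
        findings.append({
            "ts": m["ts"],
            "src": m["src"],
            "dst": m["dst"],
            "port": f"{m['proto']}/{m['dpt']}",
            "protocol": ICS_PORTS[key],
            "action": m["action"],
        })
    return findings


def exposed_services(findings):
    """Count ACCEPTed external hits per (destination, port, protocol).

    These are services actually reachable from the internet: the first
    candidates for removal from the internet or a perimeter block.
    """
    exposed = Counter()
    for f in findings:
        if f["action"] == "ACCEPT":
            exposed[(f["dst"], f["port"], f["protocol"])] += 1
    return exposed


def perimeter_block_rules(chain="input_wan"):
    """nftables rules dropping inbound traffic to every port in ICS_PORTS.

    The chain name is a placeholder; adapt it to the site's ruleset.
    """
    return [
        f'add rule inet filter {chain} {proto} dport {port} counter drop comment "{label}"'
        for (proto, port), label in sorted(ICS_PORTS.items())
    ]


if __name__ == "__main__":
    hits = find_ics_exposure(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['action']:6} {h['src']} -> {h['dst']} {h['port']} ({h['protocol']})")
    print("\nReachable from the internet:")
    for (dst, port, proto), n in exposed_services(hits).items():
        print(f"  {dst} {port} {proto}: {n} accepted connection(s)")
    print("\nPerimeter rules:")
    print("\n".join(perimeter_block_rules()))
```

On the sample log the script flags four external hits (one of them already dropped), reports three internet-reachable ICS services, and ignores both the internal Modbus client and the external HTTPS connection. The nftables output is a starting point for the perimeter block; removing the interfaces from the internet and changing the vendor default credentials are still needed, since a single permitted source or a misplaced rule leaves the device reachable.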

MITRE Techniques

  • [T1110.002] Password Spraying – Used against US utilities and operators: ‘Password spray against US electric utilities and oil/gas operators; TRITON/TRISIS SIS targeting’
  • [T1110.003] Credential Stuffing – Bulk testing of known defaults across Shodan-returned device lists: ‘Iterate a list of Unitronics devices on port 20256 returned by a Shodan query, attempt the default password, log successes.’
  • [T1595] Active Scanning – AI-generated queries to discover internet-exposed ICS assets via Shodan and Google dorks: ‘AI-generated Shodan and Google Dork Queries’
  • [T1190] Exploit Public-Facing Application – Passive analysis revealed unauthenticated ICS web interfaces and editable controls: ‘Module Access Protection: Not locked’ (Siemens SIMATIC CP 343-1 web interface)
  • [T1485] Data Destruction – Historical destructive attacks against infrastructure: ‘Shamoon wiper destroys 30,000 Saudi Aramco endpoints.’
  • [T1195] Supply Chain Compromise – Attackers leverage MSP/supply-chain vectors to reach infrastructure: ‘supply chain via MSP providers’
  • [T1547] Boot or Logon Autostart Execution (Persistence) – Adversarial model variants advise persistence techniques for long-term ICS access: ‘Detailing persistence mechanisms within ICS environments’
  • [T1071] Application Layer Protocol – Use of Modbus/TCP interaction and scripting for direct process manipulation: ‘Requesting guidance on creating Modbus TCP/IP clients for protocol interaction’

Indicators of Compromise

  • [Malware] Iranian-targeting and destructive tooling – IOCONTROL, Shamoon, TRITON/TRISIS, RustyWater
  • [Device/Model] Internet-exposed ICS hardware and HMIs – Unitronics PLCs, Siemens SIMATIC CP 343-1 (unauthenticated web interface), and other exposed HMI portals
  • [Open Ports] ICS protocol and vendor ports used for discovery/attack – TCP/20256 (Unitronics), TCP/502 (Modbus), TCP/102, TCP/44818, TCP/1911, UDP/47808
  • [Credentials] Default credentials used for initial access – Unitronics default password “1111” (documented in the vendor manual and CISA advisory AA23-335A)
  • [Affected Organizations/Systems] Real-world victim and victim class – Municipal Water Authority of Aliquippa (compromised water plant), and multiple US ICS devices (75+ devices reported compromised in prior campaigns)
  • [Threat Actors] Named groups linked to activity – CyberAv3ngers, APT33 (Elfin), MuddyWater (MERCURY), and 60+ hacktivist groups activated on Telegram

Read more: https://www.cloudsek.com/blog/ai-the-iran-us-conflict-and-the-threat-to-us-critical-infrastructure