4 steps teams can take to mitigate Iranian cyberattacks on critical infrastructure

Written by Bill Moore | Apr 8, 2026 9:20:42 PM

COMMENTARY: When the United States and Israel launched coordinated strikes against Iran on February 28, the security community mobilized around the visible response.
I’ve watched that response for two weeks: teams tracking hacktivist DDoS campaigns, incident counts climbing, news coverage following close behind. The real story broke quietly on March 5 when Symantec and Carbon Black published findings showing that MuddyWater, an Iran-aligned group operating under the Ministry of Intelligence and Security (MOIS), had already planted Dindoor and Fakeset backdoors inside U.S. banks, airports, and defense supply chain firms.

Those implants were placed before March 1, long before the headlines and incident count started climbing.

The DDoS attacks and website defacements are real and disruptive. But what gets planted in a network before a conflict starts represents something else entirely.

Why operators are watching the wrong layer

SOCRadar tracked 368 incidents in the first week of March across 12 countries. That volume creates urgency, and urgency shapes where teams look. Security operations centers (SOCs) triaging live DDoS traffic are by definition not hunting for pre-positioned access placed weeks earlier.
Here’s the challenge: Five named advanced persistent threat (APT) groups have persistent access in or adjacent to U.S. critical infrastructure right now.
CyberAv3ngers, the group tied directly to Iran’s Islamic Revolutionary Guard Corps Cyber Electronic Command, built and deployed IOCONTROL. APT33 has spent years pre-positioning in energy sector networks.
On top of all this, MuddyWater’s February implants in U.S. financial and defense-adjacent environments were only disclosed because Symantec happened to publish. APT34/OilRig has documented long-dwell access in energy targets. Cotton Sandstorm pre-positioned WezRat and WhiteLock before the February 28 strikes, according to Check Point Research.
None of those disclosures happened because operators found the access themselves. That’s the uncomfortable reality. In the environments we looked at this hasn’t been a monitoring gap. It’s a prioritization gap. DDoS attacks announce themselves. Backdoors don’t.

IOCONTROL: not an isolated case

Security researchers described IOCONTROL as “a cyberweapon used by a nation-state to attack civilian critical infrastructure.” What makes IOCONTROL significant isn’t just what it hits. It’s how it survives.
The malware uses message queuing telemetry transport (MQTT) for command-and-control, a protocol that blends with legitimate IoT traffic. It routes DNS lookups over HTTPS, bypassing the DNS monitoring most OT environments rely on. At the time of disclosure, 0 of 66 antivirus engines on VirusTotal detected it (now 34/62). That initial number tells us something important. It means every organization that ran a standard AV sweep during the window of exposure got a clean result.
It targets PLCs, fuel management systems, IP cameras, routers, firewalls, and industrial devices from multiple vendors. CyberAv3ngers compromised more than 75 devices using nothing more than default credentials. The U.S. Treasury sanctioned six IRGC-CEC officials and the State Department’s Rewards for Justice program put a $10 million bounty on information about their identities and whereabouts. Hundreds of fuel management systems and at least 34 U.S. wastewater PLCs have already been hit. That’s an industrial-scale targeting operation with a custom platform built to survive detection.

The Stryker attack shows what activated access looks like

On March 11–12, Handala (assessed by Palo Alto Unit 42 and Check Point Research as a front for Void Manticore, a MOIS-affiliated group) used Microsoft Intune’s legitimate remote-wipe functionality to execute an enterprisewide attack on medical devices producer Stryker. The company filed an SEC 8-K and sent more than 5,000 workers home in Ireland. That was an IT-layer attack.
APT33 and MuddyWater have pre-positioned access adjacent to OT networks. The consequence of that access being activated against industrial control systems isn’t people sent home for a day. It’s an operational disruption of a plant going dark.

The gap isn’t technical

Dragos 2026 data shows only 46% of assessed organizations have adequate OT network monitoring. Censys puts the count of internet-exposed ICS devices on U.S. networks somewhere between 40,000 and 48,000.
The Cybersecurity and Infrastructure Security Agency (CISA), the primary civilian agency responsible for helping operators close those gaps, entered the conflict in a significantly weakened state. At least 998 employees had quit, been laid off, or been transferred since the start of the second Trump administration, according to an internal agency report entered into the congressional record by the House Homeland Security Committee. CISA’s acting director acknowledged the losses in committee testimony in January 2026. When the recent DHS shutdown began February 14, an additional 62% of remaining staff were furloughed, leaving the agency operating at a fraction of normal capacity at the exact moment Iranian cyber operations escalated.
The tools to find this access already exist. In practice, it shows up in ways that aren’t hard to spot once we look for them: MQTT traffic where it shouldn’t exist, DNS-over-HTTPS coming from devices that have no reason to use it, OT systems still running on default credentials. In every environment we reviewed, some combination of those signals was present. No one had connected them.

The gap almost never lies in the absence of capability. It comes from a lack of attention. The organizations most at risk right now are not the ones hit by DDoS attacks. They’re the ones that haven’t gone looking for pre-positioned access because they’ve been watching the wrong layer.

Here are four steps security teams should take in the coming week:

  • Audit every internet-exposed OT device: If a device doesn’t need internet connectivity to operate, disconnect it. The exposure surface represents the precondition for everything else. Any directly internet-connected OT device is vulnerable regardless of whether it appears on a known target list.

  • Implement network monitoring on OT segments for anomalous traffic patterns: Focus on unexpected MQTT traffic, DNS-over-HTTPS queries from devices with no legitimate reason to generate them, and encrypted channels from equipment that should only communicate on known industrial protocols. These are not hypothetical indicators. They are the specific signatures IOCONTROL uses to evade standard detection. If the team lacks baseline visibility into what normal OT network traffic looks like, it cannot detect pre-positioned access.

  • Change every default credential on every OT device: The No. 1 exploited vulnerability in Iranian OT campaigns isn’t a zero-day. It’s a password that was never changed. CyberAv3ngers used default credentials to compromise fuel management systems, PLCs, IP cameras, and routers from multiple vendors. If the team hasn’t audited credentials across those device categories, start there.

  • Control and record remote access into OT environments: Identify the highest-risk remote entry points (third-party vendors, remote engineers, and any shared access paths) and ensure those sessions are observable and recorded. If the team lacks visibility into what’s happening inside a remote session, it’s relying on trust at the exact moment adversaries operate. Start by bringing visibility and control to those connections, then expand coverage over time.
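The second step above names three traffic signals (unexpected MQTT, DNS-over-HTTPS from devices with no reason to use it, and encrypted channels from equipment that should only speak known industrial protocols) but does not show what checking for them looks like. The script below is an added example written for this article, not code from the author or from any of the vendors mentioned. It assumes a small, constructed asset inventory mapping OT device addresses to the application protocols they are expected to speak, an assumed site MQTT broker address, and a few well-known public DoH resolver addresses; the flow records it reads are constructed sample data in a simple whitespace-separated format, not real telemetry. It applies the three checks to each flow and reports the most specific rule each one trips.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical asset inventory (constructed): OT device address -> the
# application protocols it is expected to speak. A real deployment would
# load this from the asset register rather than hard-code it.
EXPECTED_PROTOCOLS = {
    "10.20.0.11": {"modbus"},          # PLC
    "10.20.0.12": {"dnp3"},            # RTU
    "10.20.0.30": {"rtsp", "http"},    # IP camera
}
MQTT_PORTS = {1883, 8883}               # plain MQTT and MQTT over TLS
TLS_PORTS = {443, 8443}                 # generic encrypted channels
ALLOWED_MQTT_BROKERS = {"10.20.0.5"}    # the site's own broker/historian (assumed)
# Well-known public DoH resolver addresses. A PLC or camera has no reason
# to open HTTPS to a resolver; DoH from such a device is the signal.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str   # transport protocol, tcp/udp


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record: ts src dst dport proto."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto.lower())


def classify(flow: Flow) -> Optional[str]:
    """Return the most specific rule a flow trips, or None if it is benign.

    Only flows originating from inventoried OT devices are in scope; the
    engineering workstation talking Modbus to a PLC is normal and is skipped.
    """
    expected = EXPECTED_PROTOCOLS.get(flow.src)
    if expected is None:
        return None
    # 1. MQTT leaving an OT device towards anything but the site broker.
    if flow.dport in MQTT_PORTS and flow.dst not in ALLOWED_MQTT_BROKERS:
        return "unexpected_mqtt"
    # 2. HTTPS to a public resolver: DNS-over-HTTPS from a device that
    #    should be using the local DNS (or no DNS at all).
    if flow.dport == 443 and flow.dst in DOH_RESOLVERS:
        return "doh_from_ot_device"
    # 3. Any TLS channel from a device whose profile has no HTTPS in it.
    if flow.dport in TLS_PORTS and "https" not in expected:
        return "tls_off_profile"
    return None


def triage(lines):
    """Run the three checks over flow-record lines and collect findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        rule = classify(flow)
        if rule:
            findings.append({"ts": flow.ts, "rule": rule, "src": flow.src,
                             "dst": flow.dst, "dport": flow.dport})
    return findings


# Constructed sample records (not real telemetry): ts src dst dport proto
SAMPLE_FLOWS = """
2026-03-02T01:10:00Z 10.20.0.50 10.20.0.11 502 tcp
2026-03-02T01:10:05Z 10.20.0.11 203.0.113.7 8883 tcp
2026-03-02T01:11:00Z 10.20.0.30 1.1.1.1 443 tcp
2026-03-02T01:12:00Z 10.20.0.12 198.51.100.20 443 tcp
2026-03-02T01:13:00Z 10.20.0.30 10.20.0.5 1883 tcp
2026-03-02T01:14:00Z 10.20.0.12 10.20.0.5 20000 tcp
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_FLOWS):
        print(f"{f['ts']} {f['rule']:<20} {f['src']} -> {f['dst']}:{f['dport']}")
```

On the sample data the script flags three flows: the PLC opening MQTT over TLS to an outside address, the camera talking HTTPS to a public resolver, and the RTU opening a TLS session to an external host, while the workstation's Modbus poll and the camera's MQTT to the site broker pass as expected. The point of the inventory-driven design is the one the article makes: without a baseline of what each device is supposed to speak, none of these rules can fire.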

In every OT environment we've reviewed in the past six months, the question wasn't whether there was a gap: it was whether anyone had actually looked.

Too many hadn't – and that's the window that makes so many vulnerable.