Banks face heightened cyber threat after U.S. bombs Iran

Following U.S. airstrikes against Iranian nuclear and military infrastructure over the weekend, the United States faces an escalated cyber threat environment, with warnings issued for potential attacks against U.S. networks, including financial institutions.

U.S. Defense Secretary Pete Hegseth and General Dan Caine, chairman of the Joint Chiefs of Staff, confirmed the attacks targeted Iran's two major uranium enrichment centers at Fordo and Natanz, and a third site near Isfahan where near-bomb-grade enriched uranium is believed to be stored.

Iran's foreign minister, Abbas Araghchi, called the strikes "outrageous" and stated Iran had "a legitimate right to respond to defend its sovereignty and people," according to news reports.

Iran's history of cyber operations against the U.S. financial sector

This heightened alert echoes previous periods of tension where Iran-affiliated actors targeted U.S. financial institutions.

From late 2011 to mid-2013, Iranian individuals working on behalf of the Iranian government, specifically the Islamic Revolutionary Guard Corps, or IRGC, launched a systematic campaign of distributed denial of service, or DDoS, attacks against nearly 50 institutions in the U.S. financial sector, including Bank of America and JPMorganChase.

These attacks, known as "Operation Ababil," flooded bank servers with junk traffic, preventing customers from accessing online banking services and costing tens of millions of dollars to mitigate. A 2016 U.S. Department of Justice indictment eventually charged seven Iranian individuals for their involvement, noting that one hacker even received credit for his computer intrusion work toward his mandatory military service in Iran.

Beyond financial targets, Iranian hackers also demonstrated the potential to compromise critical infrastructure, with one defendant repeatedly gaining access to computer systems of the Bowman Dam in Rye, New York, in 2013, according to the FBI. While the hacker never gained control, the access allowed him to learn critical information about the dam's operation.

The U.S. has issued warnings about heightened cyber threats in the wake of acts of war by the U.S. against Iran. For example, in 2020, after a U.S. military strike killed senior Iranian military commander Qassem Soleimani, the Federal Deposit Insurance Corp. and Office of the Comptroller of the Currency said in a joint bulletin that financial institutions faced a "heightened risk" environment, though the bulletin did not cite Iran by name.

Current threats and Iranian tactics

Prior to this weekend, federal agencies had consistently warned about ongoing Iranian cyber activities.

Iranian cyber actors have used brute force and multifactor authentication, or MFA, "push bombing" since October 2023 to compromise user accounts and gain access to organizations across multiple critical infrastructure sectors, including health care, government, information technology, engineering and energy, according to an October 2024 joint advisory from the FBI, Cybersecurity and Infrastructure Security Agency and National Security Agency.

In MFA push bombing attacks, hackers repeatedly push second-factor authentication requests to the target victim's email, phone or registered devices. Push bombing relies on workers re-authenticating into applications and desktops numerous times daily, creating muscle memory that can cause them to approve errant MFA notifications.

These Iranian actors then reportedly sell the acquired credentials and network information on cybercriminal forums to other cybercriminals. Once inside, they frequently register their own devices with MFA to maintain persistent access.

An August 2024 joint advisory from the FBI, CISA and the Department of Defense Cyber Crime Center further highlighted a group of Iran-based cyber actors, known by monikers such as Pioneer Kitten and xplfinder, actively exploiting U.S. and foreign organizations across sectors including education, finance, health care and defense.

Cyber security

Trump rolls back some Biden cyber and fraud directives

A new executive order reverses digital ID initiatives, fraud alerts and federal data-sharing plans from which banks stood to benefit.

By Carter Pape

June 9

According to the FBI, this group typically aims to gain network access and then collaborate directly with ransomware affiliates like NoEscape, Ransomhouse and ALPHV, aka BlackCat, to deploy ransomware, according to the August advisory.

These actors "lock victim networks and strategize on approaches to extort victims," while intentionally keeping their Iran-based location vague from their ransomware partners, according to the advisory. The group also conducts separate computer network exploitation, or CNE, activities to steal sensitive technical data in support of the Iranian government.

They capture login credentials using webshells, create new accounts on victim networks and use tools like Remote Desktop Protocol, or RDP, for lateral movement. They also employ living off the land, or LOTL, techniques to gather information about target systems and internal networks. In a living-off-the-land attack, the cybercriminal uses native, legitimate tools within the victim's system to deploy malware.

Moreover, Iranian threat actors are increasingly leveraging generative AI and large language models to enhance their influence and cyber operations, according to Crowdstrike's 2025 Global Threat Report, released in February.

This includes creating highly convincing fake IT job candidates to infiltrate organizations and using AI-driven disinformation campaigns to disrupt elections.

Iranian internal measures amidst conflict

Amidst the conflict, Iran has also taken steps to control its own internet infrastructure. On Tuesday, the New York Times reported severe internet disruptions across Iran, with Iranian officials and cybersecurity experts suggesting the government was restricting access to limit information spread about the strikes and in fear of Israeli cyberattacks.

Iranian authorities notably restricted access to foreign news sites and blocked many international calls, urging citizens to use the National Internet Service. One Iranian official stated the restrictions would reduce bandwidth by 80% to combat "Israeli operatives trying to carry out covert operations," according to the Times.

An Iranian government spokeswoman claimed the internet speed reduction was "temporary" and "targeted" to "defend against enemy cyberattacks," according to the Times report.

However, the Iranian Cyber Police attributed the disruptions to "severe cyberattacks."

Protecting against the threat

The Department of Homeland Security issued a bulletin on Sunday, affirming that "low-level cyber attacks against U.S. networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against U.S. networks." Iranian hacktivists routinely target poorly secured U.S. networks and internet-connected devices, according to the bulletin.

CISA and FBI have not recommended specific countermeasures against Iranian threats. Rather, they recommend organizations implement basic cybersecurity hygiene practices to mitigate these risks. These practices include:

• Applying patches and mitigations for known vulnerabilities.
• Implementing phishing-resistant multifactor authentication, or MFA, such as hardware security keys.
• Ensuring all accounts use strong passwords and register a second form of authentication.
• Reviewing IT helpdesk password management and disabling user accounts for departing staff.
• Providing basic cybersecurity training to users, covering concepts like detecting unsuccessful login attempts and denying MFA requests they have not generated.
• Continuously reviewing MFA settings to ensure coverage over all active, internet-facing protocols.