In January 2026, the FBI launched Operation Winter Shield — a nationwide campaign urging organizations to take ten specific actions to improve their cyber resilience. [1] The timing was not a coincidence.
Over the past four years, federal agencies have issued a steady drumbeat of advisories about Iranian state-sponsored cyber actors targeting U.S. organizations. These aren’t abstract threats aimed at government agencies or defense contractors. The attackers scan the internet for anyone running unpatched software or using weak passwords — and that includes the kind of mid-market businesses and professional services firms that make up most of the U.S. economy.
This article distills nine federal advisories and enforcement actions into what your organization actually needs to do. We cover how these attacks work, walk through the FBI’s ten-point playbook, and highlight the specific vulnerabilities you should verify are patched.
Why This Matters Now
The pace of federal warnings has accelerated sharply. Between August and October 2024 alone, the FBI and CISA published four separate advisories about Iranian cyber operations — covering ransomware enablement [6], brute-force attacks on critical infrastructure [4], social engineering of personal accounts [5], and new tradecraft from the group known as Emennet Pasargad [3]. In June 2025, a joint fact sheet warned that Iranian actors “may target vulnerable U.S. networks” amid rising geopolitical tensions. [2]
This isn’t new. Iranian cyber operations against the U.S. date back to at least 2011, when IRGC-affiliated actors launched coordinated DDoS attacks against nearly 50 financial institutions — an operation that led to the indictment of seven Iranian nationals in 2016. [9] In 2022, Iranian actors destroyed government systems in Albania using ransomware and disk-wiping malware, gaining initial access through a vulnerability that had been public for over two years. [7]
These Aren't Targeted Attacks Against Fortune 500 Companies
Iranian-affiliated cyber actors and aligned hacktivist groups “often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures (CVEs) or the use of default or common passwords on internet-connected accounts and devices.” [2] If you have an internet-facing firewall or VPN appliance that’s behind on patches, you are a potential target regardless of your size or industry.
For law firms and professional services organizations, the risk is compounded by the sensitivity of the data you hold. Client files, litigation strategy, financial records, and personally identifiable information are all high-value targets for extortion.
How These Attacks Work
Across all nine advisories, a consistent pattern emerges. These operations follow three phases: getting in, staying in, and cashing out.
Getting In
The most common entry point is exploiting known vulnerabilities in internet-facing devices — VPN appliances, firewalls, and remote access gateways from vendors like Citrix, Palo Alto Networks, Check Point, F5, and Ivanti/Pulse Secure. [6] The attackers use automated scanning tools like Shodan to identify devices running vulnerable software, then exploit published CVEs that organizations haven’t patched.
When a vulnerability isn’t available, they fall back on brute-force password spraying — systematically trying common passwords against user accounts across an organization. Since October 2023, Iranian actors have targeted healthcare, government, IT, engineering, and energy sectors using this approach. [4]
What Is MFA Push Bombing?
When an organization uses push-notification MFA, attackers who already have a stolen password will bombard the user’s phone with repeated approval requests — sometimes dozens — until the user taps “Approve” out of frustration or confusion. Iranian actors have used this technique to bypass MFA protections and then re-register their own devices for persistent access. [4]
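Both credential-access techniques above (password spraying and MFA push bombing) leave a recognizable shape in authentication logs. The following is an added detection example, not DP3's code or anything from the advisories: it runs two checks over constructed sample events in an assumed key=value layout (the field and event names are placeholders, not any vendor's schema). Spraying uses few passwords across many accounts, so per-account lockout never trips; counting distinct failed accounts per source IP catches it. Push bombing shows as a burst of prompts to one user followed by an approval.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from a real system); the key=value layout and
# event names are assumptions, not any vendor's log schema.
SAMPLE_LOG = """\
2024-10-01T02:14:05Z src=203.0.113.7 user=alice event=login_failed
2024-10-01T02:14:07Z src=203.0.113.7 user=bob event=login_failed
2024-10-01T02:14:09Z src=203.0.113.7 user=carol event=login_failed
2024-10-01T02:14:11Z src=203.0.113.7 user=dave event=login_failed
2024-10-01T02:20:01Z src=198.51.100.9 user=alice event=mfa_push_sent
2024-10-01T02:20:31Z src=198.51.100.9 user=alice event=mfa_push_sent
2024-10-01T02:21:01Z src=198.51.100.9 user=alice event=mfa_push_sent
2024-10-01T02:22:20Z src=198.51.100.9 user=alice event=mfa_push_approved
2024-10-01T09:00:21Z src=192.0.2.44 user=bob event=mfa_push_sent
2024-10-01T09:00:30Z src=192.0.2.44 user=bob event=mfa_push_approved
"""

def parse(log_text):
    """Parse key=value lines into dicts (timestamp as datetime), oldest first."""
    events = []
    for line in log_text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect_password_spray(events, min_users=4, window=timedelta(minutes=10)):
    """Sources whose failed logins hit >= min_users distinct accounts within `window`."""
    failed = defaultdict(list)
    for ev in events:
        if ev["event"] == "login_failed":
            failed[ev["src"]].append(ev)
    alerts = []
    for src, evs in failed.items():          # evs already oldest-first
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                alerts.append(src)
                break
    return alerts

def detect_push_bombing(events, min_pushes=3, window=timedelta(minutes=5)):
    """Users who approve an MFA push after >= min_pushes prompts within `window`."""
    pushes = defaultdict(list)
    alerts = []
    for ev in events:
        if ev["event"] == "mfa_push_sent":
            pushes[ev["user"]].append(ev["ts"])
        elif ev["event"] == "mfa_push_approved":
            recent = [t for t in pushes[ev["user"]] if ev["ts"] - t <= window]
            if len(recent) >= min_pushes:
                alerts.append(ev["user"])   # review this user's MFA registrations
    return alerts
```

Tune the thresholds to your environment; a push-bombing hit is the cue to check whether the user's registered MFA devices changed right after the approval, since that is the persistence step the advisory describes.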
Staying In
Once inside, the actors establish persistence through webshells (small scripts placed on compromised servers), credential harvesting tools like Mimikatz, and — critically — by modifying MFA registrations so they can maintain access even if passwords are changed. [4] In the Albania operation, attackers maintained access for 14 months before launching their destructive attack, spending that time moving laterally through the network and exfiltrating email data. [7]
Cashing Out
Here is where things have evolved most dangerously. Rather than conducting ransomware attacks themselves, Iranian actors increasingly act as initial access brokers — selling network access to ransomware affiliate groups who handle the encryption and extortion. [6]
A State-Sponsored Ransomware Supply Chain
The FBI assesses that Iranian actors connected to the government of Iran are collaborating with ransomware affiliates including NoEscape, Ransomhouse, and ALPHV (BlackCat). The Iranian actors provide network access in exchange for a percentage of the ransom payment. This means a vulnerability in your firewall could lead to a full ransomware event carried out by a criminal group you’ve never heard of, enabled by a state-sponsored actor on the other side of the world. [6]
Other operations focus on espionage and influence. The group Emennet Pasargad (operating as Aria Sepehr Ayandehsazan) has used AI tools and fake personas to conduct information operations, including attempts targeting the 2024 Summer Olympics. [3] Separately, IRGC actors target the personal email and social media accounts of government officials, journalists, and political campaign staff through carefully crafted social engineering. [5]
Operation Winter Shield: The FBI’s 10-Point Playbook
Operation Winter SHIELD (Securing Homeland Infrastructure by Enhancing Layered Defense) was developed by the FBI in partnership with domestic and international agencies, drawing on real-world investigations to identify the ten most impactful actions organizations can take right now. [1] Below, we explain each action and what it looks like in practice for a 20–200 person organization. We’ve grouped the FBI’s original ten items by priority area rather than their published order — the original numbering is preserved for easy cross-reference.
Priority 1: Authentication and Access
1. Adopt phishing-resistant authentication
Push-notification MFA is better than nothing, but it’s vulnerable to the push-bombing attacks described above. Phishing-resistant options like FIDO2 security keys or passkeys eliminate this risk entirely. Start with your IT administrators and executives — the accounts attackers target first — and expand from there.
9. Reduce administrator privileges
Every account with admin rights is a high-value target. Audit who has domain admin, global admin, and local admin access. Remove privileges that aren’t actively needed. Use separate admin accounts for administrative tasks — don’t let your IT team browse the web and manage Active Directory from the same account.
Priority 2: Patch and Retire
2. Implement a risk-based vulnerability management program
You don’t need to patch everything instantly — but you do need a process for identifying which vulnerabilities matter most and addressing them promptly. Internet-facing systems (firewalls, VPNs, email gateways) should be patched within days of a critical advisory, not weeks. CISA’s Known Exploited Vulnerabilities catalog is a good starting point.
3. Track and retire end-of-life technology on a defined schedule
End-of-life software no longer receives security patches. If you’re running Windows Server 2012, unsupported firewall firmware, or any device the vendor has stopped updating, it’s a liability. Maintain a list of all hardware and software with their end-of-life dates, and plan replacements before they expire.
7. Identify, inventory, and protect internet-facing systems and services
You can’t patch what you don’t know about. Many organizations have forgotten appliances, test servers, or legacy remote-access tools exposed to the internet. Run a scan of your public IP addresses and compare against what you expect to find. Anything you don’t recognize or no longer need should be taken offline immediately.
Priority 3: Detection, Backup, and Recovery
5. Protect security logs and preserve for an appropriate time period
When an incident occurs, logs are the first thing investigators need — and the first thing attackers try to delete. Forward logs to a central location that regular admin accounts can’t modify. Retain them for at least 90 days, ideally a year. This includes firewall logs, authentication logs, and VPN connection records.
6. Maintain offline immutable backups and test restoration
Ransomware operators specifically target backup systems to maximize pressure. Your backups should be stored in a location that can’t be reached through your primary network — whether that’s air-gapped media, immutable cloud storage, or both. More importantly, test your restoration process regularly. A backup you’ve never tested is a hope, not a plan.
10. Exercise incident response plans with all stakeholders
Having a written incident response plan matters, but only if people know how to execute it under pressure. Run a tabletop exercise at least annually. Include leadership, legal counsel, and your IT team. Walk through scenarios like “It’s 2 AM and your file server is encrypted — who do you call first?”
Priority 4: Supply Chain and Email
4. Manage third-party risk
Your security is only as strong as your weakest vendor connection. Know which third parties have access to your network or data, what level of access they have, and whether they follow reasonable security practices. Ask your vendors about their patching cadence, MFA requirements, and incident response capabilities.
8. Strengthen email authentication and malicious content protections
Configure SPF, DKIM, and DMARC for your email domain to prevent spoofing. Enable advanced threat filtering to catch phishing emails before they reach inboxes. Given that Iranian actors specifically target individuals through spear-phishing and social engineering [5], email is a critical control point.
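"Configured" is not the same as "configured to actually block spoofing": an SPF record ending in +all or a DMARC policy of p=none is published but protects nothing. The checker below is an added example, not DP3's code; the record strings are constructed for example.com, and you would instead paste the output of `dig TXT example.com` and `dig TXT _dmarc.example.com` for your own domain. DKIM is not checked here because verifying it requires knowing your selector name.

```python
import re

# Constructed example TXT records for example.com (not real DNS data): a weak
# pair that leaves the domain spoofable, and the corrected pair.
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
GOOD_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

# SPF terms that each cost a DNS lookup; RFC 7208 caps a record at 10 of them.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(record):
    """Return a list of weaknesses in an SPF TXT record (empty if none found)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    problems = []
    names = [re.split(r"[:=/]", t.lstrip("+-~?").lower(), 1)[0] for t in terms[1:]]
    alls = [t.lower() for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        problems.append("no 'all' term: unlisted senders are not failed")
    elif alls[-1] in ("all", "+all"):
        problems.append("'+all' lets any host send as this domain")
    elif alls[-1] == "?all":
        problems.append("'?all' is neutral: receivers have no reason to reject spoofs")
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        problems.append("more than 10 DNS-lookup terms: receivers return permerror")
    if "ptr" in names:
        problems.append("'ptr' is deprecated and slow; replace with ip4/ip6/include")
    return problems

def check_dmarc(record):
    """Return a list of weaknesses in a DMARC TXT record (empty if none found)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    problems = []
    policy = tags.get("p", "").lower()
    if policy in ("", "none"):
        problems.append(f"p={policy or 'missing'}: spoofed mail is only reported, never rejected")
    elif policy == "quarantine":
        problems.append("p=quarantine: spoofs go to spam; move to p=reject once reports are clean")
    if tags.get("pct", "100") != "100":
        problems.append(f"pct={tags['pct']}: policy is applied to only part of the mail")
    if "rua" not in tags:
        problems.append("no rua= address: you receive no aggregate reports")
    return problems
```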
Vulnerabilities to Verify
The following vulnerabilities have been specifically cited in the federal advisories referenced in this article. If your organization uses any of these products, verify that you are running a patched version.
Check These Now
If you run any of the products listed below, confirm with your IT team or MSP that the relevant patches have been applied. Several of these vulnerabilities have been actively exploited by Iranian actors for over a year.
| CVE | Product | Impact | Advisory |
|---|---|---|---|
| CVE-2024-3400 | Palo Alto Networks PAN-OS | Remote code execution | [6] |
| CVE-2024-24919 | Check Point Security Gateways | Information disclosure | [6] |
| CVE-2024-21887 | Ivanti Connect Secure / Pulse Secure VPN | Remote code execution | [6] |
| CVE-2023-3519 | Citrix NetScaler ADC / Gateway | Remote code execution | [6] |
| CVE-2022-1388 | F5 BIG-IP | Remote code execution | [6] |
| CVE-2020-1472 | Microsoft Netlogon (ZeroLogon) | Privilege escalation to domain admin | [4] |
| CVE-2019-19781 | Citrix ADC / Gateway | Remote code execution | [6] |
| CVE-2019-0604 | Microsoft SharePoint | Remote code execution | [7] |
| CVE-2021-44228 | Apache Log4j (Log4Shell) | Remote code execution | [8] |
This is not an exhaustive list — it covers only the vulnerabilities specifically mentioned in the advisories cited here. Your organization’s vulnerability management program should cover all internet-facing systems, not just those on this table.
What DP3 Recommends
The FBI’s ten actions are all important, but if you need to prioritize, here is where we would start for a typical professional services organization:
DP3's Top 5 for Professional Services Firms
- Audit your internet-facing attack surface. Know every device and service exposed to the internet. Patch or decommission anything that’s behind on updates or no longer needed. This single step addresses the #1 way Iranian actors get in.
- Deploy phishing-resistant MFA on all admin and remote-access accounts. Push-notification MFA is vulnerable to fatigue attacks. FIDO2 keys or passkeys are not. Protect your most privileged accounts first, then extend to all users.
- Verify your backups are truly offline and test recovery. If ransomware can reach your backups through the same network, they’re not real backups. Test a full restore at least once a quarter.
- Implement email authentication (SPF, DKIM, DMARC). These are free to configure and prevent attackers from spoofing your domain in phishing campaigns. They also protect your firm’s reputation.
- Review admin account inventory and enforce least privilege. Remove admin rights from any account that doesn’t actively need them. Require separate accounts for administrative tasks.
If you’re already working with a managed IT provider, ask them specifically about each of the FBI’s ten actions. A good provider should be able to show you exactly how each one is addressed in your environment — or have a plan to get there.
Ready to Talk?
Cybersecurity can feel overwhelming, but the steps outlined above are concrete and achievable. If you want to walk through how your organization stacks up against the FBI’s ten-point playbook, or if you need help prioritizing where to start, we’re happy to have that conversation.
References
- [1] FBI, "Operation Winter Shield: Ten Actions to Improve Cyber Resilience," 2026.
- [2] FBI / CISA / NSA / DC3, "Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest," 2025.
- [3] FBI / CISA, "New Tradecraft of Iranian Cyber Group Aria Sepehr Ayandehsazan aka Emennet Pasargad," 2024.
- [4] FBI / CISA / NSA / CSE / AFP / ACSC, "Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations," 2024.
- [5] FBI / CNMF / Treasury / NCSC, "Iranian Cyber Actors Targeting Personal Accounts to Support Operations," 2024.
- [6] FBI / CISA / DC3, "Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations," 2024.
- [7] FBI / CISA, "Iranian State Actors Conduct Cyber Operations Against the Government of Albania," 2022.
- [8] CISA / FBI / NSA / USCC / Treasury / ACSC / CCCS / NCSC, "Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations," 2022.
- [9] U.S. Department of Justice, "Manhattan U.S. Attorney Announces Charges Against Seven Iranians For Conducting Coordinated Campaign Of Cyber Attacks Against U.S. Financial Sector," 2016.
© 2026 DP3. All rights reserved. This article is provided for informational purposes and does not constitute legal advice or a binding recommendation. Verify all security guidance with your IT provider and legal counsel before implementation.