Full Report
One hundred days into the war, Iran is doing what U.S. intelligence officials feared it would. Since the February start of the war with Iran, the country and its proxies have “inspired lone wolf actors in several instances that resulted in attacks against critical infrastructure and US citizens,” according to a state homeland security intelligence bulletin reviewed…
Analysis Summary
# Threat Actor: State-Sponsored Iranian Groups & Proxies
## Attribution & Identity
- **Primary Actor:** State-sponsored actors from Iran.
- **Aliases & Associated Groups:**
  - Iranian proxy groups (unnamed in the report).
  - Inspired "lone wolf" actors.
  - Cyber actors aligned with Iranian state interests.
## Activity Summary
According to a Department of Homeland Security (DHS) bulletin from June 2026, Iran and its proxies have conducted or threatened at least 14 attacks since the start of a conflict on February 28, 2026. These operations include a mix of kinetic violence and high-impact cyber operations conducted by both organized units and inspired individuals.
## Tactics, Techniques & Procedures
- **Data Destruction/Wiping:** Wiping servers, mobile devices, and systems.
- **Large-scale Data Exfiltration:** Theft of massive datasets (5 terabytes) for intelligence or leverage.
- **Inspirational Radicalization:** Leveraging propaganda to inspire "lone wolf" kinetic attacks.
- **Kinetic Operations:** Physical attacks including vehicle rammings and mass shootings.
- **MITRE ATT&CK Mapping (Inferred):**
  - **T1561.002:** Disk Content Wipe
  - **T1020:** Automated Exfiltration
  - **T1566:** Phishing (a common initial-access step in Iranian intrusions, though not described in the source article).
## Targeting
- **Sectors:** Critical Infrastructure, Healthcare/Medical Technology, Government, and Religious Institutions.
- **Geography:** United States (specifically Texas, Michigan, and Washington D.C.).
- **Victims:**
  - An unnamed medical technology company.
  - Temple Israel (Michigan).
  - The White House Correspondents’ Dinner (threatened/attacked).
  - U.S. citizens.
## Tools & Infrastructure
- **Malware:** Wiping software capable of targeting servers and mobile devices.
- **Exfiltration Infrastructure:** Capacity to extract and store up to 50 terabytes of data.
- **Infrastructure:** Specific C2 domains or IPs were not provided in the summary article.
## Implications
Iran is actively executing a "hybrid warfare" strategy. By combining traditional proxy kinetic attacks with destructive cyber operations, it aims to overwhelm domestic U.S. security services. The targeting of medical technology and the large-scale data theft suggest an intent to cause significant societal disruption and potentially to leverage stolen data for future targeting or blackmail.
## Mitigations
- **Network Segmentation:** Isolate critical servers and mobile device management (MDM) platforms from public-facing infrastructure to prevent widespread wiping, and tightly restrict MDM administrative access, since a compromised MDM console can push remote-wipe commands to every enrolled device.
- **Data Loss Prevention (DLP):** Implement rigorous monitoring for large-scale data transfers (e.g., terabyte-level movement).
- **Physical Security:** Heightened vigilance and protective barriers for religious institutions and high-profile government events.
- **Backup & Recovery:** Ensure offline, immutable backups are maintained to recover from destructive wiping attacks.
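As an added example for the DLP mitigation above (not code from the bulletin or the article), the following script sums outbound bytes per internal host over a 24-hour window from constructed NetFlow-style records and flags any host whose egress to external addresses crosses a terabyte-scale threshold; the internal address ranges, log format and threshold are assumptions to adapt to the real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Assumed internal address space; adjust to the real environment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
GB = 1024 ** 3
TB = 1024 ** 4

# Constructed sample flow records "timestamp src dst bytes"; not real telemetry.
CONSTRUCTED_FLOWS = """\
2026-06-01T02:15:00Z 10.1.4.22 203.0.113.7 644245094400
2026-06-01T09:40:00Z 10.1.4.22 203.0.113.7 536870912000
2026-06-01T10:00:00Z 10.1.4.22 10.2.0.5 2199023255552
2026-05-20T08:00:00Z 10.1.9.3 198.51.100.2 3298534883328
2026-06-01T12:00:00Z 10.1.9.3 198.51.100.2 214748364800
"""
NOW = datetime(2026, 6, 2, tzinfo=timezone.utc)  # evaluation instant for the window

def parse_flows(text):
    """Parse whitespace-separated flow lines into (datetime, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, int(nbytes)))
    return records

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def egress_by_host(records, window=timedelta(hours=24), now=None):
    """Bytes per internal source sent to external destinations inside the window."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - window
    totals = defaultdict(int)
    for ts, src, dst, nbytes in records:
        # Internal-to-internal transfers (e.g. to a file server) are not egress.
        if ts >= cutoff and is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)

def flag_bulk_egress(records, threshold=TB, **kw):
    """Return (host, bytes) pairs at or above the threshold, largest first."""
    totals = egress_by_host(records, **kw)
    return sorted(((h, b) for h, b in totals.items() if b >= threshold), key=lambda x: -x[1])

if __name__ == "__main__":
    for host, nbytes in flag_bulk_egress(parse_flows(CONSTRUCTED_FLOWS), now=NOW):
        print(f"ALERT bulk egress {host}: {nbytes / TB:.2f} TiB in 24h")
```

In the constructed data only 10.1.4.22 is flagged: its two external transfers total 1100 GiB, while its 2 TiB internal copy and the other host's out-of-window 3 TiB transfer are excluded.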