Operation Epic Fury: Potential Iranian Cyber Counteroffensive Operations

Source: Tenable. Archived Mar 17, 2026.


Research Special Operations, March 3, 2026. 4 Min Read.

Following the joint military operation known as Operation Epic Fury, the Tenable Research Special Operations (RSO) team is providing an update regarding potential cyber counteroffensive operations conducted by Iran-linked threat actors.

Key takeaways:

- Following Operation Epic Fury, Iran-linked threat actors are expected to launch counteroffensive operations against critical infrastructure and opportunistic targets.
- Several Iran-linked threat groups are affiliated with organizations such as the IRGC and MOIS; among the personas active again are the revived Altoufan Team and HANDALA.
- Review and patch the known vulnerabilities exploited by these threat actors and prepare for heightened DDoS and botnet activity in the near term.

Background

On February 28, 2026, the United States and Israel launched Operation Epic Fury, a series of military operations against Iran. As a result, Iran-linked threat actors are expected to launch cyber counteroffensive operations against the United States, Israel and other countries. Critical infrastructure providers as well as other opportunistic targets are likely at risk.

Analysis

Over the last several years, Iranian-nexus threat groups have shifted from stealthy espionage activity to destructive and retaliatory attacks as geopolitical tensions have risen. Wiper malware and ransomware attacks have ramped up in frequency and destructive capability as attackers have pivoted to targeting critical infrastructure, including in Western countries.

Iranian Threat Actor Affiliations

Iranian state-sponsored cyber operations span multiple groups, from advanced persistent threat (APT) actors to hacktivist fronts linked to both military and civilian agencies. These groups operate under, or maintain ties to, the following organizations:

- Islamic Revolutionary Guard Corps (IRGC): Parallel military force separate from Iran's regular armed forces
- IRGC Intelligence Organization (IRGC-IO): The intelligence arm within the IRGC, focused on surveillance and counterintelligence
- IRGC Cyber-Electronic Command (IRGC-CEC): The IRGC's dedicated cyberwarfare unit
- Ministry of Intelligence and Security (MOIS): Iran's civilian intelligence ministry, combining roles analogous to the CIA and FBI

| Group | Aliases | Affiliation | Operational Focus |
|---|---|---|---|
| Banished Kitten | Void Manticore, Red Sandstorm, Storm-0842, Dune | MOIS | Conducts destructive operations under hacktivist-style personas including HomeLand Justice, Karma, and HANDALA |
| CyberAv3ngers | - | IRGC-CEC | Targets operational technology (OT) and programmable logic controllers (PLCs) in water and wastewater systems |
| APT34 | OilRig, Helix Kitten, Hazel Sandstorm, Earth Simnavaz, COBALT GYPSY, Crambus, TA452, Evasive Serpens, ITG13 | MOIS | Exploits internet-facing infrastructure to conduct espionage against energy, telecommunications and government targets |
| MuddyWater | Mango Sandstorm, Static Kitten, Seedworm, Earth Vetala, MERCURY, TEMP.Zagros, TA450 | MOIS | Uses legitimate remote monitoring and management (RMM) tools to target telecommunications and government organizations |
| APT42 | Damselfly, UNC788, Yellow Garuda, CharmingCypress, Educated Manticore, Mint Sandstorm* | IRGC-IO | Harvests credentials from journalists, academics, activists and policy researchers through social engineering |
| Cotton Sandstorm | Haywire Kitten, Marnanbridge, NEPTUNIUM | IRGC-CEC | Conducts hack-and-leak campaigns and influence operations under personas including Altoufan Team |
| APT35 | Charming Kitten, Mint Sandstorm*, TA453, ITG18, Newscaster, COBALT ILLUSION, Agent Serpens | IRGC | Conducts espionage campaigns targeting government, defense and energy organizations |
| Pioneer Kitten | Fox Kitten, Lemon Sandstorm, UNC757, Parisite, RUBIDIUM, Br0k3r, xplfinder | IRGC | Exploits internet-facing devices and brokers access to ransomware affiliates |
| Agrius | Pink Sandstorm, Agonizing Serpens, AMERICIUM, BlackShadow, Spectral Kitten | MOIS | Deploys wiper malware disguised as ransomware against Israeli organizations |
| Imperial Kitten | Tortoiseshell, Crimson Sandstorm, TA456, Yellow Liderc, CURIUM | IRGC | Uses social engineering to target Israeli transportation and logistics organizations |
| CyberToufan | - | Unknown | Targets Israeli corporations with data theft and leak operations |

* Note: Mint Sandstorm is a composite label spanning both APT35 and APT42.

Recent reports of Iranian cyber-operations activity

Following the military operations on February 28, researchers have reported probing and staging activities linked to Iranian threat actors, including the revival of the ALTOUFAN TEAM persona tied to Cotton Sandstorm. There have been reports on social media from Iranian government-linked hackers warning of "massive cyber attacks in the coming hours." It is unclear whether successful attacks have taken place. Cyber analysts should expect increased botnet and distributed denial-of-service (DDoS) activity.

Ongoing monitoring

Tenable's RSO continues to monitor for new intelligence on counteroffensive attacks by Iran-linked threat actors. We will publish updates as these developments are confirmed.

Identifying affected systems

Iranian threat actors have historically exploited known vulnerabilities in internet-facing devices and applications. A list of Tenable plugins for the vulnerabilities known to be associated with Iranian threat actors can be found here.

Get more information

- Frequently Asked Questions About Iranian Cyber Operations
- Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
- Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
About the author: Research Special Operations

The Research Special Operations (RSO) team serves as Tenable's Forward Logistics Element in the threat landscape, providing customers with the analyses and contextualized exposure intelligence required to manage risks to critical business assets. With over 150 years of collective expertise, this hand-picked group of world-class security researchers is united with one mission: to cut through the noise and deliver critical intelligence about the most dangerous cyber threats emerging right now. Uniting the missions of the Tenable Security Response, Zero-Day Research, and Decision Science Operations teams, RSO disseminates timely, accurate, and actionable information about the latest threats and exposures.