An Iranian cyber crew believed to be part of the Iranian Ministry of Intelligence and Security (MOIS) has been embedded in multiple US companies' networks since the beginning of February, including a bank, a software firm, and an airport, among others, with more activity in the days following the US and Israeli military strikes, according to findings released this week.
This discovery raises a critical infrastructure protection question that should concern policymakers and business leaders alike: how many critical networks remain compromised by state-sponsored actors with pre-positioned access? The findings also highlight a dangerous timing problem. The intrusions showed increased activity in the days following the US and Israeli military strikes, suggesting the hackers remain active and may be positioning themselves for potential disruptive operations.
Symantec and Carbon Black's threat hunting team uncovered the network activity, plus a previously unknown backdoor, after a third party shared indicators of compromise linked to MuddyWater (also known as Seedworm or Static Kitten). The Israeli operation appears to be the primary target, and a new backdoor the researchers named Dindoor was found on the Israeli location's networks, plus those belonging to the US bank and a Canadian nonprofit.
The two newly discovered malware variants tell a story of deliberate, careful operational security. Dindoor runs on Deno, the secure runtime for JavaScript and TypeScript, and was signed with a certificate issued to "Amy Cherne." A separate Python-based backdoor called Fakeset was found on the airport's and a US nonprofit's networks and was signed by certificates issued to "Amy Cherne" and "Donald Gay," with the latter previously used to sign Stagecomp and Darkcomp malware, both linked to MuddyWater.
The centre-right case for concern is straightforward: this reflects institutional failure. The compromised software company supplies its technology to the defence and aerospace industries, among others, and has a presence in Israel. A software vendor with access to defence contractor systems being compromised is precisely the kind of supply-chain vulnerability that threatens national security and commercial confidence. The fact that this access went undetected for weeks underscores gaps in network monitoring and incident detection across the private sector.
Yet the intelligence community's initial uncertainty about intent is worth acknowledging. When asked about the intent of these intrusions, analysts said "it's difficult to say for sure." "Iranian cyber operations span a range of motives," they noted. "In some cases there's intelligence gathering involved. In others, it's disruption." This ambiguity cuts both ways. It means the networks could be compromised for espionage alone; it also means they could become launching points for destructive attacks.
For the United States, this raises a credible cyber threat to critical infrastructure, particularly the sectors Iran has historically targeted for disruption: financial services, water utilities, and transportation. Many of these rely on outdated control systems and remain attractive targets for Iranian actors as kinetic conflict intensifies. However, it is worth noting that the US Cybersecurity and Infrastructure Security Agency has not yet seen indications of a coordinated campaign of malicious cyber activity in the US that can be attributed to Iran as of the latest official guidance.
The broader context matters here. In May 2025, MuddyWater compromised a server containing live CCTV streams from Jerusalem, allowing the crew to surveil the city for potential targets, and on June 23, Iran bombed the city. Israeli authorities reported that Iranian forces were exploiting compromised security cameras to collect real-time intelligence and adjust missile targeting. This pattern suggests Iran is willing to weaponise network access when strategic opportunity arises.
The pragmatic conclusion is straightforward: organisations with critical infrastructure responsibilities must assume compromise and operate accordingly. The pre-existing access MuddyWater maintains across multiple US sectors creates genuine risk, but that risk is manageable through disciplined execution of known defences. The fact that these intrusions were discovered through third-party reporting rather than internal detection is the real problem, not the threat itself. Australian organisations with US supply-chain dependencies or critical infrastructure roles should treat this as a catalyst to audit their own incident detection capabilities.