Executive Summary
This assessment concludes with HIGH confidence (80-90%) that Iranian cyber operations against U.S. critical infrastructure represent a strategic escalation from traditional espionage to active disruption, driven by geopolitical retaliation and asymmetric warfare doctrine. Since March 2026, Iranian-affiliated APT groups have systematically targeted operational technology (OT) devices, particularly programmable logic controllers (PLCs), across multiple critical infrastructure sectors. The operational scope encompasses water systems, energy facilities, and government networks, with attacks causing confirmed "operational disruption and financial loss" through manipulation of industrial control systems. This represents a fundamental shift from Iran's historical cyber playbook, moving beyond intelligence collection to weaponizing critical infrastructure dependencies for coercive signaling.