FBI Warns Americans to Expect Iranian Cyber Attacks on U.S. Infrastructure

The FBI has issued stark warnings that Iranian cyber attacks against American infrastructure are not a hypothetical threat but an active and escalating reality. In August 2025, FBI Assistant Director Brett Leatherman, who heads the bureau’s cyber operations division, declared at George Washington University that a destructive Iranian cyber attack on U.S. infrastructure would constitute a “red line” and likely an act of war. His warning came after a joint statement from CISA, the FBI, the NSA, and the Department of Defense Cyber Crime Center on June 30, 2025, urging critical infrastructure organizations to brace for targeted cyber activity from Iranian actors following U.S. military strikes on Iranian nuclear facilities. The threat is already materializing in measurable ways.

Researchers tracked 28 Iran-linked attacks on critical infrastructure customers in the May-June 2025 period alone, a 133 percent increase over the prior two months. Iranian state-backed hacking groups have targeted everything from municipal water systems to hospitals, and they have forged partnerships with ransomware gangs to amplify their reach. This article covers the timeline of escalation between the U.S. and Iran, the specific threat groups behind these attacks, what infrastructure sectors face the greatest risk, and what the FBI’s “red line” framework means for American national security. The stakes are not abstract. When IRGC-linked hackers known as CyberAv3ngers breached a U.S. municipal water authority by exploiting default passwords on industrial control systems, they demonstrated that even small-town utilities are fair game in a geopolitical conflict most Americans experience only through headlines.

Why Is the FBI Warning Americans About Iranian Cyber Attacks on U.S. Infrastructure?

The FBI’s warnings stem directly from a sharp escalation in U.S.-Iran tensions that began with Operation Midnight Hammer on June 21, 2025, when American forces struck three Iranian nuclear facilities — Fordow, Natanz, and Isfahan — with 14 GBU-57 bunker-busting bombs. Pentagon assessments estimated the strikes set back Iran’s nuclear program by approximately two years, with reconstitution projected around mid-2027. Two days later, Iran retaliated with missiles fired at Al Udeid airbase in Qatar, where U.S. soldiers are stationed. All missiles were intercepted and no casualties were reported, but the exchange made clear that both nations had crossed into open hostility. Within 24 hours of the strikes, the Department of Homeland Security issued a National Terrorism Advisory System Bulletin on June 22, 2025, explicitly warning of heightened cyber threats from Iran with specific risks flagged for power and water systems. By June 30, a joint fact sheet from CISA, the FBI, the NSA, and DC3 warned that Iranian cyber actors may target vulnerable U.S. networks and entities of interest. Notably, the agencies stated at the time that they had not yet seen indications of a coordinated cyber campaign attributable to Iran — a caveat that made the preventive nature of the warning all the more pointed. The FBI’s posture shifted further when Assistant Director Leatherman spoke publicly in August 2025, framing the threat in terms of deterrence rather than mere defense. “If you use cyber weapons to destroy infrastructure, you’re now destroying information that a sovereign nation depends on. That tends to be a red line,” Leatherman said. He also acknowledged what he called an “unspoken understanding” of mutually assured destruction in cyberspace, stating bluntly: “If they hit us they know that we can hit them back and can hit them back a lot harder.” That kind of language from a senior FBI official is not routine. It signals that the U.S. government views Iranian cyber operations as a domain where kinetic-level consequences are on the table.

Which Iranian Hacking Groups Are Targeting American Infrastructure?

Multiple Iranian state-sponsored and state-aligned groups are actively operating against U.S. targets, each with distinct capabilities and methods. CyberAv3ngers, operatives linked to Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command, have specifically targeted U.S. water and wastewater systems. They gained notoriety for compromising a municipal water authority by exploiting default passwords on programmable logic controllers — an attack vector that is embarrassingly simple but devastatingly effective against underfunded utilities. The U.S. Treasury Department has sanctioned members of this group. Pioneer Kitten, also tracked as Fox Kitten and Lemon Sandstorm, operates as an initial access broker — meaning they break into networks and then sell or share that access with ransomware operators.

They have been documented collaborating with NoEscape and ALPHV/BlackCat, two of the most prolific ransomware gangs in recent years. This business model is particularly dangerous because it blurs the line between state espionage and criminal extortion, making attribution harder and consequences more diffuse. Additional groups including APT33, MuddyWater, OilRig, and Homeland Justice have all been identified by researchers and government agencies as active against U.S. critical infrastructure through the spring of 2025. However, it would be a mistake to view these groups as a monolithic, centrally coordinated force. Iranian cyber operations are spread across multiple government agencies and proxy networks, which means their targeting can be opportunistic as much as strategic. A hospital hit with ransomware by a Pioneer Kitten affiliate may be collateral damage in a revenue operation rather than a deliberate infrastructure strike. That distinction matters for defenders: the threat is not limited to high-profile targets, because Iranian actors operating in criminal ecosystems will hit whoever is vulnerable, regardless of whether the target has strategic significance.

Iran-Linked Attacks on U.S. Critical Infrastructure (Two-Month Periods, 2025): March-April 2025, 12 attacks; May-June 2025, 28 attacks. Source: The Record / Dragos Research.

What U.S. Infrastructure Sectors Face the Greatest Risk From Iranian Cyber Operations?

The joint warnings from CISA, the FBI, and NSA have identified several priority targets. Defense industrial base companies, particularly those with ties to Israeli research and defense firms, sit at the top of the list. Energy, healthcare, finance, and water and wastewater systems are all explicitly named as at-risk critical infrastructure sectors. Operational technology and industrial control systems connected to the public internet are singled out as especially vulnerable, because many of these systems were designed decades ago without cybersecurity in mind and are now exposed to threat actors who know exactly how to exploit them. The healthcare sector deserves particular attention. The FBI previously warned U.S. hospitals in 2024 that Iranian actors were actively seeking to compromise health providers through ransomware deployment.

A ransomware attack on a hospital is not just a data breach — it can force emergency room diversions, delay surgeries, and directly endanger patients. When Pioneer Kitten partners with ransomware gangs like ALPHV/BlackCat, the operational impact on a hospital network can be catastrophic, and the ransom demands create a financial crisis on top of the clinical one. U.S. democratic institutions also remain in the crosshairs. CISA and the FBI have issued warnings about Iranian-backed cyber activity aimed at undermining American democratic institutions, including election infrastructure and political campaigns. After Israel’s military strikes on Iran in 2025, researchers documented a 700 percent increase in cyberattacks targeting Israel within just two days. That kind of surge capacity — leveraging hacktivist proxies for website defacements, data leaks, and distributed denial-of-service campaigns — could be redirected toward American targets if tensions escalate further.

How Are Iranian Hackers Actually Getting Into U.S. Systems?

The methods Iranian threat groups use are, for the most part, not exotic zero-day exploits. They rely heavily on exploiting known vulnerabilities in unpatched or outdated software, compromising accounts that use default or weak passwords, and deploying brute-force credential attacks. The CyberAv3ngers breach of a water authority through default passwords is a case study in how basic security hygiene failures can have outsized consequences. These are not sophisticated nation-state techniques; they are the cybersecurity equivalent of walking through an unlocked door. The more sophisticated element of Iranian operations lies in their organizational model rather than their technical tools. By partnering with ransomware affiliates, groups like Pioneer Kitten gain access to criminal infrastructure — encryption tools, negotiation platforms, cryptocurrency laundering networks — that would take years to build independently.

This creates a tradeoff for defenders: hardening against ransomware and hardening against state-sponsored espionage are increasingly the same problem, which means the same investments in patching, multifactor authentication, and network segmentation address both threats simultaneously. The downside is that organizations which assumed they were too small or insignificant to attract state-level attention may find themselves targeted anyway, simply because a criminal affiliate scanning the internet found their unpatched VPN appliance. For destructive operations, Iran has also demonstrated willingness to deploy wiper malware — software designed not to extort but to destroy data and render systems inoperable. The Homeland Justice group used wiper attacks against Albanian government systems in 2022, an operation the U.S. attributed to Iran. If the conflict between the U.S. and Iran escalates beyond the current equilibrium, wiper attacks against American infrastructure represent one of the most dangerous scenarios on the table.

What Does the FBI’s “Red Line” Warning Actually Mean for U.S. Policy?

FBI Assistant Director Leatherman’s characterization of destructive cyber attacks as a potential act of war reflects a policy framework that the U.S. government has been developing for over a decade but has rarely articulated so directly. The implication is that a cyber attack causing physical destruction or loss of life — such as sabotaging a power grid, contaminating a water supply, or disabling hospital systems during a crisis — could trigger a military response, not just a diplomatic one. But there are significant limitations to this framework. The “red line” concept depends on attribution, and attribution in cyberspace remains inherently difficult even when intelligence agencies have high confidence. Iran’s use of proxy hacktivist groups and criminal ransomware affiliates creates deliberate ambiguity. If a ransomware gang with loose Iranian ties hits a power utility, does that cross the red line? What if the Iranian government claims the actors were freelancers? These questions do not have clean answers, and the deterrence value of Leatherman’s statement depends partly on how much ambiguity the U.S. is willing to tolerate before responding. The “mutually assured destruction” framing also has limits. Leatherman’s acknowledgment that the U.S. can “hit them back a lot harder” is credible — U.S. Cyber Command has demonstrated offensive capabilities against Iranian targets in the past. However, deterrence only works against rational actors who calculate costs and benefits. It does nothing to restrain hacktivist groups operating with ideological motivation, or criminal affiliates who may not know or care that their access was provided by a state-sponsored broker.

What Should Critical Infrastructure Operators Do Right Now?

CISA’s guidance to critical infrastructure organizations has been consistent and specific: patch known vulnerabilities immediately, eliminate default passwords on all internet-facing systems, implement multifactor authentication, segment operational technology networks from IT networks, and monitor for indicators of compromise published in joint advisories. The June 30, 2025, joint fact sheet from CISA, FBI, DC3, and NSA included specific technical guidance that infrastructure operators should treat as a minimum baseline.

For smaller utilities and municipal systems — the kind of organizations that CyberAv3ngers have already successfully compromised — the challenge is resources. Many water utilities and rural hospitals lack dedicated cybersecurity staff or budgets for the kind of continuous monitoring that federal agencies recommend. CISA offers free vulnerability scanning and technical assistance to critical infrastructure operators, but awareness of these programs remains uneven, and the gap between what agencies recommend and what small organizations can implement remains one of the most significant vulnerabilities in America’s cyber defense posture.
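The two intrusion methods the article describes most often, brute-force credential guessing and logins to default accounts, both leave a trail in ordinary authentication logs, and the monitoring CISA recommends can start there even without a dedicated security team. The following is an added example written for this article, not code from the FBI, CISA, or any named vendor: a small Python detector run over constructed sshd-style log lines from a hypothetical OT gateway called "otgw". The host name, IP addresses (from the RFC 5737 documentation ranges), timestamps, and the list of assumed default account names are all made up for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines from a hypothetical OT gateway "otgw" (not real data).
SAMPLE_LOG = """\
2025-06-30T02:14:01Z otgw sshd[411]: Failed password for admin from 203.0.113.7 port 50211 ssh2
2025-06-30T02:14:03Z otgw sshd[411]: Failed password for admin from 203.0.113.7 port 50212 ssh2
2025-06-30T02:14:05Z otgw sshd[411]: Failed password for root from 203.0.113.7 port 50213 ssh2
2025-06-30T02:14:08Z otgw sshd[411]: Failed password for operator from 203.0.113.7 port 50214 ssh2
2025-06-30T02:14:10Z otgw sshd[411]: Failed password for admin from 203.0.113.7 port 50215 ssh2
2025-06-30T02:14:12Z otgw sshd[411]: Accepted password for admin from 203.0.113.7 port 50216 ssh2
2025-06-30T02:30:00Z otgw sshd[412]: Failed password for jdoe from 198.51.100.22 port 40001 ssh2
2025-06-30T02:31:00Z otgw sshd[412]: Accepted publickey for jdoe from 198.51.100.22 port 40002 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
# Assumed vendor/default account names to watch; adjust to the devices actually deployed.
DEFAULT_ACCOUNTS = {"admin", "root", "administrator", "operator"}

def parse_events(text):
    """Parse syslog-style sshd lines into dicts (chronological order assumed); non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with >= threshold failed logins inside a sliding window -> {src: peak failure count}."""
    recent, flagged = defaultdict(deque), {}
    for ev in events:
        if ev["result"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["src"]] = max(flagged.get(ev["src"], 0), len(q))
    return flagged

def detect_success_after_failures(events, flagged):
    """Successful logins from a source already flagged for brute force: the case to page someone for."""
    return [(ev["src"], ev["user"]) for ev in events
            if ev["result"] == "Accepted" and ev["src"] in flagged]

def detect_default_account_use(events, defaults=DEFAULT_ACCOUNTS):
    """Password (not key-based) logins against default accounts, successful or not."""
    return sorted({ev["user"] for ev in events
                   if ev["method"] == "password" and ev["user"] in defaults})
```

On the sample data the detector flags 203.0.113.7 after five failures in eleven seconds, then reports the successful "admin" login from that same source, and separately lists every default account that was tried with a password at all; the last finding is the one that should lead to the accounts being disabled or renamed rather than merely watched.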

Where Is the U.S.-Iran Cyber Conflict Headed?

The trajectory of this conflict depends heavily on whether the broader geopolitical standoff between the U.S. and Iran stabilizes or escalates. The Pentagon’s estimate that Iran’s nuclear reconstitution will take until approximately mid-2027 creates a window during which Iran may view cyber operations as one of its most effective tools for asymmetric retaliation — low cost, deniable, and difficult to deter. The 133 percent increase in Iran-linked attacks on critical infrastructure during May-June 2025 suggests that this calculus is already in play.

Looking ahead, the most dangerous scenario is not a single dramatic attack but a sustained campaign of lower-level disruptions — ransomware incidents, data leaks, defacements, and DDoS attacks — that individually fall below the “red line” but collectively degrade public confidence in critical services and impose real economic costs. Iranian-aligned hacktivists have already demonstrated this approach against Israeli targets, and there is no technical barrier to redirecting those operations toward the United States. For American businesses, government agencies, and infrastructure operators, the FBI’s warning is not a prediction of something that might happen. It is a description of something that has already begun.

Conclusion

The FBI’s warnings about Iranian cyber attacks on U.S. infrastructure reflect a threat environment that has shifted from theoretical to operational. Following the U.S. strikes on Iranian nuclear facilities in June 2025, multiple federal agencies issued coordinated warnings, researchers documented a 133 percent increase in Iran-linked attacks on critical infrastructure, and FBI leadership publicly framed destructive cyber attacks as a potential act of war.

Iranian threat groups including CyberAv3ngers, Pioneer Kitten, APT33, and others are actively targeting water systems, hospitals, defense contractors, and energy infrastructure using methods that range from exploiting default passwords to partnering with ransomware gangs. The practical takeaway for infrastructure operators, businesses, and ordinary Americans is that this is not a crisis that will be resolved by government action alone. Patching systems, eliminating default credentials, implementing multifactor authentication, and monitoring for known threat indicators are not optional hardening measures — they are the baseline requirements for operating in a contested cyber environment. The FBI has drawn its red line. Whether that line holds depends as much on the resilience of American networks as on the calculations of Iranian decision-makers.

Frequently Asked Questions

Has Iran actually launched a major cyber attack on U.S. infrastructure?

Iranian-linked groups have conducted numerous attacks on U.S. infrastructure, including compromising a municipal water authority and targeting hospitals with ransomware. However, as of the June 30, 2025, joint statement, agencies said they had not yet seen indications of a coordinated cyber campaign attributable to Iran in direct retaliation for the military strikes. The concern is that such a campaign could emerge as tensions persist.

What did the FBI mean by calling a destructive cyber attack a “red line”?

FBI Assistant Director Brett Leatherman stated that using cyber weapons to destroy infrastructure a sovereign nation depends on “tends to be a red line,” implying it could be treated as an act of war warranting a military response. He also noted the U.S. has the capability to retaliate harder than any attack it might receive.

Which Iranian hacking groups pose the biggest threat to U.S. infrastructure?

CyberAv3ngers, linked to the IRGC, have targeted water systems and have been sanctioned by the U.S. Treasury. Pioneer Kitten acts as an initial access broker partnering with ransomware gangs like ALPHV/BlackCat. APT33, MuddyWater, OilRig, and Homeland Justice are also active against U.S. critical infrastructure.

What can individuals and small organizations do to protect themselves?

CISA recommends patching known vulnerabilities, eliminating default passwords, implementing multifactor authentication, and segmenting operational technology from IT networks. CISA also offers free vulnerability scanning services to critical infrastructure operators. The most common Iranian attack methods exploit basic security failures rather than advanced techniques.

Could Iranian cyber attacks affect everyday Americans, not just government targets?

Yes. Attacks on water treatment facilities, hospitals, and energy systems directly affect the public. Iranian actors have also targeted election infrastructure and political campaigns. The partnership between state-sponsored hackers and criminal ransomware gangs means that any organization with weak security could become a target, regardless of its strategic importance.
