AI-Powered Hacktivists Target US Infrastructure Amid Iran-Israel Conflict

Within hours of US and Israeli strikes hitting Iran on February 28, a significant cyber mobilization occurred. Over 50 hacktivist groups aligned with Iranian interests activated on Telegram, many with no background in industrial control systems and no state direction. What they possessed was an internet connection and an AI tool capable of providing them with a working map of vulnerable US infrastructure.

This combination—motivated actors, accessible artificial intelligence, and a growing attack surface—forms the central argument of a new report from cybersecurity firm CloudSEK. The report highlights how AI is democratizing cyber threats, enabling less sophisticated actors to target critical national infrastructure.

Mapping the Threat Actors

CloudSEK's lead researcher Ibrahim Saify explained that the team began by mapping threat actors targeting industrial control systems: the energy grids, water plants, and traffic infrastructure that underpin national ecosystems. One group consistently surfaced during their investigation.

"We came across CyberAv3ngers," Saifi stated, adding: "Not all threat actor groups have a very complex TTP or are technically sophisticated. And yet they were using AI Large Language Models, ChatGPT, for their reconnaissance phase."

Decade of Escalation in Iranian Cyber Operations

The report traces Iranian cyber operations back to 2012, when the Shamoon wiper destroyed 30,000 endpoints at Saudi Aramco—an operation requiring nation-state resources and industrial expertise. In 2017, the TRITON malware targeted safety systems at a Saudi petrochemical plant, representing the only malware confirmed to attack industrial safety instrumented systems. Both incidents reflected years of capability building.

By late 2023, the pattern had shifted dramatically. The Iranian group CyberAv3ngers began targeting Israeli-made Unitronics programmable logic controllers. On November 25, 2023, they breached the Municipal Water Authority of Aliquippa, Pennsylvania, using the default password "1111," which was listed in product manuals and in prior CISA advisories. The Cybersecurity and Infrastructure Security Agency later confirmed breaches of at least 75 US industrial control system devices.

How Artificial Intelligence Changed the Game

In October 2024, OpenAI disclosed that CyberAv3ngers accounts had used ChatGPT during reconnaissance operations. The queries described in its threat intelligence report sought default credentials for industrial routers, methods to scan networks for ICS devices, guidance on Modbus scripts, and techniques to obfuscate post-compromise tools. While OpenAI stated the responses offered little beyond standard web search results, CloudSEK researchers argue the significance lies elsewhere.

"The significance is not that AI created new attack capabilities," the report notes. "It is that AI eliminated the research phase." A single AI session can produce the right Shodan query, confirm default credentials, and explain unfamiliar protocols, compressing weeks of background work into minutes.

To illustrate this phenomenon, CloudSEK replicated the CyberAv3ngers approach as a passive exercise. Using AI-generated Shodan queries, researchers located live industrial systems in the United States. "Submitting one public URL to an AI system produced a threat profile: a Siemens SIMATIC CP 343-1 device, operating in RUN mode, not locked, with accessible management pages and a plain-language explanation of potential attacker actions," according to the report. Another device discovered was a Schneider Electric power meter with an unauthenticated interface.

The Expanding Threat Pool

The current conflict has triggered the largest single activation of Iranian-aligned cyber actors on record, according to Palo Alto Networks' Unit 42, which assessed a Telegram mobilization on March 2. At the top of this hierarchy are established state-linked groups such as:

  • APT33, known for password-spray attacks on US energy firms
  • MuddyWater, active with updated tools
  • APT34, believed to be quietly pre-positioning in energy and finance networks

Below these sophisticated actors are groups like Handala Hack Team, linked to Iran's MOIS and known for wipers, ransomware, and supply-chain intrusions. At the bottom are more than 60 groups newly activated since February 28, often less skilled and more likely to rely on AI assistance for their operations.

The Growing Attack Surface

The report cites alarming data from ReliaQuest showing that OT and ICS internet exposure rose 35% year-over-year in the first half of 2025. Unitronics port 20256 exposure specifically surged 160% over the same period—despite two years of CISA advisories explicitly naming that port and vendor following the Aliquippa attack. The security advisories exist, yet the exposure grew anyway.

The attack that compromised Aliquippa can potentially be scripted in under 50 lines of Python code: pull a list of Unitronics devices on port 20256 from a Shodan query, attempt the default credential, and log results. This represents a scenario where one operator with no industrial knowledge can target multiple systems simultaneously.
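The defensive counterpart to the scenario above is knowing whether your own ICS assets are reachable on those ports from the internet at all. The following script is an added example, not code from the CloudSEK report: it runs over constructed firewall log lines and flags allowed inbound connections from non-internal addresses to ICS protocol ports, so an operator can see which devices need to be moved behind a VPN or firewall rule. The key=value log format, the internal address ranges, and the sample addresses are assumptions; port 20256 (Unitronics) comes from the report, while Modbus/TCP 502 and Siemens S7comm 102 are well-known ICS ports added for breadth.

```python
"""Flag internet-sourced connections to ICS/OT ports in firewall logs (added example)."""
import ipaddress
import re
from collections import defaultdict

# Port 20256 is the Unitronics port named in the CISA advisories the report cites;
# 502 (Modbus/TCP) and 102 (Siemens S7comm) are well-known ICS ports added here.
ICS_PORTS = {20256: "Unitronics PCOM", 502: "Modbus/TCP", 102: "Siemens S7comm"}

# Assumed internal ranges (RFC 1918 plus loopback and link-local). Anything else
# is treated as internet-sourced; adjust to your own site's address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Assumed key=value log format, similar to what many perimeter firewalls emit.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")


def is_internet_source(addr: str) -> bool:
    """True when addr parses as an IP and is outside every assumed internal range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable source field: do not treat as external
    return not any(ip in net for net in INTERNAL_NETS)


def find_exposed_ics(log_lines):
    """Map (dst, dport, protocol) -> set of external sources that were ALLOWED in."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated or malformed line
        dport = int(m.group("dport"))
        if dport not in ICS_PORTS or m.group("action") != "allow":
            continue  # not an ICS port, or the perimeter already blocked it
        if not is_internet_source(m.group("src")):
            continue  # internal engineering traffic is expected
        hits[(m.group("dst"), dport, ICS_PORTS[dport])].add(m.group("src"))
    return dict(hits)


# Constructed sample log lines (TEST-NET documentation addresses, not real hosts).
SAMPLE_LOGS = [
    "Mar  2 04:12:09 fw1 src=203.0.113.45 dst=192.0.2.10 dport=20256 action=allow",
    "Mar  2 04:12:11 fw1 src=203.0.113.45 dst=192.0.2.10 dport=20256 action=allow",
    "Mar  2 04:13:30 fw1 src=198.51.100.7 dst=192.0.2.10 dport=20256 action=allow",
    "Mar  2 04:14:02 fw1 src=10.20.0.15 dst=192.0.2.11 dport=502 action=allow",
    "Mar  2 04:15:44 fw1 src=203.0.113.99 dst=192.0.2.11 dport=502 action=deny",
    "Mar  2 04:16:10 fw1 src=203.0.113.12 dst=192.0.2.12 dport=443 action=allow",
    "Mar  2 04:16:11 fw1 malformed line with no fields",
]

if __name__ == "__main__":
    for (dst, port, proto), sources in find_exposed_ics(SAMPLE_LOGS).items():
        print(f"EXPOSED {dst}:{port} ({proto}) reached from {len(sources)} external source(s)")
```

On the sample data only the Unitronics device at 192.0.2.10 is reported, since the Modbus hit from the internet was denied and the internal engineering host is expected traffic.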