Epic Fury Abroad, Cyber Blowback at Home: Don’t Let Iran Retaliate Through Our Networks
Ask who never gets charged.
When I served at the Cybersecurity and Infrastructure Security Agency, we never treated “over there” and “over here” as separate maps. In cyberspace, the map is one sheet of glass. If the United States hits a regime hard overseas, that regime looks for the fastest way to hit back without meeting us tank-for-tank or plane-for-plane. For Iran, that shortcut has a familiar shape: disruption, deniability, and psychological impact delivered through networks Americans rely on every day.
Operation Epic Fury began in the early hours of February 28, 2026, at the direction of the president, with U.S. and partner forces striking Iranian targets intended to reduce imminent threats to the United States, our forces, and our allies. Those targets included Islamic Revolutionary Guard Corpscommand-and-control facilities, Iranian air defenses, and missile and drone launch infrastructure. The White House has framed the operation as a decisive effort to end the nuclear threat and degrade the regime’s ability to project violence through missiles, proxies, and maritime forces.
That goal matters, and it should be accomplished. But strategic success abroad does not automatically translate into safety at home. Epic Fury raises the odds that Iran will try to impose costs on the American homeland in the one domain where distance is meaningless: cyber.
The good news is we do not have to guess what Iran will do. The playbook is already written, and much of it depends on basic, preventable weaknesses. In a joint fact sheet, CISA, the FBI, the NSA, and the Department of Defense Cyber Crime Center warned that Iranian cyber actors may target U.S. networks for near-term operations and that Defense Industrial Base firms face heightened risk, especially those with ties to Israeli research and defense organizations. The same warning lays out Iran’s repeatable methods: exploiting unpatched, internet-facing systems and using default or common passwords, including automated password guessing.
Iran’s advantage is not elegance. It is reach. They scan constantly for the doors we leave unlocked.
The clearest reminder is operational technology, the industrial control systems that keep water clean, power stable, and manufacturing lines running. The joint fact sheet documents a campaign from November 2023 through January 2024 in which actors affiliated with IRGC targeted internet-exposed programmable logic controllers and human-machine interfaces, and that the campaign included dozens of U.S. victims across water and wastewater; energy, food and beverage manufacturing; and healthcare and public health. The access vector was painfully familiar: public-facing control systems protected by factory-default passwords or no passwords at all.
We have also seen Iran use blunt-force disruption to create public pressure. In 2016, the Department of Justice announced charges against Iranian nationals tied to IRGC-affiliated entities for a coordinated distributed denial-of-service (DDoS) campaign that targeted U.S. financial institutions and for unauthorized access into a New York dam’s control systems. That case is a decade old, but its lesson is current: Iran does not need a perfect cyber …
Ask who never gets charged.
When I served at the Cybersecurity and Infrastructure Security Agency, we never treated “over there” and “over here” as separate maps. In cyberspace, the map is one sheet of glass. If the United States hits a regime hard overseas, that regime looks for the fastest way to hit back without meeting us tank-for-tank or plane-for-plane. For Iran, that shortcut has a familiar shape: disruption, deniability, and psychological impact delivered through networks Americans rely on every day.
Operation Epic Fury began in the early hours of February 28, 2026, at the direction of the president, with U.S. and partner forces striking Iranian targets intended to reduce imminent threats to the United States, our forces, and our allies. Those targets included Islamic Revolutionary Guard Corpscommand-and-control facilities, Iranian air defenses, and missile and drone launch infrastructure. The White House has framed the operation as a decisive effort to end the nuclear threat and degrade the regime’s ability to project violence through missiles, proxies, and maritime forces.
That goal matters, and it should be accomplished. But strategic success abroad does not automatically translate into safety at home. Epic Fury raises the odds that Iran will try to impose costs on the American homeland in the one domain where distance is meaningless: cyber.
The good news is we do not have to guess what Iran will do. The playbook is already written, and much of it depends on basic, preventable weaknesses. In a joint fact sheet, CISA, the FBI, the NSA, and the Department of Defense Cyber Crime Center warned that Iranian cyber actors may target U.S. networks for near-term operations and that Defense Industrial Base firms face heightened risk, especially those with ties to Israeli research and defense organizations. The same warning lays out Iran’s repeatable methods: exploiting unpatched, internet-facing systems and using default or common passwords, including automated password guessing.
Iran’s advantage is not elegance. It is reach. They scan constantly for the doors we leave unlocked.
The clearest reminder is operational technology, the industrial control systems that keep water clean, power stable, and manufacturing lines running. The joint fact sheet documents a campaign from November 2023 through January 2024 in which actors affiliated with IRGC targeted internet-exposed programmable logic controllers and human-machine interfaces, and that the campaign included dozens of U.S. victims across water and wastewater; energy, food and beverage manufacturing; and healthcare and public health. The access vector was painfully familiar: public-facing control systems protected by factory-default passwords or no passwords at all.
We have also seen Iran use blunt-force disruption to create public pressure. In 2016, the Department of Justice announced charges against Iranian nationals tied to IRGC-affiliated entities for a coordinated distributed denial-of-service (DDoS) campaign that targeted U.S. financial institutions and for unauthorized access into a New York dam’s control systems. That case is a decade old, but its lesson is current: Iran does not need a perfect cyber …
Epic Fury Abroad, Cyber Blowback at Home: Don’t Let Iran Retaliate Through Our Networks
Ask who never gets charged.
When I served at the Cybersecurity and Infrastructure Security Agency, we never treated “over there” and “over here” as separate maps. In cyberspace, the map is one sheet of glass. If the United States hits a regime hard overseas, that regime looks for the fastest way to hit back without meeting us tank-for-tank or plane-for-plane. For Iran, that shortcut has a familiar shape: disruption, deniability, and psychological impact delivered through networks Americans rely on every day.
Operation Epic Fury began in the early hours of February 28, 2026, at the direction of the president, with U.S. and partner forces striking Iranian targets intended to reduce imminent threats to the United States, our forces, and our allies. Those targets included Islamic Revolutionary Guard Corpscommand-and-control facilities, Iranian air defenses, and missile and drone launch infrastructure. The White House has framed the operation as a decisive effort to end the nuclear threat and degrade the regime’s ability to project violence through missiles, proxies, and maritime forces.
That goal matters, and it should be accomplished. But strategic success abroad does not automatically translate into safety at home. Epic Fury raises the odds that Iran will try to impose costs on the American homeland in the one domain where distance is meaningless: cyber.
The good news is we do not have to guess what Iran will do. The playbook is already written, and much of it depends on basic, preventable weaknesses. In a joint fact sheet, CISA, the FBI, the NSA, and the Department of Defense Cyber Crime Center warned that Iranian cyber actors may target U.S. networks for near-term operations and that Defense Industrial Base firms face heightened risk, especially those with ties to Israeli research and defense organizations. The same warning lays out Iran’s repeatable methods: exploiting unpatched, internet-facing systems and using default or common passwords, including automated password guessing.
Iran’s advantage is not elegance. It is reach. They scan constantly for the doors we leave unlocked.
The clearest reminder is operational technology, the industrial control systems that keep water clean, power stable, and manufacturing lines running. The joint fact sheet documents a campaign from November 2023 through January 2024 in which actors affiliated with IRGC targeted internet-exposed programmable logic controllers and human-machine interfaces, and that the campaign included dozens of U.S. victims across water and wastewater; energy, food and beverage manufacturing; and healthcare and public health. The access vector was painfully familiar: public-facing control systems protected by factory-default passwords or no passwords at all.
We have also seen Iran use blunt-force disruption to create public pressure. In 2016, the Department of Justice announced charges against Iranian nationals tied to IRGC-affiliated entities for a coordinated distributed denial-of-service (DDoS) campaign that targeted U.S. financial institutions and for unauthorized access into a New York dam’s control systems. That case is a decade old, but its lesson is current: Iran does not need a perfect cyber …
0 Comments
0 Shares
44 Views
0 Reviews
