NTAS Bulletin Warns of Increasing Cyber and Terror Threats to U.S. Critical Infrastructure from Iran-Linked Hackers

Heightened Threat Environment: DHS Warns of Cyberattacks Amid Iran Conflict

On Sunday, the U.S. Department of Homeland Security (DHS) issued a National Terrorism Advisory System (NTAS) bulletin, highlighting an escalating threat environment within the United States fueled by the ongoing conflict with Iran. The bulletin emphasizes the potential for pro-Iranian hacktivists to launch low-level cyberattacks against U.S. networks, while state-affiliated cyber operators may attempt more targeted intrusions.

The Nature of the Threat

The NTAS bulletin underscores Iran’s longstanding intent to retaliate against U.S. government officials for the January 2020 killing of Qassem Soleimani, a top Iranian military commander. DHS warns that the threat of violence from domestic extremists could intensify, especially if Iranian leadership issues a religious decree urging attacks on U.S. soil. Recent domestic terror incidents driven by anti-Semitic and anti-Israel sentiment further underscore the risk of additional plots sparked by the Israel-Iran conflict.

Iran has publicly condemned U.S. involvement in the conflict and continues to direct cyber and physical threats toward U.S. interests. Both pro-Iranian hacktivists and state-affiliated cyber actors frequently target poorly secured American networks and Internet-connected devices, aiming for disruptive attacks. Since 2020, U.S. law enforcement has disrupted multiple potentially lethal Iranian-backed plots on U.S. soil, while Iranian operatives have attempted, albeit unsuccessfully, to carry out attacks against regime critics based in the U.S.

The Role of Domestic Extremism

The NTAS bulletin warns that if Iranian leadership were to issue a religious ruling calling for retaliatory violence against specific targets in the U.S., it could inspire supporters of the Iranian regime to commit acts of violence domestically. The bulletin also notes that foreign terrorist organizations (FTOs) such as HAMAS, Lebanese Hizballah, and the Houthis have released media calling for violence against U.S. assets and personnel in the Middle East due to Israel’s actions. This conflict could motivate violent extremists and hate crime perpetrators to attack targets perceived to be Jewish, pro-Israel, or linked to the U.S. government or military.

Cyberattacks as a Strategic Tool

Theresa Payton, former White House chief information officer and CEO of Fortalice Solutions, emphasized that Iran may resort to cyberattacks as it becomes increasingly desperate. She noted that everything is on the table for Iran, especially if they are running low on traditional weaponry. Payton suggested that Iran could target a range of entities, from everyday citizens to U.S. elected officials and critical infrastructure.

Brian Harrell, former assistant secretary for infrastructure protection at DHS, echoed these sentiments, stating that Iranian Advanced Persistent Threats (APTs) and the Islamic Revolutionary Guard Corps (IRGC) often employ Distributed Denial of Service (DDoS) attacks against soft targets. These attacks typically focus on strategically relevant sectors such as water, energy, and telecommunications. Harrell also pointed out that Iran’s cyber capabilities have evolved since the infamous “Shamoon” attacks on oil companies.

The Broader Implications

Joe Slowik, a threat intelligence leader at Dataminr, cautioned against fear-mongering surrounding Iran’s capabilities. He noted that while the narrative of Iran being positioned to wreak havoc on critical infrastructure makes for compelling headlines, it often overshadows the need for actionable intelligence for those operating critical national infrastructure. Slowik emphasized the importance of informing asset owners and operators rather than merely generating sensational soundbites.

The Office of the Director of National Intelligence (ODNI) 2025 Threat Assessment report identified Iran’s growing expertise and willingness to conduct aggressive cyber operations as a significant threat to U.S. networks and data. The guidance from Iranian leaders has incentivized cyber actors to develop more aggressive capabilities for conducting cyberattacks.

Public Safety and Preparedness

In light of these threats, the NTAS bulletin includes guidance and resources aimed at helping the public stay alert and safe. It encourages individuals to follow instructions from local authorities and public safety officials. The Cybersecurity and Infrastructure Security Agency (CISA) provides best practices for defending U.S. networks against cyber threats.

Additionally, the bulletin highlights the Nationwide Suspicious Activity Reporting Initiative, a collaborative effort by DHS, the FBI, and law enforcement to identify and report signs of terrorism and related criminal activity. The public is urged to report any suspicious behavior or threats of violence, including online threats, to local law enforcement, FBI field offices, or Fusion Centers.

Conclusion

DHS’s NTAS bulletin serves as a crucial reminder of the evolving threat landscape posed by Iran and its affiliates. As tensions escalate, the potential for cyberattacks and domestic extremism increases, necessitating vigilance and preparedness from both authorities and the public. By staying informed and proactive, individuals can contribute to a safer environment in the face of these emerging threats.