How AI may have handed Iran’s proxies a map to US infra




BENGALURU: Within hours of US and Israeli strikes hitting Iran on Feb 28, over 50 hacktivist groups aligned with Iranian interests had activated on Telegram. Many possibly had no background in industrial control systems and no state direction. What they had was an internet connection and an AI tool that could hand them a working map of vulnerable US infrastructure. That combination — motivated actors, accessible AI, and a growing attack surface — is the central argument of a new report from cybersecurity firm CloudSEK.

CloudSEK’s lead researcher Ibrahim Saify told TOI the team began by mapping threat actors targeting industrial control systems: the energy grids, water plants, and traffic infrastructure that underpin national ecosystems. One group kept surfacing.


“We came across CyberAv3ngers,” Saifi says, adding: “Not all threat actor groups have a very complex TTP or are technically sophisticated. And yet they were using AI Large Language Models (LLMs), ChatGPT, for their reconnaissance phase.”

Decade of Escalation

The report traces Iranian cyber operations to 2012, when the Shamoon wiper destroyed 30,000 endpoints at Saudi Aramco, an operation requiring nation-state resources and industrial expertise. In 2017, the TRITON malware targeted safety systems at a Saudi petrochemical plant, the only malware confirmed to attack industrial safety instrumented systems. Both reflected years of capability building.

By late 2023 the pattern shifted. The Iranian group CyberAv3ngers began targeting Israel’s Unitronics programmable logic controllers. On Nov 25, 2023, they breached the Municipal Water Authority of Aliquippa, Pennsylvania using the default password “1111”, listed in manuals and prior CISA (Cybersecurity and Infrastructure Security Agency) advisories. CISA later confirmed breaches in 75 or more US industrial control system devices.

What AI Changed

In Oct 2024, OpenAI disclosed that CyberAv3ngers accounts had used ChatGPT during reconnaissance. Queries in its threat intelligence report sought default credentials for industrial routers, ways to scan networks for ICS devices, guidance on Modbus scripts, and methods to obfuscate post-compromise tools. OpenAI said the responses offered little beyond a standard web search. CloudSEK researchers argue the point is different.

“The significance is not that AI created new attack capabilities,” the report notes. “It is that AI eliminated the research phase.” A single session can produce the right Shodan query (search for internet-connected devices, services, and vulnerabilities using filters), confirm default credentials, and explain unfamiliar protocols, compressing weeks of background work into minutes.

To illustrate this, CloudSEK replicated the CyberAv3ngers approach as a passive exercise. Using AI-generated Shodan queries, researchers located live industrial systems in the US. “Submitting one public URL to an AI system produced a threat profile: a Siemens SIMATIC CP 343-1 device, operating in RUN mode, not locked, with accessible management pages and a plain-language explanation of potential attacker actions,” as per the report. Another device found was a Schneider Electric power meter with an unauthenticated interface.

The Threat Pool

The current conflict has triggered the largest single activation of Iranian-aligned cyber actors on record, according to Palo Alto’s Unit 42, which assessed a Telegram mobilisation on March 2.

At the top are established state-linked groups such as APT33, known for password-spray attacks on US energy firms, MuddyWater, active with updated tools, and APT34, believed to be quietly pre-positioning in energy and finance networks.

“Below them are groups like Handala Hack Team, linked to Iran’s MOIS and known for wipers, ransomware, and supply-chain intrusions. At the bottom are more than 60 newly activated groups since Feb 28, often less skilled and more likely to rely on AI assistance,” the report said.

The Attack Surface

The report cites data from ReliaQuest showing that OT and ICS internet exposure rose 35% year-over-year in the first half of 2025. Unitronics port 20256 exposure specifically surged 160% over the same period — despite two years of CISA advisories explicitly naming that port and that vendor following the Aliquippa attack. The advisories exist. The exposure grew anyway.

The attack that hit Aliquippa can possibly be scripted in under 50 lines of Python: pull a list of Unitronics devices on port 20256 from a Shodan query, attempt the default credential, log results. One operator, no industrial knowledge, many simultaneous targets.


