
Iranian hackers breach US bank, airport, and defense supplier following US-Israel Attacks

  • Marijan Hassan - Tech Journalist
  • 3 hours ago
  • 2 min read

In a major escalation of the digital conflict following recent U.S.-Israeli strikes on Tehran, security researchers from Broadcom’s Symantec and Carbon Black revealed last week that the Iranian state-sponsored group MuddyWater (also known as Seedworm) has successfully backdoored several high-value U.S. targets.



The group, which operates as an arm of Iran’s Ministry of Intelligence and Security (MOIS), reportedly established its presence in the networks of a U.S. bank, a U.S. airport, and a major defense software supplier weeks before kinetic hostilities began.


The ‘Dindoor’ breakthrough

The primary tool used in these breaches is a previously unknown backdoor dubbed Dindoor. Unlike standard malware, Dindoor leverages Deno, a secure runtime for JavaScript and TypeScript, allowing the hackers to execute commands while bypassing many traditional security alerts.


The software company, a critical supplier to the aerospace and defense industries, was reportedly breached via its Israeli operations. This gives the hackers a potential "stepping stone" into broader Western military logistics networks.


Additionally, researchers noted that the intrusions began in early February 2026 and have continued through recent days. The hackers were observed attempting to exfiltrate data to Wasabi cloud storage using the open-source tool Rclone.


To evade detection, the Dindoor backdoor was digitally signed with a stolen or fraudulent certificate issued to an individual named "Amy Cherne."


Beyond the backdoor: ‘Fakeset’ and physical risk

In addition to the financial and software targets, a second Python-based backdoor called Fakeset was discovered on the network of a U.S. airport.


While no flights have been grounded yet, security analysts warn that a persistent presence in airport networks could disrupt passenger processing systems, baggage handling, or cargo logistics.


Retaliatory timing

Symantec believes these operations were accelerated following the death of Supreme Leader Ayatollah Ali Khamenei on March 1. The goal appears to be "political signaling": sending a message that U.S. critical infrastructure is within Iran’s reach.


Cross-regional support

Reports indicate that Iran is not acting alone; approximately 60 threat groups, including those aligned with Russia, have formed a loose coalition to target U.S. entities in response to the bombing campaign.


The FBI and Homeland Security respond

The Department of Homeland Security and the FBI have shifted to a state of high alert, urging critical infrastructure providers to assume they are already compromised.


  • Zero Trust Mandate: Organizations are being advised to implement "phishing-resistant" multi-factor authentication (MFA) and to rigorously monitor for password spraying - a common Iranian tactic for gaining initial entry.

  • OT vulnerability: Experts warn that Iranian hackers frequently target operational technology (OT), such as HVAC and water systems in hospitals, which are often less protected than standard IT networks.
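The password-spraying monitoring advised above, as an added example that is not part of the article or of Symantec's reporting: a small detector over constructed authentication-log lines that flags a source failing against many distinct accounts inside a short window, tells that pattern apart from single-account brute force, and notes whether the same source also logged in successfully. The log format, thresholds and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real incident):
# "<ISO timestamp> <OK|FAIL> user=<account> src=<source ip>"
SAMPLE_LOG = """\
2026-02-03T08:00:01 FAIL user=alice src=203.0.113.7
2026-02-03T08:00:04 FAIL user=bob src=203.0.113.7
2026-02-03T08:00:09 FAIL user=carol src=203.0.113.7
2026-02-03T08:00:15 FAIL user=dave src=203.0.113.7
2026-02-03T08:00:27 OK user=frank src=203.0.113.7
2026-02-03T08:05:00 FAIL user=alice src=198.51.100.9
2026-02-03T08:05:03 FAIL user=alice src=198.51.100.9
2026-02-03T08:05:06 FAIL user=alice src=198.51.100.9
2026-02-03T08:05:09 FAIL user=alice src=198.51.100.9
2026-02-03T09:30:00 FAIL user=gina src=192.0.2.44
"""


def detect_spraying(log_text, window=timedelta(minutes=5),
                    min_accounts=4, min_attempts=4):
    # password_spray: >= min_accounts distinct accounts fail from one source
    # inside `window`; brute_force: >= min_attempts failures against fewer.
    failures = defaultdict(list)   # src -> [(timestamp, account), ...]
    succeeded = defaultdict(set)   # src -> accounts that logged in OK
    for line in log_text.splitlines():
        ts, result, user, src = line.split()
        user, src = user.split("=", 1)[1], src.split("=", 1)[1]
        if result == "FAIL":
            failures[src].append((datetime.fromisoformat(ts), user))
        else:
            succeeded[src].add(user)

    findings = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            attempts = events[start:end + 1]
            accounts = {acct for _, acct in attempts}
            if len(accounts) >= min_accounts:
                kind = "password_spray"
            elif len(attempts) >= min_attempts:
                kind = "brute_force"
            else:
                continue
            # A success from a spraying source suggests one guess landed.
            findings[src] = {"kind": kind, "accounts": len(accounts),
                             "attempts": len(attempts),
                             "also_succeeded": bool(succeeded.get(src))}
            break
    return findings
```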


"The cyber war didn't start when the bombs dropped. It was well underway in February," said a Symantec threat researcher. "MuddyWater was already sitting on these networks for weeks, waiting for the signal to activate."
