U.S. federal authorities have issued warnings regarding potential retaliatory actions by Iran on American soil, including sophisticated cyberattacks and physical threats from sleeper cells, affiliated groups, and lone sympathizers. These warnings follow ongoing offensive strikes by U.S. and Israeli forces against Iran, with a period of heightened alert beginning around February 28. Agencies note challenges within the U.S. counterterrorism system amidst these escalating concerns.
U.S. Federal Warnings and Threat Assessment
Federal counterterrorism authorities, including the FBI and Department of Homeland Security (DHS), have expressed heightened vigilance regarding potential Iranian retaliation. This increased alert level began around February 28, a date also associated with the start of "Operation Epic Fury." Warnings indicate that potential Iranian retaliation could involve sleeper cells, affiliated terrorist groups, lone wolf sympathizers, or targeted cyberattacks.
A DHS threat assessment conducted during President Biden’s term noted Iran's reliance on individuals with pre-existing access to the United States for surveillance and plotting.
The U.S. intelligence community has communicated warnings to private sector companies regarding Iranian cyber exploitation activities impacting critical infrastructure. These advisories come from multiple agencies, including the FBI, Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), and U.S. Cyber Command.
Cyber Threats and Attacks
Overview of Iranian Cyber Capabilities
Iran has significantly developed its offensive cyber capabilities and established connections with various hacking groups. Objectives of these operations include disrupting U.S. military support, increasing energy costs, straining cyber resources, and causing adverse impacts on American companies linked to the defense industry. Iran's cyber strategy, particularly through its proxies, is characterized by a focus on generating impact and disruption.
Key Targets and Methods
Pro-Iranian hacking groups have expanded their targeting from the Middle East into the United States. Future targets are anticipated to include U.S. defense contractors, government vendors, businesses collaborating with Israel, and critical infrastructure sectors such as hospitals, ports, water plants, power stations, and railways. In the Middle East, targets have included cameras for missile targeting, regional data centers, industrial facilities in Israel, a school in Saudi Arabia, and an airport in Kuwait.
Common attack methods include:
- Denial-of-service (DoS/DDoS) attacks: Overwhelming networks to prevent legitimate user access.
- Website defacements: Altering website content to disrupt communication.
- Hack-and-leak operations: Threatening to release stolen sensitive information.
These groups often target less well-secured systems in the United States, such as local water plants and healthcare facilities, due to perceived vulnerabilities.
Specific Cyber Incidents
Stryker Corporation
On or around February 28, a U.S. medical technology firm, Stryker, reported a cyberattack that caused a temporary "global network disruption." The hacking group Handala, identified as pro-Iranian and pro-Palestinian, claimed responsibility for the attack. Handala stated the attack was in response to alleged U.S. strikes resulting in Iranian schoolchildren's deaths. Cybersecurity analysts indicate Handala's primary objective is data destruction. Palo Alto Networks describes Handala as directly linked to Iran's Ministry of Intelligence and Security, primarily conducting operations against Israeli targets.
Amazon Web Services (AWS)
Iranian drone strikes reportedly damaged Amazon data centers in the UAE and caused infrastructure damage near a Bahraini facility. Amazon Web Services confirmed structural damage, power disruptions, and the need for fire suppression activities.
Rockwell Automation
Iran-affiliated advanced persistent threat (APT) actors have reportedly compromised internet-facing industrial control systems developed by Rockwell Automation, specifically Rockwell's Studio 5000 Logix Designer programmable logic controllers (PLCs), across several U.S. critical infrastructure sectors. This has led to operational disruption and financial loss for victims in sectors including government services, water and wastewater services, and energy.
U.S. Water Infrastructure (Past)
Tehran-affiliated groups have historically targeted U.S. water infrastructure. In late 2023, Iran-backed hackers operating under the pseudonym “CyberAv3nger” reportedly breached at least 75 devices, though no significant damage was publicly reported. In 2015, Iran-backed hackers accessed data related to Calpine Corp., a California power producer.
Los Angeles Metro
The Los Angeles Metro transit system experienced a partial network shutdown due to a hack. While the official culprit remains unclear, Iran-backed hackers are reportedly under investigation.
Polish Nuclear Research Facility
Polish authorities are investigating a recent cyberattack on a nuclear research facility for potential links to Iran.
Iranian Cyber Messaging and Threats
Iran's semi-official Tasnim News Agency, associated with the Islamic Revolutionary Guard Corps (IRGC), identified major U.S. tech companies as potential targets. A social media post listed Amazon, Microsoft, Palantir, and Oracle with the caption: "Enemy's technological infrastructure: Iran's new goals in the region," stating that "Iran's legitimate targets are gradually expanding" with the "expansion of regional war dimensions."
Separately, the IRGC issued a threat via Telegram against 18 U.S. technology companies with operations in the Middle East, advising employees to leave their workplaces. Companies cited included Nvidia, Apple, Microsoft, Alphabet, Cisco Systems, Intel, Oracle, Tesla, Boeing, and JPMorgan Chase.
U.S. Counter-Cyber Measures and Industry Response
On February 28, Iran’s internet connectivity significantly dropped. Joint Chiefs of Staff Chairman Gen. Dan Caine confirmed that U.S. Cyber Command was involved in "coordinated space and cyber operations" that disrupted Iranian communications and sensor networks.
Major U.S. firms, including Amazon, Google, Snap, and Nvidia, have reportedly implemented emergency protocols to protect personnel in the Middle East. Cybersecurity professionals emphasize the importance of maintaining strong cyber hygiene. The private sector, which owns approximately 85% of the nation's critical infrastructure, bears significant responsibility for defense against these threats.
Potential International Cyber Collaborations
Analysts are monitoring for the possibility of Russia, China, or their allied hacking groups providing cyber assistance to Iran. Evidence suggests pro-Iranian hackers in Russia have increased activity in support of Tehran since the conflict began, with the group Z-Pentest claiming responsibility for disrupting several U.S. networks. China has reportedly adopted a cautious stance regarding cyber assistance.
Physical Threats and Plots
Sleeper Cells and Cryptic Communications
Federal authorities detected cryptic messages broadcast globally on a new shortwave radio frequency days after the reported killing of Iranian Supreme Leader Ayatollah Ali Khamenei on February 28. The messages, which began with "Tavajjoh!" (Persian for "attention") and included a sequence of numbers, were described as "likely of Iranian origin" and potentially "an operational trigger" for "sleeper assets" in the U.S. While no specific credible threat has been found, local law enforcement was alerted.
Former head of counterterrorism for the Los Angeles police, Horace Frank, noted that "sleeper cells have always been a concern" regarding Iran and its proxies.
Past Assassination Attempts
Iran has reportedly attempted to hire assassins to target U.S. officials. Following a 2020 U.S. airstrike that killed Iranian Gen. Qassem Soleimani, Iran reportedly sought to target former Secretary of State Mike Pompeo and former National Security Advisor John Bolton.
Shahram Poursafi, a member of Iran’s Islamic Revolutionary Guard Corps (IRGC), was charged by the Department of Justice (DOJ) with attempting to hire individuals to assassinate Bolton between October 2021 and April 2022 for $300,000. Poursafi remains a fugitive. In 2024, Asif Raza Merchant was convicted for a murder-for-hire plot targeting former President Trump and others, and attempting to commit an act of terrorism. Merchant, recruited in Karachi in 2022 or early 2023, received training from the IRGC. In November 2024, the DOJ charged Farhad Shakeri, an Afghan national residing in Tehran, in a separate IRGC-tasked plot to assassinate former President Trump.
Threats from Proxies and Border Security Concerns
Counterterrorism experts note a threat from Iranian government-associated proxies such as Hezbollah and the Houthi movement. A Rand report indicated Hezbollah had a significant network in Latin America. Former police official Horace Frank mentioned proxies traditionally using California for financing.
In 2023, two Iranian nationals on a U.S. security watch list were apprehended at the Texas-Mexico border.
Customs & Border Patrol Commissioner Rodney Scott reported that "thousands of Iranian nationals have been documented entering the United States illegally" between 2022 and 2025.
Experts suggest Iranians with government ties may use fake identities, citing a document-forging hub unmasked in São Paulo.
U.S. Law Enforcement Preparedness
The Los Angeles Police Department (LAPD) has prepared for various threats since the September 11 attacks and maintains a "heightened level of awareness" regarding "lone wolves" who may be inspired by events in the Middle East. Southern California has a large population of Iranian descent, numbering over 700,000.
Domestic Terrorism Concerns
The U.S. is experiencing a heightened terrorism threat, with concerns about "lone actors" radicalized online. While not always directly attributed to Iran, international conflicts can act as "accelerants" for disaffected individuals.
- In New York City, federal authorities stated two men, reportedly inspired by the Islamic State, brought homemade bombs to a far-right protest.
- In Michigan, an individual rammed his vehicle into a synagogue and later died by suicide after being shot by security.
- In Virginia, a man previously imprisoned on a terrorism conviction reportedly yelled "Allahu akbar" before opening fire in a university classroom. Officials stated the shooter was killed by students.
- The 2015 San Bernardino attack, which killed 14 and injured over 30, involved individuals apparently inspired by jihadi propaganda.
- In Austin, Texas, an individual reportedly killed three and wounded 13 after Iranian leadership was targeted, with investigators examining a potential "nexus to terrorism."
U.S. Counterterrorism System Challenges
The heightened threat coincides with challenges within the U.S. counterterrorism system, particularly due to experienced national security professionals departing from the FBI and Justice Department. Retired senior FBI officials have commented on the significant loss of experience. The Justice Department's National Security Division has seen approximately half of its counterterrorism prosecutors and about a third of its senior leadership depart since the beginning of the Trump administration. Concerns have been expressed that these agencies may not be as capable as they were previously due to this loss of experienced personnel. The FBI stated its agents and staff are dedicated to defending the homeland.