Iran-affiliated Advanced Persistent Threat (APT) actors and pro-Iran hacktivists historically increase attacks against adversaries during periods of heightened geopolitical tensions, such as the recent military operations in the Middle East.
Based on current events, an uptick in Iranian APT activity is likely. For example, according to TSA, a category II U.S. commercial airport reported two brute force attacks targeting its login portal on February 27 and March 2, 2026. The airport successfully detected, responded to, and mitigated both attacks, and suffered no known operational disruption or loss of data. The attacks targeted the local municipality’s IT enterprise network, which hosts airport IT/OT infrastructure.
The first attack, on February 27, involved more than 40,000 unauthorized login attempts using at least 393 active and deactivated accounts. The airport's investigation determined the attack originated from Iran-based IP addresses. The second attack, on March 2, followed a similar pattern but appeared to originate from United Arab Emirates-based IP addresses. In each event, responders updated firewall geo-blocking configurations, locked accounts with excessive logins, reviewed authentication logs to determine exposure, and verified no breach and no loss of data.
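The authentication-log review described above can be expressed as code. This added example is not from the advisory or the airport; the log format, IP addresses (documentation ranges), account names and thresholds are constructed assumptions, and the sample data does not represent the reported incidents.

```python
from collections import defaultdict

# Constructed sample records (timestamp, source IP, account, result); the
# log format, IPs (documentation ranges) and account names are assumptions.
SAMPLE_LOG = """\
2026-02-27T03:10:01Z 203.0.113.7 jsmith FAIL
2026-02-27T03:10:02Z 203.0.113.7 old_contractor FAIL
2026-02-27T03:10:03Z 203.0.113.7 mlee FAIL
2026-02-27T03:10:04Z 203.0.113.7 mlee FAIL
2026-02-27T03:10:05Z 203.0.113.7 mlee OK
2026-02-27T03:11:00Z 198.51.100.20 akhan FAIL
2026-02-27T03:11:30Z 198.51.100.20 akhan OK
"""
DEACTIVATED = {"old_contractor"}  # constructed: accounts disabled in the directory


def review_auth_log(text, deactivated, min_accounts=3, lock_after=2):
    """Summarise brute-force indicators from authentication records."""
    fails_by_ip = defaultdict(set)      # source IP -> accounts it failed against
    fails_by_acct = defaultdict(int)    # account -> failed attempt count
    ok_events = []                      # (ip, account) successful logins
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                    # skip malformed records
        _, ip, acct, result = parts
        if result == "FAIL":
            fails_by_ip[ip].add(acct)
            fails_by_acct[acct] += 1
        elif result == "OK":
            ok_events.append((ip, acct))
    # A source failing against many distinct accounts is spraying, not a typo.
    suspects = {ip for ip, accts in fails_by_ip.items() if len(accts) >= min_accounts}
    return {
        "suspect_ips": sorted(suspects),
        # Accounts with excessive failed logins: candidates for locking.
        "lock": sorted(a for a, n in fails_by_acct.items() if n >= lock_after),
        # Attempts on disabled accounts suggest a stale or leaked user list.
        "deactivated_hit": sorted(a for a in fails_by_acct if a in deactivated),
        # Any success from a suspect source means possible exposure.
        "exposure": sorted({(ip, a) for ip, a in ok_events if ip in suspects}),
    }


if __name__ == "__main__":
    for key, value in review_auth_log(SAMPLE_LOG, DEACTIVATED).items():
        print(key, value)
```

An empty `exposure` list corresponds to the "no breach" finding; any entry there identifies an account whose session activity and credentials need immediate review.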
NATA members are urged to consider key security measures to mitigate risk: 1) heighten employee awareness of evolving social engineering techniques; 2) offer recurring phishing training and simulations; 3) verify up-to-date patches for enterprise systems and assets; and 4) implement robust password complexity and reset requirements for devices, systems, and services throughout the enterprise information environment.