AI Allowing Iran and Cybercriminals to Scale Massive Attacks

The speed and scope of the attacks, which includes new U.S. infrastructure targets, present ongoing challenges.

[Image: Iran Cyber. Credit: Mirsad Sarajlic]

Thanks to revolutionary advances in Artificial Intelligence (AI), what used to require a team of elite hackers can be accomplished by one person at an industrial scale. Worse, a group of bad actors can start a war.

The result is that cybercrime is no longer just a technical problem; it’s an economic and national security issue.

Look no further than Iran. The world’s leading sponsor of terrorism has been able to proliferate not one, but three shadow banking networks to launder billions in illegal oil sales to support its current war effort. According to FinCEN, or the Treasury Department’s Financial Crimes Enforcement Network, $9 billion in suspicious activity was identified in 2024 alone.

More recently, the Treasury Department announced that it has designated several Iranian foreign currency exchange houses, and their associated front companies, as part of President Trump’s “Operation Economic Fury,” a presidential initiative targeting the regime’s financial lifelines.

In short, the scam worked like this: fraudulent front companies helped launder illicit oil revenues using falsified trade and banking documents, as well as cryptocurrency, to then fund Iran’s military capabilities, including missiles, drone or UAV weaponry, and allied proxies.

In this context, AI can serve as a force multiplier. Microsoft and Google have already warned about state actors using AI to scale phishing, spying, malicious coding, and other adversarial activities designed to bypass safeguards. AI can also help evade U.S. sanctions through speed and adaptation, such as scaling fake-but-believable invoices, payment explanations, shipping documents, banking records, compliance paperwork, and more.

Smooth Criminals

Whether a nation or an individual, what AI has done is turn cybercrime into an automated process. This can include automating the appearance of everyday business to prop up a fraudulent banking system, but it also includes automating the offensive attack capabilities that AI puts within reach.

Take phishing, for example. Phishing is when cybercriminals pose as a legitimate person or organization to trick someone into giving away their personal information. It used to be obvious, with ridiculous typos and strange wording. Not anymore. With AI, phishing emails and text messages are not only automated with perfect grammar, but they can draw on websites, social media, and LinkedIn to deliver an email in your boss’s voice at scale.

The possibilities aren’t just endless, they are dangerous. AI offers both foreign enemies and armchair hackers the ability to create and scale “deepfakes” and voice cloning that can result in 30-60 seconds of real-time phone audio that can trick even the savviest of professionals. A finance employee receives a call from an AI persona impersonating his CEO, who says, “We need to move funds now, and confidentially.” Millions of dollars have been stolen this way.

The scariest part is that AI isn’t just successfully hacking machines, it’s hacking people. AI has made cybercrime more powerful and more scalable, and that’s why we are seeing it explode globally.

The following comments offer additional perspective on the topics discussed above by ConnectSecure's Arnie Bellini.

Elad Ezrahi, VP Research, KELA Group:

  • Because Iranian cyber operators often "moonlight" for personal gain through front companies, industrial firms face an attribution nightmare. Paying a ransom to a seemingly independent criminal can inadvertently violate OFAC sanctions due to the actor's hidden ties to the IRGC, leading to severe legal and financial penalties for the victim organization.
  • Professionalized Iranian RaaS platforms, such as Pay2Key.I2P, are actively recruiting affiliates with a "geopolitical bounty". They offer an increased profit share, rising from 70 percent to 80 percent, for successful strikes against designated "enemies," which heightens the risk for U.S. and Israeli industrial firms involved in sensitive or high-value production.
  • Industrial defenders face the threat of "pseudo-ransomware" where encryption is a smokescreen for permanent data destruction and operational sabotage. These attacks prioritize Iran’s objectives of halted production line chaos over actual financial collection, complicating incident response and recovery.
  • Groups acting as Iranian proxies, such as Handala, are moving beyond data theft to direct psychological intimidation of the industrial workforce. A March 2026 campaign targeting a major defense contractor involved leaking the personal details of 28 senior engineers and issuing a 48-hour deadline to cease operations or face personal retribution, representing a significant escalation in supply chain threats.

SonicWall:

Data shows Iran-backed cyber activity actively targeting the systems that keep the lights on and the water running. Three of the top seven attack signatures identified by SonicWall targeted energy generation and management, matching the Islamic Revolutionary Guard Corps’ documented shift toward U.S. energy infrastructure as confirmed in a joint FBI/CISA/NSA advisory.

Two energy companies appear in both the top attack signatures and the 10-day daily trend totals, with one hitting 118 firewalls and the other accumulating over 12,500 total attack hits across the period. BACnet traffic reached 4.1 billion hits across SonicWall firewalls. BACnet is the primary protocol for building automation in government facilities and critical infrastructure — the exact expansion target officials confirmed Iran-linked actors have moved into beyond water and wastewater systems.