How AI may have handed Iran’s proxies a map to US infra – The Times of India

Published 2026-03-10

BENGALURU: Within hours of US and Israeli strikes hitting Iran on Feb 28, over 50 hacktivist groups aligned with Iranian interests had activated on Telegram. Many possibly had no background in industrial control systems and no state direction. What they had was an internet connection and an AI tool that could hand them a working map of vulnerable US infrastructure. That combination — motivated actors, accessible AI, and a growing attack surface — is the central argument of a new report from cybersecurity firm CloudSEK.

CloudSEK’s lead researcher Ibrahim Saify told TOI the team began by mapping threat actors targeting industrial control systems: the energy grids, water plants, and traffic infrastructure that underpin national ecosystems. One group kept surfacing.

“We came across CyberAv3ngers,” Saifi says, adding: “Not all threat actor groups have a very complex TTP or are technically sophisticated. And yet they were using AI Large Language Models (LLMs), ChatGPT, for their reconnaissance phase.”

Decade of Escalation

The report traces Iranian cyber operations to 2012, when the Shamoon wiper destroyed 30,000 endpoints at Saudi Aramco, an operation requiring nation-state resources and industrial expertise. In 2017, the TRITON malware targeted safety systems at a Saudi petrochemical plant, the only malware confirmed to attack industrial safety instrumented systems. Both reflected years of capability building.

By late 2023 the pattern shifted. The Iranian group CyberAv3ngers began targeting Israeli-made Unitronics programmable logic controllers. On Nov 25, 2023, they breached the Municipal Water Authority of Aliquippa, Pennsylvania, using the default password “1111”, which is listed in manuals and in prior CISA (Cybersecurity and Infrastructure Security Agency) advisories. CISA later confirmed breaches in 75 or more US industrial control system devices.

What AI Changed

In Oct 2024, OpenAI disclosed that CyberAv3ngers accounts had used ChatGPT during reconnaissance. Queries cited in its threat intelligence report sought default credentials for industrial routers, ways to scan networks for ICS devices, guidance on Modbus scripts, and methods to obfuscate post-compromise tools. OpenAI said the responses offered little beyond a standard web search. CloudSEK researchers argue the point is different.

“The significance is not that AI created new attack capabilities,” the report notes. “It is that AI eliminated the research phase.” A single session can produce the right Shodan query (Shodan is a search engine for internet-connected devices, services, and vulnerabilities, queried using filters), confirm default credentials, and explain unfamiliar protocols, compressing weeks of background work into minutes.

To illustrate this, CloudSEK replicated the CyberAv3ngers approach as a passive exercise. Using AI-generated Shodan queries, researchers located live industrial systems in the US. “Submitting one public URL to an AI system produced a threat profile: a Siemens SIMATIC CP 343-1 device, operating in RUN mode, not locked, with accessible management pages and a plain-language explanation of potential attacker actions,” the report says. Another device found was a Schneider Electric power meter with an unauthenticated interface.

The Threat Pool

The current conflict has triggered the largest single activation of Iranian-aligned cyber actors on record, according to Palo Alto Networks’ Unit 42, which assessed a Telegram mobilisation on March 2.

At the top are established state-linked groups such as APT33, known for password-spray attacks on US energy firms; MuddyWater, active with updated tools; and APT34, believed to be quietly pre-positioning in energy and finance networks.

“Below them are groups like Handala Hack Team, linked to Iran’s MOIS and known for wipers, ransomware, and supply-chain intrusions. At the bottom are more than 60 newly activated groups since Feb 28, often less skilled and more likely to rely on AI assistance,” the report said.

The Attack Surface

The report cites data from ReliaQuest showing that OT and ICS internet exposure rose 35% year-over-year in the first half of 2025. Unitronics port 20256 exposure specifically surged 160% over the same period — despite two years of CISA advisories explicitly naming that port and that vendor following the Aliquippa attack. The advisories exist. The exposure grew anyway.

The attack that hit Aliquippa can possibly be scripted in under 50 lines of Python: pull a list of Unitronics devices on port 20256 from a Shodan query, attempt the default credential, log results. One operator, no industrial knowledge, many simultaneous targets.

Source link: https://timesofindia.indiatimes.com/world/middle-east/how-ai-may-have-handed-irans-proxies-a-map-to-us-infra/articleshow/129414081.cms