Five days ago, I wrote that the U.S. strikes on Iran put every American enterprise on the battlefield. I said cyber retaliation was "virtually guaranteed." I outlined the threat actors, the attack methods, and the sectors most at risk. Three days ago, I wrote about why healthcare couldn't go dark as Iranian proxy groups launched DDoS and wiper attacks against U.S. and Israeli targets.
Those posts were warnings. This one is confirmation.
The Symantec Threat Hunter Team published findings this week revealing that Seedworm, the Iranian APT group also known as MuddyWater, has been active on the networks of a U.S. bank, a U.S. airport, and a U.S. software company that supplies defense and aerospace industries. The software company has operations in Israel, which appears to be the primary target. Two additional organizations, a Canadian non-profit and a U.S. non-profit, were also compromised.
Here's the detail that should stop every security leader in their tracks: Seedworm's activity on these networks began in February 2026. Before the strikes on February 28. Before Operation Epic Fury. Before Iran's internet dropped to 1-4%.
They were already inside.
This Is Personal
I need to disclose something that makes this story hit differently for me. American Banker reported that from 2011 to 2013, Iran conducted Operation Ababil, a sustained DDoS campaign that targeted 46 major U.S. financial institutions. The attacks generated 140 gigabits of garbage data per second, knocked hundreds of thousands of customers off online banking, and caused tens of millions of dollars in remediation costs. Seven Iranian nationals were indicted in 2016.
One of those 46 targets was Capital One.
I work at Capital One Software, building data protection products with Databolt. When I wrote five days ago that Iranian cyber retaliation was coming, I wasn't writing as a detached analyst. I was writing as someone whose employer has been in Iranian crosshairs before. And now Symantec has confirmed that a different Iranian intelligence unit is inside a U.S. bank's network right now.
The Most Hardened Targets in America
Think about what it means that Iran's intelligence service penetrated a U.S. bank.
Banks are the most heavily regulated cybersecurity entities in the United States. They operate under OCC examination requirements, FFIEC cybersecurity assessments, SOX compliance, PCI DSS, and state-level regulations. They run 24/7 security operations centers. They spend more per employee on cybersecurity than virtually any other industry. They participate in FS-ISAC threat sharing. They employ red teams, run tabletop exercises, and undergo annual penetration testing by third-party firms.
And Seedworm got in anyway.
Not after the strikes, when you might expect a hastily assembled offensive. Before the strikes, during what should have been peacetime monitoring. Using a previously unknown backdoor called Dindoor that leverages the Deno JavaScript runtime for execution. Signed with a certificate issued to "Amy Cherne." Alongside a separate Python-based backdoor called Fakeset found on the airport and nonprofit networks, signed by certificates linked to known MuddyWater malware families.
This wasn't opportunistic. This was pre-positioned.
CISA, the FBI, and the UK's National Cyber Security Centre have all attributed Seedworm to Iran's Ministry of Intelligence and Security. The Register reported that the group has been conducting campaigns on behalf of Iranian intelligence since approximately 2018. The tools found on these networks, including Rclone configured for data exfiltration to Wasabi cloud storage, indicate that the objective wasn't just access. It was extraction.
The IED Parallel
In Navy EOD, when you find one improvised explosive device on a route, you don't breathe a sigh of relief and keep driving. You stop. You reassess. You assume the route has more devices you haven't found yet, because the bomb maker who placed one almost certainly placed others.
Symantec found Seedworm on five networks. Five organizations where the investigation happened to look. The question that should keep every CISO awake tonight isn't "are those five organizations safe now?" It's: how many networks is Seedworm on where nobody has looked?
Banks, airports, defense suppliers, nonprofits. The target selection isn't random; it maps directly to Iran's strategic intelligence priorities. Financial system disruption. Transportation infrastructure. Defense supply chain penetration. And the nonprofit compromises suggest either intelligence collection on diaspora communities or lateral access to connected networks.
The targeting of small and mid-size businesses I wrote about previously takes on new urgency here. The compromised software company supplies defense and aerospace industries. That's not just one company breached; it's a potential doorway into every organization in its customer base.
The Silence Is Deafening
Here's what makes this worse. American Banker explicitly noted that the Department of Homeland Security has not issued a formal alert regarding Operation Epic Fury's cybersecurity impact on critical infrastructure. CNBC reported that CISA, the agency specifically chartered to coordinate private-sector cyber defense, is "stretched thin" as the Iran hacking threat escalates.
Meanwhile, there's a bizarre contradiction playing out in the intelligence community. Recorded Future has stated it has "not observed any targeting of U.S. government agencies or private sector critical infrastructure" attributable to Iranian threat actors. Symantec, simultaneously, has published confirmed evidence of an Iranian MOIS unit on the networks of a U.S. bank, a U.S. airport, and a U.S. defense supplier.
These cannot both be true at the same time.
Either we have a definitional disagreement about what constitutes "targeting," or we have a fragmented intelligence-sharing ecosystem where confirmed compromises aren't reaching the analysts who need to see them. Neither explanation is comforting. And Secretary Noem's statement that she is "in direct coordination with our federal intelligence and law enforcement partners" rings hollow when the coordinating agency is operating at reduced capacity and the department hasn't issued a public alert.
The 60+ Groups Are the Noise. Seedworm Is the Signal.
Unit 42 reported that 60-plus hacktivist groups were active as of March 2, many operating through an "Electronic Operations Room" formed the day of the strikes. DieNet claimed attacks on U.S. energy, financial, healthcare, government, transit, and communication systems. Cyber Islamic Resistance launched DDoS operations. FAD Team claimed SCADA access in Israel.
Most of that is noise. DDoS attacks and website defacements are disruptive but recoverable. They generate headlines and serve Iran's psychological operations goals, but they don't represent the existential threat to American institutions.
Seedworm is the signal.
A state intelligence service pre-positioning backdoors on critical infrastructure networks, using previously unknown malware, with data exfiltration tools already configured. That's not hacktivism. That's espionage infrastructure being built for a campaign that hasn't fully materialized yet.
CSIS analyst Jiwon Lim described the dynamic precisely: Iranian proxy groups operate "under a smokescreen of hacktivism while mirroring" advanced persistent threat tactics. The 60 hacktivist groups provide cover. The real operations happen underneath.
And here's the detail that most coverage is missing: pro-Russian groups including NoName057(16) and Russian Legion are operating alongside Iranian hacktivists. Cardinal, a pro-Russian group operating independently, claimed IDF network infiltration. This Russia-Iran cyber convergence is a force multiplier that changes the threat calculus entirely, and almost nobody is talking about it.
This Is the Opening Phase
Iran's internet is at 1-4%. Its conventional military capability has been degraded. And yet its cyber operations abroad are accelerating.
Fortune reported that Iranian actors are using locally deployed open-source AI models, including Meta's Llama and DeepSeek, for intelligence gathering, phishing message creation, and tool development. Leeron Walter of Teramind described these models as having "no kill switch, no logging, no terms of service." Google confirmed Iranian hackers have used Gemini AI for similar purposes.
The intersection of degraded domestic internet and locally deployed AI models that don't require connectivity is something analysts aren't examining closely enough. Iran's hackers may be more capable offline than anyone assumes.
History tells us the most dangerous Iranian cyber operations arrive weeks to months after the triggering event, not in the first 72 hours. Operation Ababil was a sustained campaign over two years. The current hacktivist surge is the opening phase. The Seedworm pre-positioning suggests the infrastructure for a longer campaign is already in place.
What to Do Right Now
If you're running security for any organization, not just financial services, here's what this week's revelations demand:
1. Hunt for Seedworm indicators. Symantec published specific indicators of compromise. Look for the Dindoor backdoor leveraging Deno runtime. Look for Fakeset, the Python backdoor signed by certificates issued to "Amy Cherne" and "Donald Gay." Look for unauthorized Rclone configurations pointing to Wasabi cloud storage. Look for PDQ remote access tool deployments your team didn't authorize.
2. Audit every internet-facing system. The Fortinet SAML SSO bypasses I wrote about earlier this year demonstrated how perimeter devices become entry points. Iranian operators specifically hunt for internet-facing systems with known vulnerabilities. If you have VPN appliances, PLCs, or remote access tools exposed to the internet with default credentials or unpatched firmware, assume compromise.
3. Examine your defense supply chain connections. If you're a supplier to defense or aerospace, or if you use software from companies with Israeli operations, the Seedworm targeting pattern puts you in scope. Audit every third-party VPN connection and API integration into your network.
4. Protect the data itself. When a state intelligence service is pre-positioning inside your network with exfiltration tools already configured, your perimeter has already failed. As I've written about in the context of ransomware exfiltration, the only defense that survives a breach is data that was never stored in a usable format. Tokenize sensitive data at the field level. Make the exfiltration worthless even when the access succeeds.
5. Don't wait for the government alert. DHS hasn't issued one. CISA is stretched thin. The intelligence community can't agree on whether targeting is happening. You have Symantec's published research, Unit 42's threat brief, and Sophos's elevated threat assessment. Act on what's confirmed, not on what the government has gotten around to announcing.
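A small hunting helper for the indicators named in step 1, added here as an example and not code from the post or from Symantec: it flags rclone remotes that point at Wasabi storage and process-creation events that ran the Deno runtime or Rclone, or a binary signed under one of the certificate subjects named in the report. The JSON-lines event format, its field names (host, image, signer) and the sample inputs are assumptions.

```python
import configparser
import json
import re

# Certificate subjects named in the Symantec report as signers of Dindoor / Fakeset.
SUSPECT_SIGNERS = {"amy cherne", "donald gay"}
# Tooling named in the report: the Deno runtime and Rclone (image names, case-insensitive).
SUSPECT_IMAGES = re.compile(r"(^|[\\/])(deno|rclone)(\.exe)?$", re.I)

def find_wasabi_remotes(rclone_conf: str) -> list[str]:
    """Names of rclone remotes that point at Wasabi cloud storage."""
    cp = configparser.ConfigParser()
    cp.read_string(rclone_conf)
    hits = []
    for name in cp.sections():
        sec = cp[name]
        # Strip scheme and path so only the endpoint host is compared.
        host = sec.get("endpoint", "").split("//")[-1].split("/")[0].lower()
        if sec.get("provider", "").lower() == "wasabi" or host.endswith("wasabisys.com"):
            hits.append(name)
    return hits

def flag_process_events(jsonl: str) -> list[dict]:
    """Flag process-creation events (one JSON object per line) with suspect tooling or signer."""
    flagged = []
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        image, signer = ev.get("image") or "", ev.get("signer") or ""
        reasons = []
        if SUSPECT_IMAGES.search(image):
            reasons.append("suspect tool: " + image)
        if signer.strip().lower() in SUSPECT_SIGNERS:
            reasons.append("suspect signer: " + signer)
        if reasons:
            flagged.append({"host": ev.get("host"), "reasons": reasons})
    return flagged

# Constructed sample inputs (assumed schema), not real artifacts from any victim network.
SAMPLE_RCLONE_CONF = """\
[backup]
type = s3
provider = AWS
[exfil]
type = s3
provider = Wasabi
endpoint = https://s3.us-east-1.wasabisys.com
"""
SAMPLE_EVENTS = r"""
{"host": "ws-101", "image": "C:\\Windows\\System32\\svchost.exe", "signer": "Microsoft Windows"}
{"host": "ws-102", "image": "C:\\Users\\Public\\deno.exe", "signer": "Amy Cherne"}
{"host": "srv-07", "image": "C:\\ProgramData\\rclone.exe", "signer": ""}
"""
```

Point `find_wasabi_remotes` at the contents of each rclone.conf found on a host and `flag_process_events` at an EDR process-creation export; a hit is a starting point for investigation, not proof of compromise on its own.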
The Warning Became the Headline
Five days ago, I wrote that Iranian cyber retaliation against American enterprises was virtually guaranteed. That CISA was running at 38% capacity. That your perimeter was never designed for state-sponsored adversaries. That the only question was whether your data was protected at the level that matters.
Now Symantec has confirmed that Iran's intelligence service was already inside a U.S. bank before the first missile launched. The most regulated, most hardened, most resourced cybersecurity targets in America, and they were already compromised.
In EOD, we had another saying beyond "the bomb doesn't care about your rank": when the first device detonates, the second one is already armed. Seedworm didn't start building access after the strikes. They built it before, because they knew what was coming. And the five networks Symantec found are almost certainly not the only ones.
The question is no longer whether Iran will retaliate in cyberspace. They already have. The question is whether you'll find them on your network before they finish what they came to do.