03/06/2026 / By Cassie B.

A stealthy cyber invasion is underway, with Iranian state-backed hackers now confirmed to be lurking inside the networks of critical American and Canadian organizations. As military tensions between the U.S. and Iran reach a boiling point, cybersecurity researchers revealed this week that the advanced threat group Seedworm has infiltrated a U.S. bank, an airport, and a key software supplier to the defense and aerospace industries. This campaign, active since early February, signals a dangerous new phase where cyber espionage could swiftly turn into disruptive attacks on the foundational systems of daily life.
The findings, published Thursday by threat hunters at Symantec and Carbon Black, expose a calculated operation by a group linked to Iran’s Ministry of Intelligence and Security. The hackers planted a previously unknown backdoor malware, dubbed “Dindoor,” to maintain secret access to compromised systems. Researchers warn this is not merely about stealing data but about positioning for potential future strikes. “These attacks are about sending a message rather than stealing information, which means any organization in the targeted country could be in the firing line,” the researchers stated.
The campaign’s timing is critical, unfolding alongside a major U.S.-Israeli military offensive. Investigators found the software company, which has an Israeli branch, was a primary target. The same Dindoor backdoor was later discovered on the networks of a U.S. bank and a Canadian non-profit, confirming a coordinated effort. The malware uses Deno, a JavaScript and TypeScript runtime, to run commands and was digitally signed with a certificate linked to a known Seedworm alias, “Amy Cherne.”
While the exact data taken remains unclear, the hackers attempted to copy information from the tech firm to external cloud storage. More alarming is the persistent access gained. “Given the current escalations between the U.S. and Iran, it is likely that critical national infrastructure is at high risk of attack,” the research concludes. This includes energy grids, transportation, finance, and healthcare—sectors essential to national security and public safety.
The cyber activity has resumed after a brief pause during initial military strikes, indicating Iran’s digital operatives are now fully mobilized. John Hultquist, chief analyst at Google’s Threat Intelligence Group, confirmed the shift. “Iranian cyber espionage has resumed after a brief lull during the initial military strikes, and hacktivist fronts with ties to the IRGC are making claims and threats about disruptive attacks in the region,” Hultquist said Sunday.
This is not speculative fearmongering. Adam Meyers, head of counter adversary operations at CrowdStrike, noted that reconnaissance and initial attacks now being observed “often precede more aggressive operations.” He warned that Iran-backed groups align their cyber activity with strategic objectives to increase pressure, historically targeting energy, critical infrastructure, and finance. The U.K. National Cyber Security Centre has echoed these concerns, urging organizations to remain alert.
The reality is that tens of thousands of U.S. industrial control systems remain directly reachable from the internet, often protected by nothing more than a factory-default password. This persistent vulnerability, combined with a state actor actively hunting for access, creates a perfect storm. The hackers are no longer just probing Middle Eastern targets; Seedworm has expanded its scope to critical infrastructure across North America, Europe, Asia, and Africa.
Federal authorities are on alert. Department of Homeland Security Secretary Kristi Noem stated, “I am in direct coordination with our federal intelligence and law enforcement partners as we continue to closely monitor and thwart any potential threats to the homeland.” Yet, official vigilance alone cannot patch every vulnerable system in private hands.
Iran has a documented history of targeting poorly secured critical infrastructure, such as water utilities, during periods of geopolitical tension. The current military conflict provides both motive and opportunity for a significant escalation. Researchers warn the next steps may involve “multiple campaigns combining high-visibility disruption for political signaling and lower-visibility access operations for strategic leverage.”
What we are witnessing is the silent battleground of modern conflict opening inside our most trusted institutions. While jets fly and missiles strike, a more patient enemy secures digital beachheads within the networks that manage our money, our travel, and our national defense. The intrusion into a bank, an airport, and a defense supplier is not an endgame; it is a preparation. The message is clear: the front lines are no longer just overseas. They are here, hidden in the code and connections we rely on every day, waiting for a trigger that recent history suggests is already being pulled.
COPYRIGHT © 2017 BIG GOVERNMENT NEWS
