Tuesday, 02 January 2024 12:17 GMT

Iran-Linked Cyber Operators Raise Regional Alarm Arabian Post


(MENAFN- The Arabian Post) A destructive cyber campaign tied to Iran-linked operators has targeted organisations in the Middle East and abroad, deleting virtual machines, databases, disk partitions and backup repositories in attacks designed to cripple recovery as well as disrupt daily operations.

The activity has been linked by forensic investigators to infrastructure and tactics associated with Black Shadow, a long-running threat group assessed by Israeli authorities and private researchers as operating on behalf of Iran's Ministry of Intelligence and Security. The operation marks a shift from data theft and public leak threats towards attacks that use legitimate administration tools to erase core systems from inside compromised networks.

The campaign's most serious feature is its focus on recovery infrastructure. Attackers did not merely delete production data. They moved through virtualisation platforms, database management consoles, file servers and backup systems, including Veeam Backup & Replication environments, where deleting backup files from disk removes entire backup chains from the repository rather than a single restore point. That pattern points to an attempt to leave victims without the standard fallback options needed to restore services after an intrusion.

Investigators found that the attackers used both automated scripts and manual "hands-on keyboard" activity. In some cases, they opened the same consoles used by system administrators and clicked through deletion functions. In others, they ran scripts to enumerate assets and issue destructive commands across multiple databases and servers. This blend of automation and direct control enabled faster damage while allowing operators to adapt when they encountered unfamiliar environments.

Transport, maintenance, media, education, insurance and digital services organisations were among the entities identified in the wider investigation. One publicly documented case involved LA Metro, where an authenticated vCenter session was used to power off and delete a virtual machine from disk in March. The same operation later involved access to Windows disk management tools, where volumes were enumerated and partitions deleted. The incident affected rider-facing digital services, including delays in service alerts and problems loading fare through a mobile app.


Another case involved the South Florida Regional Transportation Authority, where attackers used remote access into an internet-facing environment, gained administrator-level control and used database tools to take systems offline before deleting database objects. File deletion utilities were also used against hosted sites and backup directories. The tactics illustrate how public infrastructure operators can face disruption even when attackers do not directly interfere with trains, tracks or physical control systems.

The Middle East dimension of the campaign is significant because Iran-linked groups have long used cyber operations for espionage, intimidation and retaliation. Black Shadow has previously been associated with hack-and-leak activity against Israeli targets, while other Iran-linked clusters have used password spraying, phishing, remote-access malware and destructive wipers across the region. The latest activity shows a growing willingness to combine stolen credentials, remote administration tools, custom scripts and public pressure campaigns.

Security teams are treating the attacks as a warning that backup systems are now frontline targets. Older recovery models often assumed that attackers would focus on encrypting or deleting production systems while backups remained available. The Black Shadow-linked operation challenges that assumption by showing how attackers can first obtain administrator privileges, then remove the very systems needed to rebuild.

The campaign also reflects a broader regional threat pattern. Iran-linked operators have targeted high-value sectors including transport, defence, aerospace, telecommunications, finance and government-linked organisations. Some campaigns use carefully tailored lures, including fake job offers and spoofed meeting invitations, to gain access. Others depend on leaked credentials, weak remote access controls or exposed management interfaces. Once inside, the same access can be used for espionage, data theft, public leaks or destructive action.


Cyber authorities and private researchers have urged organisations to tighten controls around privileged accounts, remote access platforms and backup consoles. The most urgent safeguards include enforcing multi-factor authentication, removing dormant administrator accounts, restricting management tools to hardened networks, segmenting backup infrastructure from production systems, using immutable or offline backups, and testing restoration procedures under attack conditions.

The use of legitimate tools makes detection harder. Commands issued from administrator consoles may not immediately appear malicious unless security teams monitor for unusual timing, unusual source locations, mass deletion activity or changes to backup repositories. Attackers can exploit this gap by moving slowly during the reconnaissance phase and then acting quickly when they begin deletion.
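The four signals named above (unusual timing, unusual source location, mass deletion, and changes to backup repositories) can be expressed as a small correlation rule over administrative audit events. The script below is an added illustration and is not code from the investigation or from any vendor. It assumes a SIEM has already normalised vCenter, Veeam and Windows disk-management logs into one line per event; the sample log, the jump-host subnet 10.10.50.0/24, the 22:00 to 06:00 change-window boundary, and the action names BackupDeletedFromDisk and PartitionDeleted are all constructed for the example (VmPoweredOffEvent and VmRemovedEvent follow vSphere's own event type names). It reproduces the power-off-then-delete sequence described in the LA Metro case and shows why a single deletion by an on-hours administrator from the management network raises nothing, while the same console actions at 02:41 from an outside address against several systems do.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# --- Assumptions (constructed for this example, not taken from the article) ---
# Administrative consoles are only supposed to be reachable from this jump-host subnet.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.50.0/24")]
# Change windows end at 22:00 and start at 06:00; all timestamps here are UTC.
OFF_HOURS_START, OFF_HOURS_END = 22, 6
# Actions that destroy data or recovery material. VmRemovedEvent is the vSphere
# event for a VM deletion; the other two names are stand-ins for normalised
# Veeam and Windows disk-management entries.
DESTRUCTIVE = {"VmRemovedEvent", "BackupDeletedFromDisk", "PartitionDeleted"}
BACKUP_SYSTEMS = {"veeam"}
# "Mass deletion": this many destructive actions by one principal inside the window.
BURST_THRESHOLD, BURST_WINDOW = 3, timedelta(minutes=5)

# Constructed sample log, one event per line:
#   <UTC timestamp> <source ip> <principal> <system> <action> <target>
# ops.jane is a routine daytime cleanup; svc_backup is the attacker pattern
# (power off, delete from disk, then backup chain and partition deletion).
SAMPLE_LOG = """\
2026-03-14T09:12:01Z 10.10.50.12 ops.jane vcenter VmPoweredOffEvent vm=build-07
2026-03-14T09:12:40Z 10.10.50.12 ops.jane vcenter VmRemovedEvent vm=build-07
2026-03-14T02:41:05Z 203.0.113.44 svc_backup vcenter VmPoweredOffEvent vm=erp-db-01
2026-03-14T02:41:09Z 203.0.113.44 svc_backup vcenter VmRemovedEvent vm=erp-db-01
2026-03-14T02:41:33Z 203.0.113.44 svc_backup vcenter VmPoweredOffEvent vm=erp-app-01
2026-03-14T02:41:37Z 203.0.113.44 svc_backup vcenter VmRemovedEvent vm=erp-app-01
2026-03-14T02:43:10Z 203.0.113.44 svc_backup veeam BackupDeletedFromDisk job=Daily-ERP
2026-03-14T02:45:02Z 203.0.113.44 svc_backup windows PartitionDeleted disk=1
"""


@dataclass
class Event:
    time: datetime
    source: "ipaddress.IPv4Address | ipaddress.IPv6Address"
    principal: str
    system: str
    action: str
    target: str


def parse(log_text):
    """Parse the constructed one-event-per-line format into Event objects."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, principal, system, action, target = line.split(maxsplit=5)
        events.append(Event(
            time=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            source=ipaddress.ip_address(ip),
            principal=principal, system=system, action=action, target=target))
    return events


def is_off_hours(t):
    """True when the event falls outside the assumed change window."""
    return t.hour >= OFF_HOURS_START or t.hour < OFF_HOURS_END


def is_unusual_source(ip):
    """True when the console session did not originate from a management subnet."""
    return not any(ip in net for net in MANAGEMENT_NETS)


def analyse(log_text):
    """One finding per destructive event with a contextual anomaly, plus one per burst."""
    findings = []
    destructive_times = defaultdict(list)
    for ev in parse(log_text):
        if ev.action not in DESTRUCTIVE:
            continue  # power-offs and reads are context, not findings on their own
        destructive_times[ev.principal].append(ev.time)
        reasons = []
        if is_off_hours(ev.time):
            reasons.append("off_hours")
        if is_unusual_source(ev.source):
            reasons.append("unusual_source")
        if ev.system in BACKUP_SYSTEMS:
            reasons.append("backup_repository")
        if reasons:
            findings.append({"rule": "suspicious_deletion", "principal": ev.principal,
                             "time": ev.time.isoformat(), "action": ev.action,
                             "target": ev.target, "reasons": reasons})
    # Sliding window over each principal's destructive actions to catch mass deletion.
    for principal, times in destructive_times.items():
        times.sort()
        peak = max(sum(1 for u in times[i:] if u - t <= BURST_WINDOW)
                   for i, t in enumerate(times))
        if peak >= BURST_THRESHOLD:
            findings.append({"rule": "mass_deletion", "principal": principal,
                             "count": peak, "window_minutes": BURST_WINDOW.seconds // 60})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Running it on the sample yields no finding for ops.jane, four `suspicious_deletion` findings for svc_backup (the Veeam one also carrying `backup_repository`), and one `mass_deletion` finding counting four destructive actions inside five minutes. The design point is that none of the individual actions is malicious in itself; the rule only fires on context, which is exactly the gap the paragraph describes. A real deployment would also alert on the creation or re-enabling of the account used, since the session was authenticated rather than exploited.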

The destructive campaign also raises attribution challenges. Iran-linked cyber activity often involves overlapping state-linked operators, contractors and hacktivist brands that claim responsibility for attacks while obscuring the command chain. Public claims may exaggerate stolen data volumes or operational impact, but the technical evidence in the Black Shadow-linked cases shows real destructive capability and a clear intention to interfere with recovery.
