CyberWire Daily – Threat Vector: Unit 42’s Iran Threat Brief – What We’re Seeing
Date: March 5, 2026
Host: David Moulton
Guests: Justin Moore (Leader, Rapid Response & Fusion Intelligence, Unit 42), Andy Piazza (Lead Threat Researcher, Unit 42)
Episode Overview
This episode of Threat Vector dives into Unit 42's recent threat brief on Iran-linked cyber activity. Justin Moore and Andy Piazza from Palo Alto Networks’ Unit 42 join host David Moulton to unpack the current threat landscape, discuss active Iranian and regional threat groups, share what they’re observing in real time, and provide concrete advice for defenders and CISOs confronting this heightened environment.
Inside Unit 42: Rapid Response in Crisis
[01:04-03:30]
- Day-to-Day in the Crisis
  - Both guests share how frenetic and collaborative life inside Unit 42 has been since the escalation:
  “Chaotic. Busy. A lot of typing and a lot of collaboration ... keeping us up late at night and early in the morning.” — Justin Moore [01:16]
  “We thrive in chaos ... it gives us a really good opportunity to collaborate ... despite the stress ... it’s a really, really cool opportunity to make an impact for our customers.” — Andy Piazza [01:35]
- Roles and Collaboration
  - Piazza leads traditional threat research, diving into technical and strategic intelligence from case data and telemetry.
  - Moore’s ‘fusion intelligence’ role brings together internal and external data—integrating insights from the broader ecosystem and condensing them for actionable briefs and rapid responses.
The Iran Threat Landscape: What’s New?
[04:14-08:49]
- Internet Blackout in Iran
  - Iran’s near-total internet shutdown for 72+ hours has shifted observable malicious activity outward:
  “The majority of activity we're seeing is ... coming from outside of the country. Regionally dispersed activists have jumped on board ... carrying the weight of retaliation right now.” — Justin Moore [04:31]
- Operational Isolation of State Actors
  - Internal leadership chaos and connectivity issues are forcing Iranian state-aligned cyber units into greater autonomy—potentially altering their risk appetite, methods, and effectiveness.
  “Individual units are more likely to have to take a more operationally autonomous role ... probably a position they’re not used to.” — Justin Moore [05:09]
  - The cyber landscape is noisy: pro-Iranian activists are flooding the space with DDoS attacks and defacements, masking or interfering with espionage operations.
  “Seeing those espionage accesses ... is much harder when you’re in the middle of a DDoS or dealing with defacements.” — Andy Piazza [05:41]
Threat Actor Groups: Categorization and Activity
[06:38-08:49]
- Active Names in the Brief
  - HANDELA hack, Dark Storm, Team Dinette, and pro-Russian groups (e.g., Cardinal) stand out as newly active actors.
- Tracking Methodology
  - In rapid response, Unit 42 leans on community and self-attributed names for hacktivist groups instead of its usual rigorous internal framework, focusing on validating claims and classifying by type (DDoS, defacement, hack-and-leak).
- Verification is Key
  - Both warn about the need to verify all claims, as groups exaggerate access or impact:
  “A lot of claims are occurring. Groups are very well known to exaggerate access, exaggerate impact.” — Justin Moore [08:42]
Escalation: Physical Threats and Implications
[09:17-13:05]
- HANDELA hack's Escalation
  - The group is reportedly issuing death threats with claims of sharing home addresses with "physical operatives."
  “I do think it is an escalation of threats ... It's something new ... The rule book's out ... These pro hacktivists are going to respond differently than we've seen in the past. They may feel like this is a gloves-off situation.” — Andy Piazza [09:42]
- Practical Guidance
  - Take all physical threats seriously—consult law enforcement, the FBI, and bolster personal cyber hygiene (e.g., MFA, password changes, social media caution).
  “If individuals are named, they need to take it seriously and consult with local law enforcement ... The basics of cyber hygiene will go a long way protecting you.” — Andy Piazza [12:00]; Justin Moore [12:35]
Tactics, Techniques, and Procedures (TTPs): What Defenders Should Watch for
[13:05-15:35]
- Geopolitical and Supply Chain Risks
  - Defenders must understand indirect, supply chain impacts—not just direct targeting.
  “We've seen a data center literally destroyed ... understanding where your backbone is ... if you lose network, do you have satellite comms ... for critical systems?” — Andy Piazza [13:16]
- Cyber Resilience and Recovery
  - Importance of DDoS protection, tested backups, and preparedness for destructive malware or outages.
For CISOs: Is This Your Problem Too?
[15:35-18:41]
- Don’t Assume Non-Involvement
  - Even if not a direct target, exposure can come through upstream vendors or supply chain partners.
  “Anyone who’s doing business internationally, any sort of upstream target is going to have downstream impact ... if you're not paying attention ... you may unexpectedly be impacted.” — Justin Moore [17:58]
- Fundamentals Remain Key
  - MFA, patching, asset management, and tabletop exercises are repeatedly emphasized. The threat landscape may alter actors’ targeting logic, especially during active conflict.
Prioritizing Controls: Where to Focus
[18:41-20:05]
- Crank Up Resilience
  - Shore up DDoS defences, ensure robust backups and well-drilled recovery practices.
  “Because of the threat of disruption, anything resilience ... DDoS protection ... recovery operations ... test your backups ... I would definitely be prepared for those types of things.” — Andy Piazza [19:19]
Where Organizations Trip Up
[20:05-21:29]
- Burnout is the Silent Risk
  - Leaders must rotate teams, encourage breaks, and avoid all-day war rooms unless truly needed.
  “Burnout. Definitely burnout. You can't be intelligent if you're not sleeping and eating and getting up and moving ... Take care of your people right now.” — Andy Piazza [20:27]
- Back to Basics
  - Keep incident response plans up-to-date; ensure comms plans and cyber hygiene are strong.
  “Go back to the basics when it comes to cyber hygiene and policy ... make sure your IR plan is solid.” — Justin Moore [21:29]
Handling False Claims and Communications Strategy
[22:22-26:50]
- Don’t Overreact to Every Claim
  - Be systematic: validate, don’t panic, don’t burn out resources.
  “You're still allowed to lie on the Internet ... take a systematic approach ... don't be reactionary. Some of these false claims are literally to stress people out.” — Andy Piazza [22:57]
- Good Comms Limit Impact
  - Transparent, well-handled public response can reduce attackers’ reputational gains and blunt future campaigns.
  “If your comms plan ensures ... you’re coming out to say, well, this is actually only a 12-minute downtime ... it degrades the ability for those activists to continue to exaggerate ... it discredits the group in its future operations.” — Justin Moore [24:54]
  - Have IR and comms plans prepared and tested before an incident:
  “You should not be trying to write a PR response during an incident, just like you should not be trying to write an incident response plan during an incident.” — Andy Piazza [25:42]
Top Concrete Actions for Organizations
[26:50-29:12]
- Educate Your People
  - Reiterate vigilance on phishing and personal OPSEC; social media is a primary threat vector.
  “Ensuring companies are educating and reconfirming with their employees that they're paying attention to their social media, they're paying attention to phishing attempts ... those are the easiest access vectors.” — Justin Moore [27:20]
- MFA, and Kill “Temporary” Exceptions
  - Make multifactor authentication mandatory, especially for remote access; sweep for unpatched devices and policy exceptions.
  “Nothing more permanent than a temporary exception to policy ... it's better that you do your asset and identity inventory than letting the bad guys do it.” — Andy Piazza [27:59]
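The "temporary exception" sweep described above can be turned into a routine check against an access inventory. The following is an added example, not tooling from Unit 42 or Palo Alto Networks: the record layout, the identity names and the audit date are constructed for illustration. It flags remote-access accounts with no MFA and no recorded waiver, waivers with no end date, waivers that have already lapsed, and waivers about to lapse, ordered with the most urgent first.

```python
"""Audit an access-exception register for MFA gaps and stale "temporary" exceptions.

Added example with constructed data; the record layout is an assumption,
not a real inventory schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class AccessRecord:
    identity: str                              # user, service account or device (constructed)
    remote_access: bool                        # reachable from outside (VPN, portal, etc.)
    mfa_enforced: bool
    exception_reason: Optional[str] = None     # why MFA/policy is waived, if it is
    exception_expires: Optional[date] = None   # when the waiver was supposed to end


@dataclass(frozen=True)
class Finding:
    identity: str
    kind: str
    detail: str


# Most urgent first: an unwaived MFA gap, then lapsed waivers, then open-ended ones.
_PRIORITY = {
    "no_mfa_no_exception": 0,
    "exception_expired": 1,
    "exception_no_expiry": 2,
    "exception_expiring_soon": 3,
}


def audit_exceptions(records: List[AccessRecord], today: date,
                     warn_days: int = 14) -> List[Finding]:
    """Return findings for every record that violates or is about to violate policy."""
    findings: List[Finding] = []
    horizon = today + timedelta(days=warn_days)
    for r in records:
        # Remote access without MFA and without any recorded waiver is the worst case.
        if r.remote_access and not r.mfa_enforced and r.exception_reason is None:
            findings.append(Finding(r.identity, "no_mfa_no_exception",
                                    "remote access without MFA and no recorded exception"))
        if r.exception_reason is None:
            continue
        if r.exception_expires is None:
            findings.append(Finding(r.identity, "exception_no_expiry",
                                    f"exception '{r.exception_reason}' has no end date"))
        elif r.exception_expires < today:
            findings.append(Finding(r.identity, "exception_expired",
                                    f"exception '{r.exception_reason}' expired "
                                    f"{r.exception_expires.isoformat()}"))
        elif r.exception_expires <= horizon:
            findings.append(Finding(r.identity, "exception_expiring_soon",
                                    f"exception '{r.exception_reason}' ends "
                                    f"{r.exception_expires.isoformat()}"))
    findings.sort(key=lambda f: (_PRIORITY[f.kind], f.identity))
    return findings


# Constructed sample register; names and dates are illustrative only.
SAMPLE_RECORDS = [
    AccessRecord("svc-vpn-legacy", True, False, "vendor appliance lacks MFA support", date(2025, 12, 31)),
    AccessRecord("contractor-jdoe", True, False, "onboarding", None),
    AccessRecord("admin-ops", True, True),
    AccessRecord("kiosk-lobby", True, False),
    AccessRecord("hr-share-sync", False, False, "break-glass", date(2026, 3, 10)),
    AccessRecord("finance-lead", False, False, "travel", date(2026, 6, 30)),
]
AUDIT_DATE = date(2026, 3, 5)  # constructed audit date


def run_audit() -> List[Finding]:
    """Run the audit over the constructed sample register."""
    return audit_exceptions(SAMPLE_RECORDS, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.kind:24} {f.identity:18} {f.detail}")
```

Run on the sample register, the audit reports four findings: `kiosk-lobby` (remote access, no MFA, no waiver), `svc-vpn-legacy` (waiver lapsed), `contractor-jdoe` (waiver with no end date) and `hr-share-sync` (waiver ending within the 14-day window); the enforced-MFA admin account and the waiver that still has months to run produce nothing. Feeding the script the real exception register, exported from whatever identity or GRC system holds it, gives the inventory Piazza recommends doing before an adversary does it for you.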
- Work the Risk Register
  - CISOs likely know where their risks are—now is the time to close known gaps.
  “Patch. Audit. Secure. That's it. Every day.” — Andy Piazza [29:12]
Notable Quotes & Memorable Moments
- On threat actor claims:
  “Bad guys still lie on the Internet. Do not burn all of your resources.” — Andy Piazza [22:57]
- On response and burnout:
  “No situation is made better by being tired.” — Andy Piazza [22:22]
- On cyber ops during armed conflict:
  “When there is an armed conflict, it's more of an acting out situation ... it doesn't take anyone off the table.” — Justin Moore [17:58]
- On the danger of exceptions:
  “There’s nothing more permanent than a temporary exception to policy.” — Andy Piazza [27:59]
Final Recommendations
- Validate, Don’t React — Systematically assess breach claims before expending resources; false claims are frequent.
- Harden Fundamentals — Focus on MFA, patching, asset inventory, tested incident response and comms plans.
- Practice Resilience — Prepare for disruption with robust backups, DDoS controls, and tested recovery.
- Prioritize Well-Being — Avoid team burnout; ensure staff rotations and breaks.
- Stay Informed — Follow Unit 42’s research center and continual blog updates for real-time threat intelligence.
For further updates, listeners are directed to Unit 42’s Threat Research Center and blog (see episode show notes).