Threat Vector by Palo Alto Networks
Episode: Unit 42's Iran Threat Brief: What We're Seeing
Date: March 4, 2026
Host: David Moulton
Guests: Justin Moore & Andy Piazza (Unit 42)
Episode Overview
This episode dives deep into Unit 42’s recent threat brief on Iran-linked cyber activity, spotlighting what Palo Alto Networks’ experts are seeing on the frontlines. Host David Moulton interviews Unit 42 leaders Justin Moore (Fusion Intelligence/Rapid Response) and Andy Piazza (Threat Research), discussing current Iran-origin threats, notable threat groups, the operational context amid Iranian internet outages, best practices for global defenders, and the essential role of verifying claims. The conversation is rich with practical recommendations for CISOs and security teams, emphasizing basics, collaboration, and measured, evidence-driven responses.
Key Discussion Points & Insights
1. Unit 42 Response Dynamics & Internal Collaboration [02:10]
- Rapid Response Explained:
- Fusion intelligence (Justin) pulls together real-time perspectives from across Unit 42 and product teams, compiling threat briefs for customer awareness.
- Threat research (Andy) gathers data, analyzes threat actor intent and capability, and bridges the gap between technical and strategic intelligence.
- Quote (Andy at 01:35):
“Within the organization, it gives us a really good opportunity to collaborate and work with some really, really smart peers… despite the stress… it's a really, really cool opportunity to make an impact for our customers.”
2. Current Situation: Iranian Internet Outage & Threat Landscape [04:14]
- Significance of Internet Disruption:
- Iran has been under a near-total internet blackout for more than 72 hours.
- Most observed activity is currently coming from actors outside Iran: regionally or globally dispersed activist groups.
- Quote (Justin at 04:31):
“Iran has been without near Internet for over 72 hours... the majority of activity we’re seeing is coming from outside of the country.”
- Effect on Iranian State-Aligned Units:
- Cut off from central command, units may be operating with more autonomy and less coordination.
- This raises uncertainty and changes the operational calculus for attackers and defenders alike.
- Quote (Andy at 05:41):
“With a nation state actor… primarily a military or government intelligence unit is going to be more worried about collection and intelligence… seeing those espionage accesses… is much harder when you’re in the middle of a DDoS.”
3. Active Threat Actors & Tracking Their Claims [06:38, 07:09]
- Key Groups Named:
- HANDELA hack, Dark Storm Team, Dinette, Cardinal, and some pro-Russian factions.
- Many are self-named activist groups, relying on chat handles or group names; Unit 42 uses standard attribution only for mature actors.
- Methodology:
- Claims are tracked in a spreadsheet (Excel) and validated one by one: is the attack real, and what type is it (DDoS, defacement, hack-and-leak)?
- Significant effort is placed on verifying claims and distinguishing between fact and threat actor exaggeration.
- Quote (Justin at 08:49):
“Groups are very well known to exaggerate access, exaggerate impact… just because they’ve claimed access doesn’t mean they have access.”
4. Notable Threat Actor: HANDELA hack & Escalating Physical Threats [09:17]
- Behavior:
- HANDELA hack is reportedly issuing death threats and leaking the home addresses of US and Canadian targets.
- This marks an escalation beyond cyber effects into physical intimidation.
- Quote (Andy at 09:42):
“We need to continue to monitor them and try to validate them, first off. Second, I do think it is an escalation of threats… The rule book’s out, right? ... They may feel like this is a gloves off situation and those red lines don’t exist anymore.”
- Guidance for Individuals:
- Take such threats seriously: report them to local law enforcement and, because the threat is international, to the FBI.
- Bolster OPSEC and personal security (social media vigilance, cyber hygiene, MFA).
- Quote (Andy at 12:00):
“If individuals are named, they need to take it seriously and consult with local law enforcement… and federal as well. Since this is an international thing, I would definitely touch base with the FBI…”
5. Key TTPs and IOCs: What to Watch For [13:05]
- Trends Observed:
- Disruption is the priority—DDoS attacks, data center destruction, defacement.
- Stress on supply chains—any disruption in logistics, transport, or energy can have cascading effects.
- Defenders must be ready for destructive malware/wipers and ensure recovery capabilities.
- Quote (Andy at 13:16):
“We’ve seen a data center literally destroyed. That might not be in most people’s threat model…”
6. CISOs & Exposure—Who Needs to Worry? [15:35, 17:58]
- All organizations should review their supply chain, especially those with international ties, energy, telecom, or operations in or through the Middle East.
- Quote (Justin at 17:58):
“You may unexpectedly be impacted by an upstream vendor.”
- Focus on cyber hygiene basics: MFA, patching, robust backups, asset and identity inventory, continuous risk assessment.
7. Operational Recommendations & Prioritization [18:41, 19:19]
- Resilience is Key:
- Crank up DDoS protection, test and secure air-gapped backups, and run recovery drills.
- Prepare for both immediate disruption and prolonged destructive campaigns.
- Quote (Andy at 19:19):
“Resilience, anything resilience, if you’ve got DDoS protection... crank up to 11 right now… Recovery operations, the air gap backups… prepared for those types of things.”
8. Where Organizations Most Often Go Wrong [20:05]
- Burnout is a Critical Risk:
- Leaders must proactively manage rotation, rest, and team health; do not stand up a war room unless the network is actually under threat.
- Quote (Andy at 20:27):
“Burnout. Definitely burnout. You can’t be intelligent if you’re not sleeping and eating and getting up and moving…”
9. The Importance of a Calm, Evidence-Led Incident Response [22:24, 22:57]
- Validating Claims:
- Don’t overreact to unverified threat actor boasts; systematically validate before escalating.
- Quote (Andy at 22:57):
“You’re still allowed to lie on the Internet. So don’t burn all your resources trying to… jump on these claims.”
- Communications Plan:
- Transparent, pre-tested comms both reduce reputational damage and undermine attacker narratives.
- Quote (Andy at 25:42):
"A comms plan can make or break a company’s response... have those [plans] in place ahead of time."
10. Concrete, High-Impact Security Actions [26:50, 27:20, 27:59]
- Educate and Re-confirm with Staff:
- Update everyone about increased phishing, the risks of oversharing online, and the need for vigilance.
- Audit & Close Policy Exceptions:
- Review temporary exceptions (esp. patching & MFA); threat actors exploit neglected gaps.
- Quote (Andy at 27:59):
“There’s nothing more permanent than a temporary exception to policy… It’s better that you do your asset and identity inventory than letting the bad guys do it.”
- Prioritize Security Fundamentals:
- Quote (Andy at 29:12):
“Show up and do it every day. Wait, what? No, no. But what’s the secret? Patch. Audit. Secure. That’s it. Every day.”
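The "temporary exception" audit that Andy describes is easy to automate once exceptions are kept in a register. The script below is an added example written for these notes, not code from Unit 42, Palo Alto Networks, or the podcast. It assumes a register exported as CSV with the columns id, asset, control, owner, granted, expires and justification (an invented schema), a 90-day ceiling on how long a "temporary" exception may run (an assumed policy value), and an audit date of 2026-03-04. The sample rows are constructed for illustration. It flags exceptions that have expired but are still in force, exceptions with no end date, and exceptions granted for longer than the ceiling, puts patching and MFA gaps at the top of the list, and groups the results by owner so each team gets one action list.

```python
"""Audit a register of "temporary" policy exceptions and list the ones that
should be closed or re-approved. Added example: the register schema, the
90-day ceiling and the sample rows are all assumptions made for illustration."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed sample register, embedded as CSV so the script runs offline.
# Columns are an assumed schema, not any vendor's export format. Dates are
# ISO 8601; an empty "expires" means the exception was granted open-ended.
SAMPLE_REGISTER = """\
id,asset,control,owner,granted,expires,justification
EX-1,vpn-gw-01,patching,netops,2025-09-01,2025-10-01,vendor hotfix pending
EX-2,svc-backup,mfa,itops,2025-06-15,,legacy service account
EX-3,hr-portal,mfa,hr-it,2026-02-20,2026-03-20,contractor onboarding
EX-4,erp-db-02,patching,dba,2025-11-10,2026-05-10,change freeze
EX-5,wiki-01,logging,platform,2026-01-15,2026-02-15,agent upgrade
"""

TODAY = date(2026, 3, 4)                  # audit date used by run_sample()
MAX_EXCEPTION_DAYS = 90                   # assumed ceiling for "temporary"
HIGH_RISK_CONTROLS = {"patching", "mfa"}  # the basics the brief stresses


@dataclass
class Finding:
    exception_id: str
    asset: str
    control: str
    owner: str
    reason: str
    priority: str  # "high" for patching/MFA gaps, "medium" otherwise


def _to_date(value: str):
    """Parse an ISO date; an empty field means no date was set."""
    return date.fromisoformat(value) if value else None


def audit_exceptions(register_csv: str, today: date,
                     max_days: int = MAX_EXCEPTION_DAYS) -> list:
    """One Finding per exception that is expired, open-ended, or granted for
    longer than the ceiling; in-date exceptions within the ceiling are skipped."""
    findings = []
    for row in csv.DictReader(io.StringIO(register_csv)):
        granted = _to_date(row["granted"])
        expires = _to_date(row["expires"])
        priority = "high" if row["control"] in HIGH_RISK_CONTROLS else "medium"

        if expires is None:
            reason = f"open-ended: no expiry set, open for {(today - granted).days} days"
        elif expires < today:
            reason = f"expired {(today - expires).days} days ago, still in force"
        elif (expires - granted).days > max_days:
            reason = (f"granted for {(expires - granted).days} days, "
                      f"exceeds the {max_days}-day ceiling")
        else:
            continue  # in date and within the ceiling: nothing to chase

        findings.append(Finding(row["id"], row["asset"], row["control"],
                                row["owner"], reason, priority))

    # Patching and MFA gaps first; the sort is stable, so register order is
    # preserved within each priority band.
    findings.sort(key=lambda f: f.priority != "high")
    return findings


def owners_to_chase(findings) -> dict:
    """Group exception IDs by owner so each team receives one action list."""
    by_owner = defaultdict(list)
    for f in findings:
        by_owner[f.owner].append(f.exception_id)
    return dict(by_owner)


def run_sample():
    """Audit the constructed register as of TODAY."""
    return audit_exceptions(SAMPLE_REGISTER, TODAY)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"[{f.priority}] {f.exception_id} {f.asset} ({f.control}, "
              f"owner {f.owner}): {f.reason}")
    for owner, ids in owners_to_chase(results).items():
        print(f"{owner}: close or re-approve {', '.join(ids)}")
```

On the sample register the audit flags EX-1 (patching exception expired 154 days ago), EX-2 (MFA exception with no end date), EX-4 (patching exception granted for 181 days) and EX-5 (an expired logging exception, lower priority), and leaves EX-3 alone because it is in date and within the ceiling. Swapping SAMPLE_REGISTER for a real export and TODAY for date.today() turns it into a scheduled check; the point is that an exception with no expiry or one past its expiry is a standing gap, exactly the kind an attacker finds for you if you do not.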
Notable Quotes & Moments
- On threat actor claims:
“Groups are very well known to exaggerate access, exaggerate impact... just because they’ve claimed access doesn’t mean they have access.”
—Justin (08:49)
- On physical threats in cyber conflicts:
“They may feel like this is a gloves off situation and those red lines don’t exist anymore.”
—Andy (09:42)
- On burnout and team management:
“You can't be intelligent if you're not sleeping and eating and getting up and moving...if your network is not under threat right now, you should not be in a war room.”
—Andy (20:27)
- On comms planning:
“A comms plan can, can make or break a company's response...You should not be trying to write a PR response during an incident, just like you should not be trying to write an incident response plan during an incident.”
—Andy (25:42)
- On the basics:
“Go back to the basics when it comes to cyber hygiene and policy...that goes so far in the long run.”
—Justin (21:29)
- On shining a spotlight on fundamentals:
“What’s that one secret? Patch. Audit. Secure. That’s it. Every day.”
—Andy (29:12)
Timestamps for Major Segments
- Unit 42 response dynamics & collaboration: 02:10–03:30
- Iranian internet outage overview: 04:14–05:41
- Operating in chaos, rapid response: 05:41–06:38
- Threat actor tracking & methodology: 06:38–08:49
- Physical threats & HANDELA hack: 09:17–12:35
- TTPs & IOCs for defenders: 13:05–15:35
- CISO considerations: 15:35–18:41
- Resilience & security controls prioritization: 18:41–20:05
- Common mistakes (burnout): 20:05–22:24
- Incident comms and response validation: 22:24–26:50
- Concrete recommendations: 26:50–29:12
Final Takeaways
- Stay skeptical of reported breaches; validate before reacting.
- Assume upstream attacks can cause unintended downstream impact; check your vendors and supply chain.
- Prioritize resilience: test backups, shore up DDoS protection, and revisit the basics.
- Key: Security hygiene, measured response, and a strong comms plan are your best defense.
For updated intelligence and IOCs, visit Unit 42’s Threat Research Center (link in show notes).
