Cybersecurity Alert – Heightened Threats From Iranian Cyber Actors
Impact: All Firms
Member firms should be aware of heightened cybersecurity risks to their environments amid ongoing geopolitical tensions in the Middle East. Although, as of March 16, 2026, FINRA is not aware of any significant Iran-related cyberattacks against the financial services industry, it is aware of recent reporting indicating that Iranian threat actors are actively targeting U.S. financial institutions and critical infrastructure sectors.
Iranian state-sponsored and Iran-aligned threat actors have historically demonstrated both the capability and intent to conduct disruptive and destructive cyber operations against U.S. organizations, particularly during periods of heightened geopolitical tension. The current threat environment presents an elevated risk of cyber intrusions, data theft, ransomware deployment, destructive attacks and denial-of-service campaigns.
Common Iranian Threat Actor Tactics, Techniques and Procedures
Based on U.S. government and industry reporting, member firms should be aware of the following tactics, techniques and procedures (TTPs) that Iranian threat actors commonly use to commit cyberattacks.
Gaining Initial Access
- Credential compromise through password spraying (i.e., systematically trying common passwords across many accounts), brute-force attacks (using automated software to systematically attempt passwords), and exploitation of default or weak passwords on internet-facing systems and accounts.
- Spear phishing and social engineering, which involves impersonating a trusted source (e.g., professional contacts, journalists or email service providers) to steal login credentials.
- Exploitation of known vulnerabilities in internet-facing systems, including VPN appliances used to establish private networks, remote access solutions and unpatched software.
Persistence and Expansion
- Multi-Factor Authentication (MFA) bypass techniques, including "push bombing" (i.e., sending users repeated MFA approval requests) and soliciting authentication codes from users via messaging applications.
- Modification of MFA registrations and creation of email forwarding rules to maintain persistent access.
- Credential harvesting (systematically collecting login information) across compromised networks to enable lateral movement (moving across or between systems within the same network).
- Targeting third-party service providers to gain indirect access to victim networks.
Disruptive Actions
- Deploying ransomware, often in collaboration with cybercriminal affiliates.
- Destructive wiper malware designed to destroy data and systems.
- Distributed denial-of-service (DDoS) attacks against websites and online services, overwhelming them with traffic to render them inaccessible.
- Hack-and-leak operations, in which threat actors steal data and then disclose it publicly to cause reputational damage.
Recommended Actions
In light of the TTPs described above, member firms are encouraged to review their cybersecurity posture and consider prioritizing the following defensive measures:
- Vendor and Third-Party Risk Management – Conduct risk-based assessments of vendor controls and monitor vendors that have access to sensitive data or systems, as Iranian actors frequently target third-party service providers to gain indirect access to victim networks.
- Asset Management and Visibility – Identify and inventory all internet-facing systems and services, particularly VPN appliances and remote access solutions, to reduce exposure to exploitation of known vulnerabilities.
- Access Control and Identity Management – Deploy phishing-resistant multi-factor authentication for external and privileged account access. Periodically review user entitlements and apply the principle of least privilege (i.e., granting the minimum access permissions necessary to perform a specific job function) to mitigate credential compromise, password spraying and techniques used to bypass MFA.
- Security Awareness and Training – Conduct ongoing cyber awareness training for all personnel on how to recognize spear phishing and social engineering tactics, including impersonation of professional contacts and requests for credentials.
- Vulnerability and Patch Management – Periodically scan for vulnerabilities and prioritize remediation based on the potential for bad actors to exploit them. Promptly apply software patches to internet-facing systems to prevent exploitation of known vulnerabilities in VPN appliances, remote access solutions and unpatched software.
- Security Monitoring – Monitor systems and user activity for signs of unauthorized access, MFA modification, creation of unauthorized email forwarding rules, and data exfiltration attempts. Retain logs for a sufficient duration to support incident detection and forensic analysis.
- Incident Response and Reporting – Review and test your Incident Response Plan with key stakeholders and document escalation and notification procedures to ensure readiness in the event of ransomware deployment, destructive attacks or compromise.
- Resilience and Recovery – Maintain regularly tested backups of critical data and systems, including offline and immutable backups (backups that cannot be altered or deleted). Define recovery time objectives (how quickly systems must be restored) for your most critical systems and data.
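As an added illustration that is not part of FINRA's alert, the following Python script applies simple detection rules for four of the TTPs named above (password spraying from the Gaining Initial Access list; MFA push bombing, MFA registration changes and email forwarding rules from the Persistence and Expansion list) to a small set of constructed authentication and mailbox events, in the spirit of the Security Monitoring recommendation. The log schema, event names, thresholds, organization domain and IP addresses are all assumptions made for the example; real identity-provider and mail-platform logs will need their own field mapping.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log records (assumed schema: timestamp, event, user, source IP, detail).
# IPs come from documentation ranges; nothing here is taken from a real incident.
SAMPLE_LOG = [
    ("2026-03-16T09:00:01", "login_failed", "alice", "203.0.113.9", ""),
    ("2026-03-16T09:00:04", "login_failed", "bob", "203.0.113.9", ""),
    ("2026-03-16T09:00:09", "login_failed", "carol", "203.0.113.9", ""),
    ("2026-03-16T09:00:15", "login_failed", "dave", "203.0.113.9", ""),
    ("2026-03-16T09:00:21", "login_failed", "erin", "203.0.113.9", ""),
    ("2026-03-16T09:02:00", "login_failed", "alice", "198.51.100.7", ""),  # one user retrying: not a spray
    ("2026-03-16T09:02:30", "login_failed", "alice", "198.51.100.7", ""),
    ("2026-03-16T09:03:00", "login_ok", "alice", "198.51.100.7", ""),
    ("2026-03-16T09:10:00", "mfa_push_sent", "frank", "203.0.113.9", ""),
    ("2026-03-16T09:10:20", "mfa_push_sent", "frank", "203.0.113.9", ""),
    ("2026-03-16T09:10:45", "mfa_push_sent", "frank", "203.0.113.9", ""),
    ("2026-03-16T09:11:10", "mfa_push_sent", "frank", "203.0.113.9", ""),
    ("2026-03-16T09:11:30", "mfa_push_sent", "grace", "192.0.2.44", ""),
    ("2026-03-16T09:12:00", "mfa_method_added", "frank", "203.0.113.9", "authenticator-app"),
    ("2026-03-16T09:13:00", "inbox_rule_created", "frank", "203.0.113.9", "forward_to=drop@mail.example"),
    ("2026-03-16T09:14:00", "inbox_rule_created", "grace", "192.0.2.44", "forward_to=grace.archive@example-firm.test"),
]

# Assumed tuning values; a real deployment would baseline these per environment.
ORG_DOMAIN = "example-firm.test"
SPRAY_MIN_ACCOUNTS = 5          # distinct accounts one source must fail against
SPRAY_WINDOW = timedelta(minutes=10)
PUSH_MIN_PROMPTS = 4            # MFA prompts to one user before it looks like push bombing
PUSH_WINDOW = timedelta(minutes=3)


def parse_log(records):
    """Turn raw tuples into dicts with parsed timestamps, sorted by time."""
    events = [{"ts": datetime.fromisoformat(ts), "event": ev, "user": user, "src": src, "detail": detail}
              for ts, ev, user, src, detail in records]
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spraying(events):
    """Flag a source whose failed logins hit many distinct accounts within SPRAY_WINDOW.
    Few attempts spread across many accounts is the spraying signature; repeated
    failures against a single account is ordinary user error and is not flagged."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            failures[e["src"]].append(e)
    alerts = {}
    for src, fails in failures.items():          # fails is already time-ordered
        start = 0
        for end, cur in enumerate(fails):        # sliding window over this source's failures
            while cur["ts"] - fails[start]["ts"] > SPRAY_WINDOW:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                alerts[src] = sorted(users)
                break
    return alerts


def detect_push_bombing(events):
    """Flag a user who receives PUSH_MIN_PROMPTS or more MFA push prompts within PUSH_WINDOW."""
    pushes = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push_sent":
            pushes[e["user"]].append(e["ts"])
    alerts = {}
    for user, times in pushes.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > PUSH_WINDOW:
                start += 1
            if end - start + 1 >= PUSH_MIN_PROMPTS:
                alerts[user] = end - start + 1   # number of prompts inside the window
                break
    return alerts


def detect_external_forwarding(events):
    """Flag newly created inbox rules that forward mail to an address outside ORG_DOMAIN."""
    alerts = []
    for e in events:
        if e["event"] != "inbox_rule_created":
            continue
        target = e["detail"].partition("forward_to=")[2].strip().lower()
        if target and not target.endswith("@" + ORG_DOMAIN):
            alerts.append((e["user"], target))
    return alerts


def detect_mfa_changes(events):
    """Surface every MFA registration change for review; it is a known persistence step."""
    return [(e["user"], e["src"], e["detail"]) for e in events if e["event"] == "mfa_method_added"]


def run_detections(records):
    """Run all four rules over a record list and return their findings by rule name."""
    events = parse_log(records)
    return {
        "password_spraying": detect_password_spraying(events),
        "push_bombing": detect_push_bombing(events),
        "external_forwarding": detect_external_forwarding(events),
        "mfa_changes": detect_mfa_changes(events),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

Running the script on the constructed sample shows the intended separation: the single source that fails against five accounts is reported as spraying while the user retrying her own password is not, the four prompts sent to one user in about a minute are reported as push bombing, and only the forwarding rule pointing outside the firm's domain is flagged. The same user appears in the push-bombing, MFA-change and external-forwarding findings, which is the chained pattern the alert describes and a useful trigger for correlating findings by account rather than reviewing each rule in isolation.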
FINRA encourages member firms that identify data breaches or attempted data breaches to contact their Risk Monitoring Analyst, and report them to:
- FINRA using the Regulatory Tip Form found on FINRA.org; and
- the SEC using the Tips, Complaints, and Referrals form or by calling (202) 551-4790.
Additionally, both the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) urge organizations to promptly report cyber incidents to a local FBI Field Office (1-800-CALLFBI or 1-800-225-5324) or the FBI Internet Crime Complaint Center (IC3) at IC3.gov, and to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).
Questions related to this Alert or other cybersecurity-related topics can be emailed to the FINRA Cyber and Analytics Unit (CAU).
FINRA Resources
- FINRA 2026 Annual Regulatory Oversight Report – Cybersecurity and Cyber-Enabled Fraud, and Third-Party Risk Landscape sections (Dec. 9, 2025)
- FINRA Cybersecurity Alert – Ongoing Threats From Iranian Cyber Actors (Oct. 2024)
Additional Resources
Member firms are encouraged to remain vigilant and to review joint advisories published by CISA, the FBI, and partner agencies for additional technical indicators and mitigation strategies.
- Beyond Hacktivism: Iran's Coordinated Cyber Threat Landscape, CSIS (Jan. 14, 2026)
- Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest, CISA, FBI, DoD C3, NSA (June 30, 2025)
- National Terrorism Advisory System Bulletin, DHS (June 22, 2025)
- Cybersecurity Advisory: Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations, CISA (Oct. 16, 2024)
- Joint Cybersecurity Advisory: Iranian Cyber Actors Targeting Personal Accounts to Support Operations, FBI, USCC, Treasury, NCSC (Sept. 27, 2024)
- Treasury Designates Iranian Cyber Actors Targeting U.S. Companies and Government Agencies, Treasury (April 23, 2024)
- The Iran Threat, FBI