MSSP, Ransomware, Threat Management, Threat Intelligence, Data Security

MSSPs Caught in the Middle of Iran’s Cyber Escalation

Iran Flag Digital Binary Code Cyberpunk Technology Concept

COMMENTARY: The surge in Iranian cyber activity directly intersects with how MSSPs operate. Attackers are using the same tools and access paths that providers use every day. That makes it harder to spot and easier to spread. This is not just about protecting customers. MSSPs have to treat their own platforms and access as part of the risk. The shift toward wiper-style attacks makes it more serious. If recovery is not possible, then fast detection and containment are all that matter. This comes down to how well MSSPs operate, not just what tools they use.


Ransomware may still dominate boardroom discussions, but the cyber risk facing managed security service providers is shifting in a more strategic direction. As tensions escalate in the Middle East, Iranian cyber actors have mobilized in ways that put both MSSPs and their customers at acute risk. Recent incidents, including the disruption of medical device manufacturer Stryker by Iran-linked hackers, underscore how quickly geopolitical conflict can translate into cyber operations against Western companies.

The February 28, 2026, U.S. and Israeli strikes against Iran triggered an immediate surge in cyber activity from Iranian-aligned groups. Within hours, hacktivist collectives began launching disruptive campaigns. Within days, government cyber agencies across the U.S., Canada, and the UK issued advisories warning organizations to raise their defensive posture.

For MSSPs, the concern is not just the increase in activity, but the way Iran-nexus operators conduct their campaigns. These groups frequently target the same administrative tools, remote management platforms, and trust relationships that managed service providers depend on. MSSPs face risk from two directions: Iranian actors may target customers directly using techniques that mimic legitimate managed service activity, or they may compromise an MSSP itself to access a downstream client base. Both scenarios are documented, but the first is far more common. In either case, MSSPs become part of the attack surface.

Iran’s Cyber Actor Ecosystem

Iran’s cyber capability operates through a layered ecosystem of government units and deniable proxy groups linked primarily to the Islamic Revolutionary Guard Corps (IRGC) or the Ministry of Intelligence (MOIS). MSSPs may encounter multiple types of activity depending on the clients they support.

MuddyWater (MOIS) is one of the most operationally relevant groups for MSSPs. The group built its reputation on abusing legitimate RMM tools to blend malicious activity into normal administrative traffic. Since early 2025, MuddyWater has shifted toward targeted spear phishing and custom backdoors, including Phoenix, StealthCache, and MuddyViper, designed to evade EDR solutions. RMM monitoring alone is no longer sufficient. Analysts have also assessed that MuddyWater may be acting as an initial access broker for other Iranian groups.

Agrius (MOIS) is known for destructive wiper campaigns. Early operations disguised wipers as ransomware to delay attribution; more recent campaigns move directly to data destruction, often pairing it with public data leaks to maximize reputational damage. Agrius has also demonstrated supply chain capability, deploying wipers through a software vendor’s update mechanism to hit multiple victims simultaneously.

APT33 / Peach Sandstorm (IRGC) focuses on destructive operations against industrial targets, with increasing interest in cloud environments, making it relevant for MSSPs managing hybrid infrastructure for energy, defense, or industrial clients.

The hacktivist proxy ecosystem expanded rapidly after February 28, with some analysts estimating that more than 60 groups were activated. These include pro-Russian collectives and multiple Iranian-aligned personas forming a coordinated “Electronic Operations Room” within hours of the strikes. Handala Hack (MOIS-linked) blends exfiltration with targeted harassment. FAD Team, despite its hacktivist branding, is better described as a destructive proxy group with documented SCADA/PLC access; MSSPs with OT clients should treat it as a genuine destructive threat. Dark Storm Team specializes in DDoS and ransomware.

These actors increasingly coordinate with state-sponsored campaigns rather than operating independently. Iran’s internet connectivity dropped to 1–4% immediately after the strikes, temporarily degrading state-level coordination. As a result, hacktivist proxies outside Iran represent the most immediate threat. More sophisticated APT activity will likely follow as Iranian infrastructure is restored, so MSSPs should prepare for both waves.

How Iranian Actors Target MSSPs and Their Clients

The most common documented scenario involves Iranian actors targeting organizations directly using techniques that resemble legitimate managed service activity. MuddyWater’s use of RMM tools, , PowerShell, WMI, and file-sharing platforms to deliver malware can appear indistinguishable from routine IT administration until the attack reaches its final stage—and that is precisely the point.

The MSSP-as-direct-target scenario is also real. CISA has repeatedly warned that attackers exploit MSP trust relationships to gain broad access across multiple networks through a single breach. A compromised MSSP provides access to dozens or hundreds of organizations simultaneously, which is exactly the scale Iranian actors seek.

MSSPs should remain vigilant against both models: defending against Iranian TTPs used against clients and hardening their own management infrastructure against direct compromise.

Wipers Blur the Line with Ransomware

Iran has been developing and deploying wiper malware for more than a decade, with the Shamoon attacks against Saudi Arabia serving as an early benchmark. The distinction between wipers and ransomware is increasingly unreliable. Agrius initially disguised destructive malware as ransomware to delay detection. A newer threat, Sicarii—a ransomware-as-a-service (RaaS) operation that surfaced in December 2025—contains a flaw in its key handling that makes decryption permanently impossible, regardless of whether a ransom is paid. The operational result is indistinguishable from a wiper.

MSSP incident response playbooks that assume ransomware recovery is eventually possible must be revisited. Iranian actors deliver wipers through phishing, exploitation of internet-facing services, credential compromise, and supply chain attacks, relying on native tools like PowerShell and WMI that blend into legitimate operations. Many campaigns disable endpoint protection before triggering destruction, collapsing the response window. For MSSPs, the worst-case scenario is destructive malware cascading across multiple client environments simultaneously through compromised management infrastructure.

How MSSPs Should Prepare

Several defensive priorities consistently reduce risk across these attack models:

  • Treat RMM platforms as high-value attack surfaces: enforce phishing-resistant MFA on all management platforms and monitor for anomalous deployment activity. Unauthorized RMM installation is a documented early indicator of MuddyWater intrusions, though RMM monitoring alone is insufficient given the group’s custom backdoor capabilities.
  • Audit cross-tenant exposure: shared credentials, over-permissioned integrations, and unmanaged administrative pathways allow attackers to pivot between client environments. This is what turns a single MSSP compromise into a multi-client incident.
  • Tune detection for living-off-the-land (LOTL) behavior: monitor process creation, credential access attempts, and endpoint protection tampering. Behavioral baselines matter more than signature detection against these actors.
  • Isolate backup infrastructure from management networks: if attackers can reach both production and backup environments, recovery options disappear before the attack is detected.
  • Extend incident response planning to OT and ICS environments: FAD Team has demonstrated capabilities against industrial control systems. MSSPs serving utilities, manufacturing, or critical infrastructure must account for this threat.
  • Incorporate true no-recovery scenarios into tabletop exercises: the line between ransomware and wipers is blurring, and response plans that assume eventual recovery will increasingly fall short.

The cyber activity following the February strikes points to a shift already underway. Nation-state actors, proxy groups, and criminal organizations are converging on the same targets and techniques—many of which intersect directly with MSSP infrastructure. Understanding how Iranian actors operate, and how those tactics align with managed service environments, is now essential to protecting both providers and the organizations that depend on them.


MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff. Do you have a unique perspective you want to share? Check out our guidelines here and send a pitch to [email protected].


An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Brad Shannon

Brad Shannon is the Director of Product Management for Managed Services at Summit 7, where he works across departments to bring innovative, compliance-focused solutions to market. With more than 20 years of IT experience spanning cloud and on-premises technologies, Brad specializes in developing and executing IT strategies, managing infrastructure and budgets, and ensuring compliance with standards such as NIST SP 800-171 and CMMC. He holds a degree in Cybersecurity and Information Assurance from Western Governors University, along with multiple industry certifications from CompTIA, ITIL, and others.

You can skip this ad in 5 seconds