Morning Overview

Expert warns Iran-linked hackers threaten U.S. healthcare and finance

U.S. federal agencies have issued a joint warning that Iran-linked cyber actors are exploiting U.S. organizations, with healthcare providers among the targets. In a joint advisory, CISA, the FBI, and the Department of Defense Cyber Crime Center describe how these actors enable ransomware activity and outline indicators and defensive guidance for network defenders. Separate U.S. law enforcement actions and Treasury sanctions over the past decade also describe Iran-linked cyber activity affecting the financial sector, and officials have warned the risk can persist even during periods of relative diplomatic calm.

Ransomware Operations Hitting Hospitals

A joint cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency, the FBI, and the Department of Defense Cyber Crime Center describes how Iran-based actors are enabling ransomware attacks against U.S. organizations, including those in the healthcare sector. The advisory provides specific tactics, techniques, and procedures alongside indicators of compromise that network defenders can use to detect and block intrusions. The advisory says the FBI assessed that the actors behind these operations are associated with the Government of Iran.

Ransomware in a hospital setting is not just an IT problem. When systems go dark, clinicians lose access to electronic health records, pharmacies cannot verify prescriptions, and emergency departments may need to divert ambulances. The advisory’s inclusion of healthcare organizations underscores the potential for ransomware to disrupt patient-care operations. Public reporting and prior incident responses have shown that ransomware can force diversions and delays, but the advisory itself focuses on technical details and defensive measures rather than attributing specific intent.

Federal officials have also emphasized that many healthcare organizations lack the resources to defend against sophisticated state-linked intrusions. Smaller hospitals and regional clinics often run outdated software, rely on a limited number of IT staff, and depend on third-party vendors for critical services. These weaknesses can give intruders multiple avenues to gain initial access, including through exposed remote access services and phishing, as commonly described in federal cyber guidance. The result is a threat environment in which a single successful compromise can cascade across an entire regional care network.

A Long Record of Targeting U.S. Finance

The threat to American financial institutions stretches back more than a decade. From late 2011 to mid-2013, Iran-sponsored or directed actors carried out a systematic distributed denial-of-service campaign against nearly 50 banks, according to a DOJ case summary published by the FBI. Those attacks flooded bank websites with junk traffic, at times preventing customers from accessing online services and forcing institutions to spend heavily on mitigation. The scale of the campaign, hitting dozens of institutions over roughly 18 months, demonstrated an operational tempo that few non-state actors could sustain.

More recently, the Justice Department announced charges against four Iranian nationals accused of running a multi-year cyber campaign against U.S. companies. Prosecutors alleged that an Iran-based company served as a front for compromising both public and private sector systems, using spearphishing emails and social engineering to gain initial access. The indictment connects the defendants to Iranian entities, reinforcing a pattern in which private firms in Iran allegedly operate as extensions of the state’s cyber apparatus, providing plausible deniability while still advancing strategic objectives.

Financial institutions remain attractive targets because they sit at the intersection of money, data, and public trust. Even short-lived disruptions can fuel rumors about bank solvency, trigger customer panic, or complicate monetary policy responses during a crisis. For Iran-linked actors, this makes cyber operations against finance a flexible tool: they can be calibrated to send a political signal, raise revenue through extortion, or quietly gather intelligence on sanctions enforcement and transaction monitoring.

Treasury Sanctions and the Money Trail

Financial penalties have become one of Washington’s primary tools for imposing costs on these networks. The U.S. Treasury Department sanctioned individuals and entities it described as IRGC-linked in connection with ransomware-related activity, and Treasury said the compromise activity had been ongoing since at least 2020. By naming individuals and entities tied to the Islamic Revolutionary Guard Corps, Treasury aimed to cut off their access to the global financial system and deter future operations.

The sanctions extend beyond cyber operators to the financial infrastructure that supports the Iranian regime. Treasury designated an entire network alleged to have laundered billions through Iranian exchange houses and foreign front companies in what officials described as a shadow banking scheme. This action highlights how illicit finance networks can operate alongside other national-security threats. While the Treasury release focuses on the alleged laundering network, U.S. officials have separately used sanctions and law enforcement actions to target cyber operators; analysts often look for points where illicit finance channels could also facilitate cyber-enabled crime, including the movement of extortion proceeds.

Enforcement has also reached funds moving through oil networks. The United States filed civil forfeiture complaints against $15 million allegedly linked to an Iranian oil shipping network, according to IRS Criminal Investigation. Seizing money already in the banking system is a different lever than sanctions designations: it removes capital that has already entered U.S.-connected accounts, raising the direct financial cost of operating these networks and signaling that even complex offshore structures can be penetrated.

Behind these headline actions lies a quieter layer of compliance work carried out by banks, payment processors, and other intermediaries. Financial institutions are expected to file suspicious activity reports, enhance due diligence on high-risk customers, and respond quickly to law enforcement inquiries. More broadly, everyday financial interactions increasingly rely on online portals and identity systems, which expands the number of internet-facing services that defenders must secure. The same connectivity that makes it easier to pay taxes or move funds also creates additional attack surfaces for state-linked actors to probe.

Why the Threat Persists During Calm Periods

A common assumption is that cyber risk from state actors rises during open conflict and falls during ceasefires or diplomatic engagement. Reporting from the Associated Press has challenged that view, noting that U.S. officials have warned about ongoing Iranian-affiliated cyber risk even during periods of reduced military tension. Separate AP accounts have also highlighted that Iran-linked hackers continue to target the United States and other nations, raising the risk of disruptive attacks during wartime conditions and underscoring that the operational tempo does not neatly track public headlines.

The logic behind persistent operations is straightforward. Cyber intrusions require months of preparation: scanning for vulnerabilities, establishing footholds, and moving laterally through networks before deploying ransomware or exfiltrating data. Actors who pause during quiet periods lose that preparation time and must rebuild access from scratch. Maintaining continuous access to healthcare and financial networks gives Iran-linked groups the option to escalate quickly if geopolitical conditions shift, without the delay of starting a new intrusion cycle.

Continuous activity also serves intelligence-gathering goals. Access to hospital networks can reveal information about senior officials’ medical care or emergency preparedness, while access to banks can shed light on sanctions implementation and the movement of funds through correspondent accounts. Even when no ransomware is deployed and no data is publicly leaked, the persistence of low-level intrusions can incrementally improve Iran’s understanding of U.S. vulnerabilities and crisis-response playbooks.

Where Standard Analysis Falls Short

Much of the public discussion treats Iranian cyber threats as a series of isolated incidents: a DDoS campaign here, a ransomware attack there, a sanctions designation in between. That framing misses the structural connection between the technical operations and the financial networks that sustain them. The same ecosystem that launders proceeds from oil shipments and sanctions evasion can also move ransomware payments, fund front companies that hire programmers, and finance the infrastructure used to stage attacks.

Viewing these activities as a single, integrated system has practical implications for defense. For hospitals and banks, cybersecurity cannot be separated from compliance and fraud monitoring; indicators that suggest money laundering or sanctions evasion may also point to networks supporting future cyber operations. For policymakers, sanctions and forfeiture actions are not just punitive tools but opportunities to map relationships between operators, intermediaries, and state entities. And for the public, the warning is that Iranian-linked cyber campaigns are unlikely to disappear with any single indictment or diplomatic agreement, because they are rooted in enduring strategic incentives and a resilient financial architecture that spans both licit and illicit channels.

*This article was researched with the help of AI, with human editors creating the final content.